[Samba] samba4 ad tls version

Norbert Hanke norbert.hanke at gmx.ch
Fri Sep 17 21:03:04 UTC 2021

On 17.09.2021 22:24, Andrew Bartlett via samba wrote:
> On Fri, 2021-09-17 at 11:19 -0300, Marcos Ariel Negrini via samba
> wrote:
>> Hello:
>> I have a samba4 ad cluster, I am reading about the tls configuration
>> in
>> the smb file. I was looking into disabling the deprecated tls
>> versions.
>> I was wondering if there could be problems with older versions of
>> windows (in the cluster we have windows 7 mixed with 10) connecting
>> to
>> samba. Which tls configuration is recommended?
>> Regards
> In general we don't find Windows clients use TLS at all, they all use
> NTLM or ideally Kerberos.
> So you should be able to restrict this without that concern.
> I hope this helps clarify things,
> Andrew Bartlett

I checked against a Samba 4.14.5 DC running on Debian Buster (Raspberry Pi):

 > openssl s_client -connect dc2.ad.mydomain.ch:636
depth=1 C = CH, O = Myorg, CN = Myorg CA 1
verify return:1
depth=0 C = CH, O = Myorg, CN = dc2.ad.mydomain.ch
verify return:1
Shared Requested Signature Algorithms:
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

Looks like what GnuTLS/OpenSSL on the systems offer, without any
limitations superimposed by Samba.

But as Andrew pointed out: what a Windows client will use is a different
pair of shoes.


More information about the samba mailing list