[Samba] samba4 ad tls version
norbert.hanke at gmx.ch
Fri Sep 17 21:03:04 UTC 2021
On 17.09.2021 22:24, Andrew Bartlett via samba wrote:
> On Fri, 2021-09-17 at 11:19 -0300, Marcos Ariel Negrini via samba
>> I have a samba4 ad cluster, I am reading about the tls configuration
>> the smb file. I was looking into disabling the deprecated tls
>> I was wondering if there could be problems with older versions of
>> windows (in the cluster we have windows 7 mixed with 10) connecting
>> samba. Which tls configuration is recommended?
> In general we don't find Windows clients use TLS at all, they all use
> NTLM or ideally Kerberos.
> So you should be able to restrict this without that concern.
> I hope this helps clarify things,
> Andrew Bartlett
I checked against a Samba 4.14.5 DC running on Debian Buster (Raspberry Pi):
> openssl s_client -connect dc2.ad.mydomain.ch:636
depth=1 C = CH, O = Myorg, CN = Myorg CA 1
depth=0 C = CH, O = Myorg, CN = dc2.ad.mydomain.ch
Shared Requested Signature Algorithms:
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Looks like what GnuTLS/OpenSSL on the systems offer, without any
limitations superimposed by Samba.
But as Andrew pointed out: what a Windows client will use is a different
pair of shoes.
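
The s_client check above shows only the highest version the DC negotiates. To see whether deprecated versions are still accepted, each version can be forced in turn. This is an added example, not part of the original thread; the function names probe_tls_versions and deprecated_accepted are hypothetical, and the target host is supplied by the caller.

```shell
#!/bin/sh
# Added example: probe which TLS protocol versions an LDAPS endpoint accepts.
# Function names are hypothetical; the host:port is supplied by the caller.

# probe_tls_versions HOST:PORT
# Prints one line per protocol version: "<version> accepted|rejected".
probe_tls_versions() {
    target=$1
    for pair in tls1:TLSv1.0 tls1_1:TLSv1.1 tls1_2:TLSv1.2 tls1_3:TLSv1.3; do
        flag=${pair%%:*}
        name=${pair#*:}
        # Force exactly one protocol version per attempt. stdin from
        # /dev/null makes s_client exit right after the handshake.
        out=$(openssl s_client -connect "$target" "-$flag" </dev/null 2>&1) || true
        # A completed handshake reports a real cipher; a failed one reports
        # "Cipher is (NONE)" or prints no cipher line at all.
        if printf '%s\n' "$out" | grep 'Cipher is ' | grep -qv '(NONE)'; then
            echo "$name accepted"
        else
            # Caveat: "rejected" can also mean the local OpenSSL build or
            # policy (e.g. a MinProtocol setting in openssl.cnf) refused to
            # offer this version, so confirm from a permissive client.
            echo "$name rejected"
        fi
    done
}

# deprecated_accepted HOST:PORT
# Returns 0 (true) if the server still accepts TLS 1.0 or TLS 1.1.
deprecated_accepted() {
    probe_tls_versions "$1" | grep -Eq '^TLSv1\.[01] accepted$'
}

# Run only when executed with one argument, e.g.: sh probe.sh HOST:636
if [ "$#" -eq 1 ]; then
    probe_tls_versions "$1"
fi
```

Running it before and after changing the DC's TLS settings shows whether the restriction took effect on port 636.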