[Samba] "weak crypto is allowed"--The thread to end all threads

Gregory Sloop gregs at sloop.net
Fri May 27 19:05:21 UTC 2022

So, pardon me, if this feels like thread hijack - but I get this message too, and though I'm on Ubuntu, I've vuln-tested (Greenbone) my DCs and the tests show that the DCs/servers are allowing weak crypto too.
So, perhaps it would be useful for all of us, if someone would highlight the params for Samba that deal with crypto, and how (best-practices) they should be configured.
I keep intending to address my DCs, but life happens - and so this thread caught my attention.
John, if you want me to start a different thread, I'm glad to do so, but perhaps this would help us address both our concerns.  :)

> On Fri, 2022-05-27 at 16:48 +0100, John Ericsson via samba wrote:

>> So people have been asking about this message for several years.

>> It appears when I run "testparm".
>> Some say it's a bug (it is not)

> There is a bug report for it:
> https://bugzilla.samba.org/show_bug.cgi?id=14583

>> Some say it's not samba related but refers to the OS.

> Yes, gnutls

>> What I have not found is anyone saying "add this setting to smb.conf"
>> and the message will go.

> As far as I know, there isn't anything you can add.

>> I am running vanilla rhel8 with crypto policies set to "future"

> But do they allow falling back to weaker crypto? Which is what the
> message means.

> Rowland
