[Samba] "weak crypto is allowed"--The thread to end all threads

Andrew Bartlett abartlet at samba.org
Fri May 27 20:47:11 UTC 2022


On Fri, 2022-05-27 at 20:46 +0100, Rowland Penny via samba wrote:
> If I am understanding this incorrectly, then I am sure Andrew will jump
> in.

Yeah, it really isn't like that.

Samba has always controlled the most important algorithms used in the
protocols via smb.conf options, and continues to do so.

We set a level of operation that is a compromise between continued
operation in our typical deployments.

In general, we try to match (and in a few cases better, e.g. LDAP in
Samba requires message signatures, avoiding NTLM/Kerberos forwarding
attacks) current Windows behaviour.

The phrasing is being improved as it continues to cause distress,
because it is simply a view into the additional restrictions on RC4 and
MD5 (essentially) that can be OS-configured that override or go beyond
what can be controlled with our settings.  

In particular, this controls use of RC4 (now considered weak) in LSA
and NETLOGON and MD5-based passwords (storing passwords for HTTP-
Digest) in the AD DC, but doesn't control the storage of the NT hash
(MD4 based), nor arcfour-hmac-md5 Kerberos.  It does ban all NTLM
authentication due to the use of MD5 in NTLMv2. 

Without FIPS mode in GnuTLS, there are still these options:
 - ntlm auth (and lanman auth, which this overrides)
 - client lanman auth, client ntlmv2 auth, client kerberos auth
Unrelated to FIPS mode there is:
 - server smb3 encryption algorithms, server smb3 signing algorithms
 - client smb3 encryption algorithms, client signing algorithms
 - allow nt4 crypto, reject md5 clients (NETLOGON Schannel)
and settings about using cryptography at all, e.g. (this is not
exclusive):
 - client schannel, server schannel, server require schannel (NETLOGON
Schannel)
 - client signing, client ipc signing, server signing (SMB SIGNING)

Here is the full list of sites that check using this.  Other than the
NTLM controls above, these don't have an smb.conf control, and I have
raised this as a concern.  In particular RC4 is offered over NETLOGON
and Kerberos and should be turned off in 2022.

I would also love to see an over-all, smb.conf based policy control to
give administrators some confidence that they have met a minimum bar,
but this requires development resources.

Anyway, here is the list of things this mode controls:

source3/libads/kerberos.c:      if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_ALLOWED &&
source3/libads/sasl.c:  if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
source3/param/loadparm.c:       if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
source3/param/loadparm.c:enum samba_weak_crypto lp_weak_crypto()
source3/param/loadparm.h:enum samba_weak_crypto lp_weak_crypto(void);
source3/rpc_server/lsa/srv_lsa_nt.c:    if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
source3/rpc_server/netlogon/srv_netlog_nt.c:    if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED) {
source3/rpc_server/samr/srv_samr_nt.c:  if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
source3/rpc_server/samr/srv_samr_nt.c:  if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
source3/rpc_server/samr/srv_samr_nt.c:                  if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
source3/rpc_server/samr/srv_samr_nt.c:                  if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
source3/rpc_server/samr/srv_samr_nt.c:                  if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
source3/rpc_server/samr/srv_samr_nt.c:                  if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_DISALLOWED &&
[abartlet at jesse samba]$ git grep lpcfg_weak
auth/gensec/gensec_start.c:         lpcfg_weak_crypto(security->settings->lp_ctx) != SAMBA_WEAK_CRYPTO_ALLOWED) {
lib/param/loadparm.c:enum samba_weak_crypto lpcfg_weak_crypto(struct loadparm_context *lp_ctx)
lib/param/loadparm.c:   if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
libcli/auth/netlogon_creds_cli.c:       if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
source4/dsdb/samdb/ldb_modules/password_hash.c: if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_ALLOWED) {
source4/librpc/rpc/dcerpc_schannel.c:   if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
source4/param/pyparam.c:                lpcfg_weak_crypto(PyLoadparmContext_AsLoadparmContext(self));
source4/rpc_server/lsa/dcesrv_lsa.c:    if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED &&
source4/rpc_server/netlogon/dcerpc_netlogon.c:  if (lpcfg_weak_crypto(dce_call->conn->dce_ctx->lp_ctx) ==
source4/rpc_server/samr/samr_password.c:        if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED &&
source4/rpc_server/samr/samr_password.c:        if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED &&
source4/rpc_server/samr/samr_password.c:        if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED &&
source4/torture/rpc/netlogon_crypto.c:          (lpcfg_weak_crypto(tctx->lp_ctx) ==


This is displayed in testparm so as to aid diagnosis, as we rely on
GnuTLS for most of our cryptography, and we will fail if we attempt
operations banned by whole-system policies.

Finally, with much frustration, only some operating systems/Linux
distributions compile GnuTLS with the FIPS mode that even applies these
settings.  So not only can't we easily test this mode except on Fedora
images, many administrators can't change the output of this string even
if they want.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
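
An added example, not part of the original message and not Samba code: a small Python check that reads an smb.conf [global] section plus testparm output and reports which of the crypto-related parameters named in the message are set explicitly. The sample configuration and output are constructed; only a subset of the listed parameters is watched, and "client smb3 signing algorithms" is assumed to be the full name of what the message lists as "client signing algorithms".

```python
import re

# Subset of the smb.conf parameters named in the message, grouped as it groups them.
WATCHED = {
    "NTLM/LANMAN": ["ntlm auth", "lanman auth", "client lanman auth", "client ntlmv2 auth"],
    "SMB3 algorithms": ["server smb3 encryption algorithms", "server smb3 signing algorithms",
                        "client smb3 encryption algorithms", "client smb3 signing algorithms"],
    "NETLOGON Schannel": ["allow nt4 crypto", "reject md5 clients",
                          "client schannel", "server schannel"],
    "SMB signing": ["client signing", "client ipc signing", "server signing"],
}

def norm(name):
    # smb.conf parameter names are matched ignoring case and whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_global(conf_text):
    """Return {normalized name: value} for [global]; line continuations are not handled."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()
    return params

def weak_crypto_status(testparm_output):
    """Extract 'allowed'/'disallowed' from the testparm status line, else None."""
    m = re.search(r"weak crypto is (allowed|disallowed)", testparm_output, re.I)
    return m.group(1).lower() if m else None

def audit(conf_text, testparm_output=""):
    """None for a parameter means it is not set explicitly (the Samba default applies)."""
    params = parse_global(conf_text)
    report = {"weak crypto": weak_crypto_status(testparm_output)}
    for group, names in WATCHED.items():
        report[group] = {n: params.get(norm(n)) for n in names}
    return report

# Constructed sample input, not taken from a real server.
SAMPLE_CONF = "[global]\n  ntlm auth = ntlmv2-only\n  Client NTLMv2 Auth = yes\n" \
              "  rejectmd5clients = yes\n  client signing = required\n" \
              "  ; server signing = mandatory\n[share]\n  path = /srv/share\n"
SAMPLE_OUTPUT = "Loaded services file OK.\nWeak crypto is allowed\n"

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF, SAMPLE_OUTPUT).items():
        print(key, "->", value)
```
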



