[Samba] "weak crypto is allowed"--The thread to end all threads

Andrew Bartlett abartlet at samba.org
Fri May 27 20:51:32 UTC 2022

On Fri, 2022-05-27 at 20:16 +0100, Rowland Penny via samba wrote:
> On Fri, 2022-05-27 at 12:05 -0700, Gregory Sloop via samba wrote:
> > So, pardon me, if this feels like thread hijack - but I get this
> > message too, and though I'm on Ubuntu, I've vuln-tested (Greenbone)
> > my DC's and the tests show that the DC's/servers are allowing weak
> > crypto too.
> Not strictly true, from my understanding, Samba falls back to weak
> crypto because that is all that gnutls on the OS allows, you cannot
> override this.

It isn't so much 'fall back' as 'allow if required/requested by the
client/server', and essentially applies to RC4 outside Kerberos (which
is what the code checks if GnuTLS will allow). 

Andrew Bartlett

Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba

More information about the samba mailing list