Bug 14583 - testparm: explain what "Weak crypto is allowed" means
Summary: testparm: explain what "Weak crypto is allowed" means
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other (show other bugs)
Version: 4.13.2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andreas Schneider
QA Contact: Samba QA Contact
Depends on:
Reported: 2020-11-27 01:52 UTC by Paul Wise
Modified: 2021-02-26 01:50 UTC (History)
3 users (show)

See Also:

truncated log of apt install samba-common-bin (260 bytes, text/plain)
2020-11-27 01:52 UTC, Paul Wise
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Paul Wise 2020-11-27 01:52:38 UTC
Created attachment 16348 [details]
truncated log of apt install samba-common-bin

Forwarding https://bugs.debian.org/975882

When installing samba on Debian bullseye, the very concerning message "Weak crypto is allowed" gets printed when testparm checks the default smb.conf.

This message does not include enough details for the person seeing it to understand where the weak crypto is coming from, what vulnerabilities in samba the weak crypto enables and what the consequences to interoperability etc are of disabling the weak crypto and how to disable the week crypto if desired.

Probably the right way to do this would be to document the questions above on a wiki or web page or in the samba documentation and then add a link to that documentation from the testparm message.
Comment 1 Samba QA Contact 2020-11-27 13:49:08 UTC
This bug was referenced in samba master:

Comment 2 Mathieu Parent 2020-11-27 14:19:51 UTC
Thanks for https://gitlab.com/samba-team/samba/-/commit/5c27740aeff273bcd5f027d36874e56170234146

> will fall back to these weak crypto algorithms if it is not possible
>	to use strong cryptography by default.

What are the reasons of this fallback? Can we have more info?
Comment 3 Andrew Bartlett 2020-11-27 20:39:04 UTC
Yeah, we need to enumerate the main cases that use 'weak' cryptography and so will fail if FIPS mode is enabled.
Comment 4 Andreas Schneider 2020-11-28 19:06:34 UTC
NTLM authentication is the main one, it uses RC4-MD5. Will look into it next week with Alexander.
Comment 5 Paul Wise 2021-02-26 01:50:51 UTC
I think that updating the testparm documentation isn't quite enough, since testparm could be run by things like the Debian package upgrade scripts and then the sysadmin could see the warning and wonder what it is about without, but have no idea where to go looking because the warning doesn't point that out.

A simple "See DIAGNOSTICS in testparm(1) manual page." message (maybe just when weak crypto is allowed?) would make the documentation added much more accessible.