Created attachment 16348 [details]
truncated log of apt install samba-common-bin
When installing samba on Debian bullseye, the very concerning message "Weak crypto is allowed" gets printed when testparm checks the default smb.conf.
This message does not include enough details for the person seeing it to understand where the weak crypto is coming from, what vulnerabilities in samba the weak crypto enables and what the consequences to interoperability etc are of disabling the weak crypto and how to disable the week crypto if desired.
Probably the right way to do this would be to document the questions above on a wiki or web page or in the samba documentation and then add a link to that documentation from the testparm message.
This bug was referenced in samba master:
Thanks for https://gitlab.com/samba-team/samba/-/commit/5c27740aeff273bcd5f027d36874e56170234146
> will fall back to these weak crypto algorithms if it is not possible
> to use strong cryptography by default.
What are the reasons of this fallback? Can we have more info?
Yeah, we need to enumerate the main cases that use 'weak' cryptography and so will fail if FIPS mode is enabled.
NTLM authentication is the main one, it uses RC4-MD5. Will look into it next week with Alexander.
I think that updating the testparm documentation isn't quite enough, since testparm could be run by things like the Debian package upgrade scripts and then the sysadmin could see the warning and wonder what it is about without, but have no idea where to go looking because the warning doesn't point that out.
A simple "See DIAGNOSTICS in testparm(1) manual page." message (maybe just when weak crypto is allowed?) would make the documentation added much more accessible.