Created attachment 16348
truncated log of apt install samba-common-bin
When installing samba on Debian bullseye, the very concerning message "Weak crypto is allowed" gets printed when testparm checks the default smb.conf.
This message does not include enough details for the person seeing it to understand where the weak crypto is coming from, what vulnerabilities in samba the weak crypto enables, what the consequences to interoperability etc. are of disabling the weak crypto, and how to disable the weak crypto if desired.
Probably the right way to do this would be to document the questions above on a wiki or web page or in the samba documentation and then add a link to that documentation from the testparm message.
This bug was referenced in samba master:
Thanks for https://gitlab.com/samba-team/samba/-/commit/5c27740aeff273bcd5f027d36874e56170234146
> will fall back to these weak crypto algorithms if it is not possible
> to use strong cryptography by default.
What are the reasons for this fallback? Can we have more info?
Yeah, we need to enumerate the main cases that use 'weak' cryptography and so will fail if FIPS mode is enabled.
NTLM authentication is the main one, it uses RC4-MD5. Will look into it next week with Alexander.
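Added example (my own script, not Samba project code and not part of this bug report) tying together the two things discussed above: spotting the "Weak crypto is allowed" notice in a testparm transcript, and the smb.conf override that turns the weak algorithms off. It assumes the [global] parameter "weak crypto" with the values default / allowed / disallowed is the knob that controls this; the testparm transcript and the smb.conf files it writes are constructed, and the real testparm is only invoked when it happens to be installed.

```shell
#!/bin/sh
# Added example, not Samba project code. Detects the testparm notice
# "Weak crypto is allowed" and writes the default smb.conf next to a
# hardened one. Assumption: the [global] parameter "weak crypto"
# (default / allowed / disallowed) controls the fallback; check your
# Samba version's smb.conf(5) before relying on it.
set -eu

# Exit 0 if the testparm transcript in $1 contains the notice, 1 otherwise.
weak_crypto_allowed() {
    grep -q 'Weak crypto is allowed' "$1"
}

# Write a minimal standalone-server smb.conf to $1 with "weak crypto = $2".
write_smb_conf() {
    cat > "$1" <<EOF
[global]
    workgroup = WORKGROUP
    server role = standalone server
    weak crypto = $2
EOF
}

# Print the "weak crypto" value set in config file $1, or "default" if unset.
configured_weak_crypto() {
    v=$(sed -n 's/^[[:space:]]*weak crypto[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    printf '%s\n' "${v:-default}"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed transcript standing in for the attached apt/testparm log.
cat > "$tmp/testparm.log" <<'EOF'
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_STANDALONE
EOF

if weak_crypto_allowed "$tmp/testparm.log"; then
    echo "notice present: RC4/MD5-era algorithms (e.g. for NTLM) are still enabled"
fi

# The shipped default beside the hardened setting.
write_smb_conf "$tmp/smb-default.conf" default
write_smb_conf "$tmp/smb-hardened.conf" disallowed

for conf in "$tmp/smb-default.conf" "$tmp/smb-hardened.conf"; do
    echo "$conf: weak crypto = $(configured_weak_crypto "$conf")"
    # Only call the real tool when it is installed; ignore its exit status
    # because an older Samba rejects the unknown parameter.
    if command -v testparm >/dev/null 2>&1; then
        testparm -s "$conf" > "$tmp/out.log" 2>&1 || true
        if weak_crypto_allowed "$tmp/out.log"; then
            echo "  testparm: Weak crypto is allowed"
        else
            echo "  testparm: notice not printed"
        fi
    fi
done
```

Before switching a production server to "weak crypto = disallowed", remember the point made above: NTLM authentication depends on those algorithms, so clients that cannot do Kerberos will stop authenticating.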