On Tue, 2021-10-05 at 17:40 -0400, Edward M. Kutrzyba III via samba wrote:
> I made the mistake of upgrading our Samba-ad to 4.12 on REL7. FIPS was
> enabled, so I discovered that I had to disable FIPS to get my AD domain
> back. Is there a version of samba-ad I can run on REL8 that is FIPS
> compliant?

Not at this time. Later versions of Samba do better at using GnuTLS
for cryptography, which means more of Samba honours the FIPS mode
signals from the system (this makes actual operation harder however).

Looking at master we do test the Samba AD DC in FIPS mode, so do try
the most current releases, but there will be things that just won't
work, like NTLM.

Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions