On Thu, 2014-07-03 at 22:54 +0200, Lars Hanke wrote:> If I query the AD DC I see:
>
> root at samba4:/# ldapsearch -H ldap://samba.ad.microsult.de -Y GSSAPI
> '(sAMAccountName=mgr)'
> SASL/GSSAPI authentication started
> SASL username: Administrator at AD.MICROSULT.DE
> SASL SSF: 56
> SASL data security layer installed.
>
> I would like to see SASL SSF: 112. Does anyone know whether and where
> this can be configured?
I don't think it's actually that weak, but the SASL libs probably
don't
know how to tell any better. At the very least it would be using
arcfour-hmac-md5, perhaps AES if provisioned at a high enough functional
level.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba