samba - Jul 2014 - Strong cryptography for Kerberos available?

If I query the AD DC I see:

root at samba4:/# ldapsearch -H  ldap://samba.ad.microsult.de -Y GSSAPI 
'(sAMAccountName=mgr)'
SASL/GSSAPI authentication started
SASL username: Administrator at AD.MICROSULT.DE
SASL SSF: 56
SASL data security layer installed.

I would like to see SASL SSF: 112. Does anyone know whether and where 
this can be configured?

Regards,
  - lars.

On Thu, 2014-07-03 at 22:54 +0200, Lars Hanke wrote:
> If I query the AD DC I see:
> 
> root at samba4:/# ldapsearch -H  ldap://samba.ad.microsult.de -Y GSSAPI 
> '(sAMAccountName=mgr)'
> SASL/GSSAPI authentication started
> SASL username: Administrator at AD.MICROSULT.DE
> SASL SSF: 56
> SASL data security layer installed.
> 
> I would like to see SASL SSF: 112. Does anyone know whether and where 
> this can be configured?
I don't think it's actually that weak, but the SASL libs probably
don't
know how to tell any better.  At the very least it would be using
arcfour-hmac-md5, perhaps AES if provisioned at a high enough functional
level. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba