samba - May 2018 - Re： how to disable RC4 in samba

Hello,
I find that samba support several encrypt method. Iwant to disable RC4, where
can I set it? My samba version is  4.5.16.
Thanks.

On Thu, 2018-05-03 at 14:41 +0800, ryanyang51--- via samba
wrote:
> Hello,
> I find that samba support several encrypt method. Iwant to disable RC4,
where can I set it? My samba version is  4.5.16.
> Thanks.
No, this isn't possible.  At best you could remove the use of arcfour-
hmac-md4 from Kerberos and RC4 from netlogon. 

For netlogon, set 'reject md5 clients = yes'

For kerberos, see the krb5.conf

The rest as listed here can't be directly controlled, particularly in
your older version:

https://gitlab.com/catalyst-samba/samba-docs/wikis/cryptography/what-pa
rts-of-samba-use-cryptography-and-what-algorithms-are-used

Samba 4.7 supports 'ntlm auth = disabled' which will block some more of
these indirectly however.

I hope this helps.  If you can explain your use case it will assist me
in helping you further. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Fri, 2018-05-04 at 15:27 +0800, ryanyang51 at 163.com
wrote:
> Thanks for your answer. "reject md5 clients = yes" works for
disabling RC4 in netlogon.
> I want to ask you for another question.can samba 4.5.16 configure tls
protocol to version 1.1 or higher version. and can configure the chipers of tls
protocol not use des chipers.
For parts of Samba using GnuTLS (the AD DC essentially) the 
tls priority options provides some control here.

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba