How to Fix "Weak Crypto is Allowed" in Samba » History » Version 4
Gareth Eaton, 12/18/2023 12:44 AM
| 1 | 1 | Gareth Eaton | h1. How to Fix "Weak Crypto is Allowed" in Samba |
|---|---|---|---|
| 2 | |||
| 3 | 4 | Gareth Eaton | The "Weak crypto is allowed" message from testparm in Samba is a known issue. It often appears due to internal checks related to cryptographic methods and does not necessarily indicate a significant security flaw in your configuration. |
| 4 | 1 | Gareth Eaton | |
| 5 | 4 | Gareth Eaton | Ensuring strong security in Samba can be achieved by using SMB3 and carefully managing authentication methods. |
| 6 | 1 | Gareth Eaton | |
| 7 | 1. Open the Samba configuration file, usually located at `/etc/samba/smb.conf`, with a text editor. Use a command like `sudo nano /etc/samba/smb.conf`. |
||
| 8 | |||
| 9 | 2. Inside the `smb.conf` file, find the *`[global]` section* , where you can configure global settings for Samba. |
||
| 10 | |||
| 11 | 3. Add or modify the following lines in the `[global]` section: |
||
| 12 | <pre> |
||
| 13 | 4 | Gareth Eaton | server min protocol = SMB3 |
| 14 | server max protocol = SMB3 |
||
| 15 | 1 | Gareth Eaton | ntlm auth = yes |
| 16 | lanman auth = no |
||
| 17 | </pre> |
||
| 18 | |||
| 19 | 3 | Gareth Eaton | These settings ensure that Samba uses a secure protocol (SMB3.02) and enables NTLM authentication while disabling weaker LANMAN authentication. |
| 20 | 1 | Gareth Eaton | |
| 21 | 4. Save the changes and exit the text editor. |
||
| 22 | |||
| 23 | 5. Restart the Samba service to apply the new configuration. Use a command like `sudo systemctl restart smbd` (command may vary depending on your Linux distribution). |
||
| 24 | |||
| 25 | 6. Run the `testparm` command again to verify that the "Weak crypto is allowed" message is no longer displayed. |
||
| 26 | |||
| 27 | By following these steps, you'll improve the security of your Samba server by disabling weak cryptographic algorithms. |