On 04/03, Steve French wrote:
SMB2.1 or later is probably fine (and we note SMB2.1 or 3) for most cases in our mount warning message. But this FIPS compliance issue reminds me that we should get the other auth mechanisms working that are 'peer to peer' (so not forced to be domain joined). krb5 is great, but Macs support 'peer-to-peer kerberos' and also SCRAM (RFC 7677) so we could also presumably get FIPS compliant login for peer-to-peer cases if we implement one or both of those other auth mechanisms.
Thanks, Steve. AFAIK, as I mentioned earlier, I don't see FIPS disapproving particular auth mechanisms, but if those you mention use algorithms that are not on FIPS-validated crypto modules, we're out of luck there as well. (full disclosure: I'm not yet familiar with "peer-to-peer kerberos") On-topic: I'd just like to have this patch merged for informational purposes only. I then can start working on yours and Tom's suggestions.
Anyone have some Macs or Mac VMs to test against ...?
Yes. But let's move this one privately please. Cheers, Enzo