Hello everybody,

since the patch for all the badlock bugs it is not possible to access a Samba 4 ADDC-database with ldb-tools. Every time I try it, I get the following error:

root at addc-02:~# ldbsearch -H ldaps://addc-02.example2.net -U administrator
TLS failed to missing crlfile - with 'tls verify peer as_strict_as_possible'

When I add:
----------------------
tls verify peer = no_check
----------------------
to smb.conf I will get the following error:

root at addc-02:~# ldbsearch -H ldaps://addc-02.example2.net -U administrator
Password for [EXAMPLE2\administrator]:
Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
Failed to connect to 'ldaps://addc-02.example2.net' with backend 'ldaps': (null)
Failed to connect to ldaps://addc-02.example2.net - (null)

Only if I put the line
--------------
ldap server require strong auth = no
---------------
to smb.conf, everything is working again. BUT as I understand these two parameters, I will go back to the old behavior and a man in the middle attack is possible.

Is there a solution to keep the security high AND still use the ldb-tools? I couldn't find anything in any documentation.

Stefan
On Fri, 2016-06-10 at 19:37 +0200, Stefan Kania wrote:
> Hello everybody,
>
> since the patch for all the badlock bugs it is not possible to access
> a Samba 4 ADDC-database with ldb-tools. Every time I try it, I get the
> following error:
...
> When I add:
> ----------------------
> tls verify peer = no_check
> ----------------------
> to smb.conf I will get the following error:
>
> root at addc-02:~# ldbsearch -H ldaps://addc-02.example2.net -U administrator
> Password for [EXAMPLE2\administrator]:
> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -
> <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
> Failed to connect to 'ldaps://addc-02.example2.net' with backend
> 'ldaps': (null)
> Failed to connect to ldaps://addc-02.example2.net - (null)
>
> Only if I put the line
> --------------
> ldap server require strong auth = no
> ---------------
> to smb.conf, everything is working again. BUT as I understand these
> two parameters, I will go back to the old behavior and a man in the middle
> attack is possible.
>
> Is there a solution to keep the security high AND still use the
> ldb-tools? I couldn't find anything in any documentation.

Just don't use ldaps://, instead use Kerberos (-k yes). I know it seems strange, but direct encryption with Kerberos is more secure than LDAP over SSL/TLS.

Therefore, we only accept simple binds over ldaps:// by default.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
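As an added example that is not part of the thread, a small POSIX shell audit that flags the two smb.conf workarounds Stefan tried (`tls verify peer = no_check` and `ldap server require strong auth = no`) so they do not linger on a DC after the Kerberos route has been adopted; the two sample configs are constructed, and the comment-stripping and case/whitespace normalisation are assumptions about how the file is written.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a Samba smb.conf for the
# two settings that were tried as workarounds and that weaken LDAP transport
# security on an AD DC. Keys are matched case-insensitively with spacing
# around '=' ignored; text after '#' or ';' is treated as a comment.

# audit_smb_conf FILE  - prints one "WEAK:" line per weak setting found.
audit_smb_conf() {
    sed -e 's/[#;].*$//' -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | tr 'A-Z' 'a-z' \
    | while IFS= read -r line; do
        case "$line" in
            'ldap server require strong auth=no')
                echo "WEAK: unsigned/unsealed LDAP binds accepted (ldap server require strong auth = no)" ;;
            'tls verify peer=no_check')
                echo "WEAK: TLS peer certificate not verified (tls verify peer = no_check)" ;;
        esac
    done
    return 0
}

# Constructed sample configs so the script runs offline.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE2
    realm = EXAMPLE2.NET
    server role = active directory domain controller
    TLS Verify Peer = no_check       ; workaround tried in the thread
    ldap server require strong auth = No
EOF
cat >"$HARDENED_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE2
    realm = EXAMPLE2.NET
    server role = active directory domain controller
    tls verify peer = as_strict_as_possible
    ldap server require strong auth = yes
EOF

echo "== weak config =="; audit_smb_conf "$WEAK_CONF"
echo "== hardened config =="; audit_smb_conf "$HARDENED_CONF"
```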
On 11.06.2016 at 22:07, Andrew Bartlett wrote:
> On Fri, 2016-06-10 at 19:37 +0200, Stefan Kania wrote:
>> Hello everybody,
>>
>> since the patch for all the badlock bugs it is not possible to
>> access a Samba 4 ADDC-database with ldb-tools. Every time I try
>> it, I get the following error:
>

Thank you Andrew, I always thought ldaps is better than ldap with Kerberos, but you are right, the Kerberos principal is better checked than a self-signed certificate.

Now it is working with the following commands:

kinit administrator
ldbsearch -H ldap://addc.example.net "cb=administrator" -k yes

Thank you

Stefan

> ...
>
>> When I add:
>> ----------------------
>> tls verify peer = no_check
>> ----------------------
>> to smb.conf I will get the following error:
>>
>> root at addc-02:~# ldbsearch -H ldaps://addc-02.example2.net -U administrator
>> Password for [EXAMPLE2\administrator]:
>> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -
>> <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
>> Failed to connect to 'ldaps://addc-02.example2.net' with backend 'ldaps': (null)
>> Failed to connect to ldaps://addc-02.example2.net - (null)
>>
>> Only if I put the line
>> --------------
>> ldap server require strong auth = no
>> ---------------
>> to smb.conf, everything is working again. BUT as I understand these two parameters,
>> I will go back to the old behavior and a man in the middle attack is possible.
>>
>> Is there a solution to keep the security high AND still use the
>> ldb-tools? I couldn't find anything in any documentation.
>
> Just don't use ldaps://, instead use Kerberos (-k yes). I know it
> seems strange, but direct encryption with Kerberos is more secure
> than LDAP over SSL/TLS.
>
> Therefore, we only accept simple binds over ldaps:// by default.
>
> Andrew Bartlett
>

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps to reduce spam. Sign your e-mail.
Further information at http://www.gnupg.org
My key is available at hkp://subkeys.pgp.net