Hi! Rowland Penny via samba, on that day, was saying...

> I think that is what Andrew is trying to tell you, the printer needs to
> support SASL over TLS/SSL or it will never work. I don't think there is
> anything you can do, but I am surprised that the printer doesn't already
> support it, after all, it isn't something new ;-)

My confusion grows. ;-)

As stated in my previous email, the MFP printer works with this tshark dump:

AD, 'ldap server require strong auth = no'

  1 0.000000 10.5.1.202 -> 10.5.1.25 TCP 74 40258→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=121084503 TSecr=0 WS=16
  2 0.000019 10.5.1.25 -> 10.5.1.202 TCP 74 389→40258 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361924284 TSecr=121084503 WS=128
  3 0.000179 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=121084503 TSecr=361924284
  4 0.003849 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
  5 0.003857 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361924285 TSecr=121084504
  6 0.005388 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
  7 0.005536 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=121084504 TSecr=361924285
  8 0.023918 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2) "<ROOT>" baseObject
  9 0.024364 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2) "<ROOT>" | searchResDone(2) success
 10 0.063587 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=121084516 TSecr=361924290
 11 0.074684 10.5.1.202 -> 10.5.1.25 LDAP 1555 bindRequest(3) "<ROOT>" sasl
 12 0.074698 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361924302 TSecr=121084518
 13 0.079764 10.5.1.25 -> 10.5.1.202 LDAP 270 bindResponse(3) success
 14 0.079974 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=1621 Ack=372 Win=7984 Len=0 TSval=121084519 TSecr=361924304
 15 0.085792 10.5.1.202 -> 10.5.1.25 LDAP 402 searchRequest(4) "dc=ad,dc=fvg,dc=lnf,dc=it" wholeSubtree
 16 0.086364 10.5.1.25 -> 10.5.1.202 LDAP 574 searchResEntry(4) "CN=gaio,OU=Roaming,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it" | searchResRef(4) | searchResRef(4) | searchResRef(4) | se
 17 0.087354 10.5.1.202 -> 10.5.1.25 LDAP 73 unbindRequest(5)
 18 0.087401 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [FIN, ACK] Seq=1964 Ack=880 Win=9056 Len=0 TSval=121084520 TSecr=361924305
 19 0.087467 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [FIN, ACK] Seq=880 Ack=1965 Win=34944 Len=0 TSval=361924306 TSecr=121084520
 20 0.087621 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=1965 Ack=881 Win=9056 Len=0 TSval=121084520 TSecr=361924306

and clearly this is an example of SASL over PLAIN LDAP, no TLS nor SSL, because I can ''see'' the query (if it were TLS/SSL, I'd see the SSL/TLS handshake and then only 'data').

So it seems that my MFP uses plain SASL, and so I'm a bit confused about what 'sign and seal' means. ;)

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
  http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
  (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Fri, 11 May 2018 11:26:31 +0200 Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! Rowland Penny via samba, on that day, was saying...
> 
> > I think that is what Andrew is trying to tell you, the printer
> > needs to support SASL over TLS/SSL or it will never work. I don't
> > think there is anything you can do, but I am surprised that the
> > printer doesn't already support it, after all, it isn't something
> > new ;-)
> 
> My confusion grows. ;-)
> 
> As stated in my previous email, the MFP printer works with this tshark
> dump:
> 
> AD, 'ldap server require strong auth = no'
> 
> So it seems that my MFP uses plain SASL, and so I'm a bit confused about
> what 'sign and seal' means. ;)

Yes, it works because you have turned SSL off, and you want to make things a bit more secure; to do this, you need to turn SSL back on. If you do this, your printer will need to support SSL, but it sounds like it doesn't.

Rowland
Hi! Rowland Penny via samba, on that day, was saying...

> Yes, it works because you have turned SSL off, and you want to make
> things a bit more secure; to do this, you need to turn SSL back on. If
> you do this, your printer will need to support SSL, but it sounds like
> it doesn't.

Ahem... I was convinced that you and Andrew were speaking about Samba, and not about what the MFP manufacturer has done. ;(

Reading all the sentences from the correct perspective, all is now clear. Sorry. ;)

-- 
dott. Marco Gaiarin
On Fri, 2018-05-11 at 11:26 +0200, Marco Gaiarin via samba wrote:

> Hi! Rowland Penny via samba, on that day, was saying...
> 
> > I think that is what Andrew is trying to tell you, the printer needs to
> > support SASL over TLS/SSL or it will never work. I don't think there is
> > anything you can do, but I am surprised that the printer doesn't already
> > support it, after all, it isn't something new ;-)
> 
> My confusion grows. ;-)
> 
> As stated in my previous email, the MFP printer works with this tshark
> dump:
> 
> AD, 'ldap server require strong auth = no'
> 
> 11 0.074684 10.5.1.202 -> 10.5.1.25 LDAP 1555 bindRequest(3) "<ROOT>" sasl
> 12 0.074698 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361924302 TSecr=121084518
> 13 0.079764 10.5.1.25 -> 10.5.1.202 LDAP 270 bindResponse(3) success
> 
> and clearly this is an example of SASL over PLAIN LDAP, no TLS nor
> SSL, because I can ''see'' the query (if it were TLS/SSL, I'd see the
> SSL/TLS handshake and then only 'data').
> 
> So it seems that my MFP uses plain SASL, and so I'm a bit confused about
> what 'sign and seal' means. ;)

This is expected. What this means is that the MFP is sending the Kerberos ticket but not signing the subsequent connection. Such a ticket is vulnerable to theft and re-use, so we try not to allow that. Not as bad as simple binds without SSL, but not good either.

Allowing this over SSL falls on the same issue, because we don't trust that clients actually check their SSL certs, and because the theft could be in the reverse direction (from somewhere else).

The only real way to ensure a ticket belongs with this data session is if it is cryptographically bound to the session, by signing or encrypting (sealing) all the subsequent packets with it.

There is only one more 'out' we don't implement yet, which is 'channel bindings' between the SSL connection and the Kerberos packet, but I doubt the MFP is using that.

I hope this clarifies things,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
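To make the distinction Andrew draws visible in a capture, here is an added example (it is not part of the thread and not Samba code) that reads tshark summary lines like the ones Marco posted and gives each client conversation one verdict: a simple bind with a DN in clear, a SASL bind whose later operations are still decodable (the MFP's case: the ticket was sent but nothing binds it to the session), or a SASL bind followed by wrapped packets (signed or sealed). The sample capture is constructed: the 10.5.1.202 flow copies the MFP frames from the thread, the 10.5.1.77 and 10.5.1.90 flows are invented for contrast, and the "SASL GSS-API Privacy" / "Integrity" info strings are assumed to match Wireshark's LDAP dissector labelling. The notes map each verdict to the smb.conf(5) setting 'ldap server require strong auth' (values no, allow_sasl_over_tls, yes) as the manual page describes it.

```python
import re
from collections import defaultdict

# Constructed tshark-style summary, modeled on the dump in the thread.
# Flow 10.5.1.202 copies the MFP frames: anonymous simple bind to the rootDSE,
# then a SASL bind, then a searchRequest the dissector still decodes in clear.
# Flows 10.5.1.77 and 10.5.1.90 are invented for contrast; the
# "SASL GSS-API Privacy" info string is assumed to match Wireshark's labelling.
SAMPLE_CAPTURE = """\
  4 0.003849 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
  5 0.003857 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [ACK] Seq=1 Ack=15 Win=29056 Len=0
  6 0.005388 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
  8 0.023918 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2) "<ROOT>" baseObject
  9 0.024364 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2) "<ROOT>" | searchResDone(2) success
 11 0.074684 10.5.1.202 -> 10.5.1.25 LDAP 1555 bindRequest(3) "<ROOT>" sasl
 13 0.079764 10.5.1.25 -> 10.5.1.202 LDAP 270 bindResponse(3) success
 15 0.085792 10.5.1.202 -> 10.5.1.25 LDAP 402 searchRequest(4) "dc=ad,dc=fvg,dc=lnf,dc=it" wholeSubtree
 16 0.086364 10.5.1.25 -> 10.5.1.202 LDAP 574 searchResEntry(4) "CN=gaio,OU=Roaming,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it"
 17 0.087354 10.5.1.202 -> 10.5.1.25 LDAP 73 unbindRequest(5)
 21 1.100000 10.5.1.77 -> 10.5.1.25 LDAP 1490 bindRequest(1) "<ROOT>" sasl
 22 1.104000 10.5.1.25 -> 10.5.1.77 LDAP 260 bindResponse(1) success
 23 1.110000 10.5.1.77 -> 10.5.1.25 LDAP 402 SASL GSS-API Privacy: payload (320 bytes)
 24 1.112000 10.5.1.25 -> 10.5.1.77 LDAP 640 SASL GSS-API Privacy: payload (558 bytes)
 31 2.000000 10.5.1.90 -> 10.5.1.25 LDAP 120 bindRequest(1) "CN=scanner,OU=Service,DC=ad,DC=fvg,DC=lnf,DC=it" simple
 32 2.002000 10.5.1.25 -> 10.5.1.90 LDAP 80 bindResponse(1) success
 33 2.010000 10.5.1.90 -> 10.5.1.25 LDAP 200 searchRequest(2) "dc=ad,dc=fvg,dc=lnf,dc=it" wholeSubtree
"""

# frame, time, src -> dst, protocol, length, info (only LDAP frames are kept)
LINE_RE = re.compile(r'^\s*(\d+)\s+[\d.]+\s+(\S+) -> (\S+) LDAP \d+ (.*)$')

# Requests that carry directory data; one of these decoded in clear after a
# SASL bind means nothing is signed or sealed.
OPERATIONS = ('searchRequest', 'modifyRequest', 'addRequest', 'delRequest',
              'modDNRequest', 'compareRequest', 'extendedReq')


def parse_ldap_frames(text):
    """Return (frame, src, dst, info) for every LDAP frame in a tshark summary."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # TCP-only frames (SYN/ACK/FIN) do not match and are dropped
            num, src, dst, info = m.groups()
            frames.append((int(num), src, dst, info))
    return frames


def classify_flow(infos):
    """One verdict for a client<->server conversation, from its LDAP info strings in order."""
    sasl_bound = False
    for info in infos:
        if info.startswith('bindRequest'):
            if info.endswith(' sasl'):
                sasl_bound = True
            elif info.endswith(' simple') and not info.endswith('"<ROOT>" simple'):
                return 'simple-cleartext'   # DN and password on the wire
            continue                         # anonymous rootDSE bind: discovery only
        if info.startswith('SASL GSS-API Privacy'):
            return 'sasl-sealed'
        if info.startswith('SASL GSS-API Integrity'):
            return 'sasl-signed'
        if sasl_bound and info.startswith(OPERATIONS):
            return 'sasl-unprotected'        # ticket sent, later packets not bound to it
    return 'sasl-no-operations' if sasl_bound else 'anonymous-only'


def classify_capture(text, server_ip):
    """Group frames by client address and classify each conversation.

    Keying on the client IP assumes one connection per client, which holds for
    the constructed sample; a real capture should key on the full 4-tuple.
    """
    flows = defaultdict(list)
    for _num, src, dst, info in parse_ldap_frames(text):
        client = dst if src == server_ip else src
        flows[client].append(info)
    return {client: classify_flow(infos) for client, infos in flows.items()}


# How 'ldap server require strong auth' (smb.conf(5): no, allow_sasl_over_tls,
# yes) treats each case on a plain, non-TLS port 389 connection like these.
NOTES = {
    'simple-cleartext': 'DN and password in clear; with "yes", simple binds are accepted only over TLS',
    'sasl-unprotected': 'Kerberos ticket sent but the session is not signed/sealed, so the ticket '
                        'could be stolen and replayed; only "no" accepts this on a plain connection',
    'sasl-signed': 'each packet is integrity-protected with the session key: accepted by every setting',
    'sasl-sealed': 'packets are signed and encrypted: accepted by every setting',
    'sasl-no-operations': 'SASL bind with no later operation seen; capture too short to judge',
    'anonymous-only': 'anonymous rootDSE discovery only; no credential exposed',
}

if __name__ == '__main__':
    for client, verdict in classify_capture(SAMPLE_CAPTURE, '10.5.1.25').items():
        print(f'{client:<12} {verdict:<20} {NOTES[verdict]}')
```

Feed it the output of `tshark -r capture.pcap` (the same summary form as the dump above) with the DC's address as server_ip; any flow reported as 'sasl-unprotected' is exactly what 'ldap server require strong auth = yes' will start refusing, so it is a quick way to enumerate the printers and appliances that need fixing before the setting is changed.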
Hi! Andrew Bartlett via samba, on that day, was saying...

> I hope this clarifies things,

Super-clear! Thanks!

-- 
dott. Marco Gaiarin