I, perhaps amazingly, have FreeNAS working properly now.

One of the issues was that I needed to set
ldap server require strong auth = no
on the Samba DC.

So, what are the implications of doing that?
Does authentication happen over LDAP, or just user/group enumeration?
Is there a wiki page that covers that somewhere?
[And how does Windows not suffer from the same security issues, if it's obviously not using signed/sealed LDAP?]

TIA
-Greg
On Wed, 2018-06-13 at 10:06 -0700, Gregory Sloop via samba wrote:
> I, perhaps amazingly, have FreeNAS working properly now.
>
> One of the issues was that I needed to set ldap server require strong auth = no
> on the Samba DC.
>
> So, what are the implications of doing that?
> Does authentication happen over LDAP, or just user/group enumeration?

Yes, LDAP is often used by clients for authentication (often via a simple bind).

> Is there a wiki page that covers that somewhere?
> [And how does Windows not suffer from the same security issues, if it's obviously not using signed/sealed LDAP?]

In short, it does.

Andrew Bartlett

--
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org
Samba Developer, Catalyst IT           http://catalyst.net.nz/services/samba
ABvs> On Wed, 2018-06-13 at 10:06 -0700, Gregory Sloop via samba wrote:
>> I, perhaps amazingly, have FreeNAS working properly now.
>> One of the issues was that I needed to set ldap server require strong auth = no
>> on the Samba DC.
>> So, what are the implications of doing that?
>> Does authentication happen over LDAP, or just user/group enumeration?
ABvs> Yes, LDAP is often used by clients for authentication (often via a
ABvs> simple bind)
>> Is there a wiki page that covers that somewhere?
>> [And how does Windows not suffer from the same security issues, if it's obviously not using signed/sealed LDAP?]
ABvs> In short, it does.

So, does that generally mean that if one was fine with the risks involved in using Windows across the LAN, there would be no additional security exposure in doing the "same thing" with Samba and no LDAP sign/sealing? [Or is it more complicated than that?]

Perhaps related: Are things more secure with Windows clients only? [i.e. avoiding doing pure LDAP from non-Windows clients.]
[I've got some vague notion of how Windows clients handle things - but perhaps I ought to add some more actual knowledge to that vague collection.]

Can someone point me to some good place to start reading to grok the big picture?

-Greg
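Andrew's answer above (clients authenticate over LDAP, commonly with a simple bind) and Greg's follow-up about what running without LDAP sign/sealing actually exposes can be made concrete with a short script. The following is an added example written for this page; it is not Samba code and not from either poster. It BER-encodes an LDAPv3 BindRequest the way a client does, shows what a passive observer on an unencrypted tcp/389 session recovers from a simple bind versus a SASL bind, and models the accept/reject decision a Samba DC makes for each of the three values of "ldap server require strong auth" (yes, allow_sasl_over_tls, no) as described in smb.conf(5). The DN, password, SASL token and the diagnostic strings are constructed for the example; the strongerAuthRequired result code (8) and the tag values are from RFC 4511 and X.690.

```python
"""LDAPv3 simple vs. SASL bind on the wire, and the Samba DC's
'ldap server require strong auth' decision.  Added example, not Samba code.

smb.conf [global] values modelled below (see smb.conf(5)):
    ldap server require strong auth = yes                  # the default
    ldap server require strong auth = allow_sasl_over_tls
    ldap server require strong auth = no                   # what the poster set
"""

# BER/LDAP tags (X.690, RFC 4511)
TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED, TAG_SEQUENCE = 0x02, 0x04, 0x0A, 0x30
TAG_BIND_REQUEST, TAG_BIND_RESPONSE = 0x60, 0x61      # [APPLICATION 0] / [APPLICATION 1]
TAG_AUTH_SIMPLE, TAG_AUTH_SASL = 0x80, 0xA3           # AuthenticationChoice [0] / [3]
RESULT_SUCCESS, RESULT_STRONGER_AUTH_REQUIRED = 0, 8  # LDAP resultCode values

def ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(tag, value):
    """Non-negative INTEGER/ENUMERATED, sign bit kept clear."""
    return tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def read_tlv(buf, pos=0):
    """Return (tag, body, position just past this element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_simple_bind(msg_id, dn, password):
    """BindRequest, AuthenticationChoice 'simple': the password is a plain OCTET STRING."""
    op = tlv(TAG_BIND_REQUEST, ber_int(TAG_INTEGER, 3) + tlv(TAG_OCTET_STRING, dn.encode())
             + tlv(TAG_AUTH_SIMPLE, password.encode()))
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, msg_id) + op)

def encode_sasl_bind(msg_id, mechanism, token):
    """BindRequest, AuthenticationChoice 'sasl' (e.g. GSS-SPNEGO carrying a Kerberos ticket)."""
    creds = tlv(TAG_OCTET_STRING, mechanism.encode()) + tlv(TAG_OCTET_STRING, token)
    op = tlv(TAG_BIND_REQUEST, ber_int(TAG_INTEGER, 3) + tlv(TAG_OCTET_STRING, b"")
             + tlv(TAG_AUTH_SASL, creds))
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, msg_id) + op)

def encode_bind_response(msg_id, result_code, diagnostic=""):
    """BindResponse: resultCode, empty matchedDN, diagnosticMessage."""
    op = tlv(TAG_BIND_RESPONSE, ber_int(TAG_ENUMERATED, result_code)
             + tlv(TAG_OCTET_STRING, b"") + tlv(TAG_OCTET_STRING, diagnostic.encode()))
    return tlv(TAG_SEQUENCE, ber_int(TAG_INTEGER, msg_id) + op)

def sniff_bind(packet):
    """What a passive observer of an unencrypted tcp/389 session learns from one BindRequest."""
    _, msg, _ = read_tlv(packet)           # LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg)              # messageID
    tag, op, _ = read_tlv(msg, pos)        # protocolOp
    if tag != TAG_BIND_REQUEST:
        return None
    _, _, pos = read_tlv(op)               # version
    _, name, pos = read_tlv(op, pos)       # name (LDAPDN)
    atag, auth, _ = read_tlv(op, pos)      # authentication
    if atag == TAG_AUTH_SIMPLE:
        return {"kind": "simple", "dn": name.decode(), "password": auth.decode()}
    if atag == TAG_AUTH_SASL:
        return {"kind": "sasl", "mechanism": read_tlv(auth)[1].decode(), "password": None}
    return {"kind": "unknown"}

def dc_bind_result(setting, bind_kind, tls, sasl_signed_or_sealed=False):
    """DC-side check per the smb.conf(5) text for the three values.
    Returns (resultCode, diagnostic); the diagnostic wording is illustrative, not Samba's."""
    setting = setting.lower()
    if bind_kind == "simple":
        if tls or setting == "no":
            return RESULT_SUCCESS, ""      # password now goes on to the normal credential check
        return RESULT_STRONGER_AUTH_REQUIRED, "simple bind: transport encryption required"
    if sasl_signed_or_sealed or setting == "no":
        return RESULT_SUCCESS, ""
    if tls and setting == "allow_sasl_over_tls":
        return RESULT_SUCCESS, ""
    return RESULT_STRONGER_AUTH_REQUIRED, "SASL bind: sign or seal required"

def exchange(setting, tls, request, sasl_signed_or_sealed=False):
    """One bind round trip: (what a sniffer saw, resultCode, encoded BindResponse)."""
    seen = sniff_bind(request)
    code, diag = dc_bind_result(setting, seen["kind"], tls, sasl_signed_or_sealed)
    return seen, code, encode_bind_response(1, code, diag)

if __name__ == "__main__":
    # Constructed sample credentials and token, not real ones.
    simple = encode_simple_bind(1, "CN=greg,CN=Users,DC=example,DC=com", "Hunter2!")
    sasl = encode_sasl_bind(1, "GSS-SPNEGO", b"<constructed GSS-SPNEGO token>")
    for setting in ("yes", "allow_sasl_over_tls", "no"):
        for label, req, tls in (("simple/ldap://", simple, False),
                                ("simple/ldaps://", simple, True),
                                ("sasl/ldap://", sasl, False)):
            seen, code, _ = exchange(setting, tls, req)
            on_wire = None if tls else seen["password"]   # TLS hides the bind from the observer
            print(f"{setting:20} {label:16} resultCode={code}  password on wire={on_wire!r}")
```

Running it prints the point behind Andrew's one-line answers: with "no", a simple bind over plain ldap:// is accepted and the password was readable to anyone on the path; with the default "yes" the same bind is refused with strongerAuthRequired (8), so the client has to use ldaps://, StartTLS, or a Kerberos/GSSAPI bind with signing or sealing. The "allow_sasl_over_tls" value sits between the two: it still refuses a cleartext simple bind, but lets a SASL bind skip sign/seal when TLS is already protecting the connection. Whether a given client (FreeNAS or anything else) does simple binds, and over which transport, is something to confirm on that client rather than assume.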