samba - Jun 2022 - GPO on a DC

On Fri, 2022-06-24 at 17:00 +0000, samba-ml-en wrote:
> They talk about AD talk (Dc to DC) (where as I mentioned - there is
> some reading too on the web on the topic) anyway AD needs LDAP to
> work and such traffic will always use LDAP (replication etc...).
> LDAPS' use in my project would be for an application where you would
> want traffic encrypted because no other mean to protect the traffic
> in transit is available. Anyway, I gather that when you set tls
> enabled=yes
> samba (or samba-gpupdate) tries to use LDAPS (connect to LDAP and
> server redirect to LDAPS) whereas this should be at the clients
> request. Again my understanding....
I am no expert here, but my understanding is that if you use ldapsearch
or ldbsearch with kerberos (its called GSSAPI by ldapsearch), then the
data is encrypted end to end just like ldaps.

Windows was going to enforce ldaps, but, unless I missed it, it has
never happened, doesn't this tell you something ?

If I am getting this wrong, I am sure Andrew will put me right.

Rowland

Please do not 'CC' me, just send posts to the lists.

Rowland,

Like in my code
 pwd="$(printf "%s" "$1" | cut -f 2 -d
"%")"
 printf "%s" "$pwd" | kinit  "$(printf "%s"
"$1" | cut -f 2 -d "\\" | cut -f 1 -d "%")"
> /dev/null 2>&1
 lines="$(ldapsearch -b
"CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=ad2,DC=domain,DC=eu"
-H ldap://localhost | grep adminContextMenu | cut -f 2 -d ":" | cut -f
1 -d ",")"
 kdestroy

but it means you need to have kerberos and integrate it in the application. One
example pfsense user manager (auth firewall users, or vpn users if you want too)

host:tristsnpa43.ad2.domain.eu
port:636 for example or 389 for ldap
transport: SSL/TLS or cleartext (if I remove TLS form smb.conf........ well
clear text, with hashes on the wire)
> I am no expert here, but my understanding is that if you use ldapsearch
> or ldbsearch with kerberos (its called GSSAPI by ldapsearch), then the
> data is encrypted end to end just like ldaps.
Yes what I was saying, a bit like smtp :-)
> Windows was going to enforce ldaps, but, unless I missed it, it has
> never happened, doesn't this tell you something ?

Sorry, you get both, old habit, just in case you need to reply in private.
> Please do not 'CC' me, just send posts to the lists.
Wish you a great evening and I hope we find out a cause for the problem I have
with GPOs, ldap/ldaps is probably another issue with samba.


Eric