On Thu, 2021-11-25 at 17:02 -0300, Marcos Ariel Negrini via samba wrote:
> 1- The LDAP port (389) is obviously not encrypted, I was looking for
> information about the possibility of disabling it on the internal
> network (the workstation network), but I read on several sites that this
> is not suitable. Can I force all the LDAP communication against the
> servers to be LDAPS?

You don't want that. LDAPS is actually less secure, you want LDAP (389) with SASL/GSSAPI/Kerberos encryption.

Blocking 389 will break everything. LDAPS is only helpful for the simple bind case, where that is better than plaintext.

See 'ldap server require strong auth' for some details, but in short because Samba doesn't implement the channel bindings for LDAPS, and unless all clients send them, NTLM/Kerberos over LDAPS is vulnerable to relay attacks.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
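A small audit script for the setting Andrew points at. This is an added example, not code from the thread or from Samba itself: it reads the [global] section of an smb.conf excerpt, looks up 'ldap server require strong auth', and lists which bind types that value still accepts, so the difference between "LDAPS only" and "LDAP on 389 with GSSAPI sign/seal" is visible. The two config excerpts are constructed, the acceptance table is my summary of the smb.conf(5) description of the parameter, and the default of "yes" when the option is absent is an assumption about Samba 4.x; check both against the man page for your release.

```python
"""Audit 'ldap server require strong auth' in an smb.conf [global] section.

Added example, not Samba's own code. Parses a minimal smb.conf, reads the
parameter and reports which LDAP bind types that value accepts.
"""

# Constructed smb.conf excerpts (not taken from the thread).
WEAK_CONF = """\
[global]
workgroup = EXAMPLE
realm = EXAMPLE.LOCAL
server role = active directory domain controller
; weak: cleartext simple binds and unsigned SASL binds are accepted
ldap server require strong auth = no
"""

HARDENED_CONF = """\
[global]
workgroup = EXAMPLE
realm = EXAMPLE.LOCAL
server role = active directory domain controller
ldap server require strong auth = yes
"""

# Bind types a domain controller may receive.
SIMPLE_CLEAR = "simple bind on cleartext LDAP (389)"
SIMPLE_TLS = "simple bind over TLS (LDAPS 636 / StartTLS)"
SASL_CLEAR_UNSIGNED = "SASL (GSSAPI/NTLM) bind without sign/seal on cleartext LDAP"
SASL_TLS = "SASL (GSSAPI/NTLM) bind over TLS (no channel bindings)"
SASL_SIGNSEAL = "SASL (GSSAPI) bind with sign/seal on LDAP (389)"

# Which bind types each documented value accepts. Assumption: this is my
# reading of smb.conf(5); the semantics have been refined across releases.
POLICY = {
    "no": {SIMPLE_CLEAR: True, SIMPLE_TLS: True, SASL_CLEAR_UNSIGNED: True,
           SASL_TLS: True, SASL_SIGNSEAL: True},
    "allow_sasl_over_tls": {SIMPLE_CLEAR: False, SIMPLE_TLS: True,
                            SASL_CLEAR_UNSIGNED: False, SASL_TLS: True,
                            SASL_SIGNSEAL: True},
    "yes": {SIMPLE_CLEAR: False, SIMPLE_TLS: True, SASL_CLEAR_UNSIGNED: False,
            SASL_TLS: False, SASL_SIGNSEAL: True},
}

# Bind types that either send credentials in the clear or, per the thread,
# are relayable because LDAPS carries no channel bindings.
RISKY = {SIMPLE_CLEAR, SASL_CLEAR_UNSIGNED, SASL_TLS}


def parse_global(conf_text):
    """Minimal smb.conf reader: returns [global] options with lower-cased keys."""
    section = None
    options = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            options[key.strip().lower()] = value.strip()
    return options


def strong_auth_value(conf_text):
    """Value of 'ldap server require strong auth'; assumption: Samba 4.x defaults to 'yes'."""
    return parse_global(conf_text).get("ldap server require strong auth", "yes").lower()


def audit(conf_text):
    """Return the configured value, the accepted bind types and whether any risky one remains."""
    value = strong_auth_value(conf_text)
    if value not in POLICY:
        raise ValueError(f"unknown value for 'ldap server require strong auth': {value!r}")
    accepted = [bind for bind, ok in POLICY[value].items() if ok]
    risky = [bind for bind in accepted if bind in RISKY]
    return {"value": value, "accepted": accepted,
            "risky_accepted": risky, "hardened": not risky}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit(conf)
        print(f"{name}: ldap server require strong auth = {result['value']}")
        for bind in result["accepted"]:
            flag = "RISK" if bind in result["risky_accepted"] else "ok  "
            print(f"  {flag} {bind}")
```

Note that 'allow_sasl_over_tls' still reports a risky bind type: it admits the GSSAPI/NTLM-over-LDAPS case that Andrew describes, which is why 'yes' plus clients doing GSSAPI sign/seal on 389 is the target configuration.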
Hi... thanks Andrew, I will read about SASL/GSSAPI/Kerberos.

Regarding question 2, is it possible to disable deprecated versions of TLS?

Regards

On 26/11/21 at 01:09, Andrew Bartlett wrote:
> On Thu, 2021-11-25 at 17:02 -0300, Marcos Ariel Negrini via samba
> wrote:
>> 1- The LDAP port (389) is obviously not encrypted, I was looking for
>> information about the possibility of disabling it on the internal
>> network (the workstation network), but I read on several sites that this
>> is not suitable. Can I force all the LDAP communication against the
>> servers to be LDAPS?
> You don't want that. LDAPS is actually less secure, you want LDAP
> (389) with SASL/GSSAPI/Kerberos encryption.
>
> Blocking 389 will break everything. LDAPS is only helpful for the
> simple bind case, where that is better than plaintext.
>
> See 'ldap server require strong auth' for some details, but in short
> because Samba doesn't implement the channel bindings for LDAPS, and
> unless all clients send them, NTLM/Kerberos over LDAPS is vulnerable to
> relay attacks.
>
> Andrew Bartlett
>