Hi,

We have a samba installation (4.17.5) where a winbindd is part of an AD domain and used to authenticate radius (radiator) logins.

The thing is, the AD administration is closing port 386 on the password server and only allowing requests on 636 (ldaps).

I don't seem to be able to change the winbindd to use the ldaps port. Tried

    ldap ssl = start tls
    ldap ssl ads = yes
    tls enabled = yes

but both the net join and the ntlm_auth go to port 386 and will cease to work as soon as that is disabled.

Winbindd only works on 389 or am I missing something?

Thank you.
On 08/03/2023 12:58, jose.celestino--- via samba wrote:
> Hi,
>
> We have a samba installation (4.17.5) where a winbindd is part of an
> AD domain and used to authenticate radius (radiator) logins.
>
> The thing is, the AD administration is closing port 386 on the
> password server and only allowing requests on 636 (ldaps).
>
> I don't seem to be able to change the winbindd to use the ldaps port. Tried
>
> ldap ssl = start tls
> ldap ssl ads = yes
> tls enabled = yes
>
> but both the net join and the ntlm_auth go to port 386 and will cease
> to work as soon as that is disabled.
>
> Winbindd only works on 389 or am I missing something?
>
> Thank you.

If I remember correctly (and someone will surely put me right if I don't remember correctly), winbind doesn't use ldap, it uses RPC. Unless you are using an old NT4-style domain based on ldap, you probably will not notice any difference.

The other thing is, I thought that a lot of the ldap calls on AD start off on port 389 and get 'ported' to 636.

Rowland
On Wed, 2023-03-08 at 12:58 +0000, jose.celestino--- via samba wrote:
> Hi,
>
> We have a samba installation (4.17.5) where a winbindd is part of an
> AD domain and used to authenticate radius (radiator) logins.
>
> The thing is, the AD administration is closing port 386 on the
> password server and only allowing requests on 636 (ldaps).
>
> I don't seem to be able to change the winbindd to use the ldaps port.
> Tried
>
> ldap ssl = start tls
> ldap ssl ads = yes
> tls enabled = yes
>
> but both the net join and the ntlm_auth go to port 386 and will cease
> to work as soon as that is disabled.

This won't work, for the cases where LDAP is used. This is typically for idmap_ad operations and similar.

Samba uses, just as Windows clients do, a Kerberos secured connection on port 389, when it contacts the AD DC.

In the past efforts were made to allow connections wrapped with TLS safely, but this was abandoned. There are a number of issues, in particular the need to implement 'channel bindings', to tie our inner Kerberos authentication to the outer TLS tunnel.

If this is absolutely critical, then a development effort could be started to finish that work.

The removal is here: https://bugzilla.samba.org/show_bug.cgi?id=14462

Sorry,

Andrew Bartlett

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst.Net Limited
Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions