Andrea Cucciarre
2024-May-17 08:27 UTC
[Samba] Setting up Samba as a Domain Member when AD DC is set to enforced LDAP Signing
Hello,

I have configured a Samba server (Version 4.15.13-Ubuntu) as an Active Directory domain member, and it joined successfully to the domain and it's working fine. I have used the following Samba wiki:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

Now, my customer decided to enforce the LDAP signing in the Active Directory DC.
I can't find any specific setting for that in the wiki or in the smb.conf man page for my scenario where Samba is not a DC.
So does a Samba Domain Member need some special (different from default) setting when LDAP signing is enforced in the Active Directory DC?

Thanks
Andrea
Rowland Penny
2024-May-17 10:47 UTC
[Samba] Setting up Samba as a Domain Member when AD DC is set to enforced LDAP Signing
On Fri, 17 May 2024 10:27:12 +0200 Andrea Cucciarre via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I have configured a Samba server (Version 4.15.13-Ubuntu) as an Active
> Directory domain member, and it joined successfully to the domain and
> it's working fine, I have used the following Samba wiki:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Now, my customer decided to enforce the LDAP signing in the Active
> Directory DC.
> I can't find any specific setting for that in the wiki or in the
> smb.conf man page for my scenario where Samba is not a DC.
> So does a Samba Domain Member need some special (different from
> default) setting when LDAP signing is enforced in the Active
> Directory DC?
>
> Thanks
> Andrea

I don't think there is anything you can set on a Samba Unix domain member, it will have little or nothing to do with any arbitrary ldap searches run on it.

You might like to read this:

https://wiki.samba.org/index.php/Hardening_Samba_as_an_AD_DC

Where it says this:

Microsoft has chosen a different path to addressing this issue, and instead would like AD clients to include a session-specific value in the NTLMv2 response, known as channel binding. Samba doesn't set this as a client nor does it check this as a server, at this time.

I know that doesn't directly have to do with ldap, but I hope it points you in the right direction: whatever ldap searches or modifications you do, they must be done securely.

Rowland
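Added example, not part of the thread and not code from the Samba project: a small audit script for the one smb.conf(5) parameter that governs how a Samba domain member's own LDAP traffic to the DC (winbind, `net ads`) is protected, `client ldap sasl wrapping`, whose documented values are `plain`, `sign` and `seal`. The script shows a constructed weak config (`plain`, which a DC that enforces LDAP signing will reject) beside the corrected one (`seal`), reads the effective value with `testparm` when Samba is installed and otherwise by parsing the file, and offers a live `net ads testjoin` check for use on the joined member. The assumption that an unset parameter means `seal` reflects the default in current Samba releases; confirm it on your own build with `testparm`. Channel binding, which Rowland's quote refers to, is a separate DC-side policy that this parameter does not address.

```shell
#!/bin/sh
# Audit the LDAP wrapping a Samba domain member uses toward its AD DC.
# Assumption (not from the thread): "client ldap sasl wrapping" in smb.conf
# selects plain | sign | seal for the member's SASL/GSSAPI LDAP binds.

# Print the effective "client ldap sasl wrapping" for a given smb.conf.
# Uses testparm when present; otherwise parses the file so the audit can run
# on a config copied off the box (the offline path used in this demo).
client_ldap_wrapping() {
    conf="$1"
    if command -v testparm >/dev/null 2>&1; then
        testparm -s --parameter-name='client ldap sasl wrapping' "$conf" 2>/dev/null
        return
    fi
    val=$(sed -n 's/^[[:space:]]*client[[:space:]]ldap[[:space:]]sasl[[:space:]]wrapping[[:space:]]*=[[:space:]]*//p' "$conf" \
          | tail -n 1 | tr 'A-Z' 'a-z')
    # Unset means the built-in default, "seal" in current releases
    # (assumption; confirm with testparm on your build).
    printf '%s\n' "${val:-seal}"
}

# Exit 0 if the wrapping satisfies a DC that enforces LDAP signing,
# 1 if the member would send plain (unsigned) LDAP and be rejected.
wrapping_acceptable() {
    case "$(client_ldap_wrapping "$1")" in
        sign|seal) return 0 ;;
        *)         return 1 ;;
    esac
}

# Live check, only meaningful on the joined member with Samba installed:
# net ads testjoin binds to the DC over LDAP with the machine account.
live_check() {
    if ! command -v net >/dev/null 2>&1; then
        echo "net(8) not installed; skipping live check"
        return 0
    fi
    net ads testjoin
}

# Constructed sample configs (illustrative, not real files from the thread).
weak=$(mktemp); good=$(mktemp); unset_conf=$(mktemp)
trap 'rm -f "$weak" "$good" "$unset_conf"' EXIT

cat >"$weak" <<'EOF'
[global]
   security = ADS
   realm = EXAMPLE.COM
   workgroup = EXAMPLE
   client ldap sasl wrapping = plain
EOF

cat >"$good" <<'EOF'
[global]
   security = ADS
   realm = EXAMPLE.COM
   workgroup = EXAMPLE
   client ldap sasl wrapping = seal
EOF

cat >"$unset_conf" <<'EOF'
[global]
   security = ADS
   realm = EXAMPLE.COM
   workgroup = EXAMPLE
EOF

for f in "$weak" "$good" "$unset_conf"; do
    if wrapping_acceptable "$f"; then
        echo "$f: client ldap sasl wrapping = $(client_ldap_wrapping "$f") -> OK for enforced signing"
    else
        echo "$f: client ldap sasl wrapping = $(client_ldap_wrapping "$f") -> will be rejected by a signing-enforcing DC"
    fi
done
```

Run it as-is to see the three verdicts; on the joined member, call `live_check` after the audit to confirm the DC still accepts the machine-account bind once signing is enforced. Note that `testparm` reports the effective value after defaults are applied, which is why the script prefers it over reading the file.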