hi,

first of all - I am very sorry if this topic turned up in the mailing list before - I really did have a look at the archive and couldn't find anything like it.

Here's the problem. I set up an idmapping using the rid facility. It is working smoothly. I do have a question though. I logged some packets and realized the ldap queries are not encrypted. I wonder why, since all the requirements for a successful encryption are given. I do have a computer account in the Active Directory. I can see a TGS-REQ, and TGS-REP is fine too. In fact ldap even asks for available SASL mechanisms. After some negotiation it _successfully_ binds using GSS SPNEGO. But.. even after this successfully established encrypted bind it keeps querying in plain text. Is there anything I can do about it?

For testing purposes I set "sasl_mech gssapi" in my ldap.conf but that didn't have any impact at all.

regards,
Roman
Gerald (Jerry) Carter
2006-Jan-27 12:43 UTC
[Samba] ldap not using kerberos (winbind rid idmap)
Roman Sommer wrote:
> too. In fact ldap even asks for available SASL mechanisms.
> After some negotiation it _successfully_ binds using GSS SPNEGO.
> But.. even after this successfully established encrypted bind it
> keeps querying in plain text. Is there anything I can do about it?

Try using the StartTLS support for Windows 2003 in Samba 3.0.21 and later.

cheers, jerry
====================================================================
I live in a Reply-to-All world.
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
thanks for your reply. I was more thinking in terms of "how to kerberize ldap queries" rather than how to enable SSL/TLS :) Or is this setting supposed to enable spnego encrypted queries?

regards,
Roman

Gerald (Jerry) Carter wrote:
> Roman Sommer wrote:
>
>>> too. In fact ldap even asks for available SASL mechanisms.
>>> After some negotiation it _successfully_ binds using GSS SPNEGO.
>>> But.. even after this successfully established encrypted bind it
>>> keeps querying in plain text. Is there anything I can do about it?
>
> Try using the StartTLS support for Windows 2003 in Samba 3.0.21
> and later.
>
> cheers, jerry
On Tue, 2006-01-24 at 13:51 +0100, Roman Sommer wrote:
> hi,
>
> first of all - I am very sorry if this topic turned up in the mailing list
> before - I really did have a look at the archive and couldn't find anything
> like it.
>
> Here's the problem. I set up an idmapping using the rid facility. It is
> working smoothly. I do have a question though. I logged some packets and
> realized the ldap queries are not encrypted. I wonder why since all the
> requirements for a successful encryption are given. I do have a computer
> account in the Active Directory.. I can see a TGS-REQ and TGS-REP is fine
> too. In fact ldap even asks for available SASL mechanisms. After some
> negotiation it _successfully_ binds using GSS SPNEGO. But.. even after this
> successfully established encrypted bind it keeps querying in plain text. Is
> there anything I can do about it?

No for GSSAPI encryption. Samba3 only manages to use GSSAPI for the authentication step (and even then, we munge up the GSSAPI...). There is an option to force on TLS (SSL), but your domain must support it.

> For testing purposes I set "sasl_mech gssapi" in my ldap.conf but that
> didn't have any impact at all.

No, we don't consult that parameter.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
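The distinction Andrew draws above (GSSAPI used only for the bind, no SASL security layer afterwards) is exactly what shows up in Roman's packet log: after the GSS-SPNEGO BindResponse, every SearchRequest on the wire is still a plain BER-encoded LDAPMessage, so base DNs, filters and attribute names are readable by anyone on the path. The script below is an added example, not code from the thread or from Samba. It takes the TCP payload of one post-bind LDAP message and reports whether it is cleartext LDAP (and if so, what a sniffer learns from it) or a SASL-wrapped buffer, which is what you would see if a client had negotiated a GSSAPI confidentiality layer (RFC 4422 section 3.7: a four-byte big-endian length prefix in front of each protected buffer). The sample SearchRequest and the opaque GSS token bytes are constructed here so that it runs offline; the DN, attribute and value in them are invented.

```python
"""Classify a post-bind LDAP TCP payload: cleartext LDAPMessage or SASL-wrapped buffer.

Added example for the Samba thread above; not part of Samba. The LDAP
SearchRequest encoding follows RFC 4511 (BER, [APPLICATION 3]). The sample
messages built at the bottom are constructed for this demo.
"""
import struct

# ---- minimal BER encoder, used only to build the constructed sample ----

def ber_len(n: int) -> bytes:
    """Encode a BER length (short form < 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def ber_octets(s: str) -> bytes:
    return tlv(0x04, s.encode())

def ber_enum(v: int) -> bytes:
    return tlv(0x0A, bytes([v]))

def ber_bool(v: bool) -> bytes:
    return tlv(0x01, b"\xff" if v else b"\x00")

def build_search_request(msg_id: int, base_dn: str, attr: str, value: str, wanted: list) -> bytes:
    """Constructed sample: LDAPMessage { messageID, SearchRequest } with an equalityMatch filter."""
    flt = tlv(0xA3, ber_octets(attr) + ber_octets(value))        # Filter CHOICE [3] equalityMatch
    attrs = tlv(0x30, b"".join(ber_octets(a) for a in wanted))    # AttributeSelection
    op = tlv(0x63,                                                # [APPLICATION 3] SearchRequest
             ber_octets(base_dn) + ber_enum(2) + ber_enum(0)      # baseObject, scope=wholeSubtree, derefAliases=never
             + ber_int(0) + ber_int(0) + ber_bool(False)          # sizeLimit, timeLimit, typesOnly
             + flt + attrs)
    return tlv(0x30, ber_int(msg_id) + op)

# ---- decoder / classifier ----

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length

def decode_filter(buf: bytes, tag: int, start: int, end: int) -> str:
    """Render the common filter choices as an LDAP filter string."""
    if tag == 0xA3:                                   # equalityMatch
        _, a0, a1 = read_tlv(buf, start)
        _, v0, v1 = read_tlv(buf, a1)
        return "(%s=%s)" % (buf[a0:a1].decode(), buf[v0:v1].decode())
    if tag == 0x87:                                   # present
        return "(%s=*)" % buf[start:end].decode()
    if tag in (0xA0, 0xA1):                           # and / or
        parts, pos = [], start
        while pos < end:
            t, s, e = read_tlv(buf, pos)
            parts.append(decode_filter(buf, t, s, e))
            pos = e
        return "(%s%s)" % ("&" if tag == 0xA0 else "|", "".join(parts))
    return "(?tag=%#x)" % tag

LDAP_OPS = {0x60: "BindRequest", 0x61: "BindResponse", 0x63: "SearchRequest",
            0x64: "SearchResultEntry", 0x65: "SearchResultDone",
            0x77: "ExtendedRequest", 0x78: "ExtendedResponse"}

def classify(payload: bytes) -> dict:
    """Cleartext LDAP starts with a BER SEQUENCE (0x30); a SASL security-layer buffer
    starts with a 4-byte length that covers the rest of the buffer (RFC 4422 s3.7).
    A real SASL length byte of 0x30 would mean a >768 MiB buffer, so the 0x30 test is safe."""
    if len(payload) >= 4 and payload[0] != 0x30:
        n = struct.unpack(">I", payload[:4])[0]
        if n == len(payload) - 4:
            return {"kind": "sasl-wrapped", "len": n}   # contents opaque to a sniffer
    if not payload or payload[0] != 0x30:
        return {"kind": "unknown"}
    _, start, _ = read_tlv(payload, 0)
    _, i0, i1 = read_tlv(payload, start)
    op_tag, op0, _ = read_tlv(payload, i1)
    info = {"kind": "cleartext-ldap",
            "message_id": int.from_bytes(payload[i0:i1], "big", signed=True),
            "op": LDAP_OPS.get(op_tag, hex(op_tag))}
    if op_tag == 0x63:                                # SearchRequest: everything is readable
        _, b0, b1 = read_tlv(payload, op0)
        info["base_dn"] = payload[b0:b1].decode()
        pos = b1
        for _ in range(5):                            # skip scope, derefAliases, sizeLimit, timeLimit, typesOnly
            _, _, pos = read_tlv(payload, pos)
        ftag, f0, f1 = read_tlv(payload, pos)
        info["filter"] = decode_filter(payload, ftag, f0, f1)
    return info

# Constructed samples (invented DN / attribute / value; GSS token bytes are filler).
CLEAR_SAMPLE = build_search_request(3, "DC=example,DC=com", "sAMAccountName", "alice", ["objectSid"])
_GSS_TOKEN = b"\x05\x04\x02\xff\x00\x00\x00\x00" + b"\x00" * 8 + bytes(range(32))
SASL_SAMPLE = struct.pack(">I", len(_GSS_TOKEN)) + _GSS_TOKEN

if __name__ == "__main__":
    print(classify(CLEAR_SAMPLE))   # cleartext-ldap, SearchRequest, base DN and filter visible
    print(classify(SASL_SAMPLE))    # sasl-wrapped, only the length is visible
```

Feed it the TCP payload of the first message after the BindResponse (for example from a tcpdump/tshark capture of port 389) and it tells you which of the two cases you are in. For the Samba 3 winbind client in this thread the answer is the first one, which is why the only remedies on offer are transport protection (Jerry's StartTLS pointer) rather than anything in ldap.conf. As a cross-check from a different client, OpenLDAP's ldapsearch with -Y GSSAPI and a SASL security property such as -O minssf=56 will refuse to proceed unless a security layer is actually negotiated, so the same capture against it shows the wrapped form.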