That's too bad, I was trying to get the Vasco Identikey server working with samba4 as a backend for FIPS 140-2 compliant OTP, which will only bind with DIGEST-MD5. I guess I will have to join a Windows 2008 R2 to the domain as a domain controller.

Thanks for clarifying,
Arthur

On 07/10/2015 04:38 AM, Andrew Bartlett wrote:
> On Tue, 2015-07-07 at 15:10 -0500, Arthur Ramsey wrote:
>> I've googled and I believe that SASL method DIGEST-MD5 is supported and
>> I see it in the samba startup, but it doesn't work.
>>
>> ldapsearch -Y DIGEST-MD5 -h dc03.mediture.dom
>> SASL/DIGEST-MD5 authentication started
>> ldap_sasl_interactive_bind_s: Operations error (1)
>> additional info: SASL:[DIGEST-MD5]: Failed to start authentication backend: NT_STATUS_INVALID_PARAMETER
>>
>> [root@dc03 ~]# samba -i -M single -d3
>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>> samba version 4.2.0 started.
>> Copyright Andrew Tridgell and the Samba Team 1992-2014
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'sasl-DIGEST-MD5' registered
>> [...]
>> Failed to start GENSEC SASL[DIGEST-MD5] server code: NT_STATUS_INVALID_PARAMETER
>>
>> I'm using samba 4.2.0 compiled from source using standard configuration
>> options. Is there something I'm missing e.g. build dependency, runtime
>> dependency, build option or configuration?
> I'm sorry for the confusion. For Samba 4.3 DIGEST-MD5 has been removed,
> it never worked as a client or as server. You will need to use NTLM or
> Kerberos.
>
> Andrew Bartlett
On Fri, 2015-07-10 at 11:45 -0500, Arthur Ramsey wrote:
> That's too bad, I was trying to get the Vasco Identikey server working
> with samba4 as a backend for FIPS 140-2 compliant OTP, which will only
> bind with DIGEST-MD5. I guess I will have to join a Windows 2008 R2 to
> the domain as a domain controller.

Very interesting. This is the first use of DIGEST-MD5 that I've come across for AD.

It would be great if it could be patched back in, but it would need tests this time, and to actually work. We may have to implement the server-side in Samba, if we can't push the pre-digested hash values into Cyrus SASL (or don't want to use it).

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Yeah, I'm trying to set up the Identikey server on Windows instead so it uses the Windows API instead of LDAP, rather than set up a Windows 2008 R2 domain controller for LDAP w/ SASL DIGEST-MD5 authentication. It seems silly for them to use DIGEST-MD5, but that's what I'm stuck with for now. If samba4 could support DIGEST-MD5 that would be great.

Thanks,
Arthur

On 07/10/2015 03:29 PM, Andrew Bartlett wrote:
> On Fri, 2015-07-10 at 11:45 -0500, Arthur Ramsey wrote:
>> That's too bad, I was trying to get the Vasco Identikey server working
>> with samba4 as a backend for FIPS 140-2 compliant OTP, which will only
>> bind with DIGEST-MD5. I guess I will have to join a Windows 2008 R2 to
>> the domain as a domain controller.
> Very interesting. This is the first use of DIGEST-MD5 that I've come
> across for AD.
>
> It would be great if it could be patched back in, but it would need
> tests this time, and to actually work. We may have to implement the
> server-side in Samba, if we can't push the pre-digested hash values into
> Cyrus SASL (or don't want to use it).
>
> Andrew Bartlett

--
Arthur Ramsey
Systems Administrator
Mediture
arthur_ramsey at mediture.com
952.400.0323
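The thread above shows the trap of trusting a server's startup log: Samba 4.2 registered a `sasl-DIGEST-MD5` GENSEC backend yet the bind failed with NT_STATUS_INVALID_PARAMETER. The check an administrator actually wants before wiring an OTP appliance to a directory is (1) what the server's rootDSE advertises in `supportedSASLMechanisms` and (2) whether a bind with each candidate completes, trying stronger mechanisms (Kerberos, then NTLM) before DIGEST-MD5. The script below is an added example and not code from the thread or from the Samba project; it assumes the OpenLDAP `ldapsearch` client, and the host name `dc03.mediture.dom` and the preference order are taken from or chosen for this thread. The rootDSE sample embedded at the end is constructed so the parsing and selection logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): pick a SASL mechanism from what the
# directory really advertises, then confirm it by binding, instead of assuming
# DIGEST-MD5 works because a backend was "registered" at startup.

# Preference order, strongest first. DIGEST-MD5 is last: it is only tried when
# nothing better is offered, and Samba 4.3 removed it entirely.
PREFERRED_MECHS="GSSAPI GSS-SPNEGO NTLM DIGEST-MD5"

# Read rootDSE LDIF on stdin and print each advertised mechanism, one per line.
# Attribute lines look like "supportedSASLMechanisms: GSSAPI".
advertised_mechs() {
    sed -n 's/^supportedSASLMechanisms: *//p'
}

# Print every preferred mechanism the server advertises, best first.
# Reads rootDSE LDIF on stdin; prints nothing if no preferred mechanism is offered.
candidate_mechs() {
    mechs=$(advertised_mechs)
    for want in $PREFERRED_MECHS; do
        for have in $mechs; do
            if [ "$want" = "$have" ]; then
                printf '%s\n' "$want"
            fi
        done
    done
}

# Fetch the live rootDSE anonymously (-x, base search with an empty base DN).
fetch_rootdse() {
    ldapsearch -x -LLL -H "ldap://$1" -s base -b '' supportedSASLMechanisms
}

# Try each advertised candidate in preference order; print the first mechanism
# that completes a SASL bind and return 0, or return 1 if none does.
# GSSAPI needs a Kerberos ticket in the cache; NTLM needs the Cyrus SASL NTLM plugin.
bind_with_first_working() {
    host=$1
    for mech in $(fetch_rootdse "$host" | candidate_mechs); do
        echo "trying SASL/$mech against $host" >&2
        if ldapsearch -Y "$mech" -LLL -H "ldap://$host" -s base -b '' \
               supportedSASLMechanisms >/dev/null; then
            printf '%s\n' "$mech"
            return 0
        fi
    done
    echo "no advertised mechanism completed a bind against $host" >&2
    return 1
}

# Constructed sample rootDSE output for offline use; shaped like what an AD DC
# (or a Samba 4.2 DC that still listed DIGEST-MD5) advertises.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
'

# Offline demo: shows the candidate order for the sample above.
# Against a live DC use: bind_with_first_working dc03.mediture.dom
demo_candidates() {
    printf '%s' "$SAMPLE_ROOTDSE" | candidate_mechs
}
```

Run `bind_with_first_working dc03.mediture.dom` (after `kinit` if you expect GSSAPI to win) to see which mechanism a given DC actually accepts; a product that insists on DIGEST-MD5 will only ever be satisfied if that string both appears in the output of `candidate_mechs` and survives the live bind, which is exactly what failed in the thread.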