Hi everyone,

I have installed a Samba AD DC version 4.2.11-20 on a CentOS 6.7 machine and joined it to an existing domain. Everything seems to be working fine except I can't bind to it using LDAP simple authentication. When I try to perform a simple ldapsearch I get the following response:

    ldap_bind: Strong(er) authentication required (8)
    additional info: BindSimple: Transport encryption required.

That is weird, as I have not set the certificates and haven't configured anything to use LDAPS. Looking in the documentation, it says that by default Samba 4 does not use LDAPS and to configure it you need to provide the certificates.
So, why is this DC asking me to use LDAPS? Is there some samba-tool command I can run to debug or some hidden option to disable it?

I really appreciate any help you can provide.

Felipe Izaguirre
*Computer Scientist Student and Sysadmin*

On 27/07/16 20:59, Felipe Izaguirre wrote:
> Hi everyone,
>
> I have installed a Samba AD DC version 4.2.11-20 on a CentOS 6.7 machine
> and joined it to an existing domain. Everything seems to be working fine except I
> can't bind to it using LDAP simple authentication. When I try to perform a
> simple ldapsearch I get the following response:
>
> ldap_bind: Strong(er) authentication required (8)
> additional info: BindSimple: Transport encryption required.
>
> That is weird, as I have not set the certificates and haven't configured
> anything to use LDAPS. Looking in the documentation, it says that by default
> Samba 4 does not use LDAPS and to configure it you need to provide the
> certificates.
> So, why is this DC asking me to use LDAPS? Is there some samba-tool
> command I can run to debug or some hidden option to disable it?
>
> I really appreciate any help you can provide.
>
> Felipe Izaguirre
> *Computer Scientist Student and Sysadmin*

Try adding 'ldap server require strong auth =no' to smb.conf, see here for more info:

https://wiki.samba.org/index.php/Samba_4.4_Features_added/changed#ldap_server_require_strong_auth_.28G.29

Rowland

As of 4.2.11: https://www.samba.org/samba/security/CVE-2016-2112.html

==================
New smb.conf option
==================

  ldap server require strong auth (G)

    The ldap server require strong auth defines whether the
    ldap server requires ldap traffic to be signed or
    signed and encrypted (sealed). Possible values are no,
    allow_sasl_over_tls and yes.

    A value of no allows simple and sasl binds over all transports.

    A value of allow_sasl_over_tls allows simple and sasl binds
    (without sign or seal)
    over TLS encrypted connections. Unencrypted connections only
    allow sasl binds with sign or seal.

    A value of yes allows only simple binds over TLS encrypted connections.
    Unencrypted connections only allow sasl binds with sign or seal.

    Default: ldap server require strong auth = yes

In short, "ldap server require strong auth = no"

Kris Lou
klou at themusiclink.net

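The rules in the release note above can be checked mechanically. The following is an added example, not part of the thread and not Samba's own code: it reads an smb.conf, resolves the effective `ldap server require strong auth` value (falling back to the stated default when the option is absent) and reports which binds that value accepts, as the note words them. The function names and both sample configs are constructed for illustration; the first sample reproduces the situation in the original post.

```python
# Added example: models the bind rules as worded in the release note above.
OPTION = "ldap server require strong auth"
DEFAULT = "yes"  # default stated in the release note
VALUES = ("no", "allow_sasl_over_tls", "yes")

def effective_setting(smb_conf_text):
    """Return the option's value in [global], or the default if it is absent."""
    section, value = None, DEFAULT
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, val = line.split("=", 1)
            # parameter names are not case sensitive; normalise spacing too
            if " ".join(name.lower().split()) == OPTION:
                value = val.strip().lower()      # a later assignment wins
    if value not in VALUES:
        raise ValueError(f"unexpected value for {OPTION!r}: {value!r}")
    return value

def bind_allowed(setting, mechanism, tls, sign_or_seal=False):
    """mechanism is 'simple' or 'sasl'; sign_or_seal applies to SASL only."""
    if setting == "no":
        return True                              # any bind, any transport
    if not tls:
        # unencrypted connection: only SASL binds with sign or seal
        return mechanism == "sasl" and sign_or_seal
    if setting == "allow_sasl_over_tls":
        return True                              # simple and SASL over TLS
    return mechanism == "simple"                 # "yes": only simple over TLS

def audit(smb_conf_text):
    """Summarise what the effective setting means for simple binds."""
    setting = effective_setting(smb_conf_text)
    return {
        "setting": setting,
        "cleartext_simple_bind": bind_allowed(setting, "simple", tls=False),
        "simple_bind_over_tls": bind_allowed(setting, "simple", tls=True),
    }

# Constructed sample configs (not taken from the thread).
DEFAULT_CONF = "[global]\n\trealm = EXAMPLE.TEST\n"
RELAXED_CONF = "[global]\n\tLDAP Server Require Strong Auth =no\n"

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("relaxed", RELAXED_CONF)):
        print(label, audit(conf))
```

With the option unset, `cleartext_simple_bind` is false, which is the rejection the original poster saw; setting it to `no` makes it true for every client of that DC.
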
IMHO, in short, learn to use encrypted connections.

2016-07-27 22:38 GMT+02:00 Kris Lou <klou at themusiclink.net>:
> As of 4.2.11: https://www.samba.org/samba/security/CVE-2016-2112.html
>
> ==================
> New smb.conf option
> ==================
>
> ldap server require strong auth (G)
>
> The ldap server require strong auth defines whether the
> ldap server requires ldap traffic to be signed or
> signed and encrypted (sealed). Possible values are no,
> allow_sasl_over_tls and yes.
>
> A value of no allows simple and sasl binds over all transports.
>
> A value of allow_sasl_over_tls allows simple and sasl binds
> (without sign or seal)
> over TLS encrypted connections. Unencrypted connections only
> allow sasl binds with sign or seal.
>
> A value of yes allows only simple binds over TLS encrypted connections.
> Unencrypted connections only allow sasl binds with sign or seal.
>
> Default: ldap server require strong auth = yes
>
>
> In short, "ldap server require strong auth = no"
>
>
> Kris Lou
> klou at themusiclink.net