I have an Ubuntu 14.04 member server which runs winbind, krb5, and samba. Without encryption, I am able to use winbind to get all the info I need, i.e.

winbind -g works
winbind -u works

I am trying to now get LDAPS working, but when I run a command nothing happens:

winbind -g does nothing (no errors)
winbind -u does nothing (no errors).

On the Windows DC, I can see TLS traffic happening between the Windows DC and Ubuntu machine, but of course it does not seem to be fully working.

Here is smb.conf:

[global]
   workgroup = TIMDOMAIN
   realm = TIMDOMAIN.LOCAL
   netbios name = UBUNTUWEE
   server string = %h server (Samba %v, Ubuntu)
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   panic action = /usr/share/samba/panic-action %d
   security = ADS
   ldap ssl = start tls
   ldap ssl ads = yes
   domain master = no
   template shell = /bin/bash
   template homedir = /home/%D/%U
   winbind enum groups = yes
   winbind enum users = yes
   winbind use default domain = yes
   usershare allow guests = yes

I've tried this config without "ldap ssl = start tls" and just "ldap ssl ads", and the traffic seems to be the exact same.

Here is ldap.conf:

TLS_CACERT /etc/ssl/certs/ca.cer

ca.cer contains my CA root certificate in Base-64 X509 format.

--
Tim Gwynne
978-994-4272
On Tue, 9 Jan 2018 11:08:19 -0800
Timothy Gwynne via samba <samba at lists.samba.org> wrote:

> I have an Ubuntu 14.04 member server which runs winbind, krb5, and
> samba. Without encryption, I am able to use winbind to get all the
> info I need. i.e.
>
> winbind -g works
> winbind -u works

I am very sure it doesn't ;-)
I think you mean 'wbinfo' instead

> I am trying to now get LDAPS working, but when I run a command nothing
> happens
>
> winbind -g does nothing (no errors)
> winbind -u does nothing (no errors).
>
> On the Windows DC, I can see TLS traffic happening between the
> Windows DC and Ubuntu machine, but of course it does not seem to be
> fully working.
>
> here is smb.conf:
>
> [global]
>
> workgroup = TIMDOMAIN
> realm = TIMDOMAIN.LOCAL
> netbios name = UBUNTUWEE
> server string = %h server (Samba %v, Ubuntu)
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> security = ADS
> ldap ssl = start tls
> ldap ssl ads = yes
> domain master = no
> template shell = /bin/bash
> template homedir = /home/%D/%U
> winbind enum groups = yes
> winbind enum users = yes
> winbind use default domain = yes
> usershare allow guests = yes
>
> I've tried this config without ldap ssl = start tls and just ldap ssl
> ads and the traffic seems to be the exact same.
>
> Here is ldap.conf:
>
> TLS_CACERT /etc/ssl/certs/ca.cer
>
> ca.cer contains my CA root certificate in Base-64 X509 format.
>

I am trying to understand just what you are trying to achieve, you do not normally use ldap for authentication, that is what winbind is for. Please explain why you are trying this.

Rowland
On 2018-01-09 at 11:08 -0800 Timothy Gwynne via samba sent off:
> ...

According to https://bugzilla.samba.org/show_bug.cgi?id=13124#c5 ldap ssl ads does not work reliably anymore, you might try the mentioned "client ldap sasl wrapping = plain" setting. You will not make the setup more secure in the end though. But the ldap ssl ads parameter might soon go away anyway.

Björn
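A small audit of the smb.conf settings discussed in this thread, added here as an example (not code from the thread or from the Samba project). It assumes Samba's documented "client ldap sasl wrapping" values plain/sign/seal and treats "ldap ssl ads" as a yes/no switch; the sample config is constructed from the posted [global] section plus the "plain" setting Björn mentions.

```python
import re

# Constructed sample: the poster's settings with the suggested
# "client ldap sasl wrapping = plain" line added.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = TIMDOMAIN
   realm = TIMDOMAIN.LOCAL
   security = ADS
   ldap ssl = start tls
   ldap ssl ads = yes
   client ldap sasl wrapping = plain
   winbind enum users = yes
"""

def parse_section(text, section="global"):
    """Return the key/value pairs of one smb.conf section.
    Keys are lowercased with whitespace collapsed, as Samba treats them."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            continue
        if current == section and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit_ldap_transport(params):
    """Classify how winbind's LDAP traffic to the DC is protected.
    Returns (verdict, reason) with verdict in {"ok", "warn", "fail"}."""
    wrapping = params.get("client ldap sasl wrapping", "").lower()
    ssl_ads = params.get("ldap ssl ads", "no").lower() in ("yes", "true", "1")
    if wrapping == "seal":
        return "ok", "SASL seal: LDAP to the DC is signed and encrypted via GSSAPI"
    if wrapping == "sign":
        return "warn", "SASL sign: integrity only, LDAP contents travel in clear"
    if wrapping == "plain" and ssl_ads:
        return "warn", ("relies on 'ldap ssl ads' for TLS, reported unreliable "
                        "in bug 13124; nothing else protects the traffic")
    if wrapping == "plain":
        return "fail", "no SASL sign/seal and no TLS: LDAP to the DC is unprotected"
    return "warn", "'client ldap sasl wrapping' unset; default varies by Samba version"
```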
Thank you Bjorn. Is there any way to reliably configure LDAPS via Winbind & Samba currently that would increase security?

On Wed, Jan 10, 2018 at 11:14 AM, Björn JACKE <bj at sernet.de> wrote:

> On 2018-01-09 at 11:08 -0800 Timothy Gwynne via samba sent off:
> > ...
>
> according to https://bugzilla.samba.org/show_bug.cgi?id=13124#c5 ldap ssl ads
> does not work reliably anymore, you might try the mentioned "client ldap sasl
> wrapping = plain" setting. You will make the setup not more secure in the end
> though. But the ldap ssl ads parameter might soon go away anyway.
>
> Björn
>

--
Tim Gwynne
978-994-4272