Hi Tim,
> Thank you for the information. I was under the impression that
> authentication was done through LDAP. I'm not sure what led me to this
> belief/understanding.
>
> How can I confirm that indeed my Linux member server is authenticating
> with Kerberos, and that it is encrypted? Is Kerberos traffic always
> encrypted?
On winbind I am not sure where it stores its service ticket. But on
Windows, authentication would be done with Kerberos too; you can check
with "klist" that you have a service ticket for the SPN
ldap/dcname.mydomain.lan.
And you can check that your LocalSystem account also has an SPN for the ldap
connection using psexec:
psexec -i -s cmd
klist
Cheers,
Denis
>
> Thanks,
> Tim
>
> On Mon, Jan 15, 2018 at 10:37 AM, Denis Cardon <dcardon at tranquil.it> wrote:
>
> Hi Timothy,
>
> > Rowland, hopefully this explains it. I am not a security expert by any
> > means, so correct me if I am incorrect in these assumptions!
> >
> > My understanding is that standard LDAP authentication without any
> > encryption will send passwords and user information (usernames, groups
> > they're a part of etc) over plain text. This means that a user on the
> > network could potentially sniff the packets and see the passwords and user
> > information.
>
> authentication on the domain is normally done through Kerberos, so
> there are no clear passwords going through.
>
> Actually once you have an account, users or machine accounts, you
> can query most of ldap, so MITM an ldap result is not the most
> interesting thing. And most MS-AD installations I've seen don't have
> a TLS cert installed and most Samba-AD still have their snake-oil
> certificate. And krbtgt accounts never had their password changed...
>
> > In fact, I was able myself to see the user information (not passwords,
> > though they may be there somewhere) in the network traffic via Wireshark.
> > My understanding is that with LDAPS, the traffic is encrypted and this
> > information is not viewable by someone on the network.
> >
> > I have tried "client ldap sasl wrapping = seal" as suggested by
> > Volker, and that does seem to work and provide some kind of encryption of
> > the LDAP traffic using SASL. I'm just not sure if it is as strong as
> > TLS, my understanding is it is not.
> >
> > Are my assumptions/information correct?
> >
> > My ultimate goal is to encrypt the LDAP traffic using TLS. Is that possible
> > with Winbind and Samba?
>
> You can have a TLS enabled LDAP connection from your favorite client
> app or web server to Samba. The issue that has been highlighted by
> Björn, unless I'm mistaken, was related to winbind run as a client.
>
> Cheers,
>
> Denis
>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
>
> --
> Tim Gwynne
> 978-994-4272
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
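Added example, not from anyone in this thread: a small Python check over MIT `klist -e` output that looks for the ldap/dcname.mydomain.lan service ticket Denis suggests verifying, and flags an RC4/DES session key, since that is what bounds the strength of a "seal"-wrapped LDAP channel. The klist text is a constructed sample; the DC and realm names are taken from the thread and assumed.

```python
import re
from typing import Dict, List

# Constructed sample of `klist -e` output (MIT Kerberos format) for a Samba
# member server; host names follow the thread (ldap/dcname.mydomain.lan) and
# nothing here is real output from any system.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: MEMBER$@MYDOMAIN.LAN

Valid starting       Expires              Service principal
01/15/2018 10:37:00  01/15/2018 20:37:00  krbtgt/MYDOMAIN.LAN@MYDOMAIN.LAN
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/15/2018 10:37:05  01/15/2018 20:37:00  ldap/dcname.mydomain.lan@MYDOMAIN.LAN
\tEtype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
"""

# Session-key types considered weak for protecting a sealed LDAP channel.
WEAK_ETYPES = {"arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}

# A ticket row ("Valid starting  Expires  Service principal") and its -e etype row.
TICKET_RE = re.compile(r"^\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}\s+"
                       r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}\s+(\S+)\s*$")
ETYPE_RE = re.compile(r"^\s+Etype \(skey, tkt\): ([^,]+), (\S+)")


def parse_klist(text: str) -> List[Dict[str, str]]:
    """Return one dict per cached ticket: SPN plus session-key and ticket etypes."""
    tickets: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"spn": m.group(1), "skey": "", "tkt": ""})
            continue
        m = ETYPE_RE.match(line)
        if m and tickets:  # the etype line belongs to the most recent ticket
            tickets[-1]["skey"] = m.group(1).strip()
            tickets[-1]["tkt"] = m.group(2)
    return tickets


def ldap_ticket_status(text: str, dc_fqdn: str) -> Dict[str, object]:
    """Report whether a ticket for ldap/<dc> exists and whether its session key is weak."""
    # A cached ldap/<dc> ticket means the LDAP bind used Kerberos, not a simple bind;
    # GSSAPI sign/seal keys derive from the session key, so an RC4/DES skey is a red flag.
    want = f"ldap/{dc_fqdn.lower()}@"
    for t in parse_klist(text):
        if t["spn"].lower().startswith(want):
            return {"found": True, "spn": t["spn"], "skey": t["skey"],
                    "weak_session_key": t["skey"] in WEAK_ETYPES}
    return {"found": False, "spn": None, "skey": None, "weak_session_key": None}
```

Feed it the real `klist -e` output of the credential cache your member server actually uses; a missing ldap/ ticket means the bind was not Kerberos, and an arcfour skey means the sealed channel is only as strong as RC4-HMAC.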