I'm trying to test/move some of my LDAP-enabled devices from my actual
OpenLDAP server(s) to my new Samba AD domain.
For now, I'm poking with printers, and I'm testing a Konica-Minolta
BizHub C224e.
Defining user authentication to an external source, I can set (between
LDAP, NTLM, NDS, ...) 'Active Directory', and I can/must provide the
domain name.
After that, DNS and Kerberos seem to work, but actual auth does not:
1 0.000000 10.5.1.202 -> 10.5.1.25 TCP 74 51004→88 [SYN] Seq=0
Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=89369296 TSecr=0 WS=16
2 0.000026 10.5.1.25 -> 10.5.1.202 TCP 74 88→51004 [SYN, ACK] Seq=0
Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=2012173857 TSecr=89369296
WS=128
3 0.000163 10.5.1.202 -> 10.5.1.25 TCP 66 51004→88 [ACK] Seq=1 Ack=1
Win=5840 Len=0 TSval=89369296 TSecr=2012173857
4 0.000470 10.5.1.202 -> 10.5.1.25 KRB5 1546 TGS-REQ
5 0.000479 10.5.1.25 -> 10.5.1.202 TCP 66 88→51004 [ACK] Seq=1
Ack=1481 Win=32000 Len=0 TSval=2012173857 TSecr=89369296
6 0.004955 10.5.1.25 -> 10.5.1.202 KRB5 1569 TGS-REP
7 0.005283 10.5.1.202 -> 10.5.1.25 TCP 66 51004→88 [ACK] Seq=1481
Ack=1449 Win=8736 Len=0 TSval=89369297 TSecr=2012173858
8 0.005301 10.5.1.202 -> 10.5.1.25 TCP 66 51004→88 [ACK] Seq=1481
Ack=1504 Win=8736 Len=0 TSval=89369297 TSecr=2012173858
9 0.005485 10.5.1.202 -> 10.5.1.25 TCP 66 51004→88 [FIN, ACK]
Seq=1481 Ack=1504 Win=8736 Len=0 TSval=89369297 TSecr=2012173858
10 0.005559 10.5.1.25 -> 10.5.1.202 TCP 66 88→51004 [FIN, ACK]
Seq=1504 Ack=1482 Win=32000 Len=0 TSval=2012173859 TSecr=89369297
11 0.005700 10.5.1.202 -> 10.5.1.25 TCP 66 51004→88 [ACK] Seq=1482
Ack=1505 Win=8736 Len=0 TSval=89369297 TSecr=2012173859
[...]
91 1263.249013 10.5.1.202 -> 10.5.1.25 TCP 74 40994→389 [SYN] Seq=0
Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=89621945 TSecr=0 WS=16
92 1263.249030 10.5.1.25 -> 10.5.1.202 TCP 74 389→40994 [SYN, ACK]
Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=2012489669 TSecr=89621945
WS=128
93 1263.249188 10.5.1.202 -> 10.5.1.25 TCP 66 40994→389 [ACK] Seq=1
Ack=1 Win=5840 Len=0 TSval=89621946 TSecr=2012489669
94 1263.254227 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1)
"<ROOT>" simple
95 1263.254236 10.5.1.25 -> 10.5.1.202 TCP 66 389→40994 [ACK] Seq=1
Ack=15 Win=29056 Len=0 TSval=2012489671 TSecr=89621947
96 1263.255860 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
97 1263.256002 10.5.1.202 -> 10.5.1.25 TCP 66 40994→389 [ACK] Seq=15
Ack=15 Win=5840 Len=0 TSval=89621947 TSecr=2012489671
98 1263.303918 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2)
"<ROOT>" baseObject
99 1263.304298 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2)
"<ROOT>" | searchResDone(2) success
100 1263.304474 10.5.1.202 -> 10.5.1.25 TCP 66 40994→389 [ACK] Seq=132
Ack=168 Win=6912 Len=0 TSval=89621957 TSecr=2012489683
101 1263.335183 10.5.1.202 -> 10.5.1.25 LDAP 1515 bindRequest(3)
"<ROOT>" sasl
102 1263.335197 10.5.1.25 -> 10.5.1.202 TCP 66 389→40994 [ACK] Seq=168
Ack=1581 Win=31872 Len=0 TSval=2012489691 TSecr=89621963
103 1263.335947 10.5.1.25 -> 10.5.1.202 LDAP 315 bindResponse(3)
strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.)
104 1263.347943 10.5.1.202 -> 10.5.1.25 LDAP 73 unbindRequest(4)
105 1263.348287 10.5.1.202 -> 10.5.1.25 TCP 66 40994→389 [FIN, ACK]
Seq=1588 Ack=417 Win=7984 Len=0 TSval=89621965 TSecr=2012489691
106 1263.348307 10.5.1.25 -> 10.5.1.202 TCP 66 389→40994 [FIN, ACK]
Seq=417 Ack=1589 Win=31872 Len=0 TSval=2012489694 TSecr=89621965
107 1263.348460 10.5.1.202 -> 10.5.1.25 TCP 66 40994→389 [ACK] Seq=1589
Ack=418 Win=7984 Len=0 TSval=89621965 TSecr=2012489694
This means that the printer tries to auth in LDAP 'plain' (no SSL, no
TLS), and so Samba refuses that?
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''
http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
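
Added example, not part of the original post: a small Python parser for tshark one-line summaries like the capture above. It re-joins the mail-wrapped lines and pairs each LDAP bindRequest with its bindResponse, so the refused bind and the server's stated reason stand out. The function and type names are hypothetical; the sample input is frames 94, 96, 101 and 103 copied from the capture.

```python
import re
from collections import namedtuple

# Frames 94, 96, 101 and 103 copied from the capture in the post, still wrapped as mailed.
SAMPLE = """\
94 1263.254227 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1)
"<ROOT>" simple
96 1263.255860 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
101 1263.335183 10.5.1.202 -> 10.5.1.25 LDAP 1515 bindRequest(3)
"<ROOT>" sasl
103 1263.335947 10.5.1.25 -> 10.5.1.202 LDAP 315 bindResponse(3)
strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.)
"""

Bind = namedtuple("Bind", "client server msgid method result diagnostic")
FRAME = re.compile(r"^\s*\d+\s+\d+\.\d+\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\d+\s+(.*)$")
REQ = re.compile(r'bindRequest\((\d+)\)\s+"[^"]*"\s+(\w+)')
RESP = re.compile(r"bindResponse\((\d+)\)\s+(\w+)(?:\s+\((.*)\))?")

def unwrap(text):
    """Re-join wrapped continuation lines onto the frame line they belong to."""
    frames = []
    for line in text.splitlines():
        if FRAME.match(line):
            frames.append(line.strip())
        elif frames:  # anything before the first frame line is ignored
            frames[-1] += " " + line.strip()
    return frames

def ldap_binds(text):
    """Pair each bindRequest with its bindResponse by (client, server, messageID)."""
    pending, binds = {}, []
    for frame in unwrap(text):
        src, dst, proto, info = FRAME.match(frame).groups()
        req, resp = REQ.search(info), RESP.search(info)
        if proto == "LDAP" and req:
            pending[(src, dst, req.group(1))] = req.group(2)
        elif proto == "LDAP" and resp and (dst, src, resp.group(1)) in pending:
            method = pending.pop((dst, src, resp.group(1)))
            binds.append(Bind(dst, src, int(resp.group(1)), method, resp.group(2), resp.group(3)))
    return binds

def rejected_for_weak_protection(binds):
    """SASL binds refused with strongAuthRequired (session neither signed nor sealed)."""
    return [b for b in binds if b.method == "sasl" and b.result == "strongAuthRequired"]

if __name__ == "__main__":
    for b in ldap_binds(SAMPLE):
        print(b)
```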