Hello! Andrew Bartlett via samba,
on that day, wrote...
Ok, I come back to an old thread, because the vendor finally replied.
A little fast-rewind: I own some Konica-Minolta BizHub multifunction
printers/copiers, and I need to ''bind'' them to my new AD domain.
But authentication does not work; it seems because that printer tries to use
SASL over plain LDAP (no SSL nor TLS).
After writing to the vendor (ahem, writing to my local reseller, who
wrote to the vendor) the answer was:
> The information provided is not sufficient to provide a solution.
> About the AD/Kerberos problem, the listed "tcpdump" just shows
> the TGS (Ticket Granting Ticket) request and response.
> There are no details about the AS (authentication service) request.
> Therefore it's difficult to find the problem cause.
>
> Maybe the LDAP part is easier to solve. Although the TCP dump does not show
> many details, it indicates the problem:
> "bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal
> are required"
> Basically the LDAP Server requires a secured connection.
>
> This is related to the following SAMBA setting:
> >ldap server require strong auth (G)
> >
> >The ldap server require strong auth defines whether the ldap server
> >requires ldap traffic to be signed or signed and encrypted (sealed). Possible
> >values are no, allow_sasl_over_tls and yes.
> >
> >A value of no allows simple and sasl binds over all transports.
> >
> >A value of allow_sasl_over_tls allows simple and sasl binds (without
> >sign or seal) over TLS encrypted connections. Unencrypted connections only
> >allow sasl binds with sign or seal.
> >
> >A value of yes allows only simple binds over TLS encrypted connections.
> >Unencrypted connections only allow sasl binds with sign or seal.
> > Default: ldap server require strong auth = yes
So, doing some tests:
AD, 'ldap server require strong auth = yes' (default)
8 32.680120 10.5.1.202 -> 10.5.1.25 TCP 74 40253→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=121046256 TSecr=0 WS=16
9 32.680132 10.5.1.25 -> 10.5.1.202 TCP 74 389→40253 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361876476 TSecr=121046256 WS=128
10 32.680292 10.5.1.202 -> 10.5.1.25 TCP 66 40253→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=121046257 TSecr=361876476
11 32.685230 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
12 32.685240 10.5.1.25 -> 10.5.1.202 TCP 66 389→40253 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361876477 TSecr=121046258
13 32.686723 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
14 32.686854 10.5.1.202 -> 10.5.1.25 TCP 66 40253→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=121046258 TSecr=361876478
15 32.694734 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2) "<ROOT>" baseObject
16 32.695277 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2) "<ROOT>" | searchResDone(2) success
17 32.722454 10.5.1.202 -> 10.5.1.25 TCP 1514 [TCP segment of a reassembled PDU]
18 32.722455 10.5.1.202 -> 10.5.1.25 LDAP 107 bindRequest(3) "<ROOT>" sasl
19 32.722466 10.5.1.25 -> 10.5.1.202 TCP 66 389→40253 [ACK] Seq=168 Ack=1621 Win=31872 Len=0 TSval=361876486 TSecr=121046263
20 32.723143 10.5.1.25 -> 10.5.1.202 LDAP 315 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.)
21 32.729426 10.5.1.202 -> 10.5.1.25 LDAP 73 unbindRequest(4)
22 32.729474 10.5.1.202 -> 10.5.1.25 TCP 66 40253→389 [FIN, ACK] Seq=1628 Ack=417 Win=7984 Len=0 TSval=121046266 TSecr=361876487
23 32.729547 10.5.1.25 -> 10.5.1.202 TCP 66 389→40253 [FIN, ACK] Seq=417 Ack=1629 Win=31872 Len=0 TSval=361876488 TSecr=121046266
24 32.729714 10.5.1.202 -> 10.5.1.25 TCP 66 40253→389 [ACK] Seq=1629 Ack=418 Win=7984 Len=0 TSval=121046266 TSecr=361876488
AD, 'ldap server require strong auth = allow_sasl_over_tls'
113 2995.932618 10.5.1.202 -> 10.5.1.25 TCP 74 40245→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=120908056 TSecr=0 WS=16
114 2995.932639 10.5.1.25 -> 10.5.1.202 TCP 74 389→40245 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361656202 TSecr=120908056 WS=128
115 2995.932785 10.5.1.202 -> 10.5.1.25 TCP 66 40245→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=120908056 TSecr=361656202
116 2995.937504 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
117 2995.937516 10.5.1.25 -> 10.5.1.202 TCP 66 389→40245 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361656204 TSecr=120908057
118 2995.939099 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
119 2995.939241 10.5.1.202 -> 10.5.1.25 TCP 66 40245→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=120908057 TSecr=361656204
120 2995.958568 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2) "<ROOT>" baseObject
121 2995.958945 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2) "<ROOT>" | searchResDone(2) success
122 2995.997247 10.5.1.202 -> 10.5.1.25 TCP 66 40245→389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=120908069 TSecr=361656209
123 2996.119036 10.5.1.202 -> 10.5.1.25 LDAP 1555 bindRequest(3) "<ROOT>" sasl
124 2996.119051 10.5.1.25 -> 10.5.1.202 TCP 66 389→40245 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361656249 TSecr=120908093
125 2996.119914 10.5.1.25 -> 10.5.1.202 LDAP 316 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: not allowed if TLS is used.)
126 2996.120093 10.5.1.202 -> 10.5.1.25 TCP 66 40245→389 [ACK] Seq=1621 Ack=418 Win=7984 Len=0 TSval=120908093 TSecr=361656249
127 2996.120355 10.5.1.202 -> 10.5.1.25 LDAP 73 unbindRequest(4)
128 2996.120434 10.5.1.202 -> 10.5.1.25 TCP 66 40245→389 [FIN, ACK] Seq=1628 Ack=418 Win=7984 Len=0 TSval=120908093 TSecr=361656249
129 2996.120456 10.5.1.25 -> 10.5.1.202 TCP 66 389→40245 [FIN, ACK] Seq=418 Ack=1629 Win=32000 Len=0 TSval=361656249 TSecr=120908093
130 2996.120591 10.5.1.202 -> 10.5.1.25 TCP 66 40245→389 [ACK] Seq=1629 Ack=419 Win=7984 Len=0 TSval=120908093 TSecr=361656249
AD, 'ldap server require strong auth = no'
1 0.000000 10.5.1.202 -> 10.5.1.25 TCP 74 40258→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=121084503 TSecr=0 WS=16
2 0.000019 10.5.1.25 -> 10.5.1.202 TCP 74 389→40258 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361924284 TSecr=121084503 WS=128
3 0.000179 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=121084503 TSecr=361924284
4 0.003849 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
5 0.003857 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361924285 TSecr=121084504
6 0.005388 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
7 0.005536 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=121084504 TSecr=361924285
8 0.023918 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2) "<ROOT>" baseObject
9 0.024364 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2) "<ROOT>" | searchResDone(2) success
10 0.063587 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=121084516 TSecr=361924290
11 0.074684 10.5.1.202 -> 10.5.1.25 LDAP 1555 bindRequest(3) "<ROOT>" sasl
12 0.074698 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361924302 TSecr=121084518
13 0.079764 10.5.1.25 -> 10.5.1.202 LDAP 270 bindResponse(3) success
14 0.079974 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=1621 Ack=372 Win=7984 Len=0 TSval=121084519 TSecr=361924304
15 0.085792 10.5.1.202 -> 10.5.1.25 LDAP 402 searchRequest(4) "dc=ad,dc=fvg,dc=lnf,dc=it" wholeSubtree
16 0.086364 10.5.1.25 -> 10.5.1.202 LDAP 574 searchResEntry(4) "CN=gaio,OU=Roaming,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it" | searchResRef(4) | searchResRef(4) | searchResRef(4) | se
17 0.087354 10.5.1.202 -> 10.5.1.25 LDAP 73 unbindRequest(5)
18 0.087401 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [FIN, ACK] Seq=1964 Ack=880 Win=9056 Len=0 TSval=121084520 TSecr=361924305
19 0.087467 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [FIN, ACK] Seq=880 Ack=1965 Win=34944 Len=0 TSval=361924306 TSecr=121084520
20 0.087621 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=1965 Ack=881 Win=9056 Len=0 TSval=121084520 TSecr=361924306
and the last configuration works. So it seems that the only option compatible
with that MFP is the less secure 'ldap server require strong auth = no'.
Is there some way to ''tighten'' that configuration, e.g. permit
'ldap server require strong auth = no' only for some hosts?
Or some other smb.conf option that I've missed?
Konica Minolta support also wrote:
> The information you provided is almost the solution for LDAP:
> > The multifunction should:
> > a) either negotiate TLS on port 389
> > b) or use LDAPS on port 686
>
> When LDAP over SSL is required, why not configure the device to do so?
> While configuring the External Server for LDAP, just enable SSL (default LDAP
> port is 636).
>
> https://manuals.konicaminolta.eu/bizhub-C554-C454-C364-C284-C224/EN/contents/id08-0369.html
but this is not the case, because in 'LDAP mode' the MFP binds with the
DN ''flattened'', e.g.:
86 2791.507328 10.5.1.202 -> 10.5.1.25 TCP 74 40242→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=120867170 TSecr=0 WS=16
87 2791.507353 10.5.1.25 -> 10.5.1.202 TCP 74 389→40242 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361605096 TSecr=120867170 WS=128
88 2791.507509 10.5.1.202 -> 10.5.1.25 TCP 66 40242→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=120867171 TSecr=361605096
89 2791.513273 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
90 2791.513292 10.5.1.25 -> 10.5.1.202 TCP 66 389→40242 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361605097 TSecr=120867172
91 2791.514788 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
92 2791.514937 10.5.1.202 -> 10.5.1.25 TCP 66 40242→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=120867172 TSecr=361605098
93 2791.528171 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2) "<ROOT>" baseObject
94 2791.528518 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2) "<ROOT>" | searchResDone(2) success
95 2791.528914 10.5.1.202 -> 10.5.1.25 LDAP 124 bindRequest(3) "uid=gaio,DC=ad,DC=fvg,DC=lnf,DC=it" simple
and 'uid=gaio,DC=ad,DC=fvg,DC=lnf,DC=it' is not a valid DN.
Right?
Thanks.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''
http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
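As an added example (not part of the post, nor Samba's or Konica Minolta's code), a small Python audit that reads tshark-style summary lines like the captures above, pairs each bindRequest with its bindResponse, and reports which clients would break if 'ldap server require strong auth' went back to the default 'yes': authenticated simple binds on plain LDAP (password in clear) and SASL binds rejected for lack of sign/seal. It assumes that anything decoded as plain 'LDAP' is on an unencrypted connection (tshark shows LDAPS as TLS); the sample lines are constructed from the post's captures, with one made-up bindResponse.

```python
import re

# Constructed sample in the tshark summary format of the captures above; the last bindResponse is made up.
SAMPLE = """\
11 32.685230 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
13 32.686723 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
18 32.722455 10.5.1.202 -> 10.5.1.25 LDAP 107 bindRequest(3) "<ROOT>" sasl
20 32.723143 10.5.1.25 -> 10.5.1.202 LDAP 315 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.)
95 2791.528914 10.5.1.202 -> 10.5.1.25 LDAP 124 bindRequest(3) "uid=gaio,DC=ad,DC=fvg,DC=lnf,DC=it" simple
96 2791.529100 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(3) invalidCredentials
"""
# "<no> <time> <src> -> <dst> LDAP <len> bindRequest(<id>) ..." and the same for bindResponse(<id>)
LINE_RE = re.compile(r'^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+LDAP\s+\d+\s+'
                     r'(?P<op>bindRequest|bindResponse)\((?P<msgid>\d+)\)\s*(?P<detail>.*)$')
REQ_RE = re.compile(r'"(?P<dn>[^"]*)"\s+(?P<method>simple|sasl)')


def audit_ldap_binds(summary_text):
    """Pair each bindRequest with its bindResponse and classify the bind.
    Assumption: lines decoded as plain 'LDAP' are unencrypted (tshark shows LDAPS as TLS),
    so SASL sign/seal is the only protection, and the summary line cannot show it."""
    pending, findings = {}, []          # pending: (client, server, msgid) -> (dn, method)
    for line in summary_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m['op'] == 'bindRequest':
            r = REQ_RE.search(m['detail'])
            if r:
                pending[(m['src'], m['dst'], m['msgid'])] = (r['dn'], r['method'])
            continue
        key = (m['dst'], m['src'], m['msgid'])      # responses flow server -> client
        dn, method = pending.pop(key, (None, None))
        if method is None:
            continue
        result = m['detail'].split()[0] if m['detail'] else 'unknown'
        if method == 'simple' and dn in ('', '<ROOT>'):
            risk, why = 'info', 'anonymous simple bind, no credentials sent'
        elif method == 'simple':
            risk, why = 'high', 'authenticated simple bind on plain LDAP: password in clear; works only with strong auth = no'
        elif result == 'strongAuthRequired':
            risk, why = 'medium', 'SASL bind without sign/seal rejected by the DC; would need strong auth = no'
        else:
            risk, why = 'review', 'SASL bind accepted; summary cannot show whether sign/seal was negotiated'
        findings.append({'client': key[0], 'dn': dn, 'method': method,
                         'result': result, 'risk': risk, 'why': why})
    return findings


def clients_needing_weak_setting(findings):
    """Clients that break once 'ldap server require strong auth = yes' is restored."""
    return sorted({f['client'] for f in findings if f['risk'] in ('high', 'medium')})
```

Run it over a longer tshark summary (`tshark -r capture.pcap -Y ldap`) to get the host list that would need the weak setting before deciding whether it is worth keeping.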