To my knowledge, Konica = Xerox.
And this works fine IMO, but I'm not able to look this up now.
I did have Xerox connected to my LDAPS AD DCs.
I can check this Monday.
Greetz,
Louis
> On 11 May 2018 at 04:09, Andrew Bartlett via samba <samba at lists.samba.org> wrote:
>
> On Thu, 2018-05-10 at 15:48 +0200, Marco Gaiarin via samba wrote:
>> Hi! Andrew Bartlett via samba
>> wrote, on that day...
>>
>> OK, I come back to an old thread, because the vendor finally replied.
>
> Thanks!
>
>>
>> Little fast-rewind: I own some Konica-Minolta BizHub multifunction
>> printers/copiers, and I need to ''bind'' them to my new AD domain.
>>
>> But authentication does not work; it seems because that printer tries to use
>> SASL over plain LDAP (no SSL nor TLS).
>>
>> After writing to the vendor (ahem, writing to my local reseller, who
>> writes to the vendor) the answer was:
>>
>>> The information provided is not sufficient to provide a solution.
>>> About the AD/Kerberos problem, the listed "tcpdump" just shows the TGS (Ticket Granting Ticket) request and response.
>>> There are no details about the AS (authentication service) request. Therefore it's difficult to find the problem cause.
>>>
>>> Maybe the LDAP part is easier to solve. Although the TCP dump does not show many details, it indicates the problem:
>>> "bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required"
>>> Basically the LDAP server requires a secured connection.
>>>
>>> This is related to the following SAMBA settings:
>>>> ldap server require strong auth (G)
>>>>
>>>> The ldap server require strong auth defines whether the ldap server requires ldap traffic to be signed or signed and encrypted (sealed). Possible values are no, allow_sasl_over_tls and yes.
>>>>
>>>> A value of no allows simple and sasl binds over all transports.
>>>>
>>>> A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal) over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.
>>>>
>>>> A value of yes allows only simple binds over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.
>>>> Default: ldap server require strong auth = yes
>
> Correct.
>
>>
>> So, doing some tests:
>>
>> AD, 'ldap server require strong auth = yes' (default)
>> 8 32.680120 10.5.1.202 -> 10.5.1.25 TCP 74 40253 → 389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=121046256 TSecr=0 WS=16
>> 9 32.680132 10.5.1.25 -> 10.5.1.202 TCP 74 389 → 40253 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361876476 TSecr=121046256 WS=128
>> 10 32.680292 10.5.1.202 -> 10.5.1.25 TCP 66 40253 → 389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=121046257 TSecr=361876476
>> 11 32.685230 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
>> 12 32.685240 10.5.1.25 -> 10.5.1.202 TCP 66 389 → 40253 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361876477 TSecr=121046258
>> 13 32.686723 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
>> 14 32.686854 10.5.1.202 -> 10.5.1.25 TCP 66 40253 → 389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=121046258 TSecr=361876478
>> 15 32.694734 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2) "<ROOT>" baseObject
>> 16 32.695277 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2) "<ROOT>" | searchResDone(2) success
>> 17 32.722454 10.5.1.202 -> 10.5.1.25 TCP 1514 [TCP segment of a reassembled PDU]
>> 18 32.722455 10.5.1.202 -> 10.5.1.25 LDAP 107 bindRequest(3) "<ROOT>" sasl
>> 19 32.722466 10.5.1.25 -> 10.5.1.202 TCP 66 389 → 40253 [ACK] Seq=168 Ack=1621 Win=31872 Len=0 TSval=361876486 TSecr=121046263
>> 20 32.723143 10.5.1.25 -> 10.5.1.202 LDAP 315 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.)
>> 21 32.729426 10.5.1.202 -> 10.5.1.25 LDAP 73 unbindRequest(4)
>> 22 32.729474 10.5.1.202 -> 10.5.1.25 TCP 66 40253 → 389 [FIN, ACK] Seq=1628 Ack=417 Win=7984 Len=0 TSval=121046266 TSecr=361876487
>> 23 32.729547 10.5.1.25 -> 10.5.1.202 TCP 66 389 → 40253 [FIN, ACK] Seq=417 Ack=1629 Win=31872 Len=0 TSval=361876488 TSecr=121046266
>> 24 32.729714 10.5.1.202 -> 10.5.1.25 TCP 66 40253 → 389 [ACK] Seq=1629 Ack=418 Win=7984 Len=0 TSval=121046266 TSecr=361876488
>>
>>
>> AD, 'ldap server require strong auth = allow_sasl_over_tls'
>> 113 2995.932618 10.5.1.202 -> 10.5.1.25 TCP 74 40245 → 389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=120908056 TSecr=0 WS=16
>> 114 2995.932639 10.5.1.25 -> 10.5.1.202 TCP 74 389 → 40245 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361656202 TSecr=120908056 WS=128
>> 115 2995.932785 10.5.1.202 -> 10.5.1.25 TCP 66 40245 → 389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=120908056 TSecr=361656202
>> 116 2995.937504 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
>> 117 2995.937516 10.5.1.25 -> 10.5.1.202 TCP 66 389 → 40245 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361656204 TSecr=120908057
>> 118 2995.939099 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
>> 119 2995.939241 10.5.1.202 -> 10.5.1.25 TCP 66 40245 → 389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=120908057 TSecr=361656204
>> 120 2995.958568 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2) "<ROOT>" baseObject
>> 121 2995.958945 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2) "<ROOT>" | searchResDone(2) success
>> 122 2995.997247 10.5.1.202 -> 10.5.1.25 TCP 66 40245 → 389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=120908069 TSecr=361656209
>> 123 2996.119036 10.5.1.202 -> 10.5.1.25 LDAP 1555 bindRequest(3) "<ROOT>" sasl
>> 124 2996.119051 10.5.1.25 -> 10.5.1.202 TCP 66 389 → 40245 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361656249 TSecr=120908093
>> 125 2996.119914 10.5.1.25 -> 10.5.1.202 LDAP 316 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: not allowed if TLS is used.)
>> 126 2996.120093 10.5.1.202 -> 10.5.1.25 TCP 66 40245 → 389 [ACK] Seq=1621 Ack=418 Win=7984 Len=0 TSval=120908093 TSecr=361656249
>> 127 2996.120355 10.5.1.202 -> 10.5.1.25 LDAP 73 unbindRequest(4)
>> 128 2996.120434 10.5.1.202 -> 10.5.1.25 TCP 66 40245 → 389 [FIN, ACK] Seq=1628 Ack=418 Win=7984 Len=0 TSval=120908093 TSecr=361656249
>> 129 2996.120456 10.5.1.25 -> 10.5.1.202 TCP 66 389 → 40245 [FIN, ACK] Seq=418 Ack=1629 Win=32000 Len=0 TSval=361656249 TSecr=120908093
>> 130 2996.120591 10.5.1.202 -> 10.5.1.25 TCP 66 40245 → 389 [ACK] Seq=1629 Ack=419 Win=7984 Len=0 TSval=120908093 TSecr=361656249
>>
>> AD, 'ldap server require strong auth = no'
>> 1 0.000000 10.5.1.202 -> 10.5.1.25 TCP 74 40258 → 389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=121084503 TSecr=0 WS=16
>> 2 0.000019 10.5.1.25 -> 10.5.1.202 TCP 74 389 → 40258 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361924284 TSecr=121084503 WS=128
>> 3 0.000179 10.5.1.202 -> 10.5.1.25 TCP 66 40258 → 389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=121084503 TSecr=361924284
>> 4 0.003849 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
>> 5 0.003857 10.5.1.25 -> 10.5.1.202 TCP 66 389 → 40258 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361924285 TSecr=121084504
>> 6 0.005388 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
>> 7 0.005536 10.5.1.202 -> 10.5.1.25 TCP 66 40258 → 389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=121084504 TSecr=361924285
>> 8 0.023918 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2) "<ROOT>" baseObject
>> 9 0.024364 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2) "<ROOT>" | searchResDone(2) success
>> 10 0.063587 10.5.1.202 -> 10.5.1.25 TCP 66 40258 → 389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=121084516 TSecr=361924290
>> 11 0.074684 10.5.1.202 -> 10.5.1.25 LDAP 1555 bindRequest(3) "<ROOT>" sasl
>> 12 0.074698 10.5.1.25 -> 10.5.1.202 TCP 66 389 → 40258 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361924302 TSecr=121084518
>> 13 0.079764 10.5.1.25 -> 10.5.1.202 LDAP 270 bindResponse(3) success
>> 14 0.079974 10.5.1.202 -> 10.5.1.25 TCP 66 40258 → 389 [ACK] Seq=1621 Ack=372 Win=7984 Len=0 TSval=121084519 TSecr=361924304
>> 15 0.085792 10.5.1.202 -> 10.5.1.25 LDAP 402 searchRequest(4) "dc=ad,dc=fvg,dc=lnf,dc=it" wholeSubtree
>> 16 0.086364 10.5.1.25 -> 10.5.1.202 LDAP 574 searchResEntry(4) "CN=gaio,OU=Roaming,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it" | searchResRef(4) | searchResRef(4) | searchResRef(4) | se
>> 17 0.087354 10.5.1.202 -> 10.5.1.25 LDAP 73 unbindRequest(5)
>> 18 0.087401 10.5.1.202 -> 10.5.1.25 TCP 66 40258 → 389 [FIN, ACK] Seq=1964 Ack=880 Win=9056 Len=0 TSval=121084520 TSecr=361924305
>> 19 0.087467 10.5.1.25 -> 10.5.1.202 TCP 66 389 → 40258 [FIN, ACK] Seq=880 Ack=1965 Win=34944 Len=0 TSval=361924306 TSecr=121084520
>> 20 0.087621 10.5.1.202 -> 10.5.1.25 TCP 66 40258 → 389 [ACK] Seq=1965 Ack=881 Win=9056 Len=0 TSval=121084520 TSecr=361924306
>>
>> and the last configuration works. So it seems that the only option compatible
>> with that MFP is the less secure 'ldap server require strong auth = no'.
>>
>>
>> Is there some way to ''tighten'' that configuration,
>> e.g. permit 'ldap server require strong auth = no' only for some hosts?
>> Or some other smb.conf options that I've missed?
>
> Nothing at this stage. The issue is that they need to do fully signed
> or sealed Kerberos SASL.
>
> I agree that a per-IP or per-client whitelist would be a good idea.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
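Added example (not code from the thread, Samba, or any of the posters): a small Python audit that encodes the three 'ldap server require strong auth' policies exactly as the quoted smb.conf text describes them, and walks tshark summary lines in the format quoted above, pairing each bindRequest with its bindResponse per client, so an admin can list which devices are being refused for not signing/sealing (and which send a password in a simple bind over cleartext) before deciding to loosen the DC-wide setting. The second client (10.5.1.77), its DN and the regexes are assumptions; the 10.5.1.202 lines mirror the thread's captures.

```python
import re

# Policy of 'ldap server require strong auth' as the smb.conf text quoted in
# the thread states it; whether SASL was signed/sealed is the caller's input.
def bind_allowed(setting, bind_type, over_tls, signed_or_sealed):
    """True if the DC accepts the bind under the given smb.conf value."""
    if setting == "no":
        return True                       # simple and sasl on any transport
    if bind_type == "sasl" and signed_or_sealed and not over_tls:
        return True                       # plain port: signed/sealed SASL only
    if setting == "allow_sasl_over_tls":
        return over_tls                   # TLS: simple and sasl, even unsigned
    if setting == "yes":
        return over_tls and bind_type == "simple"   # TLS: simple binds only
    raise ValueError("unknown setting: %r" % setting)

# Constructed summary lines in the thread's tshark format; the 10.5.1.77
# client, its port and DN are placeholders, the 10.5.1.202 lines mirror the thread.
SAMPLE = """\
8 32.680120 10.5.1.202 -> 10.5.1.25 TCP 74 40253 → 389 [SYN] Seq=0 Win=5840 Len=0
11 32.685230 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
13 32.686723 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
18 32.722455 10.5.1.202 -> 10.5.1.25 LDAP 107 bindRequest(3) "<ROOT>" sasl
20 32.723143 10.5.1.25 -> 10.5.1.202 LDAP 315 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.)
30 40.000000 10.5.1.77 -> 10.5.1.25 TCP 74 50100 → 389 [SYN] Seq=0 Win=5840 Len=0
31 40.010000 10.5.1.77 -> 10.5.1.25 LDAP 90 bindRequest(1) "cn=mfp-svc,dc=example,dc=test" simple
32 40.012000 10.5.1.25 -> 10.5.1.77 LDAP 80 bindResponse(1) success
""".splitlines()

SYN = re.compile(r'(\S+) -> (\S+) TCP \d+ \d+ \S+ (\d+) \[SYN\]')
BIND_REQ = re.compile(r'(\S+) -> (\S+) LDAP \d+ bindRequest\((\d+)\) "([^"]*)" (simple|sasl)')
BIND_RESP = re.compile(r'(\S+) -> (\S+) LDAP \d+ bindResponse\((\d+)\) (\w+)')

def audit_binds(lines):
    """Pair bindRequest/bindResponse per client; return (client_ip, finding) tuples."""
    port, pending, findings = {}, {}, []  # client -> server port; (client, msgid) -> (type, DN)
    for line in lines:
        if m := SYN.search(line):
            port[m.group(1)] = int(m.group(3))          # 636 would mean LDAPS
        elif m := BIND_REQ.search(line):
            pending[(m.group(1), m.group(3))] = (m.group(5), m.group(4))
        elif m := BIND_RESP.search(line):
            client, msgid, result = m.group(2), m.group(3), m.group(4)
            bind_type, dn = pending.pop((client, msgid), ("unknown", ""))
            over_tls = port.get(client) == 636
            if result == "strongAuthRequired":
                findings.append((client, f"{bind_type} bind rejected: client does not sign/seal"))
            elif bind_type == "simple" and dn not in ("", "<ROOT>") and not over_tls:
                findings.append((client, f"simple bind as {dn} on cleartext port: password exposed"))
    return findings
```

Run `audit_binds` over a `tshark` summary of port 389 traffic on the DC; any client that shows up with "rejected" is one the stricter setting will break, and anonymous `<ROOT>` simple binds (as the BizHub does before its SASL bind) are not flagged.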