Hi! Andrew Bartlett via samba wrote:

> > Is there some way to 'tighten' that configuration, e.g. permit
> > 'ldap server require strong auth = no' only for some hosts?
> > Or some other smb.conf options that I've missed?
> Nothing at this stage.

Ok.

> The issue is that they need to do fully signed or sealed Kerberos SASL.

Sorry, but I'm really a bit confused in this field... Did you forget a 'not' somewhere in this sentence? ;-)

I understood that 'sign or seal' means SASL over TLS/SSL, and my printer supports only SASL, so it is not 'signed and sealed'...

> I agree that a per-IP or per-client whitelist would be a good idea.

I suppose that a trick like:

  include = /etc/samba/smb.conf.%I

does not work for LDAP, but only for the SMB part...

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA [health research])
On Fri, 11 May 2018 09:58:11 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> Hi! Andrew Bartlett via samba wrote:
>
> > > Is there some way to 'tighten' that configuration, e.g. permit
> > > 'ldap server require strong auth = no' only for some hosts?
> > > Or some other smb.conf options that I've missed?
> > Nothing at this stage.
>
> Ok.
>
> > The issue is that they need to do fully signed or sealed Kerberos
> > SASL.
>
> Sorry, but I'm really a bit confused in this field... Did you forget
> a 'not' somewhere in this sentence? ;-)
>
> I understood that 'sign or seal' means SASL over TLS/SSL, and my
> printer supports only SASL, so it is not 'signed and sealed'...

I think that is what Andrew is trying to tell you, the printer needs to
support SASL over TLS/SSL or it will never work. I don't think there is
anything you can do, but I am surprised that the printer doesn't already
support it, after all, it isn't something new ;-)

Rowland
Hi! Rowland Penny via samba wrote:

> I think that is what Andrew is trying to tell you, the printer needs to
> support SASL over TLS/SSL or it will never work. I don't think there is
> anything you can do, but I am surprised that the printer doesn't already
> support it, after all, it isn't something new ;-)

My confusion grows. ;-)

As stated in my previous email, the MFP printer works with this tshark dump (AD with 'ldap server require strong auth = no'):

   1 0.000000 10.5.1.202 -> 10.5.1.25 TCP 74 40258→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=121084503 TSecr=0 WS=16
   2 0.000019 10.5.1.25 -> 10.5.1.202 TCP 74 389→40258 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361924284 TSecr=121084503 WS=128
   3 0.000179 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=121084503 TSecr=361924284
   4 0.003849 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
   5 0.003857 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361924285 TSecr=121084504
   6 0.005388 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
   7 0.005536 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=121084504 TSecr=361924285
   8 0.023918 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2) "<ROOT>" baseObject
   9 0.024364 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2) "<ROOT>" | searchResDone(2) success
  10 0.063587 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=121084516 TSecr=361924290
  11 0.074684 10.5.1.202 -> 10.5.1.25 LDAP 1555 bindRequest(3) "<ROOT>" sasl
  12 0.074698 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361924302 TSecr=121084518
  13 0.079764 10.5.1.25 -> 10.5.1.202 LDAP 270 bindResponse(3) success
  14 0.079974 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=1621 Ack=372 Win=7984 Len=0 TSval=121084519 TSecr=361924304
  15 0.085792 10.5.1.202 -> 10.5.1.25 LDAP 402 searchRequest(4) "dc=ad,dc=fvg,dc=lnf,dc=it" wholeSubtree
  16 0.086364 10.5.1.25 -> 10.5.1.202 LDAP 574 searchResEntry(4) "CN=gaio,OU=Roaming,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it" | searchResRef(4) | searchResRef(4) | searchResRef(4) | se
  17 0.087354 10.5.1.202 -> 10.5.1.25 LDAP 73 unbindRequest(5)
  18 0.087401 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [FIN, ACK] Seq=1964 Ack=880 Win=9056 Len=0 TSval=121084520 TSecr=361924305
  19 0.087467 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [FIN, ACK] Seq=880 Ack=1965 Win=34944 Len=0 TSval=361924306 TSecr=121084520
  20 0.087621 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=1965 Ack=881 Win=9056 Len=0 TSval=121084520 TSecr=361924306

and clearly this is an example of SASL over PLAIN LDAP, no TLS nor SSL, because I can 'see' the query (if it were TLS/SSL, I'd see the SSL/TLS handshake and then only 'data').

So it seems that my MFP uses plain SASL, and so I'm a bit confused about what 'sign and seal' means. ;)

-- 
dott. Marco Gaiarin
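The capture above already answers Marco's question if read the right way: frame 11 is a SASL bind, but frame 15 is a searchRequest that tshark decodes in the clear, so the bind negotiated no SASL security layer (no signing, no sealing), which is what "sign and seal" refers to. The following is an added example, not part of the thread and not Samba code: a small triage script that reads a tshark one-line summary (`tshark -r printer.pcap -Y ldap`) and flags exactly that pattern, plus cleartext simple binds. It keys state per client/server pair, treats `extendedResp ... LDAP_START_TLS_OID` as the switch to TLS, and assumes that tshark renders a SASL-wrapped message as something other than a bare `searchRequest(n) ...` line and a refusal under `ldap server require strong auth = yes` as `bindResponse(n) strongerAuthRequired`; those renderings, and the two extra sample exchanges, are constructed assumptions rather than captures from the page.

```python
"""Triage the LDAP binds in a tshark one-line summary (tshark -r x.pcap -Y ldap).
Added example, not Samba's code. Heuristics are stated in the comments."""
import re

SUMMARY_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+\d+\s+(?P<info>.*)$")
BIND_RE = re.compile(r'^bindRequest\(\d+\)\s+"(?P<dn>[^"]*)"\s+(?P<method>simple|sasl)')
OP_RE = re.compile(r"^(?P<op>[A-Za-z]+)\(\d+\)")
SEVERITY = {"INFO": 0, "WARN": 1, "HIGH": 2, "CRITICAL": 3}


def classify(lines):
    """Return [(frame, severity, message)] for each notable LDAP event."""
    flows, findings = {}, []
    for raw in lines:
        m = SUMMARY_RE.match(raw)
        if not m or m["proto"] != "LDAP":
            continue                      # TCP handshake/ACK lines, junk
        flow = flows.setdefault(tuple(sorted((m["src"], m["dst"]))),
                                {"tls": False, "sasl": False})
        frame, info = int(m["frame"]), m["info"]

        # Assumption: StartTLS completion renders as extendedResp + OID name.
        if info.startswith("extendedResp") and "LDAP_START_TLS_OID" in info:
            flow["tls"] = True
            findings.append((frame, "INFO", "StartTLS negotiated"))
            continue

        bind = BIND_RE.match(info)
        if bind:
            dn, method = bind["dn"], bind["method"]
            if method == "sasl":
                flow["sasl"] = True
                where = "over TLS" if flow["tls"] else "on cleartext LDAP"
                findings.append((frame, "INFO", f"SASL bind {where}"))
            elif dn == "<ROOT>":          # empty DN: anonymous, no password sent
                findings.append((frame, "INFO", "anonymous simple bind"))
            elif flow["tls"]:
                findings.append((frame, "WARN",
                                 f"simple bind as {dn}: password protected by TLS only"))
            else:
                findings.append((frame, "CRITICAL",
                                 f"simple bind as {dn} without TLS: password on the wire"))
            continue

        # Assumption: the DC's refusal (resultCode 8) renders with this name.
        if info.startswith("bindResponse") and "strongerAuthRequired" in info:
            findings.append((frame, "INFO", "DC refused the bind: stronger auth required"))
            continue

        # A bare operation decoded after a SASL bind on plain LDAP means the
        # bind installed no integrity/confidentiality layer (assumption: tshark
        # would not render a SASL-wrapped message as a bare "searchRequest(n)").
        op = OP_RE.match(info)
        if (op and flow["sasl"] and not flow["tls"]
                and op["op"] not in ("bindResponse", "unbindRequest")):
            findings.append((frame, "HIGH",
                             f"{op['op']} readable after SASL bind: no sign/seal layer negotiated"))
            flow["sasl"] = False          # one report per flow is enough
    return findings


def worst(findings):
    """Highest severity present, INFO when nothing was found."""
    return max((f[1] for f in findings), key=SEVERITY.get, default="INFO")


# The MFP's exchange from the thread (LDAP frames plus one TCP line to show it is skipped).
PRINTER_DUMP = [
    '3 0.000179 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0',
    '4 0.003849 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple',
    '6 0.005388 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success',
    '8 0.023918 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2) "<ROOT>" baseObject',
    '9 0.024364 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2) "<ROOT>" | searchResDone(2) success',
    '11 0.074684 10.5.1.202 -> 10.5.1.25 LDAP 1555 bindRequest(3) "<ROOT>" sasl',
    '13 0.079764 10.5.1.25 -> 10.5.1.202 LDAP 270 bindResponse(3) success',
    '15 0.085792 10.5.1.202 -> 10.5.1.25 LDAP 402 searchRequest(4) "dc=ad,dc=fvg,dc=lnf,dc=it" wholeSubtree',
    '16 0.086364 10.5.1.25 -> 10.5.1.202 LDAP 574 searchResEntry(4) "CN=gaio,OU=Roaming,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it"',
    '17 0.087354 10.5.1.202 -> 10.5.1.25 LDAP 73 unbindRequest(5)',
]
# Constructed: a device doing a cleartext simple bind that the DC refuses.
REFUSED_SIMPLE = [
    '1 0.000100 10.5.1.203 -> 10.5.1.25 LDAP 98 bindRequest(1) "CN=mfp,OU=Printers,DC=ad,DC=fvg,DC=lnf,DC=it" simple',
    '2 0.000400 10.5.1.25 -> 10.5.1.203 LDAP 120 bindResponse(1) strongerAuthRequired',
]
# Constructed: StartTLS first; tshark would show only TLS records after frame 2.
STARTTLS_FIRST = [
    '1 0.000100 10.5.1.204 -> 10.5.1.25 LDAP 90 extendedReq(1) LDAP_START_TLS_OID',
    '2 0.000300 10.5.1.25 -> 10.5.1.204 LDAP 80 extendedResp(1) LDAP_START_TLS_OID',
]

if __name__ == "__main__":
    for name, dump in (("printer", PRINTER_DUMP), ("refused", REFUSED_SIMPLE),
                       ("starttls", STARTTLS_FIRST)):
        print(f"== {name}: worst={worst(classify(dump))}")
        for frame, sev, msg in classify(dump):
            print(f"  frame {frame:>3} {sev:<8} {msg}")
```

On the printer capture the script reports the anonymous bind, the SASL bind on cleartext LDAP, and a HIGH finding on frame 15, which is the "plain SASL" Marco observes: the mechanism authenticated but did not wrap the session, so the DC with `ldap server require strong auth = yes` will refuse it. Two readings to keep in mind: the anonymous bind plus rootDSE search (frames 4 and 8) is normal discovery, not a credential leak, and the heuristics only see what tshark decodes, so LDAPS on 636 would need the session keys to be triaged at all.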
> > I agree that a per-IP or per-client whitelist would be a good idea.
> I suppose that a trick like:
>
>   include = /etc/samba/smb.conf.%I
>
> does not work for LDAP, but only for the SMB part...

OK, I gave it a try, and indeed it does not work. ;-(

-- 
dott. Marco Gaiarin
On Fri, 2018-05-11 at 09:13 +0100, Rowland Penny via samba wrote:
> On Fri, 11 May 2018 09:58:11 +0200
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> > Hi! Andrew Bartlett via samba wrote:
> >
> > > > Is there some way to 'tighten' that configuration, e.g. permit
> > > > 'ldap server require strong auth = no' only for some hosts?
> > > > Or some other smb.conf options that I've missed?
> > > Nothing at this stage.
> >
> > Ok.
> >
> > > The issue is that they need to do fully signed or sealed Kerberos
> > > SASL.
> >
> > Sorry, but I'm really a bit confused in this field... Did you forget
> > a 'not' somewhere in this sentence? ;-)
> >
> > I understood that 'sign or seal' means SASL over TLS/SSL, and my
> > printer supports only SASL, so it is not 'signed and sealed'...
>
> I think that is what Andrew is trying to tell you, the printer needs to
> support SASL over TLS/SSL or it will never work.

Not quite. While that combination sounds really secure, without the
channel binding that we don't implement yet, it is actually almost as bad
as not using TLS/SSL. We prefer SASL using the SASL mech to do the
signing and sealing.

> I don't think there is
> anything you can do, but I am surprised that the printer doesn't already
> support it, after all, it isn't something new ;-)

That is the real issue here. Finding combinations that don't suck
security wise and are supported by printers.

The long term solution on the Samba end will likely be a 'printer
account exception' scheme, where an account with few real privileges can
be made exempt from these things (which matter more for Domain Admins).

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
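Andrew's objection to "SASL over TLS" is the relay problem: TLS protects the bytes between the client and whatever terminates its TLS session, but nothing ties the Kerberos authentication to that session, so a man in the middle who gets the client to connect to it (a printer that does not validate certificates will happily do so) can open its own TLS session to the DC and forward the SASL tokens unchanged. Channel binding closes that gap by putting a fingerprint of the TLS server certificate into the Kerberos authenticator, which the attacker cannot alter. The following is an added example, not code from the thread or from Samba: it computes the RFC 5929 tls-server-end-point binding, including its rule that MD5 and SHA-1 signatures are hashed with SHA-256, and plays the direct and relayed bind through a DC-side check with and without enforcement. The "certificates" are constructed byte strings standing in for DER-encoded X.509; a real client hashes the leaf certificate it received in the handshake. The permissive smb.conf value `ldap server require strong auth = allow_sasl_over_tls` is exactly the configuration this models, which is why the Samba team prefers the SASL mechanism's own sign/seal layer, which protects every operation whether or not TLS is in play.

```python
"""RFC 5929 tls-server-end-point channel binding and the relay it stops.
Added example, not Samba code. Certificates here are constructed byte
strings standing in for DER-encoded X.509."""
import hashlib

# RFC 5929 section 4.1: hash the certificate with the hash function of its
# signature algorithm, except that MD5 and SHA-1 are replaced by SHA-256.
_UPGRADE = {"md5": "sha256", "sha1": "sha256"}


def tls_server_end_point(cert_der: bytes, sig_hash: str) -> bytes:
    """Channel binding data derived from the server certificate a peer saw."""
    algo = _UPGRADE.get(sig_hash.lower(), sig_hash.lower())
    return b"tls-server-end-point:" + hashlib.new(algo, cert_der).digest()


def dc_accepts_bind(dc_cert_der: bytes, dc_sig_hash: str,
                    cbt_in_authenticator: bytes, require_cb: bool) -> bool:
    """DC-side check on a GSSAPI/Kerberos bind arriving over TLS.

    The client placed its channel binding in the Kerberos authenticator,
    which a relay cannot modify. The DC recomputes the binding for its own
    TLS endpoint and compares. With require_cb=False (the "SASL over TLS
    without channel binding" case from the thread) the field is ignored and
    a relayed bind is indistinguishable from a direct one."""
    if not require_cb:
        return True
    return cbt_in_authenticator == tls_server_end_point(dc_cert_der, dc_sig_hash)


def relay_scenario(require_cb: bool) -> dict:
    """Direct bind vs. bind relayed by a TLS-terminating man in the middle."""
    dc_cert = b"constructed DER: the DC's certificate, sha256WithRSAEncryption"
    mitm_cert = b"constructed DER: the attacker's certificate, sha256WithRSAEncryption"
    # Direct: the client's TLS peer is the DC, so both sides hash the same cert.
    direct = dc_accepts_bind(dc_cert, "sha256",
                             tls_server_end_point(dc_cert, "sha256"), require_cb)
    # Relayed: the client's TLS peer is the attacker, so the client binds its
    # authenticator to the attacker's cert; the attacker forwards the SASL
    # tokens over its own TLS session to the DC, which hashes its own cert.
    relayed = dc_accepts_bind(dc_cert, "sha256",
                              tls_server_end_point(mitm_cert, "sha256"), require_cb)
    return {"direct": direct, "relayed": relayed}


if __name__ == "__main__":
    print("channel binding enforced:", relay_scenario(True))
    print("channel binding ignored: ", relay_scenario(False))
```

With enforcement the relayed bind fails and the direct one succeeds; without it both succeed, which is the "almost as bad as not using TLS" outcome. Note what the binding does not do: it says nothing about the operations after the bind, so a client that binds over TLS with channel binding but then talks plain LDAP on another connection is still exposed, whereas a GSSAPI security layer (sign/seal) travels with the session itself.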