samba - Nov 2020 - How to configure samba domain member to use LDAPS instead of LDAP

Hello,

is there any documented procedure to configure a samba domain member (AD 
windows domain) to use LDAPS instead of LDAP

Thanks
Andrea

On 09/11/2020 11:45, Andrea Cucciarre' via samba
wrote:
>
> is there any documented procedure to configure a samba domain member 
> (AD windows domain) to use LDAPS instead of LDAP
The only documentation I know of is here:

https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC

But it is meant for a DC.

Are you talking about using ldaps with ldap searches ? If so, then 
don't, use kerberos instead, it is even more secure.

Rowland

My customer complain that in the AD DC they see the following insecure 
communication coming from the Samba server (DC member):

"The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest)
LDAP bind without requesting signing (integrity verification), or performed a
simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection."

So Samba does an insecure LDAP bind and they are asking how to change Samba so
that it does it in a secure way.
Any tuning or suggestion to achieve it?

Thanks
Andrea


On 11/9/2020 1:03 PM, Rowland penny via samba wrote:
> On 09/11/2020 11:45, Andrea Cucciarre' via samba wrote:
>>
>> is there any documented procedure to configure a samba domain member 
>> (AD windows domain) to use LDAPS instead of LDAP
> The only documentation I know of is here:
>
>
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
>
>
> But it is meant for a DC.
>
> Are you talking about using ldaps with ldap searches ? If so, then 
> don't, use kerberos instead, it is even more secure.
>
> Rowland
>
>
>