Andrea Cucciarre'
2020-Nov-09 13:28 UTC
[Samba] How to configure samba domain member to use LDAPS instead of LDAP
My customer complains that in the AD DC they see the following insecure communication coming from the Samba server (DC member):

"The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection."

So Samba does an insecure LDAP bind and they are asking how to change Samba so that it does it in a secure way.
Any tuning or suggestion to achieve it?

Thanks
Andrea

On 11/9/2020 1:03 PM, Rowland penny via samba wrote:
> On 09/11/2020 11:45, Andrea Cucciarre' via samba wrote:
>>
>> Is there any documented procedure to configure a samba domain member
>> (AD windows domain) to use LDAPS instead of LDAP?
> The only documentation I know of is here:
>
> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
>
> But it is meant for a DC.
>
> Are you talking about using ldaps with ldap searches? If so, then
> don't, use kerberos instead, it is even more secure.
>
> Rowland
Andrea Cucciarre'
2020-Nov-09 13:48 UTC
[Samba] How to configure samba domain member to use LDAPS instead of LDAP
I have found out the smb.conf options: ldap ssl, ldap ssl ads.
Moreover it seems the samba I'm using is not compiled with the SSL option:

/opt/samba/sbin/smbd -b | grep -i with
   WITH_UTMP
   HAVE_KRB5_ENCTYPE_TO_STRING_WITH_KRB5_CONTEXT_ARG
--with Options:
   WITH_ADS
   WITH_AUTOMOUNT
   WITH_DNS_UPDATES
   WITH_PAM
   WITH_PAM_MODULES
   WITH_PTHREADPOOL
   WITH_QUOTAS
   WITH_SYSLOG
   WITH_WINBIND
   TIME_WITH_SYS_TIME

Do you believe that using a Samba compiled with SSL will address it?

Regards
Andrea Cucciarre'
Global Technical Support Manager
Cloudian Inc.

On 11/9/2020 2:28 PM, Andrea Cucciarre' wrote:
> My customer complains that in the AD DC they see the following insecure
> communication coming from the Samba server (DC member):
>
> "The following client performed a SASL
> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing
> (integrity verification), or performed a simple bind over a cleartext
> (non-SSL/TLS-encrypted) LDAP connection."
>
> So Samba does an insecure LDAP bind and they are asking how to change
> Samba so that it does it in a secure way.
> Any tuning or suggestion to achieve it?
>
> Thanks
> Andrea
>
>
> On 11/9/2020 1:03 PM, Rowland penny via samba wrote:
>> On 09/11/2020 11:45, Andrea Cucciarre' via samba wrote:
>>>
>>> Is there any documented procedure to configure a samba domain member
>>> (AD windows domain) to use LDAPS instead of LDAP?
>> The only documentation I know of is here:
>>
>> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
>>
>> But it is meant for a DC.
>>
>> Are you talking about using ldaps with ldap searches? If so, then
>> don't, use kerberos instead, it is even more secure.
>>
>> Rowland
Rowland penny
2020-Nov-09 14:13 UTC
[Samba] How to configure samba domain member to use LDAPS instead of LDAP
On 09/11/2020 13:28, Andrea Cucciarre' wrote:
> My customer complains that in the AD DC they see the following insecure
> communication coming from the Samba server (DC member):
>
> "The following client performed a SASL
> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing
> (integrity verification), or performed a simple bind over a cleartext
> (non-SSL/TLS-encrypted) LDAP connection."
>
> So Samba does an insecure LDAP bind and they are asking how to change
> Samba so that it does it in a secure way.
> Any tuning or suggestion to achieve it?

OK, I think you want to see something like this instead:

GSSAPI Connection will be cryptographically signed

Try adding 'server signing = mandatory' to the DC smb.conf (provided it is a Samba DC, otherwise there is probably a registry key that does the same).

Rowland
Andrea Cucciarre'
2020-Nov-09 14:31 UTC
[Samba] How to configure samba domain member to use LDAPS instead of LDAP
The DC is a Windows AD DC.
Could you please clarify why I should change the setting in the Windows DC instead of the Samba server, which is the one that does the insecure LDAP bind?

Regards
Andrea Cucciarre'

On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>> My customer complains that in the AD DC they see the following
>> insecure communication coming from the Samba server (DC member):
>>
>> "The following client performed a SASL
>> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing
>> (integrity verification), or performed a simple bind over a cleartext
>> (non-SSL/TLS-encrypted) LDAP connection."
>>
>> So Samba does an insecure LDAP bind and they are asking how to change
>> Samba so that it does it in a secure way.
>> Any tuning or suggestion to achieve it?
>
> OK, I think you want to see something like this instead:
>
> GSSAPI Connection will be cryptographically signed
>
> Try adding 'server signing = mandatory' to the DC smb.conf (provided
> it is a Samba DC, otherwise there is probably a registry key that does
> the same).
>
> Rowland
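An added checker, not from the thread or from the Samba project, for the member-side smb.conf parameter that decides whether winbind's SASL (GSSAPI) LDAP binds to the DC are signed: `client ldap sasl wrapping`, whose `plain` value produces exactly the unsigned bind the DC warning quoted above describes, while `sign` or `seal` integrity-protects it. The smb.conf fragments are constructed, the function names are mine, and the treatment of the `ldap ssl ads` option named in the thread follows the smb.conf manual for the Samba versions that still accept it.

```python
import re

# Constructed smb.conf fragments for a Samba AD domain member (not from the
# thread). The first leaves winbind's LDAP binds to the DC unsigned; the
# second asks for SASL signing plus sealing.
WEAK_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    client ldap sasl wrapping = plain
"""
# Same configuration with the one parameter that matters hardened.
HARDENED_SMB_CONF = WEAK_SMB_CONF.replace("plain", "seal")


def parse_global(text):
    """Return [global] parameters as {normalised name: value}. Samba matches
    parameter names case-insensitively and ignores whitespace inside them;
    lines starting with '#' or ';' are comments."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip().lower()
    return params


def ldap_bind_protection(text):
    """Classify how the member protects its SASL LDAP binds to the DC."""
    p = parse_global(text)
    wrapping = p.get("clientldapsaslwrapping")  # plain | sign | seal | None
    # 'ldap ssl ads = yes' (deprecated) requests TLS on AD LDAP connections
    # and only takes effect together with 'ldap ssl'; 'ldap ssl' alone only
    # governs an ldapsam passdb backend, so it is not a fix on its own here.
    starttls_ads = p.get("ldapsslads") == "yes" and p.get("ldapssl") == "start tls"
    if wrapping in ("sign", "seal"):
        finding = f"SASL wrapping '{wrapping}': binds are integrity-protected"
    elif wrapping == "plain":
        finding = "SASL wrapping 'plain': DC will log an unsigned LDAP bind"
    else:
        finding = "not set: default depends on Samba version, check 'testparm -v'"
    return {"sasl_wrapping": wrapping, "starttls_ads": starttls_ads,
            "signed": None if wrapping is None else wrapping in ("sign", "seal"),
            "finding": finding}
```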