Andrea Cucciarre'
2020-Nov-09 14:31 UTC
[Samba] How to configure samba domain member to use LDAPS instead of LDAP
The DC is a Windows AD DC.
Could you please clarify why I should change the setting in the Windows DC instead of the Samba server, which is the one that does the insecure LDAP bind?

Regards
Andrea Cucciarre'

On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>> My customer complains that in the AD DC they see the following insecure communication coming from the Samba server (DC member):
>>
>> "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection."
>>
>> So Samba does an insecure LDAP bind and they are asking how to change Samba so that it does it in a secure way.
>> Any tuning or suggestion to achieve it?
>
> OK, I think you want to see something like this instead:
>
> GSSAPI Connection will be cryptographically signed
>
> Try adding 'server signing = mandatory' to the DC smb.conf (provided it is a Samba DC, otherwise there is probably a registry key that does the same).
>
> Rowland
cn at brain-biotech.de
2020-Nov-09 14:42 UTC
[Samba] How to configure samba domain member to use LDAPS instead of LDAP
What version of Samba is this and do you have "server schannel = no" set in its smb.conf?

Regards
Christian

On 09.11.20 at 15:31, Andrea Cucciarre' via samba wrote:
> The DC is a Windows AD DC.
> Could you please clarify why I should change the setting in the Windows DC instead of the Samba server, which is the one that does the insecure LDAP bind?
>
> Regards
> Andrea Cucciarre'
>
> On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
>> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>>> My customer complains that in the AD DC they see the following insecure communication coming from the Samba server (DC member):
>>>
>>> "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection."
>>>
>>> So Samba does an insecure LDAP bind and they are asking how to change Samba so that it does it in a secure way.
>>> Any tuning or suggestion to achieve it?
>>
>> OK, I think you want to see something like this instead:
>>
>> GSSAPI Connection will be cryptographically signed
>>
>> Try adding 'server signing = mandatory' to the DC smb.conf (provided it is a Samba DC, otherwise there is probably a registry key that does the same).
>>
>> Rowland

--
Dr. Christian Naumer
Unit Head Bioprocess Development

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11

Subscribe to BRAIN's Newsletter: http://www.brain-biotech.com/de/newsletter

Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Management Board: Adriaan Moelker (Chairman of the Board), Lukas Linnig
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
Rowland penny
2020-Nov-09 14:44 UTC
[Samba] How to configure samba domain member to use LDAPS instead of LDAP
On 09/11/2020 14:31, Andrea Cucciarre' wrote:
> The DC is a Windows AD DC.
> Could you please clarify why I should change the setting in the Windows DC instead of the Samba server, which is the one that does the insecure LDAP bind?
>
> Regards
> Andrea Cucciarre'
>
> On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
>> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>>> My customer complains that in the AD DC they see the following insecure communication coming from the Samba server (DC member):
>>>
>>> "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection."
>>>
>>> So Samba does an insecure LDAP bind and they are asking how to change Samba so that it does it in a secure way.
>>> Any tuning or suggestion to achieve it?
>>
>> OK, I think you want to see something like this instead:
>>
>> GSSAPI Connection will be cryptographically signed
>>
>> Try adding 'server signing = mandatory' to the DC smb.conf (provided it is a Samba DC, otherwise there is probably a registry key that does the same).
>>
>> Rowland

One word: 'Negotiation'? The server tells the client it must 'sign' the connection.

Rowland
Andrew Walker
2020-Nov-09 14:46 UTC
[Samba] How to configure samba domain member to use LDAPS instead of LDAP
On Mon, Nov 9, 2020 at 9:43 AM cn--- via samba <samba at lists.samba.org> wrote:
> What version of Samba is this and do you have "server schannel = no" set in its smb.conf?
>
> Regards
> Christian
>
> On 09.11.20 at 15:31, Andrea Cucciarre' via samba wrote:
>> The DC is a Windows AD DC.
>> Could you please clarify why I should change the setting in the Windows DC instead of the Samba server, which is the one that does the insecure LDAP bind?
>>
>> Regards
>> Andrea Cucciarre'
>>
>> On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
>>> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>>>> My customer complains that in the AD DC they see the following insecure communication coming from the Samba server (DC member):
>>>>
>>>> "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection."
>>>>
>>>> So Samba does an insecure LDAP bind and they are asking how to change Samba so that it does it in a secure way.
>>>> Any tuning or suggestion to achieve it?
>>>
>>> OK, I think you want to see something like this instead:
>>>
>>> GSSAPI Connection will be cryptographically signed
>>>
>>> Try adding 'server signing = mandatory' to the DC smb.conf (provided it is a Samba DC, otherwise there is probably a registry key that does the same).
>>>
>>> Rowland

I think that we may need to see the smb.conf of the problem server.
cn at brain-biotech.de
2020-Nov-09 14:48 UTC
[Samba] How to configure samba domain member to use LDAPS instead of LDAP
On 09.11.20 at 15:42, cn--- via samba wrote:
> What version of Samba is this and do you have "server schannel = no" set in its smb.conf?

It might also be something like this option: "client ldap sasl wrapping". So it would really help to see the entire smb.conf.

Regards
Christian

>
> Regards
> Christian
>
> On 09.11.20 at 15:31, Andrea Cucciarre' via samba wrote:
>> The DC is a Windows AD DC.
>> Could you please clarify why I should change the setting in the Windows DC instead of the Samba server, which is the one that does the insecure LDAP bind?
>>
>> Regards
>> Andrea Cucciarre'
>>
>> On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
>>> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>>>> My customer complains that in the AD DC they see the following insecure communication coming from the Samba server (DC member):
>>>>
>>>> "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection."
>>>>
>>>> So Samba does an insecure LDAP bind and they are asking how to change Samba so that it does it in a secure way.
>>>> Any tuning or suggestion to achieve it?
>>>
>>> OK, I think you want to see something like this instead:
>>>
>>> GSSAPI Connection will be cryptographically signed
>>>
>>> Try adding 'server signing = mandatory' to the DC smb.conf (provided it is a Samba DC, otherwise there is probably a registry key that does the same).
>>>
>>> Rowland

--
Dr. Christian Naumer
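The thread ends with two smb.conf parameters to look at on the member server, "client ldap sasl wrapping" and "server schannel", before posting the whole file. The script below is an added example, not code from the thread or from the Samba project: it parses the [global] section of an smb.conf-style text and flags values that would leave the member's LDAP binds unsigned. It assumes the documented value sets of those two parameters (plain/sign/seal with default sign; yes/no/auto with default auto) and uses two constructed sample configurations, one weak and one hardened, rather than anyone's real smb.conf.

```python
"""Audit an smb.conf [global] section for settings that weaken LDAP binds.

Added example (not from the mailing-list thread or the Samba project).
Assumptions, stated here and in the lead-in:
  * 'client ldap sasl wrapping' accepts plain / sign / seal, default sign.
  * 'server schannel' accepts yes / no / auto, default auto.
Both are the parameters the thread asks about; 'plain' is the value that
would produce the DC's "bind without requesting signing" warning.
"""
import re

# Constructed sample: a domain member that explicitly turns signing off.
WEAK_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    client ldap sasl wrapping = plain
    server schannel = no

[homes]
    browseable = no
"""

# Constructed sample: same member with sealing (sign + encrypt) requested.
HARDENED_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS
    client ldap sasl wrapping = seal
"""

# parameter -> (acceptable values, assumed default when the line is absent)
CHECKS = {
    "client ldap sasl wrapping": ({"sign", "seal"}, "sign"),
    "server schannel": ({"yes", "auto"}, "auto"),
}

_SECTION = re.compile(r"^\[(.+)\]$")


def parse_global(text):
    """Return {parameter: value} for the [global] section only.

    Samba ignores case and internal whitespace in parameter names, so names
    are lower-cased and whitespace-collapsed; values are lower-cased.
    """
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        # smb.conf comments are whole lines starting with '#' or ';'
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = " ".join(name.lower().split())
        params[name] = value.strip().lower()
    return params


def audit(text):
    """Return findings as (parameter, effective value, 'explicit'|'default').

    A finding means the effective value is outside the acceptable set; the
    third field tells the reader whether the value was set in the file or
    comes from the assumed default.
    """
    params = parse_global(text)
    findings = []
    for name, (acceptable, default) in CHECKS.items():
        value = params.get(name, default)
        if value not in acceptable:
            origin = "explicit" if name in params else "default"
            findings.append((name, value, origin))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit(conf) or 'no findings'}")
```

On a real member server the same check is more directly done against the effective configuration (`testparm -sv` prints every parameter with defaults filled in), which also resolves the question of whether an unset parameter is at its default; the parser here only models that resolution for the two parameters the thread names.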