samba - Nov 2020 - How to configure samba domain member to use LDAPS instead of LDAP

The DC is a Windows AD DC.
Could you please clarify why i should change setting in the Windows DC 
instead of the Samba server, which is the one that does the insecure 
ldap bind?

Regards
Andrea Cucciarre'


On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>> My customer complain that in the AD DC they see the following 
>> insecure communication coming from the Samba server (DC member):
>>
>> "The following client performed a SASL 
>> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing 
>> (integrity verification), or performed a simple bind over a cleartext 
>> (non-SSL/TLS-encrypted) LDAP connection."
>>
>> So Samba does an insecure LDAP bind and they are asking how to change 
>> Samba so that it does it in a secure way.
>> Any tuning or suggestion to achieve it?
>
> OK, I think you want to see something like this instead:
>
> GSSAPI Connection will be cryptographically signed
>
> Try adding 'server signing = mandatory' to the DC smb.conf
(provided
> it is a Samba DC, otherwise there is probably a registry key that does 
> the same).
>
> Rowland
>
>
>

What version of Samba is this and do you have "server schannel = no"
set
in its smb.conf?


Regards

Christian

Am 09.11.20 um 15:31 schrieb Andrea Cucciarre' via
samba:
> The DC is a Windows AD DC.
> Could you please clarify why i should change setting in the Windows DC 
> instead of the Samba server, which is the one that does the insecure 
> ldap bind?
> 
> Regards
> Andrea Cucciarre'
> 
> 
> On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
>> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>>> My customer complain that in the AD DC they see the following 
>>> insecure communication coming from the Samba server (DC member):
>>>
>>> "The following client performed a SASL 
>>> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting
signing
>>> (integrity verification), or performed a simple bind over a
cleartext
>>> (non-SSL/TLS-encrypted) LDAP connection."
>>>
>>> So Samba does an insecure LDAP bind and they are asking how to
change
>>> Samba so that it does it in a secure way.
>>> Any tuning or suggestion to achieve it?
>>
>> OK, I think you want to see something like this instead:
>>
>> GSSAPI Connection will be cryptographically signed
>>
>> Try adding 'server signing = mandatory' to the DC smb.conf
(provided
>> it is a Samba DC, otherwise there is probably a registry key that does 
>> the same).
>>
>> Rowland
>>
>>
>>
> 
> 
-- 
Dr. Christian Naumer
Unit Head Bioprocess Development

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30  /   fax +49-6251-9331-11

Subscribe to BRAIN's Newsletter:
http://www.brain-biotech.com/de/newsletter

Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Adriaan Moelker (Vorstandsvorsitzender), 
Lukas Linnig
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen

On 09/11/2020 14:31, Andrea Cucciarre' wrote:
> The DC is a Windows AD DC.
> Could you please clarify why i should change setting in the Windows DC 
> instead of the Samba server, which is the one that does the insecure 
> ldap bind?
>
> Regards
> Andrea Cucciarre'
>
>
> On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
>> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>>> My customer complain that in the AD DC they see the following 
>>> insecure communication coming from the Samba server (DC member):
>>>
>>> "The following client performed a SASL 
>>> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting 
>>> signing (integrity verification), or performed a simple bind over a
>>> cleartext (non-SSL/TLS-encrypted) LDAP connection."
>>>
>>> So Samba does an insecure LDAP bind and they are asking how to 
>>> change Samba so that it does it in a secure way.
>>> Any tuning or suggestion to achieve it?
>>
>> OK, I think you want to see something like this instead:
>>
>> GSSAPI Connection will be cryptographically signed
>>
>> Try adding 'server signing = mandatory' to the DC smb.conf
(provided
>> it is a Samba DC, otherwise there is probably a registry key that 
>> does the same).
>>
>> Rowland
>>
>>
>>
>
One word 'Negotiation' ?

The server tells the client it must 'sign' the connection.

Rowland

On Mon, Nov 9, 2020 at 9:43 AM cn--- via samba <samba at lists.samba.org>
wrote:
> What version of Samba is this and do you have "server schannel =
no" set
> in its smb.conf?
>
>
> Regards
>
> Christian
>
> Am 09.11.20 um 15:31 schrieb Andrea Cucciarre' via samba:
> > The DC is a Windows AD DC.
> > Could you please clarify why i should change setting in the Windows DC
> > instead of the Samba server, which is the one that does the insecure
> > ldap bind?
> >
> > Regards
> > Andrea Cucciarre'
> >
> >
> > On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
> >> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
> >>> My customer complain that in the AD DC they see the following
> >>> insecure communication coming from the Samba server (DC
member):
> >>>
> >>> "The following client performed a SASL
> >>> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting
signing
> >>> (integrity verification), or performed a simple bind over a
cleartext
> >>> (non-SSL/TLS-encrypted) LDAP connection."
> >>>
> >>> So Samba does an insecure LDAP bind and they are asking how to
change
> >>> Samba so that it does it in a secure way.
> >>> Any tuning or suggestion to achieve it?
> >>
> >> OK, I think you want to see something like this instead:
> >>
> >> GSSAPI Connection will be cryptographically signed
> >>
> >> Try adding 'server signing = mandatory' to the DC smb.conf
(provided
> >> it is a Samba DC, otherwise there is probably a registry key that
does
> >> the same).
> >>
> >> Rowland
> >>
> >>
> >>
> >
> >
>
> --
> Dr. Christian Naumer
> Unit Head Bioprocess Development
>
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> fon +49-6251-9331-30  /   fax +49-6251-9331-11
>
> Subscribe to BRAIN's Newsletter:
> http://www.brain-biotech.com/de/newsletter
>
> Sitz der Gesellschaft: Zwingenberg/Bergstrasse
> Registergericht AG Darmstadt, HRB 24758
> Vorstand: Adriaan Moelker (Vorstandsvorsitzender),
> Lukas Linnig
> Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

I think that we may need to see the smb.conf of the problem server.

Am 09.11.20 um 15:42 schrieb cn--- via samba:
> What version of Samba is this and do you have "server schannel =
no" set
> in its smb.conf?
It might also be some thing like this option "client ldap sasl 
wrapping". So it would really help to see the entire smb.conf


Regards

Christian
> 
> 
> Regards
> 
> Christian
> 
> Am 09.11.20 um 15:31 schrieb Andrea Cucciarre' via samba:
>> The DC is a Windows AD DC.
>> Could you please clarify why i should change setting in the Windows DC 
>> instead of the Samba server, which is the one that does the insecure 
>> ldap bind?
>>
>> Regards
>> Andrea Cucciarre'
>>
>>
>> On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
>>> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>>>> My customer complain that in the AD DC they see the following 
>>>> insecure communication coming from the Samba server (DC
member):
>>>>
>>>> "The following client performed a SASL 
>>>> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting 
>>>> signing (integrity verification), or performed a simple bind
over a
>>>> cleartext (non-SSL/TLS-encrypted) LDAP connection."
>>>>
>>>> So Samba does an insecure LDAP bind and they are asking how to 
>>>> change Samba so that it does it in a secure way.
>>>> Any tuning or suggestion to achieve it?
>>>
>>> OK, I think you want to see something like this instead:
>>>
>>> GSSAPI Connection will be cryptographically signed
>>>
>>> Try adding 'server signing = mandatory' to the DC smb.conf
(provided
>>> it is a Samba DC, otherwise there is probably a registry key that 
>>> does the same).
>>>
>>> Rowland
>>>
>>>
>>>
>>
>>
> 
-- 
Dr. Christian Naumer
Unit Head Bioprocess Development

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30  /   fax +49-6251-9331-11

Subscribe to BRAIN's Newsletter:
http://www.brain-biotech.com/de/newsletter

Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Adriaan Moelker (Vorstandsvorsitzender), 
Lukas Linnig
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen