samba - Nov 2020 - How to configure samba domain member to use LDAPS instead of LDAP

Am 09.11.20 um 15:42 schrieb cn--- via samba:
> What version of Samba is this and do you have "server schannel =
no" set
> in its smb.conf?
It might also be some thing like this option "client ldap sasl 
wrapping". So it would really help to see the entire smb.conf


Regards

Christian
> 
> 
> Regards
> 
> Christian
> 
> Am 09.11.20 um 15:31 schrieb Andrea Cucciarre' via samba:
>> The DC is a Windows AD DC.
>> Could you please clarify why i should change setting in the Windows DC 
>> instead of the Samba server, which is the one that does the insecure 
>> ldap bind?
>>
>> Regards
>> Andrea Cucciarre'
>>
>>
>> On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
>>> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>>>> My customer complain that in the AD DC they see the following 
>>>> insecure communication coming from the Samba server (DC
member):
>>>>
>>>> "The following client performed a SASL 
>>>> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting 
>>>> signing (integrity verification), or performed a simple bind
over a
>>>> cleartext (non-SSL/TLS-encrypted) LDAP connection."
>>>>
>>>> So Samba does an insecure LDAP bind and they are asking how to 
>>>> change Samba so that it does it in a secure way.
>>>> Any tuning or suggestion to achieve it?
>>>
>>> OK, I think you want to see something like this instead:
>>>
>>> GSSAPI Connection will be cryptographically signed
>>>
>>> Try adding 'server signing = mandatory' to the DC smb.conf
(provided
>>> it is a Samba DC, otherwise there is probably a registry key that 
>>> does the same).
>>>
>>> Rowland
>>>
>>>
>>>
>>
>>
> 
-- 
Dr. Christian Naumer
Unit Head Bioprocess Development

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30  /   fax +49-6251-9331-11

Subscribe to BRAIN's Newsletter:
http://www.brain-biotech.com/de/newsletter

Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Adriaan Moelker (Vorstandsvorsitzender), 
Lukas Linnig
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen

I will provide the whole smb.conf, but I can anticipate that I don't 
have any setting for server schannel, while client ldap sasl wrapping = 
plain

Regards
Andrea Cucciarre'



On 11/9/2020 3:48 PM, cn--- via samba wrote:
> Am 09.11.20 um 15:42 schrieb cn--- via samba:
>> What version of Samba is this and do you have "server schannel =
no"
>> set in its smb.conf?
> It might also be some thing like this option "client ldap sasl 
> wrapping". So it would really help to see the entire smb.conf
>
>
> Regards
>
> Christian
>
>>
>>
>> Regards
>>
>> Christian
>>
>> Am 09.11.20 um 15:31 schrieb Andrea Cucciarre' via samba:
>>> The DC is a Windows AD DC.
>>> Could you please clarify why i should change setting in the Windows
>>> DC instead of the Samba server, which is the one that does the 
>>> insecure ldap bind?
>>>
>>> Regards
>>> Andrea Cucciarre'
>>>
>>>
>>> On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
>>>> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>>>>> My customer complain that in the AD DC they see the
following
>>>>> insecure communication coming from the Samba server (DC
member):
>>>>>
>>>>> "The following client performed a SASL 
>>>>> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without
requesting
>>>>> signing (integrity verification), or performed a simple
bind over
>>>>> a cleartext (non-SSL/TLS-encrypted) LDAP connection."
>>>>>
>>>>> So Samba does an insecure LDAP bind and they are asking how
to
>>>>> change Samba so that it does it in a secure way.
>>>>> Any tuning or suggestion to achieve it?
>>>>
>>>> OK, I think you want to see something like this instead:
>>>>
>>>> GSSAPI Connection will be cryptographically signed
>>>>
>>>> Try adding 'server signing = mandatory' to the DC
smb.conf
>>>> (provided it is a Samba DC, otherwise there is probably a
registry
>>>> key that does the same).
>>>>
>>>> Rowland
>>>>
>>>>
>>>>
>>>
>>>
>>
>

On Mon, Nov 9, 2020 at 10:05 AM Andrea Cucciarre' via samba <
samba at lists.samba.org> wrote:
> I will provide the whole smb.conf, but I can anticipate that I don't
> have any setting for server schannel, while client ldap sasl wrapping >
plain
>
> Well, that's your problem. Signing is explicitly disabled. Remove that
line (default is "sign").