cn at brain-biotech.de
2020-Nov-09 14:48 UTC
[Samba] How to configure samba domain member to use LDAPS instead of LDAP
On 09.11.20 at 15:42, cn--- via samba wrote:
> What version of Samba is this and do you have "server schannel = no" set
> in its smb.conf?

It might also be something like this option "client ldap sasl wrapping".
So it would really help to see the entire smb.conf.

Regards

Christian

> Regards
>
> Christian
>
> On 09.11.20 at 15:31, Andrea Cucciarre' via samba wrote:
>> The DC is a Windows AD DC.
>> Could you please clarify why I should change the setting in the Windows DC
>> instead of the Samba server, which is the one that does the insecure
>> ldap bind?
>>
>> Regards
>> Andrea Cucciarre'
>>
>> On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
>>> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>>>> My customer complains that in the AD DC they see the following
>>>> insecure communication coming from the Samba server (DC member):
>>>>
>>>> "The following client performed a SASL
>>>> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting
>>>> signing (integrity verification), or performed a simple bind over a
>>>> cleartext (non-SSL/TLS-encrypted) LDAP connection."
>>>>
>>>> So Samba does an insecure LDAP bind and they are asking how to
>>>> change Samba so that it does it in a secure way.
>>>> Any tuning or suggestion to achieve it?
>>>
>>> OK, I think you want to see something like this instead:
>>>
>>> GSSAPI Connection will be cryptographically signed
>>>
>>> Try adding 'server signing = mandatory' to the DC smb.conf (provided
>>> it is a Samba DC, otherwise there is probably a registry key that
>>> does the same).
>>>
>>> Rowland

--
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30 / fax +49-6251-9331-11
Subscribe to BRAIN's Newsletter: http://www.brain-biotech.com/de/newsletter
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Executive board: Adriaan Moelker (chairman), Lukas Linnig
Chairman of the supervisory board: Dr. Georg Kellinghusen
Andrea Cucciarre'
2020-Nov-09 15:04 UTC
[Samba] How to configure samba domain member to use LDAPS instead of LDAP
I will provide the whole smb.conf, but I can anticipate that I don't have
any setting for server schannel, while client ldap sasl wrapping = plain.

Regards
Andrea Cucciarre'

On 11/9/2020 3:48 PM, cn--- via samba wrote:
> On 09.11.20 at 15:42, cn--- via samba wrote:
>> What version of Samba is this and do you have "server schannel = no"
>> set in its smb.conf?
> It might also be something like this option "client ldap sasl
> wrapping". So it would really help to see the entire smb.conf.
>
> Regards
>
> Christian
>
>> Regards
>>
>> Christian
>>
>> On 09.11.20 at 15:31, Andrea Cucciarre' via samba wrote:
>>> The DC is a Windows AD DC.
>>> Could you please clarify why I should change the setting in the Windows
>>> DC instead of the Samba server, which is the one that does the
>>> insecure ldap bind?
>>>
>>> Regards
>>> Andrea Cucciarre'
>>>
>>> On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
>>>> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>>>>> My customer complains that in the AD DC they see the following
>>>>> insecure communication coming from the Samba server (DC member):
>>>>>
>>>>> "The following client performed a SASL
>>>>> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting
>>>>> signing (integrity verification), or performed a simple bind over
>>>>> a cleartext (non-SSL/TLS-encrypted) LDAP connection."
>>>>>
>>>>> So Samba does an insecure LDAP bind and they are asking how to
>>>>> change Samba so that it does it in a secure way.
>>>>> Any tuning or suggestion to achieve it?
>>>>
>>>> OK, I think you want to see something like this instead:
>>>>
>>>> GSSAPI Connection will be cryptographically signed
>>>>
>>>> Try adding 'server signing = mandatory' to the DC smb.conf
>>>> (provided it is a Samba DC, otherwise there is probably a registry
>>>> key that does the same).
>>>>
>>>> Rowland
Andrew Walker
2020-Nov-09 15:24 UTC
[Samba] How to configure samba domain member to use LDAPS instead of LDAP
On Mon, Nov 9, 2020 at 10:05 AM Andrea Cucciarre' via samba <samba at lists.samba.org> wrote:
> I will provide the whole smb.conf, but I can anticipate that I don't
> have any setting for server schannel, while client ldap sasl wrapping
> = plain

Well, that's your problem. Signing is explicitly disabled. Remove that
line (default is "sign").
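To make the fix concrete, here is an added smb.conf illustration (not a configuration from this thread or from the Samba project): the member's `[global]` section with the weak setting that triggers the DC's warning, followed by the corrected form. The workgroup, realm and idmap values are placeholders.

```ini
; --- BEFORE: the setting reported in the thread ---
; "plain" turns off SASL signing, so every LDAP bind to the DC is logged
; as unsigned / cleartext.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    client ldap sasl wrapping = plain

; --- AFTER: the corrected section ---
; Simply removing the line restores the default of "sign" (integrity
; protection on the SASL/GSSAPI connection). Setting "seal" explicitly
; additionally encrypts the LDAP traffic; that stricter value is my
; recommendation here, not something the thread itself prescribes.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ADS
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    client ldap sasl wrapping = seal
```

After editing, `testparm -s` on the member server prints the effective configuration, so the absence of `client ldap sasl wrapping = plain` (or the presence of the corrected value) can be confirmed before restarting winbind; the DC's warning for this client should then stop, which is the signal the customer's administrators are watching for.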