Hi... thanks Andrew, I will read about SASL/GSSAPI/Kerberos. Regarding question 2, is it possible to disable deprecated versions of TLS?

Regards

On 26/11/21 at 01:09, Andrew Bartlett wrote:
> On Thu, 2021-11-25 at 17:02 -0300, Marcos Ariel Negrini via samba wrote:
>> 1- The LDAP port(389) is obviously not encrypted, I was looking for
>> information about the possibility of disabling it on the internal
>> network(the workstation network), but I read on several sites that this
>> is not suitable. Can I force all the LDAP communication against the
>> servers to be LDAPS?
> You don't want that. LDAPS is actually less secure, you want LDAP
> (389) with SASL/GSSAPI/Kerberos encryption.
>
> Blocking 389 will break everything. LDAPS is only helpful for the
> simple bind case, where that is better than plaintext.
>
> See 'ldap server require strong auth' for some details, but in short
> because Samba doesn't implement the channel bindings for LDAPS, and
> unless all clients send them, NTLM/Kerberos over LDAPS is vulnerable to
> relay attacks.
>
> Andrew Bartlett
On 26-11-2021 13:14, Marcos Ariel Negrini via samba wrote:
> Hi... thanks Andrew, I will read about SASL/GSSAPI/Kerberos.
> Regarding question 2, is it possible to disable deprecated versions of
> TLS?
> Regards

Something like this?

tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3

> On 26/11/21 at 01:09, Andrew Bartlett wrote:
>> On Thu, 2021-11-25 at 17:02 -0300, Marcos Ariel Negrini via samba wrote:
>>> 1- The LDAP port(389) is obviously not encrypted, I was looking for
>>> information about the possibility of disabling it on the internal
>>> network(the workstation network), but I read on several sites that this
>>> is not suitable. Can I force all the LDAP communication against the
>>> servers to be LDAPS?
>> You don't want that. LDAPS is actually less secure, you want LDAP
>> (389) with SASL/GSSAPI/Kerberos encryption.
>>
>> Blocking 389 will break everything. LDAPS is only helpful for the
>> simple bind case, where that is better than plaintext.
>>
>> See 'ldap server require strong auth' for some details, but in short
>> because Samba doesn't implement the channel bindings for LDAPS, and
>> unless all clients send them, NTLM/Kerberos over LDAPS is vulnerable to
>> relay attacks.
>>
>> Andrew Bartlett
On Fri, 2021-11-26 at 09:14 -0300, Marcos Ariel Negrini via samba wrote:
> Hi... thanks Andrew, I will read about SASL/GSSAPI/Kerberos.
> Regarding question 2, is it possible to disable deprecated versions of TLS?
> Regards

As others have mentioned see the "tls priority" option in smb.conf

I've just added this:

https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC#Restricting_TLS_ciphers

But I would love this expanded with clear tested examples and keywords to attract the search engines.

Andrew Bartlett
-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Developer, Catalyst IT                   https://catalyst.net.nz/services/samba
Hello Andrew... From what Kees commented... I found the configuration options... for what I needed to do, the configuration that worked for me was

tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1

Regards
Marcos Ariel Negrini

On 26/11/21 at 15:38, Andrew Bartlett wrote:
> On Fri, 2021-11-26 at 09:14 -0300, Marcos Ariel Negrini via samba wrote:
>> Hi... thanks Andrew, I will read about SASL/GSSAPI/Kerberos.
>> Regarding question 2, is it possible to disable deprecated versions of TLS?
>> Regards
> As others have mentioned see the "tls priority" option in smb.conf
>
> I've just added this:
>
> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC#Restricting_TLS_ciphers
>
> But I would love this expanded with clear tested examples and keywords
> to attract the search engines.
>
> Andrew Bartlett
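As an added example (not code from this thread, from Kees, or from the Samba project), a small Python model of how the VERS-* keywords in a GnuTLS priority string, which is what "tls priority" takes, enable and remove protocol versions, applied to the two strings proposed in the thread and to the documented Samba default "NORMAL:-VERS-SSL3.0". It assumes the NORMAL-family base keywords enable TLS 1.0 through TLS 1.3 (GnuTLS 3.6+ behaviour before any system-wide crypto policy) and NONE enables nothing, and it ignores non-version keywords such as +SECURE256.

```python
# Added example (not code from the samba thread or the Samba project): a
# simplified model of how a GnuTLS priority string, as taken by Samba's
# "tls priority" smb.conf option, selects protocol versions. Only VERS-*
# keywords are modelled; cipher/MAC keywords such as +SECURE256 are skipped.
# Assumption: NORMAL-family bases enable TLS1.0 through TLS1.3 (GnuTLS >= 3.6,
# before any system-wide crypto policy applies) and NONE enables nothing.

ALL_TLS = {"TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"}
BASES_WITH_ALL = {"NORMAL", "PFS", "SECURE128", "SECURE192", "SECURE256",
                  "PERFORMANCE", "LEGACY"}
DEPRECATED = {"SSL3.0", "TLS1.0", "TLS1.1"}


def enabled_versions(priority: str) -> set:
    """Return the set of TLS versions the priority string leaves enabled."""
    keywords = priority.strip().split(":")
    base = keywords[0].upper()
    if base in BASES_WITH_ALL:
        enabled = set(ALL_TLS)
    elif base == "NONE":
        enabled = set()
    else:
        raise ValueError(f"unknown base keyword: {base}")
    for kw in keywords[1:]:
        name = kw[1:].upper()
        if kw[:1] not in ("+", "-", "!") or not name.startswith("VERS-"):
            continue  # not a version keyword: no effect on the version set
        name = name[len("VERS-"):]
        targets = ALL_TLS if name in ("ALL", "TLS-ALL") else {name}
        if kw[0] == "+":
            enabled |= targets & ALL_TLS  # SSL3.0 cannot be re-enabled here
        else:                             # "-" and "!" both remove
            enabled -= targets
    return enabled


def deprecated_versions_left(priority: str) -> set:
    """Deprecated protocol versions the string still leaves enabled."""
    return enabled_versions(priority) & DEPRECATED


if __name__ == "__main__":
    for p in ("NORMAL:-VERS-SSL3.0",                                  # documented Samba default
              "NORMAL:-VERS-TLS1.0:-VERS-TLS1.1",                      # Marcos's working setting
              "NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3"):  # Kees's suggestion
        print(f"{p}\n  enabled: {sorted(enabled_versions(p))}"
              f"  deprecated left: {sorted(deprecated_versions_left(p))}")
```

The authoritative check is still a client-side probe of the DC (for example gnutls-cli with an explicit --priority), since the system-wide crypto policy can restrict what GnuTLS accepts beyond what this model shows.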