Thank you,
I've seen that commit. But even that seemed to be a STARTTLS inside a
plain ldap connection (389).
On Wed, Mar 8, 2023 at 6:49 PM Andrew Bartlett <abartlet at samba.org>
wrote:
>
> On Wed, 2023-03-08 at 12:58 +0000, jose.celestino--- via samba wrote:
> > Hi,
> >
> > We have a samba installation (4.17.5) where a winbindd is part of an
> > AD domain and used to authenticate radius (radiator) logins.
> >
> > The thing is, the AD administration is closing port 386 on the
> > password server and only allowing requests on 636 (ldaps).
> >
> > I don't seem to be able to change the winbindd to use the ldaps
> > port.
> > Tried
> >
> > ldap ssl = start tls
> > ldap ssl ads = yes
> > tls enabled = yes
> >
> > but both the net join and the ntlm_auth go to port 386 and will cease
> > to work as soon as that is disabled.
>
> This won't work, for the cases where LDAP is used. This is typically
> for idmap_ad operations and similar. Samba uses, just as windows
> clients do, a Kerberos secured connection on port 389, when it contacts
> the AD DC.
>
> In the past efforts were made to allow connections wrapped with TLS
> safely, but this was abandoned.
>
> There are a number of issues, in particular the need to implement
> 'channel bindings', to tie our inner Kerberos authentication to the
> outer TLS tunnel.
>
> If this is absolutely critical, then a development effort could be
> started to finish that work.
>
> The removal is here:
> https://bugzilla.samba.org/show_bug.cgi?id=14462
>
> Sorry,
>
> Andrew Bartlett
>
>
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
>
> Samba Development and Support, Catalyst.Net Limited
>
> Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source
> Solutions
>
>
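Added example, not part of this thread and not Samba code: the "channel binding" Andrew refers to is, for LDAP over TLS, the RFC 5929 tls-server-end-point value that a SASL/GSSAPI (Kerberos) bind carries so the inner authentication is tied to the specific TLS tunnel it runs inside. The script below derives that value from a server certificate: the DER-encoded certificate is hashed with the hash of its signature algorithm, except that MD5 and SHA-1 are upgraded to SHA-256 as RFC 5929 requires. It assumes the openssl CLI is installed; the certificate it hashes is a throwaway self-signed one generated on the spot (constructed sample input, CN dc1.example.test is made up), not anything from a real DC.

```shell
#!/bin/sh
# Derive an RFC 5929 "tls-server-end-point" channel binding value from a
# server certificate. Added illustration only; requires the openssl CLI.
set -eu

# Pick the digest: the hash of the certificate's signature algorithm,
# with MD5 and SHA-1 upgraded to SHA-256 (RFC 5929 section 4.1).
cbt_hash_alg() {  # $1 = PEM certificate path
    sigalg=$(openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n1)
    case "$sigalg" in
        *sha384*|*SHA384*) echo sha384 ;;
        *sha512*|*SHA512*) echo sha512 ;;
        *) echo sha256 ;;   # sha256 itself, plus md5/sha1 upgraded to sha256
    esac
}

# tls-server-end-point = hash(DER-encoded server certificate), as lowercase hex.
cbt_value() {  # $1 = PEM certificate path
    alg=$(cbt_hash_alg "$1")
    openssl x509 -in "$1" -outform DER | openssl dgst "-$alg" | sed 's/^.*= *//'
}

# The application-data string a GSS-API channel binding carries for this
# binding type (the "tls-server-end-point:" prefix followed by the hash).
cbt_gss_app_data() {  # $1 = PEM certificate path
    printf 'tls-server-end-point:%s\n' "$(cbt_value "$1")"
}

# Generate a throwaway self-signed certificate (constructed sample input)
# signed with the given digest, e.g. sha256 or sha384. Hypothetical CN.
make_sample_cert() {  # $1 = output PEM path, $2 = digest name
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=dc1.example.test" -days 1 "-$2" >/dev/null 2>&1
}

# Stand-alone demo: make a SHA-384-signed sample cert and show the value
# a TLS-wrapped Kerberos bind would have to present for that tunnel.
demo() {
    d=$(mktemp -d)
    make_sample_cert "$d/dc.pem" sha384
    echo "signature hash chosen: $(cbt_hash_alg "$d/dc.pem")"
    cbt_gss_app_data "$d/dc.pem"
    rm -rf "$d"
}
demo
```

The point of the check is that the value depends on the server certificate actually presented on the wire: a man in the middle terminating TLS with its own certificate produces a different tls-server-end-point, so a Kerberos bind that carries the binding for the genuine DC certificate fails through the interposed tunnel. Without that binding (the work Andrew says was abandoned), a TLS-wrapped Kerberos bind is no safer against an interposed TLS endpoint than one on port 389.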