Bestattungen Vitt - Thomas Reitelbach
2024-May-27 15:27 UTC
[Samba] Security Implications of "ldap server require strong auth"?
On 27.05.2024 16:25, Rowland Penny via samba wrote:
> On Mon, 27 May 2024 15:57:52 +0200
> Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org> wrote:
>
>> Hello Samba Team,
>>
>> I hope someone with more expertise than me can enlighten me to the following "problem":
>>
>> I'm on my way to implement Nextcloud LDAP Authentication against my existing Samba Active Directory via the LDAP Auth Plugin in Nextcloud. I have had trouble with the configuration of the Auth-Plugin in Nextcloud because it could not bind to the ldap directory. After some investigation I learned that the nextcloud ldap auth plugin does not support "strong authentication", which seems to be enforced by samba by default.
>> Further investigation led me to the solution to use the [global] option "ldap server require strong auth = no" in smb.conf. With this option set, the ldap plugin is working and my Domain users can authenticate to nextcloud with their Domain account.
>>
>> But before I implement this in my production system I need to know the security implications of this samba parameter. I must admit that I don't really understand the risk for a real-life scenario. Also, I'm not very experienced with ldap, so please, can you help me a bit?
>>
>> Samba: 4.17.12-Debian (stock debian version)
>> Nextcloud Hub 8 (29.0.0.1)
>>
>> Cheers
>> Thomas Reitelbach
>>
>
> It is quite simple, 'ldap server require strong auth = no' allows simple binds over ldap, 'ldap server require strong auth = yes' (the default) requires ldaps.

Hi Rowland,

thank you for your reply and your time.
I am aware that this option enables "simple binds". But what does this mean for network security? Maybe I don't understand the meaning of "simple binds" -> does it mean credentials will be sent unencrypted over the network and can easily be sniffed by anyone who has access to a network scanner/analyzer?
Maybe it's a stupid question, but what I have found with my google search does not give me a clue if this option can be safely used in a corporate network with at least a bit of security awareness or not.

Usually the samba team's choices for "default" parameters are very sensitive and with security in mind. This makes me think it might be a bad idea to use "ldap server require strong auth = no".

Cheers
Thomas

--
Bestattungen Vitt oHG
Inhaber Willi & Thomas Reitelbach
Rochusstraße 176
53123 Bonn-Duisdorf
Registergericht: Amtsgericht Bonn, HRA 7958

Facebook: http://www.facebook.de/bestattungenvitt
Gedenkportal: http://begleiten.bestattungen-vitt.de
Internet: http://www.bestattungen-vitt.de

Telefon: 0228 - 62 68 68
Fax: 0228 - 978 30 36
Rowland Penny
2024-May-27 15:46 UTC
[Samba] Security Implications of "ldap server require strong auth"?
On Mon, 27 May 2024 17:27:30 +0200
Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org> wrote:

> On 27.05.2024 16:25, Rowland Penny via samba wrote:
> > It is quite simple, 'ldap server require strong auth = no' allows simple binds over ldap, 'ldap server require strong auth = yes' (the default) requires ldaps.
>
> Hi Rowland,
>
> thank you for your reply and your time.
> I am aware that this option enables "simple binds". But what does this mean for network security? Maybe I don't understand the meaning of "simple binds" -> does it mean credentials will be sent unencrypted over the network and can easily be sniffed by anyone who has access to a network scanner/analyzer?

Yes.

> Maybe it's a stupid question, but what I have found with my google search does not give me a clue if this option can be safely used in a corporate network with at least a bit of security awareness or not.
>
> Usually the samba team's choices for "default" parameters are very sensitive and with security in mind. This makes me think it might be a bad idea to use "ldap server require strong auth = no".

Again, yes.

To use ldaps requires certificates and basically opens a closed tunnel between either end, your ldap request then goes down this tunnel and no one can intercept it.

Is it possible to use kerberos instead? That is even more secure.

Rowland
Christian Pedaschus
2024-May-27 15:47 UTC
[Samba] Security Implications of "ldap server require strong auth"?
Hello Thomas,

yes, it means exactly what you described. If your LDAP server runs on the same box as Samba, no problem. If it runs on another network host, then you most probably want ldaps or some other sort of network encryption like wireguard (VPN).

Regards,
Christian

On Mon, 27 May 2024 at 17:28, Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org> wrote:
> On 27.05.2024 16:25, Rowland Penny via samba wrote:
> > It is quite simple, 'ldap server require strong auth = no' allows simple binds over ldap, 'ldap server require strong auth = yes' (the default) requires ldaps.
>
> Hi Rowland,
>
> thank you for your reply and your time.
> I am aware that this option enables "simple binds". But what does this mean for network security? Maybe I don't understand the meaning of "simple binds" -> does it mean credentials will be sent unencrypted over the network and can easily be sniffed by anyone who has access to a network scanner/analyzer?
> Maybe it's a stupid question, but what I have found with my google search does not give me a clue if this option can be safely used in a corporate network with at least a bit of security awareness or not.
>
> Usually the samba team's choices for "default" parameters are very sensitive and with security in mind. This makes me think it might be a bad idea to use "ldap server require strong auth = no".
>
> Cheers
> Thomas
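The point Rowland and Christian make above (a simple bind puts the DN and password on the wire in the clear unless the session itself is wrapped in LDAPS or a VPN), shown as an added example that is not code from this thread, from Samba or from Nextcloud: a small BER decoder for LDAP BindRequests plus an audit over constructed sample frames. The service-account DN, the password and the "transport encrypted" flag are assumed placeholders that a real capture would supply (ldaps:// or STARTTLS means encrypted).

```python
# Added example, not code from the thread or from Samba/Nextcloud: decode LDAP
# BindRequests and flag the case discussed above, a *simple* bind (DN + password
# in the clear) on an unencrypted session. All sample frames are constructed.

def tlv(tag, value):
    """Encode one BER tag-length-value (short or two-byte long-form length)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value

def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_bind(msg):
    """Describe the authentication choice of a BindRequest (None if not a bind)."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:                          # LDAPMessage ::= SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, _msgid, pos = read_tlv(body)          # messageID INTEGER
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != 0x60:                       # BindRequest is [APPLICATION 0]
        return None
    _, _version, pos = read_tlv(op)          # version INTEGER
    _, dn, pos = read_tlv(op, pos)           # name LDAPDN
    auth_tag, auth, _ = read_tlv(op, pos)    # authentication CHOICE
    if auth_tag == 0x80:                     # simple [0]: the password itself
        return {"bind": "simple", "dn": dn.decode(), "password": auth.decode()}
    if auth_tag == 0xA3:                     # sasl [3] SEQUENCE { mechanism, creds }
        _, mech, _ = read_tlv(auth)
        return {"bind": "sasl", "dn": dn.decode(), "mechanism": mech.decode()}
    return {"bind": "unknown", "dn": dn.decode()}

def bind_request(dn, auth):
    op = tlv(0x02, b"\x03") + tlv(0x04, dn) + auth       # version 3, name, auth
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x60, op))  # messageID 1

NC_DN = b"cn=nextcloud,cn=Users,dc=example,dc=com"        # constructed placeholder
FRAMES = [                                                 # (transport encrypted?, raw)
    (False, bind_request(NC_DN, tlv(0x80, b"hunter2"))),   # simple bind over ldap://
    (True,  bind_request(NC_DN, tlv(0x80, b"hunter2"))),   # same bind over ldaps://
    (False, bind_request(b"", tlv(0xA3, tlv(0x04, b"GSS-SPNEGO") + tlv(0x04, b"\x60\x00")))),
]

def audit(frames):
    """One finding per simple bind whose password crossed the wire unencrypted."""
    binds = [(enc, classify_bind(raw)) for enc, raw in frames]
    return [f"cleartext simple bind for {b['dn']}" for enc, b in binds
            if b and b["bind"] == "simple" and not enc]
```

The Kerberos (GSS-SPNEGO) frame is not flagged even on the plain port, which is why Rowland's suggestion to bind with Kerberos instead avoids the exposure entirely.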