[Samba] winbindd with LDAPS

Kees van Vloten keesvanvloten at gmail.com
Wed Mar 8 13:54:57 UTC 2023


On 08-03-2023 at 14:49, Rowland Penny via samba wrote:
>
>
> On 08/03/2023 12:58, jose.celestino--- via samba wrote:
>> Hi,
>>
>> We have a samba installation (4.17.5) where a winbindd is part of an
>> AD domain and used to authenticate radius (radiator) logins.
>>
>> The thing is, the AD administration is closing port 386 on the
>> password server and only allowing requests on 636 (ldaps).
>>
>> I don't seem to be able to change the winbindd to use the ldaps port. 
>> Tried
>>
>> ldap ssl = start tls
>> ldap ssl ads = yes
>> tls enabled = yes
>>
>> but both the net join and the ntlm_auth go to port 386 and will cease
>> to work as soon as that is disabled.
>>
>> Winbindd only works on 389 or am I missing something?
>>
>> Thank you.
>>
>
> If I remember correctly (and someone will surely put me right if I 
> don't remember correctly), winbind doesn't use ldap, it uses RPC.
> Unless you are using an old NT4-style domain based on ldap, you 
> probably will not notice any difference.
> The other thing is, I thought that a lot of the ldap calls on AD start 
> off on port 389 and get 'ported' to 636
It is my impression that calls on 389 switch to tls encryption in the 
same session with "starttls", in that case they will remain on 389 (but 
anyway that does not answer the original question).
>
>
> Rowland
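An added illustration of the two wire behaviours discussed above (not code from the thread, from Samba, or from either poster): StartTLS is an LDAP extended operation sent in plaintext on port 389, and when the DC answers with resultCode 0 the TLS handshake runs inside that same TCP session, so the port never changes; LDAPS on 636 starts the TLS handshake before any LDAP message is sent. The script below encodes the StartTLS request, decodes the DC's ExtendedResponse, and offers two probe functions a defender can run against their own DC to see which of the two the DC still offers. The host name dc.example.test is a placeholder, and the two sample responses are constructed by hand for offline testing, not captured from a real server. Nothing here reads or changes smb.conf.

```python
import socket
import ssl

# OID of the LDAP StartTLS extended operation (RFC 4511, section 4.14).
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def ber_length(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, payload: bytes) -> bytes:
    """Wrap a payload in a BER tag-length-value triple."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_read(buf: bytes, pos: int = 0):
    """Read one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }.
    ExtendedRequest is [APPLICATION 23] constructed -> tag 0x77,
    requestName is [0] primitive -> tag 0x80. message_id must be below 128."""
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext)


def parse_extended_response(data: bytes) -> dict:
    """Decode the ExtendedResponse ([APPLICATION 24] -> tag 0x78): resultCode
    (ENUMERATED 0x0a), matchedDN and diagnosticMessage (OCTET STRING 0x04)."""
    tag, body, _ = ber_read(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = ber_read(body)
    tag, op, _ = ber_read(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, code, pos = ber_read(op)
    _, _matched_dn, pos = ber_read(op, pos)
    _, diag, _ = ber_read(op, pos)
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "result_code": int.from_bytes(code, "big"),
        "diagnostic": diag.decode("utf-8", "replace"),
    }


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def recv_ldap_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        more = _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(more, "big")
        head += more
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def probe_starttls(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Plaintext LDAP on 389, then StartTLS: on success the TLS handshake is
    done on this very socket, so the session stays on port 389."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        result = parse_extended_response(recv_ldap_message(sock))
        if result["result_code"] == 0:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls_version"] = tls.version()
        return result


def probe_ldaps(host: str, port: int = 636, timeout: float = 5.0) -> str:
    """LDAPS: TLS from the first byte on 636; no LDAP message precedes it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


# Constructed sample responses for offline use (not captured from a real DC).
SAMPLE_STARTTLS_OK = ber_tlv(0x30, ber_tlv(0x02, b"\x01") + ber_tlv(
    0x78, ber_tlv(0x0A, b"\x00") + ber_tlv(0x04, b"") + ber_tlv(0x04, b"")
    + ber_tlv(0x8A, STARTTLS_OID)))
SAMPLE_STARTTLS_REFUSED = ber_tlv(0x30, ber_tlv(0x02, b"\x01") + ber_tlv(
    0x78, ber_tlv(0x0A, b"\x34") + ber_tlv(0x04, b"")      # 52 = unavailable
    + ber_tlv(0x04, b"TLS not supported")))

if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc.example.test"  # placeholder
    print("StartTLS on 389:", probe_starttls(dc))
    print("LDAPS on 636:", probe_ldaps(dc))
```

Run it with the DC's name as the only argument. If the DC has really closed 389, probe_starttls raises a connection error while probe_ldaps still reports a TLS version, which tells you directly which of the two the "ldap ssl = start tls" style of configuration can no longer rely on.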