'net' code and LDAP traffic encryption

Steve Langasek vorlon at netexpress.net
Fri May 16 00:26:05 GMT 2003

On Thu, May 15, 2003 at 10:10:29AM -0700, Dave Snoopy wrote:
> A while ago I compiled and used the 'net' tool in
> Samba 3.0 Alpha 17. It's a nice tool, especially in
> that I don't have to install SASL to connect to an ADS
> server. I guess this is due to the function
> ads_sasl_gssapi_bind in sasl.c, and it's explicit use
> of GSSAPI (thus bypassing SASL).

In what sense is this "bypassing" SASL?  Samba is explicitly choosing
a specific SASL mechanism (GSSAPI), but the underlying protocol still
uses SASL.

> However, I've also noticed that unlike LDAP tools
> which do use SASL to authenticate (like openldap's
> ldapsearch program), the LDAP network traffic is *not*
> encrypted with Samba's 'net' tool. Does anyone know
> why? Is there a way to turn traffic encryption on? If
> so, what does it involve? The OpenLDAP guys just told
> me to use SASL and not bypass anything, which I'd
> prefer not to do due to some DNS problems I encounter
> otherwise. :)

I don't think Samba supports Sign&Seal yet for GSSAPI.  I note a comment
in ads_sasl_gssapi_bind() that suggests Sign & Seal have been
deliberately disabled, though I don't know exactly why.  Possibly a side
effect of the "DNS problems" you mention. :)

Steve Langasek
postmodern programmer
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030515/01ada537/attachment.bin

More information about the samba-technical mailing list