'net' code and LDAP traffic encryption
Steve Langasek
vorlon at netexpress.net
Fri May 16 00:26:05 GMT 2003
On Thu, May 15, 2003 at 10:10:29AM -0700, Dave Snoopy wrote:
> A while ago I compiled and used the 'net' tool in
> Samba 3.0 Alpha 17. It's a nice tool, especially in
> that I don't have to install SASL to connect to an ADS
> server. I guess this is due to the function
> ads_sasl_gssapi_bind in sasl.c, and its explicit use
> of GSSAPI (thus bypassing SASL).
In what sense is this "bypassing" SASL? Samba is explicitly choosing
a specific SASL mechanism (GSSAPI), but the underlying protocol still
uses SASL.
> However, I've also noticed that unlike LDAP tools
> which do use SASL to authenticate (like openldap's
> ldapsearch program), the LDAP network traffic is *not*
> encrypted with Samba's 'net' tool. Does anyone know
> why? Is there a way to turn traffic encryption on? If
> so, what does it involve? The OpenLDAP guys just told
> me to use SASL and not bypass anything, which I'd
> prefer not to do due to some DNS problems I encounter
> otherwise. :)
I don't think Samba supports Sign&Seal yet for GSSAPI. I note a comment
in ads_sasl_gssapi_bind() that suggests Sign & Seal have been
deliberately disabled, though I don't know exactly why. Possibly a side
effect of the "DNS problems" you mention. :)
--
Steve Langasek
postmodern programmer
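The reply above comes down to the security-layer step of the SASL GSSAPI mechanism (RFC 4752): once the GSS-API context is up, the server sends a 4-octet token naming the layers it supports (none, integrity, confidentiality) and the client answers with the one layer it selects. A client with Sign & Seal disabled can only answer "none", after which every later LDAP PDU goes over the wire in the clear; a client that negotiates the confidentiality layer gets each PDU sealed with GSS_Wrap. The following is an added example written for this note, not Samba's or OpenLDAP's code. It encodes and decodes the unwrapped token payloads and runs the negotiation for both kinds of client; the GSS-API wrap/unwrap around each token is left out because it needs a live Kerberos context, and every sample token is constructed inline.

```python
# Added example: RFC 4752 (SASL GSSAPI) security-layer negotiation tokens.
# Illustrative code for this note, not Samba's or OpenLDAP's implementation.
# The GSS-API wrap/unwrap around each token is omitted (it needs a live
# Kerberos context); these helpers work on the unwrapped 4-octet payloads,
# and all sample tokens used below are constructed.

LAYER_NONE = 0x01             # no security layer: later LDAP PDUs go in the clear
LAYER_INTEGRITY = 0x02        # "sign": GSS_Wrap with conf_flag false
LAYER_CONFIDENTIALITY = 0x04  # "seal": GSS_Wrap with conf_flag true
ALL_LAYERS = LAYER_NONE | LAYER_INTEGRITY | LAYER_CONFIDENTIALITY

LAYER_NAMES = {
    LAYER_NONE: "none",
    LAYER_INTEGRITY: "integrity",
    LAYER_CONFIDENTIALITY: "confidentiality",
}


def parse_server_offer(token: bytes):
    """Decode the server's unwrapped offer into (layer bitmask, max message size).

    Octet 0 is the bitmask of layers the server supports; octets 1-3 are the
    largest message it will accept, big-endian. The payload must be exactly
    four octets, and a server offering no real security layer must advertise
    a maximum size of 0.
    """
    if len(token) != 4:
        raise ValueError("server security-layer token must be exactly 4 octets")
    bitmask = token[0]
    if bitmask == 0 or bitmask & ~ALL_LAYERS:
        raise ValueError("invalid security-layer bitmask 0x%02x" % bitmask)
    max_size = int.from_bytes(token[1:4], "big")
    if bitmask == LAYER_NONE and max_size != 0:
        raise ValueError("server offers no security layer but a non-zero max size")
    return bitmask, max_size


def build_client_choice(layer: int, max_size: int, authzid: bytes = b"") -> bytes:
    """Encode the client's reply: chosen layer, its max receive size, authzid."""
    if layer not in LAYER_NAMES:
        raise ValueError("client must select exactly one layer")
    if not 0 <= max_size <= 0xFFFFFF:
        raise ValueError("max size does not fit in 24 bits")
    if layer == LAYER_NONE and max_size != 0:
        raise ValueError("max size must be 0 when no security layer is used")
    return bytes([layer]) + max_size.to_bytes(3, "big") + authzid


def negotiate(server_token: bytes, client_supported: int,
              client_max_size: int, authzid: bytes = b""):
    """Pick the strongest layer both sides support and build the reply.

    Returns (chosen layer, reply token). A client built with Sign & Seal
    disabled passes client_supported=LAYER_NONE and therefore always ends
    up with plaintext LDAP traffic, whatever the server offered.
    """
    offered, _server_max = parse_server_offer(server_token)
    common = offered & client_supported
    if not common:
        raise ValueError("no common security layer; the bind must be aborted")
    chosen = max(layer for layer in LAYER_NAMES if common & layer)
    size = 0 if chosen == LAYER_NONE else client_max_size
    return chosen, build_client_choice(chosen, size, authzid)


if __name__ == "__main__":
    # Constructed offer: server supports all three layers, max size 2^24 - 1.
    offer = bytes([ALL_LAYERS]) + (0xFFFFFF).to_bytes(3, "big")
    for name, supported in (("sign-and-seal client", ALL_LAYERS),
                            ("sign/seal-disabled client", LAYER_NONE)):
        layer, reply = negotiate(offer, supported, 0x010000)
        wire = "sealed" if layer == LAYER_CONFIDENTIALITY else (
            "signed only" if layer == LAYER_INTEGRITY else "plaintext")
        print("%-26s chose %-15s reply=%s  later LDAP PDUs: %s"
              % (name, LAYER_NAMES[layer], reply.hex(), wire))
```

On a capture this is easy to confirm: after a bind that selected the "none" layer the LDAP searchRequest/searchResEntry PDUs decode as ordinary BER, whereas after a sealed bind they appear as opaque SASL-wrapped buffers.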