enabling secure ldap samba4

Michael Wood esiotrot at gmail.com
Mon Aug 23 03:14:43 MDT 2010


On 23 August 2010 10:49, Lukasz Zalewski <lukas at dcs.qmul.ac.uk> wrote:
> Michael,
> On 08/23/2010 07:44 AM, Michael Wood wrote:
>> I cannot use stunnel as a workaround (by itself), because the above
>> ldap_modify_s() is not permitted by Samba unless the connection is
>> encrypted.
> Have you tried without TLS? I have run my password change only with GSSAPI
> (and I somehow recall that with simple bind too) without TLS/SSL (simply
> because I have not got round to setting up the certs stuff) and it worked.

Yes, when I tried it with GSSAPI everything worked, but I am not clear
on how best to do it with GSSAPI.  This is for a web form for users to
change their password, so I don't want to do a kinit every time a user
submits the form.  If I do a kinit once up front with a different
"password change" user then maybe that would be fine (because Samba
doesn't mind if you authenticate as one user and then change another
user's password as long as you have their old password), but then I
don't know how the ticket would get refreshed etc.

I decided that using TLS or SSL would be doing it in a way that I am
familiar with.  I know how it works.  With Kerberos I'm not so sure.

I have tried without TLS.  If you bind with an admin user, the
password change works.  If you bind with a normal user, samba rejects
the ldap_modify_s().  I can't remember the exact error message, but as
far as I remember it was to do with requiring encryption.

Thanks for the suggestion.  Perhaps if you could explain how to do it
with GSSAPI that would be the best option.  Otherwise I'll just have
to use an admin user without encryption and then use stunnel or
something like that.

Michael Wood <esiotrot at gmail.com>
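The password-change modify the message above describes, written out as an added example (not code from the original post or from Samba): the user binds with their old password over LDAPS and submits a single modify on unicodePwd that deletes the old value and adds the new one, both as the quoted password in UTF-16LE. That delete/add form is what AD and Samba4 accept from an ordinary user on their own account, and Samba only accepts it over an encrypted session, so the code refuses anything but an ldaps:// URL and verifies the DC certificate. The DC host, CA file and DN are assumptions; the python-ldap import is deferred so the encoding helpers run without a server.

```python
"""Self-service unicodePwd change against Samba4 AD over LDAPS.

Added example for the samba-technical thread; not Samba's code.
Assumptions: the DC's LDAPS endpoint, the CA file that signed its
certificate, and the user DN passed in.
"""
from typing import List, Tuple

# LDAP modify operation codes (RFC 4511 ModifyRequest).  python-ldap
# exposes the same values as ldap.MOD_ADD / ldap.MOD_DELETE.
MOD_ADD = 0
MOD_DELETE = 1

LDAPS_URL = "ldaps://dc1.example.com"     # assumption: DC LDAPS endpoint
CA_FILE = "/etc/ssl/certs/samba-ca.pem"   # assumption: CA that signed the DC cert


def encode_unicode_pwd(password: str) -> bytes:
    """AD wants the password wrapped in double quotes and UTF-16LE encoded."""
    return f'"{password}"'.encode("utf-16-le")


def build_password_modlist(old_password: str,
                           new_password: str) -> List[Tuple[int, str, List[bytes]]]:
    """Delete-old / add-new on unicodePwd is the 'change' form that an
    unprivileged user may perform on their own account.  A plain replace
    is the 'reset' form and needs administrative rights."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def is_ldaps_url(url: str) -> bool:
    """Only LDAPS is allowed: Samba rejects unicodePwd changes over cleartext."""
    return url.lower().startswith("ldaps://")


def require_ldaps(url: str) -> str:
    if not is_ldaps_url(url):
        raise ValueError("password changes must go over LDAPS, got: " + url)
    return url


def change_own_password(user_dn: str, old_password: str, new_password: str,
                        url: str = LDAPS_URL, ca_file: str = CA_FILE) -> bool:
    """Bind as the user with the old password over LDAPS and submit the change.

    Returns True on success, False if the old password was wrong; any other
    LDAP error (policy rejection, unencrypted session, ...) propagates.
    """
    import ldap  # python-ldap; imported here so the helpers above need no server

    # TLS options are process-global in python-ldap and must be set before
    # initialize(); DEMAND makes a bad or unknown DC certificate fatal.
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)

    conn = ldap.initialize(require_ldaps(url))
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    try:
        conn.simple_bind_s(user_dn, old_password)
    except ldap.INVALID_CREDENTIALS:
        conn.unbind_s()
        return False
    try:
        conn.modify_s(user_dn, build_password_modlist(old_password, new_password))
    finally:
        conn.unbind_s()
    return True


if __name__ == "__main__":
    # Assumed DN; run against a real DC only with a real account.
    ok = change_own_password("CN=Test User,CN=Users,DC=example,DC=com",
                             "OldPassw0rd!", "NewPassw0rd!")
    print("password changed" if ok else "old password rejected")
```

Binding as the user whose password is being changed, rather than as a separate "password change" account, keeps the web form from holding any long-lived privileged credential or Kerberos ticket: the only secret the form handles is the one the user just typed, and the DC enforces its own password policy on the new value.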

More information about the samba-technical mailing list