[Samba] ldb-tools and ldaps after badlock

Stefan Kania stefan at kania-online.de
Tue Jun 14 08:04:39 UTC 2016


On 11.06.2016 at 22:07, Andrew Bartlett wrote:
> On Fri, 2016-06-10 at 19:37 +0200, Stefan Kania wrote:
>> Hello everybody,
>> 
>> since the patch for all the badlock bugs it is not possible to
>> access a Samba 4 ADDC-database with ldb-tools. Every time I try
>> it, I get the following error:
> 
Thank you Andrew,

I always thought ldaps is better than ldap with kerberos, but you are
right, the kerberos-principal is better checked than a self signed
certificate. Now it is working with the following commands

kinit administrator
ldbsearch -H ldap://addc.example.net "cn=administrator" -k yes

Thank you

Stefan
> ...
> 
>> When I add:
>> ----------------------
>> tls verify peer = no_check
>> ----------------------
>> to smb.conf I will get the following error:
>> 
>> root@addc-02:~# ldbsearch -H ldaps://addc-02.example2.net -U administrator
>> Password for [EXAMPLE2\administrator]:
>> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
>> Failed to connect to 'ldaps://addc-02.example2.net' with backend 'ldaps': (null)
>> Failed to connect to ldaps://addc-02.example2.net - (null)
>> 
>> Only if I put the line
>> --------------
>> ldap server require strong auth = no
>> ---------------
>> to smb.conf, everything is working again. BUT as I understand these
>> two parameters, I will go back to the old behavior and a man in the
>> middle attack is possible.
>> 
>> Is there a solution to keep the security high AND still use the
>> ldb-tools? I couldn't find anything in any documentation.
> 
> Just don't use ldaps://, instead use Kerberos (-k yes).  I know it 
> seems strange, but direct encryption with Kerberos is more secure
> than LDAP over SSL/TLS.
> 
> Therefore, we only accept simple binds over ldaps:// by default.
> 
> Andrew Bartlett
> 


-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps to reduce spam. Sign your e-mail.
More information at http://www.gnupg.org

My key is available at

hkp://subkeys.pgp.net
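
Added example, not part of the original message and not Samba's own code: a small Python check that flags the two smb.conf settings the thread identifies as workarounds that weaken the post-badlock defaults (tls verify peer = no_check and ldap server require strong auth = no). The sample configurations are constructed, and audit(), normalize() and WEAK are names chosen for this example.

```python
# Added example: audit smb.conf text for the two settings discussed in the thread.
# Both sample configurations below are constructed for illustration.
import re

# Normalized parameter name -> values that weaken the LDAP server / TLS peer checks.
# Assumption: "false" and "0" are treated as synonyms for "no".
WEAK = {
    "ldapserverrequirestrongauth": {"no", "false", "0"},
    "tlsverifypeer": {"no_check"},
}

def normalize(name):
    """Samba ignores case and whitespace inside parameter names."""
    return re.sub(r"\s+", "", name).lower()

def audit(text):
    """Return (line number, section, parameter, value) for each weak setting."""
    findings, section = [], "global"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # new section header
            continue
        name, sep, value = line.partition("=")
        if not sep:                               # not a "name = value" line
            continue
        if value.strip().lower() in WEAK.get(normalize(name), ()):
            findings.append((lineno, section, name.strip(), value.strip()))
    return findings

WEAKENED = """\
[global]
    realm = EXAMPLE2.NET
    ; workaround described in the thread
    tls verify peer = no_check
    LDAP Server Require Strong Auth = No
"""

HARDENED = """\
[global]
    realm = EXAMPLE2.NET
    # ldap server require strong auth = no
"""

if __name__ == "__main__":
    for finding in audit(WEAKENED):
        print("weak setting at line %d [%s]: %s = %s" % finding)
```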
