[Samba] Auth Systems Security mini-audit

Jim jcllings at tsunamicomm.net
Mon Jan 20 04:15:01 GMT 2003

Being a responsible sort of guy, I want to check and make sure I have 
some decent encryption settings  for my authentication systems.  Namely 
Samba PDC (2.2.7a) with an LDAP backend that also authenticates Linux 
clients (which I've finally gotten running the way I want :-)).

According to some documentation I've found, the samba ports are 
137/udp,138/udp and 139/tcp.  Samba changes rapidly though so can anyone 
verify that this is still the case?  Will it still be the case when 3.0 
comes out?

LDAP runs on 636 and 389.  I believe mine is configured to run both 
ldaps and ldap on 636.  How can I check this?

/etc/services says:

> [root at enigma etc]# cat /etc/services | grep bios
> netbios-ns      137/tcp                         # NETBIOS Name Service
> netbios-ns      137/udp
> netbios-dgm     138/tcp                         # NETBIOS Datagram Service
> netbios-dgm     138/udp
> netbios-ssn     139/tcp                         # NETBIOS session service
> netbios-ssn     139/udp
> [root at enigma etc]# cat /etc/services | grep ldap
> ldap            389/tcp
> ldap            389/udp
> ldaps           636/tcp                         # LDAP over SSL
> ldaps           636/udp                         # LDAP over SSL
> [root at enigma etc]# 

However the startup script says:

 >[root at enigma samba]# service ldap stop;service ldap start
 >Stopping slapd:                                                 [  OK ]
 >Starting slapd (ldap + ldaps):                                  [  OK ]

and the tutorial I used for setup says:

 >Once you restart the server, TLS will be used on the standard LDAP 
port >of 389. The LDAP server will handle TLS and unencrypted traffic on 
the >same port.

What exactly does enableing start_tls in smb.conf do?  Does it encrypt 
communications to the client or to the ldap server or both?  My 
understanding is that communicatons for the purpose of authentication 
between the client machine and the Samba machine are encrypted by 
default.  I note that if I enable start_tls in Samba, I suddently have 
no access.  It is also my understanding that, generally speaking, if the 
systems that need to communicate are located on the same system that no 
encryption is required.  Can anyone verify this?


Jim C.

More information about the samba mailing list