[Samba] ldap not using kerberos (winbind rid idmap)

Andrew Bartlett abartlet at samba.org
Sat Feb 4 21:10:51 GMT 2006


On Tue, 2006-01-24 at 13:51 +0100, Roman Sommer wrote:
> hi,
> 
> first of all - I am very sorry if this topic turned up in the mailing list
> before - I really did have a look at the archive and couldn't find anything
> like it.
> 
> Here's the problem. I set up an idmapping using the rid facility. It is
> working smoothly. I do have a question though. I logged some packets and
> realized the ldap queries are not encrypted. I wonder why since all the
> requirements for a successful encryption are given. I do have a computer
> account in the Active Directory. I can see a TGS-REQ and TGS-REP is fine
> too. In fact ldap even asks for available SASL mechanisms. After some
> negotiation it _successfully_ binds using GSS SPNEGO. But.. even after this
> successfully established encrypted bind it keeps querying in plain text. Is
> there anything I can do about it?

No for GSSAPI encryption.  Samba3 only manages to use GSSAPI for the
authentication step (and even then, we munge up the GSSAPI...).

There is an option to force on TLS (SSL), but your domain must support
it.

> For testing purposes I set "sasl_mech gssapi" in my ldap.conf but that
> didn't have any impact at all.

No, we don't consult that parameter.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
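Added example, not part of this thread and not Samba code: a small Python classifier that tells plaintext BER LDAP PDUs from SASL-wrapped frames and TLS records in a port-389 capture, so the observation above (GSS-SPNEGO bind succeeds, searches still go in the clear) can be confirmed mechanically rather than by eye. The sample PDUs are constructed, and the code assumes each TCP payload carries exactly one PDU.

```python
"""Classify raw LDAP-over-TCP payloads (port 389) so a capture can show whether
queries after a GSS-SPNEGO bind are plaintext BER, SASL-wrapped or TLS."""

import struct

BIND_REQUEST, BIND_RESPONSE = 0x60, 0x61   # LDAP protocolOp APPLICATION tags


def ber_length(buf, pos):
    """Decode a BER length at buf[pos]; return (length, bytes_consumed) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def classify_ldap_payload(payload):
    """Return (kind, protocolOp tag or None) for one TCP payload."""
    if payload[:2] == b"\x16\x03":                   # TLS handshake record
        return "tls", None
    if payload[:1] == b"\x30":                       # LDAPMessage ::= SEQUENCE
        hdr = ber_length(payload, 1)
        if hdr:
            body = payload[1 + hdr[1]:1 + hdr[1] + hdr[0]]
            idl = ber_length(body, 1) if body[:1] == b"\x02" else None
            if idl:                                  # messageID INTEGER, then protocolOp
                op = 1 + idl[1] + idl[0]
                if op < len(body) and 0x40 <= body[op] <= 0x7F:
                    return "plaintext-ldap", body[op]
    # SASL security layer (RFC 4422): 4-byte big-endian length, then an opaque token
    if len(payload) > 4 and struct.unpack(">I", payload[:4])[0] == len(payload) - 4:
        return "sasl-wrapped", None
    return "unknown", None


def plaintext_non_bind_ops(payloads):
    """Bind PDUs are always clear; any other op in the clear means no SASL layer."""
    return [tag for kind, tag in map(classify_ldap_payload, payloads)
            if kind == "plaintext-ldap" and tag not in (BIND_REQUEST, BIND_RESPONSE)]


# Constructed sample PDUs (not captured from a real domain): a GSS-SPNEGO bindRequest,
# a baseObject searchRequest for objectClass=*, and a wrapped token of 16 opaque bytes.
SAMPLE_BIND = b"\x30\x18\x02\x01\x01\x60\x13\x02\x01\x03\x04\x00\xa3\x0c\x04\x0aGSS-SPNEGO"
SAMPLE_SEARCH = (b"\x30\x25\x02\x01\x02\x63\x20\x04\x00\x0a\x01\x00\x0a\x01\x00\x02\x01\x00"
                 b"\x02\x01\x00\x01\x01\x00\x87\x0bobjectClass\x30\x00")
SAMPLE_WRAPPED = b"\x00\x00\x00\x10" + b"\x05\x04\x06\xff" + b"\x00" * 12

if __name__ == "__main__":
    print(plaintext_non_bind_ops([SAMPLE_BIND, SAMPLE_SEARCH, SAMPLE_WRAPPED]))  # [99]
```

A non-empty result from plaintext_non_bind_ops over a session is the condition Roman describes: the bind negotiated GSS-SPNEGO, but no confidentiality layer protects the searches that follow.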