[Samba] ldap not using kerberos (winbind rid idmap)

Roman Sommer roman.sommer at gmail.com
Tue Jan 24 12:51:45 GMT 2006


First of all, I am very sorry if this topic has turned up on the mailing list
before. I really did have a look at the archive and couldn't find anything
like it.

Here's the problem. I set up an idmapping using the rid facility. It is
working smoothly. I do have a question though. I logged some packets and
realized the LDAP queries are not encrypted. I wonder why, since all the
requirements for a successful encryption are given. I do have a computer
account in the Active Directory. I can see a TGS-REQ, and the TGS-REP is fine
too. In fact, LDAP even asks for available SASL mechanisms. After some
negotiation it _successfully_ binds using GSS SPNEGO. But even after this
successfully established encrypted bind it keeps querying in plain text. Is
there anything I can do about it?
For testing purposes I set "sasl_mech gssapi" in my ldap.conf, but that
didn't have any impact at all.

regards, Roman
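
A check for a capture like the one described above, added here as an example (not code from the post or from Samba): it classifies each post-bind LDAP PDU as bare BER, SASL-wrapped with integrity only, or SASL-wrapped and sealed, using the Kerberos wrap-token headers from RFC 1964 and RFC 4121. It assumes the PDUs have already been reassembled from the TCP stream and that Kerberos is the negotiated mechanism; the function names and sample bytes are constructed for illustration.

```python
import struct

KRB5_OID = bytes.fromhex("06092a864886f712010202")  # 1.2.840.113554.1.2.2

def ber_len(buf, pos):
    """Return (length, offset of value) for the BER length field at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify(pdu):
    """Classify one reassembled LDAP PDU seen after the SASL bind."""
    if len(pdu) < 6:
        return "unknown"
    if pdu[0] == 0x30:  # bare LDAPMessage: SEQUENCE { INTEGER messageID, ... }
        length, start = ber_len(pdu, 1)
        if length >= 3 and start + length == len(pdu) and pdu[start] == 0x02:
            return "plain-ldap"
        return "unknown"
    token = pdu[4:]  # a SASL security layer prefixes a 4-byte big-endian length
    if struct.unpack(">I", pdu[:4])[0] != len(token):
        return "unknown"
    if len(token) >= 16 and token[:2] == b"\x05\x04":  # RFC 4121 Wrap token
        return "sasl-sealed" if token[2] & 0x02 else "sasl-signed-only"
    idx = token.find(KRB5_OID + b"\x02\x01")  # RFC 1964 Wrap token (TOK_ID 02 01)
    if token[0] == 0x60 and idx != -1:
        off = idx + len(KRB5_OID) + 4  # skip TOK_ID and SGN_ALG
        seal_alg = token[off:off + 2]
        if len(seal_alg) == 2:  # SEAL_ALG ff ff means no confidentiality
            return "sasl-signed-only" if seal_alg == b"\xff\xff" else "sasl-sealed"
    return "sasl-unknown"

def wrap(token):
    """Add the SASL length prefix to a constructed token."""
    return struct.pack(">I", len(token)) + token

# Constructed samples, not taken from a real capture.
PLAIN = bytes.fromhex("300c020101600702010304008000")  # minimal LDAPMessage
SIGNED = wrap(b"\x05\x04\x00\xff" + bytes(12) + PLAIN + bytes(12))
SEALED = wrap(b"\x05\x04\x02\xff" + bytes(12) + bytes(range(40)))
OLD_SIGNED = wrap(b"\x60\x3b" + KRB5_OID + b"\x02\x01\x11\x00\xff\xff\xff\xff"
                  + bytes(24) + PLAIN + b"\x02\x02")

if __name__ == "__main__":
    for name, pdu in [("plain", PLAIN), ("signed", SIGNED),
                      ("sealed", SEALED), ("rfc1964", OLD_SIGNED)]:
        print(f"{name:8} {classify(pdu)}")
```

A `sasl-signed-only` result means the message is integrity-protected but its LDAP content is still readable in the capture; only `sasl-sealed` PDUs carry encrypted content.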
