[Samba] Winbind traffic not encrypted

Brian Candler b.candler at pobox.com
Fri Dec 2 09:16:01 UTC 2016


On 22/11/2016 15:48, Rowland Penny wrote:
> How about this ??:
>
>         client ldap sasl wrapping (G)
>
>             The client ldap sasl wrapping defines whether ldap traffic will be
>             signed or signed and encrypted (sealed). Possible values are plain,
>             sign and seal.
Thank you for the pointer. I tried setting:

[global]
         client ldap sasl wrapping = seal

on the Samba4 domain controller, then "service samba-ad-dc restart".
However, it still permits unencrypted traffic:

09:01:30.005341 IP 192.168.56.33.37066 > 192.168.56.32.389: Flags [P.], seq 2745:3145, ack 459, win 237, options [nop,nop,TS val 29855 ecr 29855], length 400
09:01:30.009058 IP 192.168.56.32.389 > 192.168.56.33.37066: Flags [P.], seq 459:714, ack 3145, win 290, options [nop,nop,TS val 29856 ecr 29855], length 255

So then I made the same change on the client side, and restarted
winbind; and now the traffic *is* encrypted. (As the name implies, it's
a *client* setting.)

However I would rather not leave this to the client's option. Is there a 
knob I can set on the server which says "you *must* encrypt, or else I 
won't talk to you?"

The smb.conf page says:

            This option is needed in the case of Domain Controllers enforcing the usage of signed LDAP
            connections (e.g. Windows 2000 SP3 or higher). LDAP sign and seal can be controlled with
            the registry key "HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity" on the
            Windows server side.

But obviously the domain controller here is Samba4 running under Linux, 
so registry keys don't come into it.

I already have "ldap server require strong auth = yes" and "restrict 
anonymous = 2" on the server.

Thanks,

Brian.
