[Samba] ldb-tools and ldaps after badlock

Stefan Kania stefan at kania-online.de
Fri Jun 10 17:37:05 UTC 2016




Hello everybody,

Since the patch for all the badlock bugs it is not possible to access
a Samba 4 ADDC database with ldb-tools. Every time I try it, I get the
following error:

root at addc-02:~# ldbsearch -H ldaps://addc-02.example2.net -U administrator
TLS failed to missing crlfile  - with 'tls verify peer = as_strict_as_possible'

When I add:
----------------------
tls verify peer = no_check
----------------------
to smb.conf I will get the following error:



root at addc-02:~# ldbsearch -H ldaps://addc-02.example2.net -U administrator
Password for [EXAMPLE2\administrator]:
Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -
<SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
Failed to connect to 'ldaps://addc-02.example2.net' with backend
'ldaps': (null)
Failed to connect to ldaps://addc-02.example2.net - (null)

Only If I put the line
--------------
ldap server require strong auth = no
---------------
to smb.conf, everything is working again. BUT as I understand these two
parameters, I will go back to the old behavior and a man in the middle
attack is possible.

Is there a solution to keep the security high AND still use the ldb-tools?
I couldn't find anything in any documentation.

Stefan
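The two workaround lines in the post are exactly the ones a defender would want to catch in a config review, because each of them re-opens the man-in-the-middle exposure that the badlock patches closed. The following audit script is an added example, not code from the post or from the Samba project; it parses the [global] section of an smb.conf and reports those two parameters when they carry the weak values quoted above. The smb.conf fragment is constructed for the example.

```python
import re

# Constructed sample smb.conf fragment (not from the original post), carrying
# the two workaround lines the post says restore the pre-badlock behaviour.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE2
    realm = EXAMPLE2.NET
    server role = active directory domain controller
    tls verify peer = no_check
    ldap server require strong auth = no

[sysvol]
    path = /var/lib/samba/sysvol
"""

# Parameter -> values that undo the badlock hardening (taken from the post).
WEAK_SETTINGS = {
    "tls verify peer": {"no_check"},
    "ldap server require strong auth": {"no"},
}

def parse_global(conf_text):
    """Return the [global] parameters as a dict. Parameter names are
    lower-cased and whitespace-normalised, as Samba treats them."""
    section = None
    params = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        # smb.conf comments start with '#' or ';' at the beginning of a line.
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip().lower()
    return params

def audit_weak_settings(conf_text):
    """Return sorted (parameter, value) pairs found with a weak value."""
    params = parse_global(conf_text)
    return sorted((k, params[k]) for k, weak in WEAK_SETTINGS.items()
                  if params.get(k) in weak)

if __name__ == "__main__":
    for key, value in audit_weak_settings(SAMPLE_SMB_CONF):
        print(f"weak setting: {key} = {value}")
```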

