[Samba] ldb-tools and ldaps after badlock
Andrew Bartlett
abartlet at samba.org
Sat Jun 11 20:07:35 UTC 2016
On Fri, 2016-06-10 at 19:37 +0200, Stefan Kania wrote:
> Hello everybody,
>
> since the patch for all the badlock bugs it is not possible to access
> a Samba 4 ADDC-database with ldb-tools. Every time I try it, I get the
> following error:
...
> When I add:
> ----------------------
> tls verify peer = no_check
> ----------------------
> to smb.conf I will get the following error:
>
>
>
> root at addc-02:~# ldbsearch -H ldaps://addc-02.example2.net -U administrator
> Password for [EXAMPLE2\administrator]:
> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED -
> <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
> Failed to connect to 'ldaps://addc-02.example2.net' with backend
> 'ldaps': (null)
> Failed to connect to ldaps://addc-02.example2.net - (null)
>
> Only If I put the line
> --------------
> ldap server require strong auth = no
> ---------------
> to smb.conf, everything is working again. BUT as I understand these
> two parameters, I will go back to the old behavior and a man in the middle
> attack is possible.
>
> Is there a solution to keep the security high AND still use the ldb-tools?
> I couldn't find anything in any documentation.
Just don't use ldaps://, instead use Kerberos (-k yes). I know it
seems strange, but direct encryption with Kerberos is more secure than
LDAP over SSL/TLS.
Therefore, we only accept simple binds over ldaps:// by default.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
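The two settings from the question, placed beside the strict values that keep the post-badlock protections, together with the Kerberos-based invocation Andrew recommends, as an added illustration that is not part of the thread; the default values named and the kinit principal are assumptions.

```ini
# smb.conf fragment (added illustration, not from the thread).
# Weak lines from the question are left commented out beside the
# strict values; the defaults shown are assumptions for this Samba version.
[global]
    # Weak: skips certificate verification on outgoing TLS connections.
    # tls verify peer = no_check
    tls verify peer = as_strict_as_possible

    # Weak: accepts GSS-SPNEGO binds without sign/seal over ldaps://.
    # ldap server require strong auth = no
    ldap server require strong auth = yes

# Client side: authenticate with Kerberos instead of relying on ldaps://,
# so the LDAP session is signed and sealed by GSSAPI (principal is assumed):
#   kinit administrator@EXAMPLE2.NET
#   ldbsearch -H ldap://addc-02.example2.net -k yes '(sAMAccountName=administrator)' dn
```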