[Samba] ldb-tools and ldaps after badlock
Stefan Kania
stefan at kania-online.de
Tue Jun 14 08:04:39 UTC 2016
On 11.06.2016 at 22:07, Andrew Bartlett wrote:
> On Fri, 2016-06-10 at 19:37 +0200, Stefan Kania wrote:
>> Hello everybody,
>>
>> since the patch for all the badlock bugs it is not possible to
>> access a Samba 4 ADDC database with ldb-tools. Every time I try
>> it, I get the following error:
>
Thank you Andrew,
I always thought ldaps is better than ldap with Kerberos, but you are
right, the Kerberos principal is better checked than a self-signed
certificate. Now it is working with the following commands:
kinit administrator
ldbsearch -H ldap://addc.example.net "cn=administrator" -k yes
Thank you
Stefan
> ...
>
>> When I add:
>> ----------------------
>> tls verify peer = no_check
>> ----------------------
>> to smb.conf I will get the following error:
>>
>> root@addc-02:~# ldbsearch -H ldaps://addc-02.example2.net -U administrator
>> Password for [EXAMPLE2\administrator]:
>> Failed to bind - LDAP error 8 LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required.> <>
>> Failed to connect to 'ldaps://addc-02.example2.net' with backend 'ldaps': (null)
>> Failed to connect to ldaps://addc-02.example2.net - (null)
>>
>> Only if I put the line
>> --------------
>> ldap server require strong auth = no
>> ---------------
>> in smb.conf, everything is working again. BUT as I understand these
>> two parameters, I will go back to the old behavior and a
>> man-in-the-middle attack is possible.
>>
>> Is there a solution to keep the security high AND still use the
>> ldb-tools? I couldn't find anything in any documentation.
>
> Just don't use ldaps://, instead use Kerberos (-k yes). I know it
> seems strange, but direct encryption with Kerberos is more secure
> than LDAP over SSL/TLS.
>
> Therefore, we only accept simple binds over ldaps:// by default.
>
> Andrew Bartlett
>
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signing every e-mail helps reduce spam. Sign your e-mail.
Further information at http://www.gnupg.org
My key is available at
hkp://subkeys.pgp.net
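An added example, not code from the thread or from the Samba project: a small Python audit that parses an smb.conf and flags the two settings the thread shows being relaxed while troubleshooting (tls verify peer = no_check, ldap server require strong auth = no). The sample configs are constructed; the two additional weaker values it also flags (allow_sasl_over_tls, ca_only) and all option semantics are assumed from smb.conf(5), not stated on the page.

```python
import configparser

# Constructed sample configs (not the thread's real hosts); the first
# carries the two lines the thread added while troubleshooting.
WEAKENED_CONF = """
[global]
    workgroup = EXAMPLE2
    server role = active directory domain controller
    tls verify peer = no_check
    ldap server require strong auth = no
"""
HARDENED_CONF = """
[global]
    workgroup = EXAMPLE2
    server role = active directory domain controller
"""

# Values that weaken LDAP security. The thread's two values are on the
# page; the other two and all meanings are assumed from smb.conf(5).
WEAK_VALUES = {
    "ldap server require strong auth": {
        "no": "unsigned binds accepted over plain ldap:// (pre-badlock; MITM possible)",
        "allow_sasl_over_tls": "SASL binds without sign/seal accepted over ldaps://",
    },
    "tls verify peer": {
        "no_check": "peer certificates are not verified at all",
        "ca_only": "CA verified but certificate name is not checked",
    },
}

def parse_smb_conf(text):
    """smb.conf keys are case-insensitive and may contain spaces."""
    conf = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                     interpolation=None, strict=False,
                                     empty_lines_in_values=False)
    conf.optionxform = lambda key: " ".join(key.lower().split())
    conf.read_string(text)
    return conf

def audit(text):
    """Return (option, value, reason) for each weakening [global] setting."""
    conf = parse_smb_conf(text)
    section = next((s for s in conf.sections() if s.lower() == "global"), None)
    if section is None:
        return []
    findings = []
    for option, weak in WEAK_VALUES.items():
        value = conf.get(section, option, fallback="").strip().lower()
        if value in weak:
            findings.append((option, value, weak[value]))
    return findings
```

Run it over the real /etc/samba/smb.conf of a DC after troubleshooting to make sure the relaxed lines did not stay behind once Kerberos (-k yes) is used.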