[Samba] Winbind traffic not encrypted

Brian Candler b.candler at pobox.com
Tue Nov 22 15:19:34 UTC 2016


On 21/11/2016 17:21, Brian Candler wrote:
> I'd quite like to be able to fetch a ticket using the keytab

I found a solution to that part by using a different form of principal 
name with "hostname$"

root@client-ad:~# kinit -k -t /etc/krb5.keytab 'CLIENT-AD$@AD.EXAMPLE.NET'
root@client-ad:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: CLIENT-AD$@AD.EXAMPLE.NET

Valid starting     Expires            Service principal
11/22/16 15:12:08  11/23/16 01:12:08 krbtgt/AD.EXAMPLE.NET@AD.EXAMPLE.NET
     renew until 11/23/16 15:12:08
root@client-ad:~# ldapsearch -Y GSSAPI -b dc=ad,dc=example,dc=net -h smb1.ad.example.net '(cn=client-ad)'
SASL/GSSAPI authentication started
SASL username: CLIENT-AD$@AD.EXAMPLE.NET
SASL SSF: 56
SASL data security layer installed.
... works OK


> , but more importantly I want to get winbind to doing kerberized LDAP 
> (after which I'll be able to disable unencrypted LDAP completely). 

This is still the case. It's clear from tcpdump that some of the 
exchange is not encrypted:

15:14:32.809585 IP 192.168.56.32.389 > 192.168.56.33.50240: Flags [P.], seq 459:680, ack 2989, win 290, options [nop,nop,TS val 13587257 ecr 13587256], length 221
     0x0000:  4500 0111 2bcf 4000 4006 1c86 c0a8 3820 E...+.@.@.....8.
     0x0010:  c0a8 3821 0185 c440 f9d9 7ac4 29f0 2953 ..8!...@..z.).)S
     0x0020:  8018 0122 f295 0000 0101 080a 00cf 5339 ..."..........S9
     0x0030:  00cf 5338 0000 00d9 0504 05ff 000c 000c ..S8............
     0x0040:  0000 0000 142f 5669 574f 3a0e e150 1889 ...../ViWO:..P..
     0x0050:  99ab 8cca 3081 8702 0105 6481 8104 2943 ....0.....d...)C
     0x0060:  4e3d 7573 6572 322c 434e 3d55 7365 7273 N=user2,CN=Users
     0x0070:  2c44 433d 6164 2c44 433d 6578 616d 706c ,DC=ad,DC=exampl
     0x0080:  652c 4443 3d6e 6574 3054 3019 040a 6c6f e,DC=net0T0...lo
     0x0090:  6769 6e53 6865 6c6c 310b 0409 2f62 696e ginShell1.../bin
     0x00a0:  2f62 6173 6830 2204 1175 6e69 7848 6f6d /bash0"..unixHom
     0x00b0:  6544 6972 6563 746f 7279 310d 040b 2f68 eDirectory1.../h
     0x00c0:  6f6d 652f 7573 6572 3230 1304 0967 6964 ome/user20...gid
     0x00d0:  4e75 6d62 6572 3106 0404 3930 3032 3031 Number1...900201
     0x00e0:  0201 0565 070a 0100 0400 0400 a023 3021 ...e.........#0!
     0x00f0:  0416 312e 322e 3834 302e 3131 3335 3536 ..1.2.840.113556
     0x0100:  2e31 2e34 2e33 3139 0407 3005 0201 0004 .1.4.319..0.....

I did find https://www.samba.org/samba/security/CVE-2016-2112.html and 
I've made sure that smb.conf on the server contains

         restrict anonymous = 2
         ldap server require strong auth = yes

(although I believe the latter should be default now). I've also 
confirmed that anonymous binds are rejected, as are simple binds without 
TLS.

However, tcpdump shows that winbind is somehow making an unencrypted 
connection - possibly using Kerberos to authenticate but not setting up 
transport security?

Regards,

Brian.
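The frame above, decoded as an added example (not part of the original post and not Samba code): it strips the IP and TCP headers, reads the SASL length prefix (RFC 4752) and the GSSAPI wrap token header (RFC 4121 section 4.2.6.2), and reports whether the token's Sealed flag is set. For this frame it is not, so the token carries only an integrity checksum and the SearchResultEntry behind it is the clear-text LDAP that tcpdump shows. The first six hex rows of the dump are re-typed as the constructed input; the LDAP op table is a partial list.

```python
import struct

# Constructed input: the first six hex rows of the tcpdump -X frame quoted in
# the post (ASCII column dropped); enough for the headers and the LDAP start.
FRAME_HEX = """
0x0000:  4500 0111 2bcf 4000 4006 1c86 c0a8 3820
0x0010:  c0a8 3821 0185 c440 f9d9 7ac4 29f0 2953
0x0020:  8018 0122 f295 0000 0101 080a 00cf 5339
0x0030:  00cf 5338 0000 00d9 0504 05ff 000c 000c
0x0040:  0000 0000 142f 5669 574f 3a0e e150 1889
0x0050:  99ab 8cca 3081 8702 0105 6481 8104 2943
"""
WRAP_TOK_ID = 0x0504  # RFC 4121 section 4.2.6.2 wrap token
FLAG_SEALED = 0x02    # confidentiality; 0x01 = SentByAcceptor, 0x04 = AcceptorSubkey
LDAP_OPS = {0x60: "BindRequest", 0x61: "BindResponse", 0x63: "SearchRequest",
            0x64: "SearchResultEntry", 0x65: "SearchResultDone"}

def tcpdump_hex_to_bytes(dump):
    """Join the hex pairs of 'tcpdump -X' rows, dropping the offset column."""
    pairs = [p for line in dump.strip().splitlines() for p in line.partition(":")[2].split()]
    return bytes.fromhex("".join(pairs))

def tcp_payload(frame):
    """Skip the IPv4 header (IHL) and the TCP header (data offset)."""
    ihl = (frame[0] & 0x0F) * 4
    return frame[ihl + (frame[ihl + 12] >> 4) * 4:]

def ldap_header(pdu):
    """Return (messageID, protocolOp name) from a clear-text BER LDAPMessage."""
    if pdu[0] != 0x30:
        raise ValueError("not a BER SEQUENCE, so not clear-text LDAP")
    i = 2 + ((pdu[1] & 0x7F) if pdu[1] & 0x80 else 0)  # skip long-form length
    n = pdu[i + 1]                                      # INTEGER messageID length
    return int.from_bytes(pdu[i + 2:i + 2 + n], "big"), LDAP_OPS.get(pdu[i + 2 + n], "?")

def analyse_frame(dump):
    """RFC 4752 4-byte length, then the 16-byte RFC 4121 wrap token header:
    TOK_ID | Flags | Filler 0xFF | EC | RRC | SND_SEQ, followed by the body."""
    payload = tcp_payload(tcpdump_hex_to_bytes(dump))
    (sasl_len,) = struct.unpack("!I", payload[:4])
    tok_id, flags, filler, ec, rrc = struct.unpack("!HBBHH", payload[4:12])
    if tok_id != WRAP_TOK_ID or filler != 0xFF:
        raise ValueError("payload is not a GSSAPI wrap token")
    body = payload[20:]
    result = {"sasl_len": sasl_len, "sealed": bool(flags & FLAG_SEALED), "ec": ec, "rrc": rrc}
    if not result["sealed"]:
        # Unsealed: EC is the checksum length and RRC has rotated that checksum to the
        # front; undo the rotation and the LDAP PDU sits in clear text.
        result["message_id"], result["ldap_op"] = ldap_header(body[rrc:] + body[:rrc])
    return result
```

A sealed token would report `sealed: True` and leave `ldap_op` unset, since the body is then ciphertext rather than a BER PDU.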
