[Samba] Winbind traffic not encrypted

Rowland Penny rpenny at samba.org
Tue Nov 22 15:48:50 UTC 2016


On Tue, 22 Nov 2016 15:19:34 +0000
Brian Candler via samba <samba at lists.samba.org> wrote:

> On 21/11/2016 17:21, Brian Candler wrote:
> > I'd quite like to be able to fetch a ticket using the keytab
> 
> I found a solution to that part by using a different form of
> principal name with "hostname$"
> 
> root@client-ad:~# kinit -k -t /etc/krb5.keytab 'CLIENT-AD$@AD.EXAMPLE.NET'
> root@client-ad:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: CLIENT-AD$@AD.EXAMPLE.NET
> 
> Valid starting     Expires            Service principal
> 11/22/16 15:12:08  11/23/16 01:12:08  krbtgt/AD.EXAMPLE.NET@AD.EXAMPLE.NET
>         renew until 11/23/16 15:12:08
> root@client-ad:~# ldapsearch -Y GSSAPI -b dc=ad,dc=example,dc=net -h smb1.ad.example.net '(cn=client-ad)'
> SASL/GSSAPI authentication started
> SASL username: CLIENT-AD$@AD.EXAMPLE.NET
> SASL SSF: 56
> SASL data security layer installed.
> ... works OK
> 
> 
> > , but more importantly I want to get winbind to do kerberized
> > LDAP (after which I'll be able to disable unencrypted LDAP
> > completely).
> 
> This is still the case. It's clear from tcpdump that some of the 
> exchange is not encrypted:
> 
> 15:14:32.809585 IP 192.168.56.32.389 > 192.168.56.33.50240: Flags
> [P.], seq 459:680, ack 2989, win 290, options [nop,nop,TS val
> 13587257 ecr 13587256], length 221
>      0x0000:  4500 0111 2bcf 4000 4006 1c86 c0a8 3820 E...+.@.@.....8.
>      0x0010:  c0a8 3821 0185 c440 f9d9 7ac4 29f0 2953 ..8!...@..z.).)S
>      0x0020:  8018 0122 f295 0000 0101 080a 00cf 5339 ..."..........S9
>      0x0030:  00cf 5338 0000 00d9 0504 05ff 000c 000c ..S8............
>      0x0040:  0000 0000 142f 5669 574f 3a0e e150 1889 ...../ViWO:..P..
>      0x0050:  99ab 8cca 3081 8702 0105 6481 8104 2943 ....0.....d...)C
>      0x0060:  4e3d 7573 6572 322c 434e 3d55 7365 7273 N=user2,CN=Users
>      0x0070:  2c44 433d 6164 2c44 433d 6578 616d 706c ,DC=ad,DC=exampl
>      0x0080:  652c 4443 3d6e 6574 3054 3019 040a 6c6f e,DC=net0T0...lo
>      0x0090:  6769 6e53 6865 6c6c 310b 0409 2f62 696e ginShell1.../bin
>      0x00a0:  2f62 6173 6830 2204 1175 6e69 7848 6f6d /bash0"..unixHom
>      0x00b0:  6544 6972 6563 746f 7279 310d 040b 2f68 eDirectory1.../h
>      0x00c0:  6f6d 652f 7573 6572 3230 1304 0967 6964 ome/user20...gid
>      0x00d0:  4e75 6d62 6572 3106 0404 3930 3032 3031 Number1...900201
>      0x00e0:  0201 0565 070a 0100 0400 0400 a023 3021 ...e.........#0!
>      0x00f0:  0416 312e 322e 3834 302e 3131 3335 3536 ..1.2.840.113556
>      0x0100:  2e31 2e34 2e33 3139 0407 3005 0201 0004 .1.4.319..0.....
> 
> I did find https://www.samba.org/samba/security/CVE-2016-2112.html
> and I've made sure that smb.conf on the server contains
> 
>          restrict anonymous = 2
>          ldap server require strong auth = yes
> 
> (although I believe the latter should be default now). I've also 
> confirmed that anonymous binds are rejected, as are simple binds
> without TLS.
> 
> However tcpdump shows that winbind is somehow making an unencrypted 
> connection - possibly using Kerberos to authenticate but not set up 
> transport security?
> 
> Regards,
> 
> Brian.
> 
> 

How about this ??:

       client ldap sasl wrapping (G)

           The client ldap sasl wrapping defines whether ldap traffic will be
           signed or signed and encrypted (sealed). Possible values are plain,
           sign and seal.

           The values sign and seal are only available if Samba has been
           compiled against a modern OpenLDAP version (2.3.x or higher).

           This option is needed in the case of Domain Controllers enforcing
           the usage of signed LDAP connections (e.g. Windows 2000 SP3 or
           higher). LDAP sign and seal can be controlled with the registry key
           "HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity"
           on the Windows server side.

           Depending on the used KRB5 library (MIT and older Heimdal versions)
           it is possible that the message "integrity only" is not supported.
           In this case, sign is just an alias for seal.

           The default value is sign. That implies synchronizing the time with
           the KDC in the case of using Kerberos.

           Default: client ldap sasl wrapping = sign

Taken from 'man smb.conf' on 4.5.1

Rowland
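One way to verify what the man page excerpt describes, as an added example that is not from the thread or from Samba: a small Python parser for the SASL buffers carried on port 389 (a 4-byte length followed by an RFC 4121 GSS Wrap token). It decodes the Sealed flag and, for sign-only tokens like the one in the quoted dump, undoes the RRC rotation and lists the LDAP operations and DNs that are readable on the wire. The sample is transcribed from the dump above; its final byte, missing from the quote, is assumed to be 0x00.

```python
import struct

WRAP_TOK_ID, FLAG_SEALED = b"\x05\x04", 0x02   # RFC 4121 Wrap token id; Flags bit for confidentiality
LDAP_OPS = {0x60: "bindRequest", 0x61: "bindResponse", 0x63: "searchRequest",
            0x64: "searchResEntry", 0x65: "searchResDone"}

def ber_header(b, pos):
    """Return (tag, content length, header length) of the BER TLV at pos (definite lengths only)."""
    tag, first = b[pos], b[pos + 1]
    if first < 0x80:
        return tag, first, 2
    n = first & 0x7F
    return tag, int.from_bytes(b[pos + 2:pos + 2 + n], "big"), 2 + n

def inspect_sasl_buffer(buf):
    """Parse one SASL buffer (4-byte length + GSS Wrap token) as carried on LDAP port 389."""
    (sasl_len,) = struct.unpack("!I", buf[:4])
    tok = buf[4:4 + sasl_len]
    if len(tok) != sasl_len or len(tok) < 16 or tok[:2] != WRAP_TOK_ID:
        raise ValueError("not a complete RFC 4121 Wrap token")
    ec, rrc = struct.unpack("!HH", tok[4:8])          # extra count, right rotation count
    report = {"sealed": bool(tok[2] & FLAG_SEALED), "ops": [], "dns": []}
    if report["sealed"]:
        return report       # 'seal': the payload is ciphertext, nothing is readable on the wire
    # 'sign' only: body is (plaintext || checksum) rotated right by RRC, and EC = checksum length
    body = tok[16 + rrc:] + tok[16:16 + rrc]
    data = body[:len(body) - ec]
    pos = 0
    while pos < len(data):                             # one or more LDAPMessage SEQUENCEs
        _, mlen, mhdr = ber_header(data, pos)
        msg = data[pos + mhdr:pos + mhdr + mlen]
        _, idlen, idhdr = ber_header(msg, 0)           # messageID INTEGER precedes the protocolOp
        op_pos, op = idhdr + idlen, msg[idhdr + idlen]
        report["ops"].append(LDAP_OPS.get(op, f"op_{op:#x}"))
        if op == 0x64:                                 # SearchResultEntry: objectName (the DN) is first
            _, _, ohdr = ber_header(msg, op_pos)
            _, dlen, dhdr = ber_header(msg, op_pos + ohdr)
            report["dns"].append(msg[op_pos + ohdr + dhdr:][:dlen].decode())
        pos += mhdr + mlen
    return report

# Constructed sample: TCP payload (offset 0x34 onward) of the server->client packet quoted in the
# thread; its final byte, cut off in the quote, is assumed to be 0x00 (empty paged-results cookie).
SAMPLE = bytes.fromhex(
    "000000d9050405ff000c000c 00000000142f5669574f3a0ee1501889 99ab8cca308187020105648181042943"
    "4e3d75736572322c434e3d5573657273 2c44433d61642c44433d6578616d706c 652c44433d6e657430543019040a6c6f"
    "67696e5368656c6c310b04092f62696e 2f6261736830220411756e6978486f6d 654469726563746f7279310d040b2f68"
    "6f6d652f757365723230130409676964 4e756d62657231060404393030323031 02010565070a010004000400a0233021"
    "0416312e322e3834302e313133353536 2e312e342e3331390407300502010004 00")
```

Run against the sample it reports `sealed: False` with the SearchResultEntry for CN=user2 readable, which is the 'sign' default the man page describes; with `client ldap sasl wrapping = seal` the Flags byte carries 0x02 and the same parser reports only `sealed: True`.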
