[Samba] Issue with LDAPS & Winbind

Timothy Gwynne gwynne.timothy at gmail.com
Mon Jan 15 16:52:35 UTC 2018


Rowland, hopefully this explains it. I am not a security expert by any
means, so correct me if I am incorrect in these assumptions!

My understanding is that standard LDAP authentication without any
encryption will send passwords and user information (usernames, groups
they're a part of etc) over plain text. This means that a user on the
network could potentially sniff the packets and see the passwords and user
information.

In fact, I was able myself to see the user information (not passwords,
though they may be there somewhere) in the network traffic via WireShark.
My understanding is that with LDAPS, the traffic is encrypted and this
information is not viewable by someone on the network.

I have tried "client ldap sasl wrapping = seal" as suggested by Volker, and
that does seem to work and provide some kind of encryption of the LDAP
traffic using SASL. I'm just not sure if it is as strong as TLS, my
understanding is it is not.

Are my assumptions/information correct?

My ultimate goal is to encrypt the LDAP traffic using TLS. Is that possible
with Winbind and Samba?


-- 
Tim Gwynne
978-994-4272
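To make the cleartext point above concrete, here is an added example (not from this thread or from Samba) that decodes the BER of an LDAP BindRequest taken from an unencrypted capture and reports whether the bind itself put a password on the wire: a simple bind (or SASL PLAIN) does, while a SASL mechanism such as GSS-SPNEGO does not. The sample messages are constructed inside the block; the DN and password are made-up values, and only the bind is inspected, so the directory replies that follow still travel in the clear unless the SASL layer seals them or the session is wrapped in TLS.

```python
def ber_encode(tag, payload):
    # Minimal BER TLV encoder: short-form length under 128, long-form above
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def ber_decode(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def build_simple_bind(dn, password, message_id=1):  # constructed sample, simple [0] auth
    req = ber_encode(0x60, ber_encode(0x02, b"\x03") + ber_encode(0x04, dn.encode())
                     + ber_encode(0x80, password.encode()))
    return ber_encode(0x30, ber_encode(0x02, bytes([message_id])) + req)

def build_sasl_bind(mechanism, token, message_id=2):  # constructed sample, sasl [3] auth
    sasl = ber_encode(0xA3, ber_encode(0x04, mechanism.encode()) + ber_encode(0x04, token))
    req = ber_encode(0x60, ber_encode(0x02, b"\x03") + ber_encode(0x04, b"") + sasl)
    return ber_encode(0x30, ber_encode(0x02, bytes([message_id])) + req)

def classify_bind(msg):
    """Return a dict describing the bind, or None if msg is not a BindRequest."""
    tag, body, _ = ber_decode(msg)
    if tag != 0x30:                   # LDAPMessage is a SEQUENCE
        return None
    _, mid, p = ber_decode(body)      # messageID INTEGER
    tag, req, _ = ber_decode(body, p)
    if tag != 0x60:                   # protocolOp must be [APPLICATION 0] BindRequest
        return None
    _, _, p = ber_decode(req)         # version INTEGER, not needed here
    _, name, p = ber_decode(req, p)   # name LDAPDN
    tag, auth, _ = ber_decode(req, p) # authentication CHOICE
    info = {"message_id": int.from_bytes(mid, "big"), "dn": name.decode(),
            "method": "unknown", "cleartext_password": None}
    if tag == 0x80:                   # simple [0]: the password itself is on the wire
        info.update(method="simple", cleartext_password=True, secret=auth.decode())
    elif tag == 0xA3:                 # sasl [3]: only PLAIN carries a cleartext password
        _, mech, _ = ber_decode(auth)
        info.update(method="sasl", mechanism=mech.decode(),
                    cleartext_password=(mech == b"PLAIN"))
    return info

if __name__ == "__main__":
    print(classify_bind(build_simple_bind("cn=admin,dc=example,dc=com", "hunter2")))
    print(classify_bind(build_sasl_bind("GSS-SPNEGO", b"\x60" + b"\x00" * 200)))
```

Feed it the payload of each TCP segment carrying an LDAP message from a capture; a `simple` result with `cleartext_password` true is the case the thread is worried about.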

