[Samba] Issue with LDAPS & Winbind

Timothy Gwynne gwynne.timothy at gmail.com
Tue Jan 16 17:37:09 UTC 2018


Thank you for the information. I was under the impression that
authentication was done through LDAP. I'm not sure what led me to this

How can I confirm that indeed my Linux member server is authenticating with
Kerberos, and that it is encrypted? Is Kerberos traffic always encrypted?


On Mon, Jan 15, 2018 at 10:37 AM, Denis Cardon <dcardon at tranquil.it> wrote:

> Hi Timothy,
>> Rowland, hopefully this explains it. I am not a security expert by any
>> means, so correct me if I am incorrect in these assumptions!
>> My understanding is that standard LDAP authentication without any
>> encryption will send passwords and user information (usernames, groups
>> they're a part of etc) over plain text. This means that a user on the
>> network could potentially sniff the packets and see the passwords and user
>> information.
> authentication on the domain is normally done through Kerberos, so there
> are no clear passwords going through.
> Actually once you have an account, users or machine accounts, you can
> query most of ldap, so MITM an ldap result is not the most interesting
> thing. And most MS-AD installations I've seen don't have a TLS cert
> installed and most Samba-AD still have their snake-oil certificate. And
> krbtgt accounts never had their password changed...
>> In fact, I was able myself to see the user information (not passwords,
>> though they may be there somewhere) in the network traffic via WireShark.
>> My understanding is that with LDAPS, the traffic is encrypted and this
>> information is not viewable by someone on the network.
>> I have tried "client ldap sasl wrapping = seal" as suggested by Volker, and
>> that does seem to work and provide some kind of encryption of the LDAP
>> traffic using SASL. I'm just not sure if it is as strong as TLS, my
>> understanding is it is not.
>> Are my assumptions/information correct?
>> My ultimate goal is to encrypt the LDAP traffic using TLS. Is that possible
>> with Winbind and Samba?
> You can have a TLS enabled LDAP connection from your favorite client app
> or web server to Samba. The issue that has been highlighted by Björn,
> unless I'm mistaken, was related to winbind run as a client.
> Cheers,
> Denis
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0)
> http://www.tranquil-it-systems.fr

Tim Gwynne
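The question above ("how can I confirm it is Kerberos, and that it is encrypted?") is answered on the wire rather than in the config. Two things are worth separating. On port 88, Kerberos messages carry the ticket and authenticator encrypted, but the framing (principal names, realm) is readable. On port 389, a domain member's winbind binds with SASL/GSSAPI (a Kerberos token inside the LDAP BindRequest), so no password is in the bind; what "client ldap sasl wrapping = sign" vs "seal" changes is whether the LDAP messages after the bind are merely integrity-protected (still readable) or encrypted. The following is an added example, not code from the thread or from Samba: a minimal BER decoder that, given the raw TCP payload of an LDAP connection, reports whether a BindRequest carries a cleartext password (simple bind) or a SASL/GSSAPI token, and whether post-bind bytes are plain BER, GSS-signed, or GSS-sealed. The sample messages are constructed inline; carving the TCP payload out of a real capture (e.g. `tcpdump -w ldap.pcap port 389 or port 88`, then scapy or tshark) is assumed and not shown.

```python
"""Added example: what a sniffer sees on an LDAP connection.

classify_bind()   -> simple bind (cleartext password) vs SASL/GSSAPI bind
classify_stream() -> plain BER vs GSS-API wrapped, and signed-only vs sealed
Wire formats per RFC 4511 (LDAP), RFC 4422 (SASL security layer framing)
and RFC 4121 (Kerberos GSS-API wrap tokens). All samples are constructed.
"""


def _tlv(tag, value):
    """Encode one BER TLV (definite length, short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_bind(pdu):
    """Parse one LDAPMessage and report how a BindRequest authenticates."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:                         # LDAPMessage ::= SEQUENCE
        raise ValueError("not an LDAPMessage")
    _, msgid, p = _read_tlv(msg, 0)         # messageID INTEGER
    tag, op, _ = _read_tlv(msg, p)          # protocolOp CHOICE
    out = {"msgid": int.from_bytes(msgid, "big")}
    if tag != 0x60:                         # [APPLICATION 0] BindRequest
        out["op"] = "not-a-bind"
        return out
    _, _ver, p = _read_tlv(op, 0)           # version INTEGER (3)
    _, name, p = _read_tlv(op, p)           # name LDAPDN
    atag, auth, _ = _read_tlv(op, p)        # authentication CHOICE
    out.update(op="bind", name=name.decode())
    if atag == 0x80:                        # simple [0] OCTET STRING
        out.update(auth="simple", cleartext_password=True,
                   password=auth.decode(errors="replace"))
    elif atag == 0xA3:                      # sasl [3] SaslCredentials
        _, mech, _ = _read_tlv(auth, 0)     # mechanism LDAPString
        out.update(auth="sasl", cleartext_password=False,
                   mechanism=mech.decode())
    else:
        out.update(auth="unknown", cleartext_password=False)
    return out


def classify_stream(payload):
    """Classify post-bind bytes: plain BER, GSS-signed, or GSS-sealed."""
    if payload[:1] == b"\x30":
        return "plain"                      # readable LDAPMessage
    tok = payload[4:]                       # SASL layer: 4-byte length prefix
    if len(tok) >= 3 and tok[:2] == b"\x05\x04":   # RFC 4121 Wrap TOK_ID
        return "gss-sealed" if tok[2] & 0x02 else "gss-signed"  # Flags.Sealed
    return "unknown"


# --- constructed samples (not from a real capture) ---------------------
def simple_bind(msgid, dn, password):
    op = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + _tlv(0x60, op))


def sasl_bind(msgid, mechanism, token):
    creds = _tlv(0x04, mechanism.encode()) + _tlv(0x04, token)
    op = _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(0xA3, creds)
    return _tlv(0x30, _tlv(0x02, bytes([msgid])) + _tlv(0x60, op))


def _gss_wrap(flags, body):
    """Constructed RFC 4121 wrap token header behind a SASL length prefix."""
    tok = b"\x05\x04" + bytes([flags]) + b"\xff" + body
    return len(tok).to_bytes(4, "big") + tok


SAMPLE_SIMPLE = simple_bind(1, "cn=tim,cn=Users,dc=example,dc=com", "Hunter2!")
SAMPLE_SASL = sasl_bind(1, "GSSAPI", b"\x60" + b"\x00" * 40)  # stand-in AP-REQ
SAMPLE_PLAIN_SEARCH = _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x63, b""))
SAMPLE_SIGNED = _gss_wrap(0x00, b"\x30\x05\x02\x01\x02\x63\x00")  # body readable
SAMPLE_SEALED = _gss_wrap(0x02, b"\x9a\x1f\x44\xe0\x07\x3b\x21")  # body encrypted

if __name__ == "__main__":
    for label, pdu in (("simple", SAMPLE_SIMPLE), ("sasl", SAMPLE_SASL)):
        print(label, classify_bind(pdu))
    for label, s in (("search", SAMPLE_PLAIN_SEARCH), ("sign", SAMPLE_SIGNED),
                     ("seal", SAMPLE_SEALED)):
        print(label, classify_stream(s))
```

Reading the output: a simple bind hands the sniffer the DN and password directly; a GSSAPI bind hands it only a Kerberos token. After the bind, "plain" means every search and result is readable, "gss-signed" means it is still readable (only tamper-evident), and "gss-sealed" means the payload is encrypted, which is what `client ldap sasl wrapping = seal` is meant to produce.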
