[Samba] Issue with LDAPS & Winbind

Timothy Gwynne gwynne.timothy at gmail.com
Tue Jan 16 17:37:09 UTC 2018


Denis,

Thank you for the information. I was under the impression that
authentication was done through LDAP. I'm not sure what led me to this
belief/understanding.

How can I confirm that indeed my Linux member server is authenticating with
Kerberos, and that it is encrypted? Is Kerberos traffic always encrypted?

Thanks,
Tim

On Mon, Jan 15, 2018 at 10:37 AM, Denis Cardon <dcardon at tranquil.it> wrote:

> Hi Timothy,
>
> Rowland, hopefully this explains it. I am not a security expert by any
>> means, so correct me if I am incorrect in these assumptions!
>>
>> My understanding is that standard LDAP authentication without any
>> encryption will send passwords and user information (usernames, groups
>> they're a part of etc) over plain text. This means that a user on the
>> network could potentially sniff the packets and see the passwords and user
>> information.
>>
>
> authentication on the domain is normally done through Kerberos, so there
> are no clear passwords going through.
>
> Actually once you have an account, users or machine accounts, you can
> query most of ldap, so MITM an ldap result is not the most interesting
> thing. And most MS-AD installations I've seen don't have a TLS cert
> installed and most Samba-AD still have their snake-oil certificate. And
> krbtgt accounts never had their password changed...
>
> In fact, I was able myself to see the user information (not passwords,
>> though they may be there somewhere) in the network traffic via Wireshark.
>> My understanding is that with LDAPS, the traffic is encrypted and this
>> information is not viewable by someone on the network.
>>
>> I have tried "client ldap sasl wrapping = seal" as suggested by Volker, and
>> that does seem to work and provide some kind of encryption of the LDAP
>> traffic using SASL. I'm just not sure if it is as strong as TLS, my
>> understanding is it is not.
>>
>> Are my assumptions/information correct?
>>
>> My ultimate goal is to encrypt the LDAP traffic using TLS. Is that possible
>> with Winbind and Samba?
>>
>
> You can have a TLS enabled LDAP connection from your favorite client app
> or web server to Samba. The issue that has been highlighted by Björn,
> unless I'm mistaken, was related to winbind run as a client.
>
> Cheers,
>
> Denis
>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
>
>


-- 
Tim Gwynne
978-994-4272
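As an added example (not code from the thread or from the Samba project), a POSIX shell check for the two smb.conf settings this exchange turns on: `security = ads`, under which winbind binds to the DC's LDAP with the machine account's Kerberos credentials over SASL, and `client ldap sasl wrapping`, whose `seal` value encrypts that LDAP traffic. The two sample smb.conf files are constructed for illustration.

```shell
# Added example, not code from the thread: checks the two smb.conf settings
# discussed above on a Samba AD member server. Parameter names are real Samba
# parameters; the sample configuration files are constructed for illustration.
# Print the lower-cased value of one [global] parameter from an smb.conf file,
# skipping comment lines (# or ;); prints nothing if the parameter is unset.
smbconf_global() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insec {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) val = tolower(v)
        }
        END { if (val != "") print val }' "$1"
}

# Report on the settings; returns 0 only when the host is an AD member whose
# winbind LDAP traffic to the DC is sealed (encrypted), 1 otherwise.
audit_smbconf() {
    sec=$(smbconf_global "$1" "security")
    wrap=$(smbconf_global "$1" "client ldap sasl wrapping")
    rc=0
    if [ "$sec" = "ads" ]; then
        echo "ok:   security = ads (winbind binds to LDAP with Kerberos via SASL)"
    else
        echo "warn: security = ${sec:-unset}; not an AD member configuration"; rc=1
    fi
    case "$wrap" in
        seal)  echo "ok:   client ldap sasl wrapping = seal (LDAP traffic encrypted)" ;;
        sign)  echo "warn: wrapping = sign: LDAP traffic is integrity-checked, not encrypted"; rc=1 ;;
        plain) echo "warn: wrapping = plain: LDAP traffic is unprotected"; rc=1 ;;
        "")    echo "warn: client ldap sasl wrapping not set; Samba's default applies"; rc=1 ;;
        *)     echo "warn: unrecognised wrapping value '$wrap'"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: one sealed, one with the parameter left unset.
SEALED=$(mktemp); cat > "$SEALED" <<'EOF'
[global]
   security = ads
   client ldap sasl wrapping = seal
EOF
UNSET=$(mktemp); printf '[global]\n   security = ads\n' > "$UNSET"
audit_smbconf "$SEALED" || echo "=> $SEALED needs attention"
audit_smbconf "$UNSET"  || echo "=> $UNSET needs attention"
```

On a live member server, `testparm -s -v > effective.conf` writes the effective configuration, defaults included, in the same format, so the same function can audit what winbind is actually running with rather than only what was typed into smb.conf.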

