[Samba] Issue with LDAPS & Winbind
dcardon at tranquil.it
Tue Jan 16 18:26:44 UTC 2018
> Thank you for the information. I was under the impression that
> authentication was done through LDAP. I'm not sure what led me to this
> How can I confirm that indeed my Linux member server is authenticating
> with Kerberos, and that it is encrypted? Is Kerberos traffic always
On winbind I am not sure where it stores its service ticket. But on
Windows authentication would be done with Kerberos too; you can check
with "klist" that you have a service ticket for SPN
And you can check that your LocalSystem account also has SPN for ldap
connection using psexec
psexec -i -s cmd
> On Mon, Jan 15, 2018 at 10:37 AM, Denis Cardon <dcardon at tranquil.it> wrote:
> Hi Timothy,
> Rowland, hopefully this explains it. I am not a security expert by any
> means, so correct me if I am incorrect in these assumptions!
> My understanding is that standard LDAP authentication without any
> encryption will send passwords and user information (usernames,
> they're a part of etc) over plain text. This means that a user on the
> network could potentially sniff the packets and see the
> passwords and user
> authentication on the domain is normally done through Kerberos, so
> there are no clear passwords going through.
> Actually once you have an account, user or machine account, you
> can query most of ldap, so MITM an ldap result is not the most
> interesting thing. And most MS-AD installations I've seen don't have
> a TLS cert installed and most Samba-AD still have their snake-oil
> certificate. And krbtgt accounts never had their password changed...
> In fact, I was able myself to see the user information (not
> though they may be there somewhere) in the network traffic via
> My understanding is that with LDAPS, the traffic is encrypted and this
> information is not viewable by someone on the network.
> I have tried "client ldap sasl wrapping = seal" as suggested by Volker,
> and that does seem to work and provide some kind of encryption of the
> LDAP traffic using SASL. I'm just not sure if it is as strong as TLS; my
> understanding is it is not.
> Are my assumptions/information correct?
> My ultimate goal is to encrypt the LDAP traffic using TLS. Is that
> possible with Winbind and Samba?
> You can have a TLS enabled LDAP connection from your favorite client
> app or web server to Samba. The issue that has been highlighted by
> Björn, unless I'm mistaken, was related to winbind run as a client.
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 184.108.40.206.55
> http://www.tranquil-it-systems.fr
> Tim Gwynne
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 18.104.22.168.55
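The question that runs through this thread is how to confirm, from the wire, whether a member server is doing a cleartext simple bind, a Kerberos (GSS-SPNEGO) SASL bind, SASL sign/seal wrapping as produced by "client ldap sasl wrapping", or TLS. The following is an added example written for this archive page; it is not code from the Samba project or from anyone in the thread. It classifies single LDAP PDUs carved out of a TCP stream by their framing: BER SEQUENCE for plain LDAP, a 4-byte length plus an RFC 4121 Kerberos wrap token for SASL wrapping (with the Sealed flag telling sign from seal), and a TLS record header for LDAPS. All sample PDUs, the DN cn=svc,dc=example,dc=com and the password are constructed for the example; it assumes one whole PDU per call (no TCP reassembly) and single-byte BER tags with definite lengths.

```python
"""Classify captured LDAP PDUs: what does an on-path sniffer actually see?

Added example for this thread, not code from the Samba project or from
anyone in the thread. It tells apart a cleartext simple bind, a SASL bind
(e.g. GSS-SPNEGO), SASL-wrapped PDUs (what "client ldap sasl wrapping =
sign|seal" produces) and TLS framing (LDAPS). Assumptions: one whole PDU
per call (no TCP reassembly), single-byte BER tags with definite lengths,
RFC 4121 Kerberos wrap tokens. Every sample below is constructed by hand.
"""
import struct


def _ber_tlv(buf: bytes, i: int):
    """Decode the BER TLV at buf[i:]; return (tag, value_start, value_end)."""
    tag, length, j = buf[i], buf[i + 1], i + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[j:j + n], "big")
        j += n
    return tag, j, j + length


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV (only used to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def classify_ldap_pdu(buf: bytes) -> dict:
    """Return what an observer learns from one PDU carved out of the stream."""
    # TLS record header: type 0x16 (handshake) or 0x17 (app data), version 3.x
    if len(buf) >= 3 and buf[0] in (0x16, 0x17) and buf[1] == 0x03:
        return {"kind": "tls", "cleartext": False}
    # Plain LDAP: every LDAPMessage is a BER SEQUENCE (tag 0x30)
    if buf[:1] == b"\x30":
        _, s, _ = _ber_tlv(buf, 0)
        t, s, e = _ber_tlv(buf, s)                  # messageID INTEGER
        if t != 0x02:
            return {"kind": "ldap", "error": "bad messageID"}
        op, s, e = _ber_tlv(buf, e)                 # protocolOp
        if op != 0x60:                              # [APPLICATION 0] = BindRequest
            return {"kind": "ldap", "op": op, "cleartext": True}
        _, s, e = _ber_tlv(buf, s)                  # version INTEGER
        _, s, e = _ber_tlv(buf, e)                  # name LDAPDN
        name = buf[s:e].decode("utf-8", "replace")
        t, s, e = _ber_tlv(buf, e)                  # AuthenticationChoice
        if t == 0x80:                               # simple [0] OCTET STRING
            return {"kind": "bind", "auth": "simple", "name": name,
                    "password": buf[s:e].decode("utf-8", "replace"),
                    "cleartext": True}
        if t == 0xA3:                               # sasl [3] SaslCredentials
            _, ms, me = _ber_tlv(buf, s)            # mechanism LDAPString
            return {"kind": "bind", "auth": "sasl", "name": name,
                    "mechanism": buf[ms:me].decode("utf-8", "replace"),
                    "cleartext": False}
        return {"kind": "bind", "auth": "unknown", "cleartext": True}
    # SASL-wrapped stream: 4-byte big-endian length, then a GSS wrap token
    if len(buf) >= 4 and struct.unpack(">I", buf[:4])[0] == len(buf) - 4:
        tok = buf[4:]
        if tok[:2] == b"\x05\x04":                  # RFC 4121 Wrap TOK_ID
            sealed = bool(tok[2] & 0x02)            # Flags bit 0x02 = Sealed
            # "sign" leaves the LDAP body readable (integrity only); "seal" encrypts it
            return {"kind": "sasl-wrapped", "token": "krb5",
                    "sealed": sealed, "cleartext": not sealed}
        return {"kind": "sasl-wrapped", "token": "other", "cleartext": None}
    return {"kind": "unknown"}


def _krb5_wrap(payload: bytes, sealed: bool) -> bytes:
    """Constructed RFC 4121 wrap-token framing; no real checksum or cipher."""
    tok = (b"\x05\x04" + bytes([0x02 if sealed else 0x00]) + b"\xff"  # TOK_ID, Flags, Filler
           + b"\x00\x00" + b"\x00\x00"                                  # EC, RRC
           + (1).to_bytes(8, "big") + payload)                          # SND_SEQ, data
    return struct.pack(">I", len(tok)) + tok


# Constructed samples (hypothetical DN and password, not real captures).
SIMPLE_BIND = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x60,
    _tlv(0x02, b"\x03") + _tlv(0x04, b"cn=svc,dc=example,dc=com")
    + _tlv(0x80, b"hunter2")))
SASL_BIND = _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x60,
    _tlv(0x02, b"\x03") + _tlv(0x04, b"")
    + _tlv(0xA3, _tlv(0x04, b"GSS-SPNEGO") + _tlv(0x04, b"\x60\x00"))))  # placeholder token
SEARCH = _tlv(0x30, _tlv(0x02, b"\x03")
              + _tlv(0x63, _tlv(0x04, b"dc=example,dc=com")))   # truncated SearchRequest
SIGNED_PDU = _krb5_wrap(SEARCH, sealed=False)                   # wrapping = sign
SEALED_PDU = _krb5_wrap(b"\x9e\x11\x4c\x07\xd3\x5a", sealed=True)  # wrapping = seal: opaque bytes
TLS_RECORD = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"        # LDAPS ClientHello header


def audit(pdus):
    """Classify every PDU; the 'cleartext' flag is what you grep for."""
    return [classify_ldap_pdu(p) for p in pdus]


if __name__ == "__main__":
    for r in audit([SIMPLE_BIND, SASL_BIND, SIGNED_PDU, SEALED_PDU, TLS_RECORD]):
        print(r)
```

Feed it PDUs carved from a capture of port 389 or 636 taken on the member server (for example with `tcpdump -w`; reassembly of the TCP stream is left to the caller). On a winbind member server with "client ldap sasl wrapping = seal" the expected picture is one GSS-SPNEGO SASL bind followed only by sealed wrap tokens and no simple bind at all. The sign/seal distinction is exactly what the "as strong as TLS" question above turns on: with "sign" the LDAP body is still readable on the wire, only tamper-evident; with "seal" or TLS it is not.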