[Samba] Issue with LDAPS & Winbind

Denis Cardon dcardon at tranquil.it
Tue Jan 16 18:26:44 UTC 2018


Hi Tim,

> Thank you for the information. I was under the impression that
> authentication was done through LDAP. I'm not sure what led me to this
> belief/understanding.
>
> How can I confirm that indeed my Linux member server is authenticating
> with Kerberos, and that it is encrypted? Is Kerberos traffic always
> encrypted?

On winbind I am not sure where it stores its service ticket. But on
Windows, authentication would be done with Kerberos too; you can check
with "klist" that you have a service ticket for the SPN
ldap/dcname.mydomain.lan.
And you can check that your LocalSystem account also has an SPN for the ldap
connection using psexec:
   psexec -i -s cmd
      klist

Cheers,

Denis

>
> Thanks,
> Tim
>
> On Mon, Jan 15, 2018 at 10:37 AM, Denis Cardon <dcardon at tranquil.it
> <mailto:dcardon at tranquil.it>> wrote:
>
>     Hi Timothy,
>
>         Rowland, hopefully this explains it. I am not a security expert
>         by any means, so correct me if I am incorrect in these assumptions!
>
>         My understanding is that standard LDAP authentication without any
>         encryption will send passwords and user information (usernames,
>         groups they're a part of, etc.) over plain text. This means that a
>         user on the network could potentially sniff the packets and see the
>         passwords and user information.
>
>
>     Authentication on the domain is normally done through Kerberos, so
>     there are no clear passwords going through.
>
>     Actually once you have an account, users or machine accounts, you
>     can query most of ldap, so MITM on an ldap result is not the most
>     interesting thing. And most MS-AD installations I've seen don't have
>     a TLS cert installed and most Samba-AD still have their snake-oil
>     certificate. And krbtgt accounts never had their password changed...
>
>         In fact, I was able myself to see the user information (not
>         passwords, though they may be there somewhere) in the network
>         traffic via WireShark.
>         My understanding is that with LDAPS, the traffic is encrypted
>         and this information is not viewable by someone on the network.
>
>         I have tried "client ldap sasl wrapping = seal" as suggested by
>         Volker, and that does seem to work and provide some kind of
>         encryption of the LDAP traffic using SASL. I'm just not sure if it
>         is as strong as TLS; my understanding is it is not.
>
>         Are my assumptions/information correct?
>
>         My ultimate goal is to encrypt the LDAP traffic using TLS. Is
>         that possible with Winbind and Samba?
>
>
>     You can have a TLS enabled LDAP connection from your favorite client
>     app or web server to Samba. The issue that has been highlighted by
>     Björn, unless I'm mistaken, was related to winbind run as a client.
>
>     Cheers,
>
>     Denis
>
>
>
>
>
>     --
>     Denis Cardon
>     Tranquil IT Systems
>     Les Espaces Jules Verne, bâtiment A
>     12 avenue Jules Verne
>     44230 Saint Sébastien sur Loire
>     tel : +33 (0) 2.40.97.57.55
>     http://www.tranquil-it-systems.fr
>
>
>
>
> --
> Tim Gwynne
> 978-994-4272

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
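As an added example (not code from this thread or from Samba), a small POSIX shell script that turns the two checks discussed above into something you can run on text you already have: Denis's "klist shows a service ticket for ldap/<dc>" check, and a look at which "client ldap sasl wrapping" mode smb.conf sets for winbind's own LDAP traffic. The hostnames, realm, klist output and smb.conf fragment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: two checks behind the
# question "is my member server binding to the DC with Kerberos, and is
# the LDAP traffic protected?". Hostnames, realm, klist output and the
# smb.conf fragment are constructed placeholders.

# Constructed MIT-style klist output for a member's machine account.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: MEMBER$@MYDOMAIN.LAN

Valid starting       Expires              Service principal
01/16/2018 10:00:00  01/16/2018 20:00:00  krbtgt/MYDOMAIN.LAN@MYDOMAIN.LAN
01/16/2018 10:00:01  01/16/2018 20:00:00  ldap/dc1.mydomain.lan@MYDOMAIN.LAN'

# Constructed smb.conf fragment; the commented-out "plain" line must be ignored.
SAMPLE_SMBCONF='[global]
   workgroup = MYDOMAIN
   security = ads
   ; client ldap sasl wrapping = plain
   client ldap sasl wrapping = seal'

# Exit 0 when the klist output on stdin lists a service ticket for
# ldap/<dc fqdn>@...: that ticket is what a Kerberos (GSSAPI) LDAP bind
# to that DC presents, so seeing it is the check Denis describes.
has_ldap_service_ticket() {
    dc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    tr 'A-Z' 'a-z' | grep -qF "ldap/$dc@"
}

# Print the last uncommented "client ldap sasl wrapping" value in the
# smb.conf text on stdin (plain / sign / seal), or "unset" if absent.
# "sign" only adds integrity, so LDAP results stay readable on the wire;
# "seal" also wraps them in GSSAPI confidentiality.
sasl_wrapping_mode() {
    mode=$(tr 'A-Z' 'a-z' \
        | sed -n 's/^[[:space:]]*client ldap sasl wrapping[[:space:]]*=[[:space:]]*//p' \
        | tail -n 1 | tr -d '[:space:]')
    printf '%s\n' "${mode:-unset}"
}

# One-line verdict: ldap_transport_verdict <dc fqdn> <klist text> <smb.conf text>
ldap_transport_verdict() {
    if printf '%s\n' "$2" | has_ldap_service_ticket "$1"; then
        auth="kerberos-bind-to-$1"
    else
        auth="no-ldap-ticket-for-$1"
    fi
    printf '%s/%s\n' "$auth" "$(printf '%s\n' "$3" | sasl_wrapping_mode)"
}
```

Against a live member server the same functions take real output, e.g. `klist | has_ldap_service_ticket dc1.mydomain.lan` and `testparm -s 2>/dev/null | sasl_wrapping_mode` (testparm only prints parameters that differ from the default, so "unset" there means the Samba default applies).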
