[Samba] Samba, AD and devices compatibility...
Andrew Bartlett
abartlet at samba.org
Fri Mar 16 00:49:56 UTC 2018

On Wed, 2018-03-14 at 12:01 +0100, Marco Gaiarin via samba wrote:
> Hello! Andrew Bartlett via samba
> On that day wrote...
>
> > > This mean that the printer try to auth in LDAP 'plain' (no SSL, no
> > > TLS), and so samba refuse that?
> > No, it means that Samba is refusing to accept a NTLM or Kerberos
> > authenticated connection without SIGN or SEAL negotiated, as an
> > attacker could take over an unprotected network connection and do evil
> > things with it.
> > See 'ldap server require strong auth'.
>
> Ok, so I suppose I have to test 'ldap server require strong auth', but
> probably set it to 'NO', which clearly leads to a very insecure
> configuration.
>
>
> Because speaking with hardware vendors is sometimes very difficult, how
> can I ask them for some clue in 'Windows lingo'?
>
> E.g., I suppose that the original Windows Server 2000 did not sign and
> seal, and at some point in the Windows Server OS versions this became
> mandatory.
>
> E.g., I can say something like: your printer seems not compatible with Windows
> Server 2008R2, because it does not sign and seal auth: there's a firmware
> revision that...

It is a bit like setting this:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements
If they say 'just use SSL', then the allow_sasl_over_tls part of that
option is to address this issue:
https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry
We (and likely they) don't support the channel bindings (patches
welcome!), but the protocol flaw (no link between the SSL and the
NTLM/Kerberos handshake inside) is the one we are trying to avoid.
The manpage is vague because we fixed our implementation before they
did the above.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
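As an added example (not code from the thread or from the Samba project), a small Python check that reads the [global] section of an smb.conf and classifies the 'ldap server require strong auth' setting along the lines discussed above: 'no' accepts unsigned NTLM/Kerberos LDAP binds, 'allow_sasl_over_tls' relies on TLS with no channel binding, and the default 'yes' requires SIGN or SEAL. The two config fragments are constructed samples.

```python
from typing import Dict, Tuple

# Constructed sample smb.conf fragments: the weak setting that makes an
# old printer work, and the Samba default it should be compared against.
WEAK_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INTERNAL
    server role = active directory domain controller
    # Accepts unsigned NTLM/Kerberos binds over plain TCP
    ldap server require strong auth = No
"""

HARDENED_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INTERNAL
    server role = active directory domain controller
    ldap server require strong auth = yes
"""

# Samba boolean spellings that mean 'yes' or 'no' for this option.
BOOL_SYNONYMS = {"true": "yes", "1": "yes", "on": "yes",
                 "false": "no", "0": "no", "off": "no"}

# Severity and rationale for each accepted value of the option.
VALUE_RISK: Dict[str, Tuple[str, str]] = {
    "yes": ("ok", "NTLM/Kerberos binds must negotiate SIGN or SEAL"),
    "allow_sasl_over_tls": ("medium", "SASL bind accepted inside TLS without "
                            "sign/seal; nothing ties the TLS session to the "
                            "inner NTLM/Kerberos handshake (no channel binding)"),
    "no": ("high", "unsigned NTLM/Kerberos binds accepted on plain TCP; "
           "an attacker on the path can take over the connection"),
}

def parse_global(conf_text: str) -> Dict[str, str]:
    """Minimal smb.conf reader returning [global] parameters with normalised keys."""
    section, params = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or full-line comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            # Samba ignores case and internal whitespace in parameter names
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit_strong_auth(conf_text: str) -> Tuple[str, str, str]:
    """Return (normalised value, severity, explanation) for the option."""
    value = parse_global(conf_text).get("ldap server require strong auth", "yes")
    value = value.lower()                 # default when absent is 'yes'
    value = BOOL_SYNONYMS.get(value, value)
    severity, why = VALUE_RISK.get(value, ("unknown", "unrecognised value"))
    return value, severity, why

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_strong_auth(conf))
```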