[Samba] Samba, AD and devices compatibility...

Andrew Bartlett abartlet at samba.org
Fri Mar 16 00:49:56 UTC 2018


On Wed, 2018-03-14 at 12:01 +0100, Marco Gaiarin via samba wrote:
> Hello! Andrew Bartlett via samba
>   on that day was saying...
> 
> > > This mean that the printer try to auth in LDAP 'plain' (no SSL, no
> > > TLS), and so samba refuse that?
> > No, it means that Samba is refusing to accept a NTLM or Kerberos
> > authenticated connection without SIGN or SEAL negotiated, as an
> > attacker could take over an unprotected network connection and do evil
> > things with it.
> > See 'ldap server require strong auth'.
> 
> Ok, so I suppose I have to test 'ldap server require strong auth', but
> probably set it to 'NO', which clearly leads to a very insecure
> configuration.
> 
> 
> Because speaking with hardware vendors is sometimes very difficult, how
> can I ask them for some clue in 'Windows lingo'?
> 
> E.g., I suppose that the original Windows Server 2000 was not signed and
> sealed, and at some point in Windows Server OS versions this became
> mandatory.
> 
> E.g., I can say something like: your printer seems not compatible with
> Windows Server 2008R2, because it does not sign and seal auth: there's a
> firmware revision that...

It is a bit like setting this:

https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements

If they say 'just use SSL', then the allow_sasl_over_tls part of that
option is to address this issue:

https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry

We (and likely they) don't support the channel bindings (patches
welcome!), but the protocol flaw (no link between the SSL and the
NTLM/Kerberos handshake inside) is the one we are trying to avoid. 

The manpage is vague because we fixed our implementation before they
did the above. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
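As an added example (not part of the thread, and not Samba's own code), the following Python script models the documented semantics of the smb.conf option 'ldap server require strong auth' that the reply points at: it takes one LDAP bind attempt (mechanism, whether the connection is TLS-protected, whether a SASL sign or seal layer was negotiated) and decides whether Samba would accept it under each of the three values no, allow_sasl_over_tls and yes, following the option's manpage description and the reasoning in the message. The class, function and parameter names, and the constructed bind cases in `matrix()`, are assumptions made for the illustration; the resultCode value 8 is LDAP's strongerAuthRequired from RFC 4511.

```python
"""Policy model for Samba's smb.conf option 'ldap server require strong auth'.

Added, stand-alone example; not code from the mailing-list thread or from
Samba. It encodes the option's three documented values (no,
allow_sasl_over_tls, yes) and decides whether an LDAP bind would be accepted,
so the printer's failure and the effect of each setting can be reasoned about
offline. Class, function and parameter names are assumptions, not Samba's.
"""
from __future__ import annotations

from dataclasses import dataclass

VALID_SETTINGS = ("no", "allow_sasl_over_tls", "yes")
# LDAP resultCode strongerAuthRequired (RFC 4511, section 4.1.9).
STRONG_AUTH_REQUIRED = 8


@dataclass(frozen=True)
class Bind:
    """One LDAP bind attempt as seen by the server (constructed, not captured)."""
    mechanism: str          # "simple", or a SASL mechanism: "GSSAPI", "GSS-SPNEGO", "NTLM", ...
    over_tls: bool          # LDAPS, or STARTTLS completed before the bind
    signed: bool = False    # SASL integrity (sign) layer negotiated
    sealed: bool = False    # SASL confidentiality (seal) layer negotiated

    @property
    def is_sasl(self) -> bool:
        return self.mechanism.lower() != "simple"

    @property
    def has_security_layer(self) -> bool:
        return self.is_sasl and (self.signed or self.sealed)


def evaluate(setting: str, bind: Bind) -> tuple[bool, str]:
    """Return (accepted, reason) for a bind under the given option value."""
    setting = setting.strip().lower()
    if setting not in VALID_SETTINGS:
        raise ValueError(f"unknown value {setting!r}; expected one of {VALID_SETTINGS}")

    if setting == "no":
        # Everything is allowed, including simple binds over plain TCP: an
        # on-path attacker can read or hijack the session.
        return True, "accepted: no protection required (insecure setting)"

    if bind.has_security_layer:
        # Kerberos/NTLM sign or seal protects the session end to end, with or
        # without TLS. This is what the printer fails to negotiate.
        return True, "accepted: SASL bind with sign/seal"

    if not bind.over_tls:
        what = "simple bind" if not bind.is_sasl else f"SASL:[{bind.mechanism}] without sign/seal"
        return False, f"refused (resultCode {STRONG_AUTH_REQUIRED}): {what} on an unencrypted connection"

    # From here on the connection is TLS-protected but the bind itself is not.
    if not bind.is_sasl:
        return True, "accepted: simple bind protected by TLS"

    if setting == "allow_sasl_over_tls":
        # Compatibility mode for devices that can 'just use SSL'. Residual
        # risk: without channel binding nothing ties the TLS session to the
        # Kerberos/NTLM handshake carried inside it.
        return True, f"accepted: SASL:[{bind.mechanism}] over TLS, no channel binding"

    return False, f"refused (resultCode {STRONG_AUTH_REQUIRED}): SASL:[{bind.mechanism}] over TLS without sign/seal"


def matrix() -> list[tuple[str, str, bool]]:
    """Constructed bind attempts, evaluated under every setting."""
    cases = {
        "printer: GSSAPI, plain TCP, no sign/seal": Bind("GSSAPI", over_tls=False),
        "Windows client: GSSAPI, plain TCP, sealed": Bind("GSSAPI", over_tls=False, sealed=True),
        "printer after 'just use SSL': GSSAPI over LDAPS": Bind("GSSAPI", over_tls=True),
        "simple bind over plain TCP": Bind("simple", over_tls=False),
        "simple bind over LDAPS": Bind("simple", over_tls=True),
    }
    return [(s, name, evaluate(s, b)[0]) for s in VALID_SETTINGS for name, b in cases.items()]


if __name__ == "__main__":
    for setting, name, ok in matrix():
        print(f"{setting:20} {name:50} {'ACCEPT' if ok else 'REFUSE'}")
```

Running the script prints the full accept/refuse matrix; the row for the printer shows that only 'no' lets its unsigned, unsealed GSSAPI bind through on plain TCP, and that 'allow_sasl_over_tls' only helps once the device actually binds over LDAPS or STARTTLS.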
