[Samba] Samba, AD and devices compatibility...

Andrew Bartlett abartlet at samba.org
Fri Mar 16 00:49:56 UTC 2018

On Wed, 2018-03-14 at 12:01 +0100, Marco Gaiarin via samba wrote:
> Hello! Andrew Bartlett via samba
>   on that day was saying...
> > > This mean that the printer try to auth in LDAP 'plain' (no SSL, no
> > > TLS), and so samba refuse that?
> > No, it means that Samba is refusing to accept a NTLM or Kerberos
> > authenticated connection without SIGN or SEAL negotiated, as an
> > attacker could take over an unprotected network connection and do evil
> > things with it.
> > See 'ldap server require strong auth'.
> Ok, so I suppose I have to test 'ldap server require strong auth', but
> probably set it to 'NO', which clearly leads to a very insecure
> configuration.
> Because speaking with hardware vendors is sometimes very difficult, how
> can I ask them for some clue in 'windows lingo'?
> E.g., I suppose that the original Windows Server 2000 was not signed and
> sealed, and at some point in Windows Server OS versions this became
> mandatory.
> E.g., I can say: your printer seems not compatible with Windows
> Server 2008R2, because it does not sign and seal auth: is there a firmware
> revision that...

It is a bit like setting this:


If they say 'just use SSL', then the allow_sasl_over_tls part of that
option is to address this issue:


We (and likely they) don't support the channel bindings (patches
welcome!), but the protocol flaw (no link between the SSL and the
NTLM/Kerberos handshake inside) is the one we are trying to avoid. 

The manpage is vague because we fixed our implementation before they
did the above. 

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
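As an added illustration (not from the mail above), a constructed smb.conf [global] fragment placing the three values of 'ldap server require strong auth' side by side; the option name and its values are Samba's own, the comments are mine and describe the behaviour each value enforces on a Samba AD DC:

```ini
[global]
    # Samba's default, and the setting that rejects the printer's bind:
    # SASL (NTLM/Kerberos) binds must negotiate sign or seal on every transport,
    # and simple binds are only accepted inside a TLS (LDAPS/STARTTLS) session.
    ldap server require strong auth = yes

    # Middle ground if the vendor answers "just use SSL": SASL binds without
    # sign/seal, and simple binds, are accepted only over TLS; on plain port 389
    # a SASL bind still needs sign or seal. Note the mail's caveat: without
    # channel bindings the inner NTLM/Kerberos handshake is not tied to the TLS
    # session, so this is weaker than sign/seal on the bind itself.
    #ldap server require strong auth = allow_sasl_over_tls

    # Weak: unsigned, unsealed SASL binds and cleartext simple binds are accepted
    # over every transport, for every client, not just the one printer.
    # Suitable only for a short, logged test while isolating the vendor issue.
    #ldap server require strong auth = no
```

After editing, `testparm -s` prints the effective value so you can confirm which of the three lines is actually active before restarting the DC.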
