[Samba] Samba, AD and devices compatibility...

Marco Gaiarin gaio at sv.lnf.it
Thu May 10 13:48:40 UTC 2018


Hello! Andrew Bartlett via samba
  On that day, it was said...

Ok, I come back to an old thread, because the vendor finally replied.


A little fast-rewind: I own some Konica-Minolta BizHub multifunction
printers/copiers, and I need to ''bind'' them to my new AD domain.

But authentication does not work; it seems that is because the printer tries to use
SASL over plain LDAP (no SSL nor TLS).

After writing to the vendor (ahem, writing to my local reseller, who
wrote to the vendor) the answer was:

> The information provided is not sufficient to provide a solution.
> About the AD/Kerberos problem, the listed "tcpdump" just shows the TGS (Ticket Granting Ticket) request and response.
> There are no details about the AS (authentication service) request. Therefore it's difficult to find the problem cause.
>
> Maybe the LDAP part is easier to solve. Although the TCP dump does not show many details, it indicates the problem:
> "bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required"
> Basically the LDAP server requires a secured connection.
>
> This is related to the following SAMBA setting:
> >ldap server require strong auth (G)
> >
> >The ldap server require strong auth defines whether the ldap server requires ldap traffic to be signed or signed and encrypted (sealed). Possible values are no, allow_sasl_over_tls and yes.
> >
> >A value of no allows simple and sasl binds over all transports.
> >
> >A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal) over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.
> >
> >A value of yes allows only simple binds over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.
> >Default: ldap server require strong auth = yes


So, doing some tests:

AD, 'ldap server require strong auth = yes' (default)
  8  32.680120   10.5.1.202 -> 10.5.1.25    TCP 74 40253→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=121046256 TSecr=0 WS=16
  9  32.680132    10.5.1.25 -> 10.5.1.202   TCP 74 389→40253 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361876476 TSecr=121046256 WS=128
 10  32.680292   10.5.1.202 -> 10.5.1.25    TCP 66 40253→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=121046257 TSecr=361876476
 11  32.685230   10.5.1.202 -> 10.5.1.25    LDAP 80 bindRequest(1) "<ROOT>" simple 
 12  32.685240    10.5.1.25 -> 10.5.1.202   TCP 66 389→40253 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361876477 TSecr=121046258
 13  32.686723    10.5.1.25 -> 10.5.1.202   LDAP 80 bindResponse(1) success 
 14  32.686854   10.5.1.202 -> 10.5.1.25    TCP 66 40253→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=121046258 TSecr=361876478
 15  32.694734   10.5.1.202 -> 10.5.1.25    LDAP 183 searchRequest(2) "<ROOT>" baseObject 
 16  32.695277    10.5.1.25 -> 10.5.1.202   LDAP 219 searchResEntry(2) "<ROOT>"  | searchResDone(2) success 
 17  32.722454   10.5.1.202 -> 10.5.1.25    TCP 1514 [TCP segment of a reassembled PDU]
 18  32.722455   10.5.1.202 -> 10.5.1.25    LDAP 107 bindRequest(3) "<ROOT>" sasl 
 19  32.722466    10.5.1.25 -> 10.5.1.202   TCP 66 389→40253 [ACK] Seq=168 Ack=1621 Win=31872 Len=0 TSval=361876486 TSecr=121046263
 20  32.723143    10.5.1.25 -> 10.5.1.202   LDAP 315 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.) 
 21  32.729426   10.5.1.202 -> 10.5.1.25    LDAP 73 unbindRequest(4) 
 22  32.729474   10.5.1.202 -> 10.5.1.25    TCP 66 40253→389 [FIN, ACK] Seq=1628 Ack=417 Win=7984 Len=0 TSval=121046266 TSecr=361876487
 23  32.729547    10.5.1.25 -> 10.5.1.202   TCP 66 389→40253 [FIN, ACK] Seq=417 Ack=1629 Win=31872 Len=0 TSval=361876488 TSecr=121046266
 24  32.729714   10.5.1.202 -> 10.5.1.25    TCP 66 40253→389 [ACK] Seq=1629 Ack=418 Win=7984 Len=0 TSval=121046266 TSecr=361876488


AD, 'ldap server require strong auth = allow_sasl_over_tls'
113 2995.932618   10.5.1.202 -> 10.5.1.25    TCP 74 40245→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=120908056 TSecr=0 WS=16
114 2995.932639    10.5.1.25 -> 10.5.1.202   TCP 74 389→40245 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361656202 TSecr=120908056 WS=128
115 2995.932785   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=120908056 TSecr=361656202
116 2995.937504   10.5.1.202 -> 10.5.1.25    LDAP 80 bindRequest(1) "<ROOT>" simple 
117 2995.937516    10.5.1.25 -> 10.5.1.202   TCP 66 389→40245 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361656204 TSecr=120908057
118 2995.939099    10.5.1.25 -> 10.5.1.202   LDAP 80 bindResponse(1) success 
119 2995.939241   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=120908057 TSecr=361656204
120 2995.958568   10.5.1.202 -> 10.5.1.25    LDAP 183 searchRequest(2) "<ROOT>" baseObject 
121 2995.958945    10.5.1.25 -> 10.5.1.202   LDAP 219 searchResEntry(2) "<ROOT>"  | searchResDone(2) success 
122 2995.997247   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=120908069 TSecr=361656209
123 2996.119036   10.5.1.202 -> 10.5.1.25    LDAP 1555 bindRequest(3) "<ROOT>" sasl 
124 2996.119051    10.5.1.25 -> 10.5.1.202   TCP 66 389→40245 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361656249 TSecr=120908093
125 2996.119914    10.5.1.25 -> 10.5.1.202   LDAP 316 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: not allowed if TLS is used.) 
126 2996.120093   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=1621 Ack=418 Win=7984 Len=0 TSval=120908093 TSecr=361656249
127 2996.120355   10.5.1.202 -> 10.5.1.25    LDAP 73 unbindRequest(4) 
128 2996.120434   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [FIN, ACK] Seq=1628 Ack=418 Win=7984 Len=0 TSval=120908093 TSecr=361656249
129 2996.120456    10.5.1.25 -> 10.5.1.202   TCP 66 389→40245 [FIN, ACK] Seq=418 Ack=1629 Win=32000 Len=0 TSval=361656249 TSecr=120908093
130 2996.120591   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=1629 Ack=419 Win=7984 Len=0 TSval=120908093 TSecr=361656249

AD, 'ldap server require strong auth = no'
  1   0.000000   10.5.1.202 -> 10.5.1.25    TCP 74 40258→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=121084503 TSecr=0 WS=16
  2   0.000019    10.5.1.25 -> 10.5.1.202   TCP 74 389→40258 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361924284 TSecr=121084503 WS=128
  3   0.000179   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=121084503 TSecr=361924284
  4   0.003849   10.5.1.202 -> 10.5.1.25    LDAP 80 bindRequest(1) "<ROOT>" simple 
  5   0.003857    10.5.1.25 -> 10.5.1.202   TCP 66 389→40258 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361924285 TSecr=121084504
  6   0.005388    10.5.1.25 -> 10.5.1.202   LDAP 80 bindResponse(1) success 
  7   0.005536   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=121084504 TSecr=361924285
  8   0.023918   10.5.1.202 -> 10.5.1.25    LDAP 183 searchRequest(2) "<ROOT>" baseObject 
  9   0.024364    10.5.1.25 -> 10.5.1.202   LDAP 219 searchResEntry(2) "<ROOT>"  | searchResDone(2) success 
 10   0.063587   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=121084516 TSecr=361924290
 11   0.074684   10.5.1.202 -> 10.5.1.25    LDAP 1555 bindRequest(3) "<ROOT>" sasl 
 12   0.074698    10.5.1.25 -> 10.5.1.202   TCP 66 389→40258 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361924302 TSecr=121084518
 13   0.079764    10.5.1.25 -> 10.5.1.202   LDAP 270 bindResponse(3) success 
 14   0.079974   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=1621 Ack=372 Win=7984 Len=0 TSval=121084519 TSecr=361924304
 15   0.085792   10.5.1.202 -> 10.5.1.25    LDAP 402 searchRequest(4) "dc=ad,dc=fvg,dc=lnf,dc=it" wholeSubtree 
 16   0.086364    10.5.1.25 -> 10.5.1.202   LDAP 574 searchResEntry(4) "CN=gaio,OU=Roaming,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it"  | searchResRef(4)  | searchResRef(4)  | searchResRef(4)  | se
 17   0.087354   10.5.1.202 -> 10.5.1.25    LDAP 73 unbindRequest(5) 
 18   0.087401   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [FIN, ACK] Seq=1964 Ack=880 Win=9056 Len=0 TSval=121084520 TSecr=361924305
 19   0.087467    10.5.1.25 -> 10.5.1.202   TCP 66 389→40258 [FIN, ACK] Seq=880 Ack=1965 Win=34944 Len=0 TSval=361924306 TSecr=121084520
 20   0.087621   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=1965 Ack=881 Win=9056 Len=0 TSval=121084520 TSecr=361924306

and the last configuration works. So it seems that the only option compatible
with that MFP is the less secure 'ldap server require strong auth =
no'.


Is there some way to ''tighten'' that configuration, e.g. permit 'ldap server require strong auth =
no' only for some hosts?
Or some other smb.conf options that I've missed?


Konica Minolta support also writes:

> The information you provided is almost the solution for LDAP:
> > The multifunction should:
> > a) or negotiate TLS on port 389
> > b) or use LDAPS on port 686
> 
> When LDAP over SSL is required, why not configure the device to do so? While configuring the External Server for LDAP, just enable SSL (the default LDAP port is 636).
> 
> https://manuals.konicaminolta.eu/bizhub-C554-C454-C364-C284-C224/EN/contents/id08-0369.html

but this is not the case, because in 'LDAP mode' the MFP binds with the
DN ''flattened'', e.g.:

 86 2791.507328   10.5.1.202 -> 10.5.1.25    TCP 74 40242→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=120867170 TSecr=0 WS=16
 87 2791.507353    10.5.1.25 -> 10.5.1.202   TCP 74 389→40242 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361605096 TSecr=120867170 WS=128
 88 2791.507509   10.5.1.202 -> 10.5.1.25    TCP 66 40242→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=120867171 TSecr=361605096
 89 2791.513273   10.5.1.202 -> 10.5.1.25    LDAP 80 bindRequest(1) "<ROOT>" simple 
 90 2791.513292    10.5.1.25 -> 10.5.1.202   TCP 66 389→40242 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361605097 TSecr=120867172
 91 2791.514788    10.5.1.25 -> 10.5.1.202   LDAP 80 bindResponse(1) success 
 92 2791.514937   10.5.1.202 -> 10.5.1.25    TCP 66 40242→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=120867172 TSecr=361605098
 93 2791.528171   10.5.1.202 -> 10.5.1.25    LDAP 183 searchRequest(2) "<ROOT>" baseObject 
 94 2791.528518    10.5.1.25 -> 10.5.1.202   LDAP 219 searchResEntry(2) "<ROOT>"  | searchResDone(2) success 
 95 2791.528914   10.5.1.202 -> 10.5.1.25    LDAP 124 bindRequest(3) "uid=gaio,DC=ad,DC=fvg,DC=lnf,DC=it" simple 

and 'uid=gaio,DC=ad,DC=fvg,DC=lnf,DC=it' is not a valid DN.

Right?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

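As an added example (not part of the mail above, nor Samba or Konica Minolta code), a small Python script that pairs bindRequest/bindResponse lines from tshark summaries like the ones quoted in the mail, so an admin can list, per client, which binds the DC refused with strongAuthRequired before deciding whether to relax 'ldap server require strong auth'. The sample lines are copied from the three captures in the mail; the regexes assume that one-line summary format.

```python
import re
# Sample input: bind lines copied from the three captures in the mail ('yes',
# 'allow_sasl_over_tls', 'no'); client 10.5.1.202, DC 10.5.1.25, plain port 389.
SAMPLE_CAPTURE = """\
 11  32.685230   10.5.1.202 -> 10.5.1.25    LDAP 80 bindRequest(1) "<ROOT>" simple
 13  32.686723    10.5.1.25 -> 10.5.1.202   LDAP 80 bindResponse(1) success
 18  32.722455   10.5.1.202 -> 10.5.1.25    LDAP 107 bindRequest(3) "<ROOT>" sasl
 20  32.723143    10.5.1.25 -> 10.5.1.202   LDAP 315 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.)
123 2996.119036   10.5.1.202 -> 10.5.1.25    LDAP 1555 bindRequest(3) "<ROOT>" sasl
125 2996.119914    10.5.1.25 -> 10.5.1.202   LDAP 316 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: not allowed if TLS is used.)
 11   0.074684   10.5.1.202 -> 10.5.1.25    LDAP 1555 bindRequest(3) "<ROOT>" sasl
 13   0.079764    10.5.1.25 -> 10.5.1.202   LDAP 270 bindResponse(3) success
"""

# tshark summary line: frame, time, src -> dst, LDAP <len> <op>(<msgid>) <rest>
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>[\d.]+) -> (?P<dst>[\d.]+)\s+LDAP \d+ "
    r"(?P<op>bindRequest|bindResponse)\((?P<id>\d+)\) (?P<rest>.*?)\s*$")
REQ_RE = re.compile(r'^"(?P<dn>[^"]*)" (?P<method>simple|sasl)$')
RESP_RE = re.compile(r"^(?P<result>\w+)(?: \((?P<diag>.*)\))?$")

def pair_binds(capture_text):
    """Pair each bindResponse with its pending bindRequest (client, server, msgid)."""
    pending, binds = {}, []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["op"] == "bindRequest":
            r = REQ_RE.match(m["rest"])
            if r:
                pending[(m["src"], m["dst"], m["id"])] = {
                    "client": m["src"], "server": m["dst"],
                    "dn": r["dn"], "method": r["method"]}
        else:  # responses flow server -> client, so the key is swapped
            req = pending.pop((m["dst"], m["src"], m["id"]), None)
            r = RESP_RE.match(m["rest"])
            if req is not None and r:
                req.update(result=r["result"], diag=r["diag"] or "")
                binds.append(req)
    return binds

def strong_auth_failures(binds):
    """Per client IP: diagnostics of binds refused with strongAuthRequired (these break under the default 'yes')."""
    out = {}
    for b in binds:
        if b["result"] == "strongAuthRequired":
            out.setdefault(b["client"], []).append(b["diag"])
    return out
```

Run it over a full `tshark` summary of port 389 traffic to get the list of devices that would be affected before touching the setting.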


