[Samba] Samba, AD and devices compatibility...
Andrew Bartlett
abartlet at samba.org
Fri May 11 02:07:12 UTC 2018
On Thu, 2018-05-10 at 15:48 +0200, Marco Gaiarin via samba wrote:
> Mandi! Andrew Bartlett via samba
> In chel di` si favelave...
>
> Ok, I come back to an old thread, because the vendor finally replied.
Thanks!
>
> Little fast-rewind: I own some Konica-Minolta BizHub multifunction
> printers/copiers, and I need to ''bind'' them to my new AD domain.
>
> But authentication does not work; it seems because that printer tries to use
> SASL over plain LDAP (no SSL nor TLS).
>
> After writing to the vendor (ahem, writing to my local reseller, who
> writes to the vendor) the answer was:
>
> > The information provided is not sufficient to provide a solution.
> > About the AD /Kerberos Problem, the listed "tcpdump" just shows the TGS (Ticket Granting Ticket) request and response.
> > There are no details about the AS (authentication service) request. Therefore it's difficult to find the problem cause.
> >
> > Maybe the LDAP part is easier to solve. Although the TCP dump does not show much detail it indicates the problem:
> > "bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required"
> > Basically the LDAP Server requires a secured connection.
> >
> > This is related to following SAMBA settings:
> > > ldap server require strong auth (G)
> > >
> > > The ldap server require strong auth defines whether the ldap server requires ldap traffic to be signed or signed and encrypted (sealed). Possible values are no, allow_sasl_over_tls and yes.
> > >
> > > A value of no allows simple and sasl binds over all transports.
> > >
> > > A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal) over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.
> > >
> > > A value of yes allows only simple binds over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.
> > > Default: ldap server require strong auth = yes
Correct.
>
> So, doing some tests:
>
> AD, 'ldap server require strong auth = yes' (default)
> 8 32.680120 10.5.1.202 -> 10.5.1.25 TCP 74 40253→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=121046256 TSecr=0 WS=16
> 9 32.680132 10.5.1.25 -> 10.5.1.202 TCP 74 389→40253 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361876476 TSecr=121046256 WS=128
> 10 32.680292 10.5.1.202 -> 10.5.1.25 TCP 66 40253→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=121046257 TSecr=361876476
> 11 32.685230 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
> 12 32.685240 10.5.1.25 -> 10.5.1.202 TCP 66 389→40253 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361876477 TSecr=121046258
> 13 32.686723 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
> 14 32.686854 10.5.1.202 -> 10.5.1.25 TCP 66 40253→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=121046258 TSecr=361876478
> 15 32.694734 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2) "<ROOT>" baseObject
> 16 32.695277 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2) "<ROOT>" | searchResDone(2) success
> 17 32.722454 10.5.1.202 -> 10.5.1.25 TCP 1514 [TCP segment of a reassembled PDU]
> 18 32.722455 10.5.1.202 -> 10.5.1.25 LDAP 107 bindRequest(3) "<ROOT>" sasl
> 19 32.722466 10.5.1.25 -> 10.5.1.202 TCP 66 389→40253 [ACK] Seq=168 Ack=1621 Win=31872 Len=0 TSval=361876486 TSecr=121046263
> 20 32.723143 10.5.1.25 -> 10.5.1.202 LDAP 315 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.)
> 21 32.729426 10.5.1.202 -> 10.5.1.25 LDAP 73 unbindRequest(4)
> 22 32.729474 10.5.1.202 -> 10.5.1.25 TCP 66 40253→389 [FIN, ACK] Seq=1628 Ack=417 Win=7984 Len=0 TSval=121046266 TSecr=361876487
> 23 32.729547 10.5.1.25 -> 10.5.1.202 TCP 66 389→40253 [FIN, ACK] Seq=417 Ack=1629 Win=31872 Len=0 TSval=361876488 TSecr=121046266
> 24 32.729714 10.5.1.202 -> 10.5.1.25 TCP 66 40253→389 [ACK] Seq=1629 Ack=418 Win=7984 Len=0 TSval=121046266 TSecr=361876488
>
>
> AD, 'ldap server require strong auth = allow_sasl_over_tls'
> 113 2995.932618 10.5.1.202 -> 10.5.1.25 TCP 74 40245→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=120908056 TSecr=0 WS=16
> 114 2995.932639 10.5.1.25 -> 10.5.1.202 TCP 74 389→40245 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361656202 TSecr=120908056 WS=128
> 115 2995.932785 10.5.1.202 -> 10.5.1.25 TCP 66 40245→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=120908056 TSecr=361656202
> 116 2995.937504 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
> 117 2995.937516 10.5.1.25 -> 10.5.1.202 TCP 66 389→40245 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361656204 TSecr=120908057
> 118 2995.939099 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
> 119 2995.939241 10.5.1.202 -> 10.5.1.25 TCP 66 40245→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=120908057 TSecr=361656204
> 120 2995.958568 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2) "<ROOT>" baseObject
> 121 2995.958945 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2) "<ROOT>" | searchResDone(2) success
> 122 2995.997247 10.5.1.202 -> 10.5.1.25 TCP 66 40245→389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=120908069 TSecr=361656209
> 123 2996.119036 10.5.1.202 -> 10.5.1.25 LDAP 1555 bindRequest(3) "<ROOT>" sasl
> 124 2996.119051 10.5.1.25 -> 10.5.1.202 TCP 66 389→40245 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361656249 TSecr=120908093
> 125 2996.119914 10.5.1.25 -> 10.5.1.202 LDAP 316 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: not allowed if TLS is used.)
> 126 2996.120093 10.5.1.202 -> 10.5.1.25 TCP 66 40245→389 [ACK] Seq=1621 Ack=418 Win=7984 Len=0 TSval=120908093 TSecr=361656249
> 127 2996.120355 10.5.1.202 -> 10.5.1.25 LDAP 73 unbindRequest(4)
> 128 2996.120434 10.5.1.202 -> 10.5.1.25 TCP 66 40245→389 [FIN, ACK] Seq=1628 Ack=418 Win=7984 Len=0 TSval=120908093 TSecr=361656249
> 129 2996.120456 10.5.1.25 -> 10.5.1.202 TCP 66 389→40245 [FIN, ACK] Seq=418 Ack=1629 Win=32000 Len=0 TSval=361656249 TSecr=120908093
> 130 2996.120591 10.5.1.202 -> 10.5.1.25 TCP 66 40245→389 [ACK] Seq=1629 Ack=419 Win=7984 Len=0 TSval=120908093 TSecr=361656249
>
> AD, 'ldap server require strong auth = no'
> 1 0.000000 10.5.1.202 -> 10.5.1.25 TCP 74 40258→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=121084503 TSecr=0 WS=16
> 2 0.000019 10.5.1.25 -> 10.5.1.202 TCP 74 389→40258 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361924284 TSecr=121084503 WS=128
> 3 0.000179 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=121084503 TSecr=361924284
> 4 0.003849 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
> 5 0.003857 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361924285 TSecr=121084504
> 6 0.005388 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
> 7 0.005536 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=121084504 TSecr=361924285
> 8 0.023918 10.5.1.202 -> 10.5.1.25 LDAP 183 searchRequest(2) "<ROOT>" baseObject
> 9 0.024364 10.5.1.25 -> 10.5.1.202 LDAP 219 searchResEntry(2) "<ROOT>" | searchResDone(2) success
> 10 0.063587 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=121084516 TSecr=361924290
> 11 0.074684 10.5.1.202 -> 10.5.1.25 LDAP 1555 bindRequest(3) "<ROOT>" sasl
> 12 0.074698 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361924302 TSecr=121084518
> 13 0.079764 10.5.1.25 -> 10.5.1.202 LDAP 270 bindResponse(3) success
> 14 0.079974 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=1621 Ack=372 Win=7984 Len=0 TSval=121084519 TSecr=361924304
> 15 0.085792 10.5.1.202 -> 10.5.1.25 LDAP 402 searchRequest(4) "dc=ad,dc=fvg,dc=lnf,dc=it" wholeSubtree
> 16 0.086364 10.5.1.25 -> 10.5.1.202 LDAP 574 searchResEntry(4) "CN=gaio,OU=Roaming,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it" | searchResRef(4) | searchResRef(4) | searchResRef(4) | se
> 17 0.087354 10.5.1.202 -> 10.5.1.25 LDAP 73 unbindRequest(5)
> 18 0.087401 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [FIN, ACK] Seq=1964 Ack=880 Win=9056 Len=0 TSval=121084520 TSecr=361924305
> 19 0.087467 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [FIN, ACK] Seq=880 Ack=1965 Win=34944 Len=0 TSval=361924306 TSecr=121084520
> 20 0.087621 10.5.1.202 -> 10.5.1.25 TCP 66 40258→389 [ACK] Seq=1965 Ack=881 Win=9056 Len=0 TSval=121084520 TSecr=361924306
>
> and the last configuration works. So it seems that the only option compatible
> with that MFP is the less secure 'ldap server require strong auth =
> no'.
>
>
> Is there some way to ''tighten'' that configuration, eg permit 'ldap server require strong auth =
> no' only for some hosts?
> Or some other smb.conf options that I've missed?
Nothing at this stage. The issue is that they need to do fully signed
or sealed Kerberos SASL.
I agree that a per-IP or per-client whitelist would be a good idea.
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
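As an added illustration (not part of the thread, nor Samba's own code): a small Python audit over tshark one-line summaries like those quoted above. It pairs each bindRequest with its bindResponse and reports what a capture of plaintext LDAP on port 389 reveals about the 'ldap server require strong auth' value in effect: the anonymous simple bind to <ROOT> is allowed under every setting, a SASL bind rejected with strongAuthRequired shows the client offered no sign/seal, and a SASL bind accepted in the clear is what only 'no' (or a client that did negotiate sign/seal) produces. The sample lines are copied from the captures above; the line format is assumed to be tshark's default summary.

```python
import re

# Constructed sample: the bind frames from the thread's tshark summaries for the 'yes' run
# (frames 11-20) and the 'no' run (frames 4-13); TCP and search frames omitted.
SAMPLE_CAPTURE = """\
11 32.685230 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
13 32.686723 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
18 32.722455 10.5.1.202 -> 10.5.1.25 LDAP 107 bindRequest(3) "<ROOT>" sasl
20 32.723143 10.5.1.25 -> 10.5.1.202 LDAP 315 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.)
4 0.003849 10.5.1.202 -> 10.5.1.25 LDAP 80 bindRequest(1) "<ROOT>" simple
6 0.005388 10.5.1.25 -> 10.5.1.202 LDAP 80 bindResponse(1) success
11 0.074684 10.5.1.202 -> 10.5.1.25 LDAP 1555 bindRequest(3) "<ROOT>" sasl
13 0.079764 10.5.1.25 -> 10.5.1.202 LDAP 270 bindResponse(3) success
"""
# One tshark summary line for an LDAP bind frame; tolerates the '> ' mail-quote prefix.
BIND_RE = re.compile(
    r"^\s*(?:>\s*)?\d+\s+[\d.]+\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+LDAP\s+\d+\s+"
    r"(?P<kind>bindRequest|bindResponse)\((?P<id>\d+)\)\s*(?P<rest>.*)$"
)

def audit_binds(capture_text):
    """Pair every bindRequest with its bindResponse on (client, server, message id)."""
    pending, binds = {}, []
    for m in filter(None, map(BIND_RE.match, capture_text.splitlines())):
        if m["kind"] == "bindRequest":  # rest looks like: "<ROOT>" simple
            name, _, method = m["rest"].rpartition(" ")
            pending[(m["src"], m["dst"], int(m["id"]))] = {
                "client": m["src"], "server": m["dst"], "msgid": int(m["id"]),
                "method": method, "name": name.strip('"')}
        else:  # the response runs server -> client, so the key is swapped
            req = pending.pop((m["dst"], m["src"], int(m["id"])), None)
            if req:  # rest looks like: strongAuthRequired (SASL:[GSS-SPNEGO]: ...)
                req["result"], _, detail = m["rest"].partition(" ")
                req["detail"] = detail.strip("()")
                binds.append(req)
    return binds

def findings(binds):
    """Audit notes; tshark only decodes LDAP it can read, so these binds were not under TLS."""
    notes = []
    for b in binds:
        where = f"{b['client']} -> {b['server']} msgid {b['msgid']}"
        anonymous = b["name"] in ("", "<ROOT>")  # empty bind name = anonymous (RFC 4513)
        if b["method"] == "simple" and b["result"] == "success" and not anonymous:
            notes.append(f"{where}: authenticated simple bind sent a password in cleartext")
        elif b["method"] == "sasl" and b["result"] == "strongAuthRequired":
            notes.append(f"{where}: SASL bind rejected, client offered no sign/seal ({b['detail']})")
        elif b["method"] == "sasl" and b["result"] == "success":
            notes.append(f"{where}: SASL bind accepted in the clear; unless sign/seal was negotiated, 'ldap server require strong auth = no' is in effect")
    return notes
```

The summary lines do not show whether GSS-SPNEGO negotiated sign/seal, so the last finding is a prompt to check the server setting or the full decode, not proof on its own.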