[Samba] Samba, AD and devices compatibility...

Andrew Bartlett abartlet at samba.org
Fri May 11 02:07:12 UTC 2018


On Thu, 2018-05-10 at 15:48 +0200, Marco Gaiarin via samba wrote:
> Hello! Andrew Bartlett via samba
>   on that day wrote...
> 
> Ok, I come back to an old thread, because the vendor finally replied.

Thanks!

> 
> Little fast-rewind: I own some Konica-Minolta BizHub multifunction
> printers/copiers, and I need to 'bind' them to my new AD domain.
> 
> But authentication does not work; it seems that is because the printer
> tries to use SASL over plain LDAP (no SSL nor TLS).
> 
> After writing to the vendor (ahem, writing to my local reseller, who
> writes to the vendor) the answer was:
> 
> > The information provided is not sufficient to provide a solution.
> > About the AD / Kerberos problem, the listed "tcpdump" just shows the TGS (Ticket Granting Ticket) request and response.
> > There are no details about the AS (authentication service) request. Therefore it's difficult to find the problem cause.
> > 
> > Maybe the LDAP part is easier to solve. Although the TCP dump does not show much detail, it indicates the problem:
> > "bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required"
> > Basically the LDAP server requires a secured connection.
> > 
> > This is related to following SAMBA settings:
> > > ldap server require strong auth (G)
> > > 
> > > The ldap server require strong auth defines whether the ldap server requires ldap traffic to be signed or signed and encrypted (sealed). Possible values are no, allow_sasl_over_tls and yes.
> > > 
> > > A value of no allows simple and sasl binds over all transports.
> > > 
> > > A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal) over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.
> > > 
> > > A value of yes allows only simple binds over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.
> > > Default: ldap server require strong auth = yes

Correct.

> 
> So, doing some tests:
> 
> AD, 'ldap server require strong auth = yes' (default)
>   8  32.680120   10.5.1.202 -> 10.5.1.25    TCP 74 40253→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=121046256 TSecr=0 WS=16
>   9  32.680132    10.5.1.25 -> 10.5.1.202   TCP 74 389→40253 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361876476 TSecr=121046256 WS=128
>  10  32.680292   10.5.1.202 -> 10.5.1.25    TCP 66 40253→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=121046257 TSecr=361876476
>  11  32.685230   10.5.1.202 -> 10.5.1.25    LDAP 80 bindRequest(1) "<ROOT>" simple 
>  12  32.685240    10.5.1.25 -> 10.5.1.202   TCP 66 389→40253 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361876477 TSecr=121046258
>  13  32.686723    10.5.1.25 -> 10.5.1.202   LDAP 80 bindResponse(1) success 
>  14  32.686854   10.5.1.202 -> 10.5.1.25    TCP 66 40253→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=121046258 TSecr=361876478
>  15  32.694734   10.5.1.202 -> 10.5.1.25    LDAP 183 searchRequest(2) "<ROOT>" baseObject 
>  16  32.695277    10.5.1.25 -> 10.5.1.202   LDAP 219 searchResEntry(2) "<ROOT>"  | searchResDone(2) success 
>  17  32.722454   10.5.1.202 -> 10.5.1.25    TCP 1514 [TCP segment of a reassembled PDU]
>  18  32.722455   10.5.1.202 -> 10.5.1.25    LDAP 107 bindRequest(3) "<ROOT>" sasl 
>  19  32.722466    10.5.1.25 -> 10.5.1.202   TCP 66 389→40253 [ACK] Seq=168 Ack=1621 Win=31872 Len=0 TSval=361876486 TSecr=121046263
>  20  32.723143    10.5.1.25 -> 10.5.1.202   LDAP 315 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.) 
>  21  32.729426   10.5.1.202 -> 10.5.1.25    LDAP 73 unbindRequest(4) 
>  22  32.729474   10.5.1.202 -> 10.5.1.25    TCP 66 40253→389 [FIN, ACK] Seq=1628 Ack=417 Win=7984 Len=0 TSval=121046266 TSecr=361876487
>  23  32.729547    10.5.1.25 -> 10.5.1.202   TCP 66 389→40253 [FIN, ACK] Seq=417 Ack=1629 Win=31872 Len=0 TSval=361876488 TSecr=121046266
>  24  32.729714   10.5.1.202 -> 10.5.1.25    TCP 66 40253→389 [ACK] Seq=1629 Ack=418 Win=7984 Len=0 TSval=121046266 TSecr=361876488
> 
> 
> AD, 'ldap server require strong auth = allow_sasl_over_tls'
> 113 2995.932618   10.5.1.202 -> 10.5.1.25    TCP 74 40245→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=120908056 TSecr=0 WS=16
> 114 2995.932639    10.5.1.25 -> 10.5.1.202   TCP 74 389→40245 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361656202 TSecr=120908056 WS=128
> 115 2995.932785   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=120908056 TSecr=361656202
> 116 2995.937504   10.5.1.202 -> 10.5.1.25    LDAP 80 bindRequest(1) "<ROOT>" simple 
> 117 2995.937516    10.5.1.25 -> 10.5.1.202   TCP 66 389→40245 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361656204 TSecr=120908057
> 118 2995.939099    10.5.1.25 -> 10.5.1.202   LDAP 80 bindResponse(1) success 
> 119 2995.939241   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=120908057 TSecr=361656204
> 120 2995.958568   10.5.1.202 -> 10.5.1.25    LDAP 183 searchRequest(2) "<ROOT>" baseObject 
> 121 2995.958945    10.5.1.25 -> 10.5.1.202   LDAP 219 searchResEntry(2) "<ROOT>"  | searchResDone(2) success 
> 122 2995.997247   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=120908069 TSecr=361656209
> 123 2996.119036   10.5.1.202 -> 10.5.1.25    LDAP 1555 bindRequest(3) "<ROOT>" sasl 
> 124 2996.119051    10.5.1.25 -> 10.5.1.202   TCP 66 389→40245 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361656249 TSecr=120908093
> 125 2996.119914    10.5.1.25 -> 10.5.1.202   LDAP 316 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: not allowed if TLS is used.) 
> 126 2996.120093   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=1621 Ack=418 Win=7984 Len=0 TSval=120908093 TSecr=361656249
> 127 2996.120355   10.5.1.202 -> 10.5.1.25    LDAP 73 unbindRequest(4) 
> 128 2996.120434   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [FIN, ACK] Seq=1628 Ack=418 Win=7984 Len=0 TSval=120908093 TSecr=361656249
> 129 2996.120456    10.5.1.25 -> 10.5.1.202   TCP 66 389→40245 [FIN, ACK] Seq=418 Ack=1629 Win=32000 Len=0 TSval=361656249 TSecr=120908093
> 130 2996.120591   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=1629 Ack=419 Win=7984 Len=0 TSval=120908093 TSecr=361656249
> 
> AD, 'ldap server require strong auth = no'
>   1   0.000000   10.5.1.202 -> 10.5.1.25    TCP 74 40258→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=121084503 TSecr=0 WS=16
>   2   0.000019    10.5.1.25 -> 10.5.1.202   TCP 74 389→40258 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361924284 TSecr=121084503 WS=128
>   3   0.000179   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=121084503 TSecr=361924284
>   4   0.003849   10.5.1.202 -> 10.5.1.25    LDAP 80 bindRequest(1) "<ROOT>" simple 
>   5   0.003857    10.5.1.25 -> 10.5.1.202   TCP 66 389→40258 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361924285 TSecr=121084504
>   6   0.005388    10.5.1.25 -> 10.5.1.202   LDAP 80 bindResponse(1) success 
>   7   0.005536   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=121084504 TSecr=361924285
>   8   0.023918   10.5.1.202 -> 10.5.1.25    LDAP 183 searchRequest(2) "<ROOT>" baseObject 
>   9   0.024364    10.5.1.25 -> 10.5.1.202   LDAP 219 searchResEntry(2) "<ROOT>"  | searchResDone(2) success 
>  10   0.063587   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=121084516 TSecr=361924290
>  11   0.074684   10.5.1.202 -> 10.5.1.25    LDAP 1555 bindRequest(3) "<ROOT>" sasl 
>  12   0.074698    10.5.1.25 -> 10.5.1.202   TCP 66 389→40258 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361924302 TSecr=121084518
>  13   0.079764    10.5.1.25 -> 10.5.1.202   LDAP 270 bindResponse(3) success 
>  14   0.079974   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=1621 Ack=372 Win=7984 Len=0 TSval=121084519 TSecr=361924304
>  15   0.085792   10.5.1.202 -> 10.5.1.25    LDAP 402 searchRequest(4) "dc=ad,dc=fvg,dc=lnf,dc=it" wholeSubtree 
>  16   0.086364    10.5.1.25 -> 10.5.1.202   LDAP 574 searchResEntry(4) "CN=gaio,OU=Roaming,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it"  | searchResRef(4)  | searchResRef(4)  | searchResRef(4)  | se
>  17   0.087354   10.5.1.202 -> 10.5.1.25    LDAP 73 unbindRequest(5) 
>  18   0.087401   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [FIN, ACK] Seq=1964 Ack=880 Win=9056 Len=0 TSval=121084520 TSecr=361924305
>  19   0.087467    10.5.1.25 -> 10.5.1.202   TCP 66 389→40258 [FIN, ACK] Seq=880 Ack=1965 Win=34944 Len=0 TSval=361924306 TSecr=121084520
>  20   0.087621   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=1965 Ack=881 Win=9056 Len=0 TSval=121084520 TSecr=361924306
> 
> and the last configuration works. So it seems that the only option
> compatible with that MFP is the less secure 'ldap server require strong
> auth = no'.
> 
> 
> Is there some way to 'tighten' that configuration, e.g. permit 'ldap
> server require strong auth = no' only for some hosts?
> Or some other smb.conf options that I've missed?

Nothing at this stage.  The issue is that they need to do fully signed
or sealed Kerberos SASL. 

I agree that a per-IP or per-client whitelist would be a good idea. 

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba