[Samba] Samba, AD and devices compatibility...

L.P.H. van Belle belle at bazuin.nl
Fri May 11 06:55:00 UTC 2018


To my knowledge, Konica = Xerox.

And this works fine IMO, but I'm not able to look this up now.
I did have Xerox connected to my LDAPS AD DCs.

I can check this Monday.

Greetz,
Louis

> On 11 May 2018 at 04:09, Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> 
> On Thu, 2018-05-10 at 15:48 +0200, Marco Gaiarin via samba wrote:
>> Hello! Andrew Bartlett via samba
>>  On that day it was said...
>> 
>> Ok, I come back to an old thread, because the vendor finally replied.
> 
> Thanks!
> 
>> 
>> Little fast-rewind: I own some Konica-Minolta BizHub multifunction
>> printers/copiers, and I need to ''bind'' them to my new AD domain.
>> 
>> But authentication does not work; it seems that is because the printer tries to use
>> SASL over plain LDAP (no SSL nor TLS).
>> 
>> After writing to the vendor (ahem, writing to my local reseller, that
>> writes to the vendor) the answer was:
>> 
>>> The information provided is not sufficient to provide a solution.
>>> About the AD/Kerberos problem, the listed "tcpdump" just shows the TGS (Ticket Granting Ticket) request and response.
>>> There are no details about the AS (authentication service) request. Therefore it's difficult to find the cause of the problem.
>>> 
>>> Maybe the LDAP part is easier to solve. Although the TCP dump does not show much detail, it indicates the problem:
>>> "bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required"
>>> Basically the LDAP server requires a secured connection.
>>> 
>>> This is related to following SAMBA settings:
>>>> ldap server require strong auth (G)
>>>> 
>>>> The ldap server require strong auth defines whether the ldap server requires ldap traffic to be signed or signed and encrypted (sealed). Possible values are no, allow_sasl_over_tls and yes.
>>>> 
>>>> A value of no allows simple and sasl binds over all transports.
>>>> 
>>>> A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal) over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.
>>>> 
>>>> A value of yes allows only simple binds over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal.
>>>> Default: ldap server require strong auth = yes
> 
> Correct.
> 
>> 
>> So, doing some tests:
>> 
>> AD, 'ldap server require strong auth = yes' (default)
>>  8  32.680120   10.5.1.202 -> 10.5.1.25    TCP 74 40253→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=121046256 TSecr=0 WS=16
>>  9  32.680132    10.5.1.25 -> 10.5.1.202   TCP 74 389→40253 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361876476 TSecr=121046256 WS=128
>> 10  32.680292   10.5.1.202 -> 10.5.1.25    TCP 66 40253→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=121046257 TSecr=361876476
>> 11  32.685230   10.5.1.202 -> 10.5.1.25    LDAP 80 bindRequest(1) "<ROOT>" simple 
>> 12  32.685240    10.5.1.25 -> 10.5.1.202   TCP 66 389→40253 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361876477 TSecr=121046258
>> 13  32.686723    10.5.1.25 -> 10.5.1.202   LDAP 80 bindResponse(1) success 
>> 14  32.686854   10.5.1.202 -> 10.5.1.25    TCP 66 40253→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=121046258 TSecr=361876478
>> 15  32.694734   10.5.1.202 -> 10.5.1.25    LDAP 183 searchRequest(2) "<ROOT>" baseObject 
>> 16  32.695277    10.5.1.25 -> 10.5.1.202   LDAP 219 searchResEntry(2) "<ROOT>"  | searchResDone(2) success 
>> 17  32.722454   10.5.1.202 -> 10.5.1.25    TCP 1514 [TCP segment of a reassembled PDU]
>> 18  32.722455   10.5.1.202 -> 10.5.1.25    LDAP 107 bindRequest(3) "<ROOT>" sasl 
>> 19  32.722466    10.5.1.25 -> 10.5.1.202   TCP 66 389→40253 [ACK] Seq=168 Ack=1621 Win=31872 Len=0 TSval=361876486 TSecr=121046263
>> 20  32.723143    10.5.1.25 -> 10.5.1.202   LDAP 315 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.) 
>> 21  32.729426   10.5.1.202 -> 10.5.1.25    LDAP 73 unbindRequest(4) 
>> 22  32.729474   10.5.1.202 -> 10.5.1.25    TCP 66 40253→389 [FIN, ACK] Seq=1628 Ack=417 Win=7984 Len=0 TSval=121046266 TSecr=361876487
>> 23  32.729547    10.5.1.25 -> 10.5.1.202   TCP 66 389→40253 [FIN, ACK] Seq=417 Ack=1629 Win=31872 Len=0 TSval=361876488 TSecr=121046266
>> 24  32.729714   10.5.1.202 -> 10.5.1.25    TCP 66 40253→389 [ACK] Seq=1629 Ack=418 Win=7984 Len=0 TSval=121046266 TSecr=361876488
>> 
>> 
>> AD, 'ldap server require strong auth = allow_sasl_over_tls'
>> 113 2995.932618   10.5.1.202 -> 10.5.1.25    TCP 74 40245→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=120908056 TSecr=0 WS=16
>> 114 2995.932639    10.5.1.25 -> 10.5.1.202   TCP 74 389→40245 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361656202 TSecr=120908056 WS=128
>> 115 2995.932785   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=120908056 TSecr=361656202
>> 116 2995.937504   10.5.1.202 -> 10.5.1.25    LDAP 80 bindRequest(1) "<ROOT>" simple 
>> 117 2995.937516    10.5.1.25 -> 10.5.1.202   TCP 66 389→40245 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361656204 TSecr=120908057
>> 118 2995.939099    10.5.1.25 -> 10.5.1.202   LDAP 80 bindResponse(1) success 
>> 119 2995.939241   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=120908057 TSecr=361656204
>> 120 2995.958568   10.5.1.202 -> 10.5.1.25    LDAP 183 searchRequest(2) "<ROOT>" baseObject 
>> 121 2995.958945    10.5.1.25 -> 10.5.1.202   LDAP 219 searchResEntry(2) "<ROOT>"  | searchResDone(2) success 
>> 122 2995.997247   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=120908069 TSecr=361656209
>> 123 2996.119036   10.5.1.202 -> 10.5.1.25    LDAP 1555 bindRequest(3) "<ROOT>" sasl 
>> 124 2996.119051    10.5.1.25 -> 10.5.1.202   TCP 66 389→40245 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361656249 TSecr=120908093
>> 125 2996.119914    10.5.1.25 -> 10.5.1.202   LDAP 316 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: not allowed if TLS is used.) 
>> 126 2996.120093   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=1621 Ack=418 Win=7984 Len=0 TSval=120908093 TSecr=361656249
>> 127 2996.120355   10.5.1.202 -> 10.5.1.25    LDAP 73 unbindRequest(4) 
>> 128 2996.120434   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [FIN, ACK] Seq=1628 Ack=418 Win=7984 Len=0 TSval=120908093 TSecr=361656249
>> 129 2996.120456    10.5.1.25 -> 10.5.1.202   TCP 66 389→40245 [FIN, ACK] Seq=418 Ack=1629 Win=32000 Len=0 TSval=361656249 TSecr=120908093
>> 130 2996.120591   10.5.1.202 -> 10.5.1.25    TCP 66 40245→389 [ACK] Seq=1629 Ack=419 Win=7984 Len=0 TSval=120908093 TSecr=361656249
>> 
>> AD, 'ldap server require strong auth = no'
>>  1   0.000000   10.5.1.202 -> 10.5.1.25    TCP 74 40258→389 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 SACK_PERM=1 TSval=121084503 TSecr=0 WS=16
>>  2   0.000019    10.5.1.25 -> 10.5.1.202   TCP 74 389→40258 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=361924284 TSecr=121084503 WS=128
>>  3   0.000179   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=121084503 TSecr=361924284
>>  4   0.003849   10.5.1.202 -> 10.5.1.25    LDAP 80 bindRequest(1) "<ROOT>" simple 
>>  5   0.003857    10.5.1.25 -> 10.5.1.202   TCP 66 389→40258 [ACK] Seq=1 Ack=15 Win=29056 Len=0 TSval=361924285 TSecr=121084504
>>  6   0.005388    10.5.1.25 -> 10.5.1.202   LDAP 80 bindResponse(1) success 
>>  7   0.005536   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=15 Ack=15 Win=5840 Len=0 TSval=121084504 TSecr=361924285
>>  8   0.023918   10.5.1.202 -> 10.5.1.25    LDAP 183 searchRequest(2) "<ROOT>" baseObject 
>>  9   0.024364    10.5.1.25 -> 10.5.1.202   LDAP 219 searchResEntry(2) "<ROOT>"  | searchResDone(2) success 
>> 10   0.063587   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=132 Ack=168 Win=6912 Len=0 TSval=121084516 TSecr=361924290
>> 11   0.074684   10.5.1.202 -> 10.5.1.25    LDAP 1555 bindRequest(3) "<ROOT>" sasl 
>> 12   0.074698    10.5.1.25 -> 10.5.1.202   TCP 66 389→40258 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361924302 TSecr=121084518
>> 13   0.079764    10.5.1.25 -> 10.5.1.202   LDAP 270 bindResponse(3) success 
>> 14   0.079974   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=1621 Ack=372 Win=7984 Len=0 TSval=121084519 TSecr=361924304
>> 15   0.085792   10.5.1.202 -> 10.5.1.25    LDAP 402 searchRequest(4) "dc=ad,dc=fvg,dc=lnf,dc=it" wholeSubtree 
>> 16   0.086364    10.5.1.25 -> 10.5.1.202   LDAP 574 searchResEntry(4) "CN=gaio,OU=Roaming,OU=Users,OU=SanVito,OU=FVG,DC=ad,DC=fvg,DC=lnf,DC=it"  | searchResRef(4)  | searchResRef(4)  | searchResRef(4)  | se
>> 17   0.087354   10.5.1.202 -> 10.5.1.25    LDAP 73 unbindRequest(5) 
>> 18   0.087401   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [FIN, ACK] Seq=1964 Ack=880 Win=9056 Len=0 TSval=121084520 TSecr=361924305
>> 19   0.087467    10.5.1.25 -> 10.5.1.202   TCP 66 389→40258 [FIN, ACK] Seq=880 Ack=1965 Win=34944 Len=0 TSval=361924306 TSecr=121084520
>> 20   0.087621   10.5.1.202 -> 10.5.1.25    TCP 66 40258→389 [ACK] Seq=1965 Ack=881 Win=9056 Len=0 TSval=121084520 TSecr=361924306
>> 
>> and the last configuration works. So it seems that the only option compatible
>> with that MFP is the less secure 'ldap server require strong auth =
>> no'.
>> 
>> 
>> Is there some way to ''tighten'' that configuration, e.g. permit 'ldap server require strong auth =
>> no' only for some hosts?
>> Or some other smb.conf options that I've missed?
> 
> Nothing at this stage.  The issue is that they need to do fully signed
> or sealed Kerberos SASL. 
> 
> I agree that a per-IP or per-client whitelist would be a good idea. 
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team         https://samba.org
> Samba Development and Support, Catalyst IT   
> https://catalyst.net.nz/services/samba
> 
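As an added example (not code from the thread or from Samba), the following Python pairs the LDAP bindRequest(n)/bindResponse(n) lines of a tshark summary in the format quoted above and reports, per client, whether a bind was an anonymous simple bind, a SASL bind refused for lacking sign/seal (the BizHub case, which only works with 'ldap server require strong auth = no'), or a SASL bind that succeeded. The sample trace is constructed from the quoted 'yes' and 'no' captures, with a made-up second client 10.5.1.203 for the successful SASL bind.

```python
import re

# Added example, not from the thread: pair LDAP bindRequest(n)/bindResponse(n) lines
# from a tshark summary (the format quoted above) and say what each bind means.
LINE_RE = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+LDAP\s+\d+\s+"
    r"(?P<op>bindRequest|bindResponse)\((?P<mid>\d+)\)\s*(?P<rest>.*)$")
REQ_RE = re.compile(r'"(?P<name>[^"]*)"\s+(?P<method>simple|sasl)')

# Constructed sample: the bind lines of the 'yes' and 'no' captures quoted in the
# thread, with a second (made-up) client 10.5.1.203 for the successful SASL bind.
SAMPLE_TRACE = """\
 11  32.685230   10.5.1.202 -> 10.5.1.25    LDAP 80 bindRequest(1) "<ROOT>" simple
 13  32.686723    10.5.1.25 -> 10.5.1.202   LDAP 80 bindResponse(1) success
 18  32.722455   10.5.1.202 -> 10.5.1.25    LDAP 107 bindRequest(3) "<ROOT>" sasl
 20  32.723143    10.5.1.25 -> 10.5.1.202   LDAP 315 bindResponse(3) strongAuthRequired (SASL:[GSS-SPNEGO]: Sign or Seal are required.)
 11   0.074684   10.5.1.203 -> 10.5.1.25    LDAP 1555 bindRequest(3) "<ROOT>" sasl
 13   0.079764    10.5.1.25 -> 10.5.1.203   LDAP 270 bindResponse(3) success
"""

def finding(name: str, method: str, result: str) -> str:
    """Defender's reading of one bind on a plaintext port-389 connection."""
    if method == "sasl" and result == "strongAuthRequired":
        return "client cannot sign/seal: only works with 'ldap server require strong auth = no'"
    if method == "simple" and result == "success":
        if name == "<ROOT>":  # empty bind DN: anonymous bind, typically a rootDSE probe
            return "anonymous simple bind (rootDSE probe, no credentials on the wire)"
        return "simple bind with credentials over cleartext: password exposed"
    if method == "sasl" and result == "success":
        return "SASL bind accepted"
    return f"{method} bind -> {result}"

def classify_binds(trace: str) -> list[dict]:
    """Match each bindRequest(n) to the bindResponse(n) sent back to the same client."""
    pending: dict[tuple[str, int], tuple[str, str]] = {}
    out: list[dict] = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # TCP segments, searches and unbinds are not binds
        mid = int(m["mid"])
        if m["op"] == "bindRequest":
            pending[(m["src"], mid)] = REQ_RE.search(m["rest"]).groups()
        elif (m["dst"], mid) in pending:  # the response goes back to the client
            name, method = pending.pop((m["dst"], mid))
            code, _, detail = m["rest"].partition(" ")
            out.append({"client": m["dst"], "method": method, "result": code,
                        "detail": detail.strip("() "), "finding": finding(name, method, code)})
    return out
```

Run `classify_binds` over `tshark -r capture.pcap` summary output of port 389 before relaxing the setting to list which clients would break, and after relaxing it to spot any simple bind that is not anonymous.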