[Samba] Samba, AD and devices compatibility...

Andrew Bartlett abartlet at samba.org
Fri May 11 18:40:55 UTC 2018


On Fri, 2018-05-11 at 11:26 +0200, Marco Gaiarin via samba wrote:
> Hello! Rowland Penny via samba
>   On that day wrote...
> 
> > I think that is what Andrew is trying to tell you, the printer needs to
> > support SASL over TLS/SSL or it will never work. I don't think there is
> > anything you can do, but I am surprised that the print doesn't already
> > support it, after all, it isn't something new ;-)
> 
> My confusion grows. ;-)
> 
> As stated in my previous email, the MFP printer works, with this tshark
> dump:
> 
> AD, 'ldap server require strong auth = no'
>  11   0.074684   10.5.1.202 -> 10.5.1.25    LDAP 1555 bindRequest(3) "<ROOT>" sasl 
>  12   0.074698    10.5.1.25 -> 10.5.1.202   TCP 66 389→40258 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361924302 TSecr=121084518
>  13   0.079764    10.5.1.25 -> 10.5.1.202   LDAP 270 bindResponse(3) success 
> 
> and clearly this is an example of SASL over PLAIN LDAP, neither TLS nor
> SSL, because I can ''see'' the query (if it were TLS/SSL, I'd see the
> SSL/TLS handshake and then only 'data').
> 
> So it seems that my MFP uses plain SASL, and so I'm a bit confused about what
> 'sign and seal' means. ;)

This is expected.  What this means is that the MFP is sending the
kerberos ticket but not signing the subsequent connection.  Such a
ticket is vulnerable to theft and re-use, so we try not to allow that.

Not as bad as simple binds without SSL, but not good either.  Allowing
this over SSL runs into the same issue, because we don't trust that
clients actually check their SSL certs and because the theft could be
in the reverse direction (from somewhere else).

The only real way to ensure a ticket belongs with this data session is
if it is cryptographically bound to the session, by signing or encrypting
(sealing) all the subsequent packets with it.

There is only one more 'out' we don't implement yet, which is
'channel binding' between the SSL connection and the Kerberos packet,
but I doubt the MFP is using that.

I hope this clarifies things,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
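The distinction Andrew draws above (a SASL/Kerberos bind is fine, an unsigned, unsealed session after it is not) can be checked directly against tshark summary output of the kind Marco pasted. The script below is an added example written for this page; it is not code from the thread or from the Samba project. It parses one-line tshark summaries, tracks each (client, server) pair through its bind, and reports two findings: a simple bind on port 389 (password in the clear, the worse case) and a SASL bind followed by LDAP operations that tshark can still decode without a SASL wrap (the printer's case when the DC runs with 'ldap server require strong auth = no'). Assumptions, all labelled in the code: the sample rows are constructed, not captured; sessions are keyed on the IP pair because the LDAP summary rows do not show ports; and the strings "SASL GSS-API Privacy" / "SASL GSS-API Integrity" are taken to be how Wireshark's LDAP dissector labels sealed and signed messages in the Info column. The last point also shows why "I can see the query" is not by itself proof of an unsigned session: a signed-only session stays readable but is still wrapped and bound to the ticket.

```python
"""Flag LDAP sessions on port 389 whose bind is not protected by sign/seal.

Added example for this mailing-list page; not Samba code and not from the
thread. Input is the one-line summary format tshark prints (frame, time,
src -> dst, protocol, length, info). Sample rows below are CONSTRUCTED.
"""
import re
from dataclasses import dataclass

# Assumption: tshark summary layout as quoted in the thread. LDAP rows carry
# no port numbers in this layout, so sessions are keyed on (client, server)
# IPs; a client with several concurrent LDAP connections would be merged.
ROW_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+"
    r"(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$"
)

# Assumption: these are the Info-column labels the Wireshark LDAP dissector
# uses for SASL-wrapped messages (sealed vs. signed-only).
SEALED_MARK = "SASL GSS-API Privacy"
SIGNED_MARK = "SASL GSS-API Integrity"

# Constructed sample, modelled on the rows quoted in the thread:
# 10.5.1.202 = SASL bind, then cleartext search (the printer's behaviour)
# 10.5.1.203 = SASL bind, then sealed traffic (what a signing client does)
# 10.5.1.204 = simple bind without TLS (password on the wire)
SAMPLE = """\
 11   0.074684   10.5.1.202 -> 10.5.1.25    LDAP 1555 bindRequest(3) "<ROOT>" sasl
 12   0.074698    10.5.1.25 -> 10.5.1.202   TCP 66 389→40258 [ACK] Seq=168 Ack=1621 Win=32000 Len=0
 13   0.079764    10.5.1.25 -> 10.5.1.202   LDAP 270 bindResponse(3) success
 14   0.081002   10.5.1.202 -> 10.5.1.25    LDAP 190 searchRequest(4) "DC=example,DC=lan" wholeSubtree
 15   0.083110    10.5.1.25 -> 10.5.1.202   LDAP 612 searchResEntry(4) "CN=Users,DC=example,DC=lan"
 20   1.100000   10.5.1.203 -> 10.5.1.25    LDAP 1540 bindRequest(1) "<ROOT>" sasl
 21   1.104000    10.5.1.25 -> 10.5.1.203   LDAP 262 bindResponse(1) success
 22   1.106000   10.5.1.203 -> 10.5.1.25    LDAP 240 SASL GSS-API Privacy: payload
 23   1.109000    10.5.1.25 -> 10.5.1.203   LDAP 700 SASL GSS-API Privacy: payload
 30   2.000000   10.5.1.204 -> 10.5.1.25    LDAP 120 bindRequest(1) "CN=scanner,CN=Users,DC=example,DC=lan" simple
 31   2.003000    10.5.1.25 -> 10.5.1.204   LDAP 80 bindResponse(1) success
"""


@dataclass(frozen=True)
class Finding:
    client: str
    server: str
    frame: int
    kind: str    # "simple_bind_cleartext" or "sasl_unwrapped"
    detail: str


def audit(lines):
    """Return one Finding per (client, server) session exposed to credential or ticket theft."""
    pending = {}   # (client, server) -> (mechanism, frame) for a bindRequest awaiting its response
    bound = {}     # (client, server) -> mechanism after bindResponse success
    flagged = set()
    findings = []
    for line in lines:
        m = ROW_RE.match(line)
        if not m or m["proto"] != "LDAP":
            continue
        frame, src, dst, info = int(m["frame"]), m["src"], m["dst"], m["info"]

        if info.startswith("bindRequest("):
            mech = "sasl" if info.rstrip().endswith(" sasl") else "simple"
            pending[(src, dst)] = (mech, frame)
            continue

        if info.startswith("bindResponse(") and "success" in info:
            key = (dst, src)                       # response flows server -> client
            if key in pending:
                mech, req_frame = pending.pop(key)
                bound[key] = mech
                if mech == "simple":                # password itself was on the wire
                    findings.append(Finding(*key, req_frame, "simple_bind_cleartext",
                                            "simple bind without TLS on port 389"))
                    flagged.add(key)
            continue

        # Any other LDAP message: attribute it to the session in either direction.
        key = (src, dst) if (src, dst) in bound else (dst, src)
        if key not in bound or key in flagged or bound[key] != "sasl":
            continue
        if SEALED_MARK in info or SIGNED_MARK in info:
            continue                               # wrapped: bound to the ticket's session key
        # Decoded in the clear after a SASL bind: ticket was presented but the
        # session is not tied to it, so a stolen ticket can be replayed elsewhere.
        findings.append(Finding(key[0], key[1], frame, "sasl_unwrapped",
                                f"cleartext {info.split('(')[0]} after SASL bind"))
        flagged.add(key)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE.splitlines()):
        print(f"{f.client} -> {f.server} frame {f.frame}: {f.kind} ({f.detail})")
```

On a real capture, feed it `tshark -r capture.pcap | python3 audit.py` style input (stdin handling left out here). Sessions that show up as sasl_unwrapped are exactly the ones a DC with 'ldap server require strong auth = yes' (the Samba default) refuses at bind time; the simple_bind_cleartext ones are the "simple binds without SSL" case Andrew calls worse.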