[Samba] Samba, AD and devices compatibility...
abartlet at samba.org
Fri May 11 18:40:55 UTC 2018
On Fri, 2018-05-11 at 11:26 +0200, Marco Gaiarin via samba wrote:
> Mandi! Rowland Penny via samba
> In chel di` si favelave...
> > I think that is what Andrew is trying to tell you, the printer needs to
> > support SASL over TLS/SSL or it will never work. I don't think there is
> > anything you can do, but I am surprised that the print doesn't already
> > support it, after all, it isn't something new ;-)
> Mi confusion grow. ;-)
> As stated in my previous email, MFP printer works with this tshark
> AD, 'ldap server require strong auth = no'
> 11 0.074684 10.5.1.202 -> 10.5.1.25 LDAP 1555 bindRequest(3) "<ROOT>" sasl
> 12 0.074698 10.5.1.25 -> 10.5.1.202 TCP 66 389→40258 [ACK] Seq=168 Ack=1621 Win=32000 Len=0 TSval=361924302 TSecr=121084518
> 13 0.079764 10.5.1.25 -> 10.5.1.202 LDAP 270 bindResponse(3) success
> and clearly this is an example of SASL over PLAIN LDAP, no TLS nor
> SSL, because i can ''see'' the query (if it was TLS/SSL, i'll see the
> SSL/TLS handshake and the only 'data'.)
> So seems that my MFP use plain SASL, and so i'ma bit confused on what
> 'sign and seal' mean. ;)
This is expected. What this means is that the MFP is sending the
kerberos ticket but not signing the subsequent connection. Such a
ticket is vulnerable to theft and re-use, so we try not to allow that.
Not as bad as simple binds without SSL, but not good either. Allowing
this over SSL falls on the same issue, because we don't trust that
clients actually check their SSL certs and because the theft could be
in the reverse direction (from somewhere else).
The only real way to ensure a ticket belongs with this data session is
if it cryptographically bound to the session, by signing or encrypting
(sealing) all the subsequent packets with it.
There is only one more 'out' we don't implement yet, which is a
'channel bindings' between the SSL connection and the Kerberos packet,
but I doubt the MFP is using that.
I hope this clarifies things,
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba