[Samba] Samba, AD and devices compatibility...

Andrew Bartlett abartlet at samba.org
Fri May 11 18:44:28 UTC 2018


On Fri, 2018-05-11 at 09:13 +0100, Rowland Penny via samba wrote:
> On Fri, 11 May 2018 09:58:11 +0200
> Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> 
> > Mandi! Andrew Bartlett via samba
> >   In chel di` si favelave...
> > 
> > > > There's some way to ''tight'' that configuration , eg permit
> > > > 'ldap server require strong auth = no' only by some hosts?
> > > > Or some other smb.conf options that i've missed?
> > > Nothing at this stage.
> > 
> > Ok.
> > 
> > 
> > > The issue is that they need to do fully signed or sealed Kerberos
> > > SASL. 
> > 
> > Sorry, but i've really a bit of confusion in this field... You forgot
> > a 'not' somwhere in this sentence? ;-)
> > 
> > I've understood that 'sign or seal' mean SASL over TLS/SSL, and my
> > printer suport only SASL, so it is not 'sign and sealed'...
> > 
> > 
> 
> I think that is what Andrew is trying to tell you, the printer needs to
> support SASL over TLS/SSL or it will never work. 

Not quite.  While that combination sounds really secure, without the
channel binding that we don't implement yet, it is actually almost as
bad as not using TLS/SSL.  We prefer SASL using the SASL mech to do the
signing and sealing.

> I don't think there is
> anything you can do, but I am surprised that the print doesn't already
> support it, after all, it isn't something new ;-)

That is the real issue here.  Finding combinations that don't suck
security wise and are supported by printers.  The long term solution on
the Samba end will likely be a 'printer account exception' scheme,
where an account with few real privileges can be made exempt from these
things (which matter for more for Domain Admins).  

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba




More information about the samba mailing list