[Samba] "ldap server require strong auth" and MS-AD
Denis Cardon
dcardon at tranquil.it
Wed Dec 18 11:08:48 UTC 2019
Hi everyone,
Microsoft is going to tighten their AD LDAP binding security in
mid-January 2020 [1][2].
I am wondering if this change is identical or similar to the "ldap
server require strong auth=yes" parameter in smb.conf. Or if it is more
like "ldap server require strong auth=allow_sasl_over_tls".
From [1] :
"""
Summary
LDAP channel binding and LDAP signing provide ways to increase the
security of network communications between an Active Directory Domain
Services (AD DS) or an Active Directory Lightweight Directory Services
(AD LDS) and its clients. There is a vulnerability in the default
configuration for Lightweight Directory Access Protocol (LDAP) channel
binding and LDAP signing and may expose Active directory domain
controllers to elevation of privilege vulnerabilities. Microsoft
Security Advisory ADV190023 address the issue by recommending the
administrators enable LDAP channel binding and LDAP signing on Active
Directory Domain Controllers. This hardening must be done manually until
the release of the security update that will enable these settings by
default.
Microsoft intends to release a security update on Windows Update to
enable LDAP channel binding and LDAP signing hardening changes and
anticipate this update will be available in mid-January 2020.
"""
Cheers,
Denis
[1] https://support.microsoft.com/en-ca/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
[2] https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
--
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it
Tranquil IT recrute! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
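
An added illustration (not part of the original message, and not Samba code): a small Python model of how smb.conf(5) documents the three values of "ldap server require strong auth", showing which bind and transport combinations each value accepts and where "yes" and "allow_sasl_over_tls" differ. The function and case names are hypothetical, and SASL with sign/seal inside TLS is deliberately left unmodelled.

```python
# Model of the documented smb.conf(5) semantics of
# "ldap server require strong auth". Illustration only, not Samba source.

VALUES = ("no", "allow_sasl_over_tls", "yes")

# (transport, bind) combinations the man page text covers.
# "sasl" = SASL bind without sign or seal; "sasl_signed" = with sign or seal.
CASES = [
    ("plain", "simple"),
    ("plain", "sasl"),
    ("plain", "sasl_signed"),
    ("tls", "simple"),
    ("tls", "sasl"),
]


def bind_allowed(setting, transport, bind):
    """Return True if the modelled LDAP server accepts this bind."""
    if setting not in VALUES:
        raise ValueError(f"unknown setting: {setting!r}")
    if (transport, bind) not in CASES:
        raise ValueError(f"combination not modelled: {(transport, bind)!r}")
    if setting == "no":
        return True                      # simple and SASL on every transport
    if transport == "plain":
        return bind == "sasl_signed"     # unencrypted: signed/sealed SASL only
    if bind == "simple":
        return True                      # simple bind is acceptable inside TLS
    return setting == "allow_sasl_over_tls"  # unsigned SASL inside TLS


def accepted(setting):
    """List the modelled combinations a given setting accepts."""
    return [c for c in CASES if bind_allowed(setting, *c)]


def differing(a, b):
    """List the combinations on which two settings disagree."""
    return [c for c in CASES if bind_allowed(a, *c) != bind_allowed(b, *c)]


if __name__ == "__main__":
    for value in VALUES:
        print(f"{value:>20}: {accepted(value)}")
    print("yes vs allow_sasl_over_tls:", differing("yes", "allow_sasl_over_tls"))
```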