[Samba] "ldap server require strong auth" and MS-AD

Denis Cardon dcardon at tranquil.it
Wed Dec 18 11:08:48 UTC 2019


Hi everyone,

Microsoft is going to tighten their AD LDAP binding security in 
mid-January 2020 [1][2].

I am wondering if this change is identical or similar to the "ldap 
server require strong auth=yes" parameter in smb.conf, or if it is more 
like "ldap server require strong auth=allow_sasl_over_tls".

From [1]:
"""
Summary

LDAP channel binding and LDAP signing provide ways to increase the 
security of network communications between an Active Directory Domain 
Services (AD DS) or an Active Directory Lightweight Directory Services 
(AD LDS) and its clients. There is a vulnerability in the default 
configuration for Lightweight Directory Access Protocol (LDAP) channel 
binding and LDAP signing and may expose Active directory domain 
controllers to elevation of privilege vulnerabilities.  Microsoft 
Security Advisory ADV190023 addresses the issue by recommending the 
administrators enable LDAP channel binding and LDAP signing on Active 
Directory Domain Controllers. This hardening must be done manually until 
the release of the security update that will enable these settings by 
default.

Microsoft intends to release a security update on Windows Update to 
enable LDAP channel binding and LDAP signing hardening changes and 
anticipates this update will be available in mid-January 2020.
"""

Cheers,

Denis

[1] 
https://support.microsoft.com/en-ca/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
[2] 
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023


-- 
Denis Cardon
Tranquil IT
12 avenue Jules Verne (Bat. A)
44230 Saint Sébastien sur Loire (FRANCE)
tel : +33 (0) 240 975 755
http://www.tranquil.it

Tranquil IT is hiring! https://www.tranquil.it/nous-rejoindre/
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
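As an added example, not part of the original post and not Samba's own code, the script below audits an smb.conf text for the "ldap server require strong auth" parameter the question is about and reports what each of its three values permits on plaintext versus TLS-protected LDAP connections, following the smb.conf(5) description of the parameter. The sample configuration embedded in the script is constructed for this example; the `allow_sasl_over_tls` value in it is a hypothetical choice made to show the middle setting.

```shell
#!/bin/sh
# Added example: audit an smb.conf text for "ldap server require strong auth".
# Not part of the original post or of Samba. The configuration below is
# constructed for this example.

SAMPLE_SMB_CONF='[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    ; hypothetical value chosen to demonstrate the middle setting
    ldap server require strong auth = allow_sasl_over_tls

[netlogon]
    path = /var/lib/samba/sysvol/example.local/scripts
'

# strong_auth_value CONF_TEXT
# Prints the [global] value of "ldap server require strong auth", lowercased
# and trimmed, or "unset" when the parameter is absent. Samba ignores case
# and surrounding whitespace in parameter names, so the key is normalised the
# same way before comparison. Only the [global] section is consulted because
# the parameter is global-only.
strong_auth_value() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
        in_global && NF >= 2 {
            key = tolower($1)
            gsub(/[ \t]+/, " ", key); sub(/^ /, "", key); sub(/ $/, "", key)
            if (key == "ldap server require strong auth") {
                val = tolower($2)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; found = 1; exit
            }
        }
        END { if (!found) print "unset" }'
}

# strong_auth_class VALUE
# Maps the setting to a short classification:
#   weak    - simple binds and unsigned SASL binds accepted on plaintext LDAP
#   partial - plaintext requires signed/sealed SASL; over TLS, simple binds
#             and unsigned SASL binds are still accepted
#   strong  - plaintext requires signed/sealed SASL; over TLS only simple
#             binds are accepted
#   default - parameter not set, the build default applies
strong_auth_class() {
    case "$1" in
        no|false|0)           echo "weak" ;;
        allow_sasl_over_tls)  echo "partial" ;;
        yes|true|1)           echo "strong" ;;
        unset)                echo "default" ;;
        *)                    echo "unknown" ;;
    esac
}

# report CONF_TEXT
# Prints the found value and its classification. On a real host the
# effective value (including the build default) can be confirmed with:
#   testparm -s --parameter-name="ldap server require strong auth"
report() {
    value=$(strong_auth_value "$1")
    class=$(strong_auth_class "$value")
    printf 'ldap server require strong auth = %s (%s)\n' "$value" "$class"
}

report "$SAMPLE_SMB_CONF"
```

Run against the sample it prints the `allow_sasl_over_tls` value with the `partial` classification, which is the setting that still lets LDAPS simple binds through; `yes` is the value that corresponds to requiring signing on plaintext and allowing simple binds only over TLS.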