[Samba] LDAP channel binding and LDAP signing?

A. James Lewis james at fsck.co.uk
Thu Jan 16 00:23:48 UTC 2020


I will admit that the last paragraph is confusing me slightly with the 
comment about ldbsearch..., other than to say that, on the advice of 
this list, I have kept my smb.conf as simple as possible, and "ldap ssl 
ads" defaults to no....

I literally just use winbindd, and have only:-

workgroup = XYZ
security = ADS
realm = XYZ.DOMAIN.COM

(some idmap settings for different trusted domains using RID)

winbind use default domain = yes
winbind refresh tickets = yes
template shell = /bin/bash

So, from what I'm seeing in the smb.conf man page, the default values 
should be good... and if badlock was in 2016, then anything 4.4.2 or 
newer should be OK.... even though RHEL7 has somewhat older versions, I 
don't think it's that old....

Would you say that was a reasonable assessment?

James


On 15/01/2020 20:22, Andrew Bartlett via samba wrote:
> Samba has, since the big 'badlock' release, defaulted to refusing
> plaintext, unsigned LDAP and also to refusing to put Kerberos or NTLM over
> TLS.
>
> This is controlled by "ldap server require strong auth"
>
> Samba does not implement channel bindings (patches or funding welcome),
> which is why we don't allow SASL (NTLM/Kerberos) over TLS. We strongly
> recommend relying on the NTLM or Kerberos layer for that security; it
> provides good mutual authentication without needing to check
> certificates against a private CA.
>
> Also, at the time the badlock patch was done no known client used it
> for LDAP; the feature originally came from HTTP Negotiate.
>
> So, in short, Samba (Metze gets the credit) realised this was a bad
> thing in 2016 (and yes, we shared our thoughts then). I'm glad
> Microsoft has since then come to the same conclusion.
>
> What will be a problem, as I read it, is winbindd if 'ldap ssl ads =
> yes' is set, and ldbsearch (against ldaps:// URLs, when not using a
> simple bind).
>
> I trust this clarifies things,
>
> Andrew Bartlett
>
> On Wed, 2020-01-15 at 11:22 +0000, A. James Lewis via samba wrote:
>> I found this in the samba security manual, but it could be interpreted
>> to mean that the feature isn't implemented, and so winbind would stop
>> working after Microsoft release the proposed patch!  I hope someone can
>> clarify.
>>
>>
>> On 15/01/2020 00:22, A. James Lewis via samba wrote:
>>> With Microsoft talking about AD changes in upcoming patches, I'm
>>> wondering if someone on this list has any insight into whether this
>>> will impact Samba(winbind).... and/or what version of Samba would be
>>> required to ensure continued operation if so?
>>>
>>> Hope someone can shed some light!
>>>
>>> https://support.microsoft.com/en-gb/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
>>>
>>>
>> -- 
>> ค. ﻝค๓єร ɭєฬเร (james at fsck.co.uk)
>> "Engineering does not require science. Science helps a lot but people
>> built perfectly good brick walls long before they knew why cement works."
>>
-- 
ค. ﻝค๓єร ɭєฬเร (james at fsck.co.uk)
"Engineering does not require science. Science helps a lot but people
built perfectly good brick walls long before they knew why cement works."
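
Added example, not part of the thread and not Samba's own code: the two
smb.conf parameters the discussion turns on are "ldap ssl ads" (a client /
winbindd setting, default no) and "ldap server require strong auth" (a Samba
AD DC setting, default yes). The script below reads the [global] section of an
smb.conf offline and reports the effective value of each, applying those
smb.conf(5) defaults when a parameter is absent and Samba's matching rules
for parameter names (case-insensitive, embedded spaces ignored, last
occurrence wins). It flags the case Andrew identifies as breaking once a DC
enforces channel binding ("ldap ssl ads = yes", i.e. winbindd doing a SASL
bind over LDAPS, which Samba cannot protect with channel bindings) and the
DC-side case of "ldap server require strong auth" being lowered. The sample
configurations it checks are constructed for the demo; it assumes only sh,
awk, tr and mktemp.

```shell
#!/bin/sh
# Added example (not Samba code): offline check of two smb.conf parameters.
# Defaults when a parameter is absent follow smb.conf(5):
#   ldap ssl ads                    = no
#   ldap server require strong auth = yes

# smbconf_get FILE NAME DEFAULT
# Print the effective value of a [global] parameter, or DEFAULT if unset.
# Samba matches parameter names case-insensitively, ignores whitespace
# inside the name, and lets a later occurrence override an earlier one.
smbconf_get() {
    file=$1; default=$3
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr -d ' \t')
    val=$(awk -v want="$want" '
        /^[ \t]*[#;]/ { next }                                   # comment
        /^[ \t]*\[/   { inglobal = (tolower($0) ~ /\[global\]/); next }
        inglobal && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)
            if (key == want) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                last = tolower(v)
            }
        }
        END { print last }' "$file")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# check_smbconf FILE
# Print one line per parameter; return 1 if either deviates from the
# defaults the thread relies on, 0 otherwise.
check_smbconf() {
    rc=0
    ssl_ads=$(smbconf_get "$1" 'ldap ssl ads' no)
    strong=$(smbconf_get "$1" 'ldap server require strong auth' yes)

    case "$ssl_ads" in
        yes|true|1)
            # winbindd would do a SASL (Kerberos/NTLM) bind over LDAPS; Samba
            # implements no channel bindings, so a DC enforcing them rejects it.
            echo "WARN: ldap ssl ads = $ssl_ads (SASL bind over LDAPS from winbindd)"
            rc=1 ;;
        *)
            echo "ok:   ldap ssl ads = $ssl_ads (winbindd relies on Kerberos/NTLM signing)" ;;
    esac

    case "$strong" in
        yes|true|1)
            echo "ok:   ldap server require strong auth = $strong" ;;
        *)
            # Only meaningful on a Samba AD DC: lowering it re-admits
            # unsigned or plaintext LDAP binds that the default refuses.
            echo "WARN: ldap server require strong auth = $strong (DC accepts weak LDAP binds)"
            rc=1 ;;
    esac
    return $rc
}

# Demo on two constructed configurations (not taken from the original post).
demo() {
    tmp=$(mktemp -d)
    printf '[global]\nworkgroup = XYZ\nsecurity = ADS\nrealm = XYZ.DOMAIN.COM\n' \
        > "$tmp/member.conf"
    printf '[global]\nsecurity = ADS\nrealm = XYZ.DOMAIN.COM\nLDAP SSL ADS = Yes\nldap server require strong auth = no\n' \
        > "$tmp/risky.conf"
    for f in member.conf risky.conf; do
        echo "== $f"
        if check_smbconf "$tmp/$f"; then echo "   -> exit 0"; else echo "   -> exit $?"; fi
    done
    rm -rf "$tmp"
}

demo
```

Run it as "sh check-smbconf.sh"; for a real host point check_smbconf at
/etc/samba/smb.conf, remembering that the second parameter only matters on
a Samba AD DC, not on a winbindd member server like the one in the thread.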