[Samba] How to configure samba domain member to use LDAPS instead of LDAP

Andrea Cucciarre' acucciarre at cloudian.com
Mon Nov 9 13:48:02 UTC 2020


I have found the smb.conf options: ldap ssl and ldap ssl ads.
Moreover, it seems the Samba I'm using is not compiled with the SSL option:

/opt/samba/sbin/smbd -b | grep -i with
    WITH_UTMP
    HAVE_KRB5_ENCTYPE_TO_STRING_WITH_KRB5_CONTEXT_ARG
--with Options:
    WITH_ADS
    WITH_AUTOMOUNT
    WITH_DNS_UPDATES
    WITH_PAM
    WITH_PAM_MODULES
    WITH_PTHREADPOOL
    WITH_QUOTAS
    WITH_SYSLOG
    WITH_WINBIND
    TIME_WITH_SYS_TIME

Do you believe that using a Samba compiled with SSL will address it?

Regards

Andrea Cucciarre'
Global Technical Support Manager
Cloudian Inc.


On 11/9/2020 2:28 PM, Andrea Cucciarre' wrote:
> My customer complains that in the AD DC they see the following insecure 
> communication coming from the Samba server (DC member):
>
> "The following client performed a SASL 
> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing 
> (integrity verification), or performed a simple bind over a cleartext 
> (non-SSL/TLS-encrypted) LDAP connection."
>
> So Samba does an insecure LDAP bind and they are asking how to change 
> Samba so that it does it in a secure way.
> Any tuning or suggestion to achieve it?
>
> Thanks
> Andrea
>
>
> On 11/9/2020 1:03 PM, Rowland penny via samba wrote:
>> On 09/11/2020 11:45, Andrea Cucciarre' via samba wrote:
>>>
>>> Is there any documented procedure to configure a Samba domain member 
>>> (AD Windows domain) to use LDAPS instead of LDAP?
>> The only documentation I know of is here:
>>
>> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
>>
>> But it is meant for a DC.
>>
>> Are you talking about using LDAPS with LDAP searches? If so, then 
>> don't; use Kerberos instead, it is even more secure.
>>
>> Rowland
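The DC event quoted above objects to the member's SASL (Kerberos) LDAP bind being made without signing, which is the bind Rowland recommends keeping rather than switching to LDAPS. The following script is an added example, not from this thread or from the Samba project: it audits an smb.conf for the Samba parameter `client ldap sasl wrapping` (assumed here; it is a real option with the values plain/sign/seal, but the thread does not name it) and compares a constructed weak config with a hardened one.

```shell
# Added example (not from the thread): audit an smb.conf for the Samba parameter
# "client ldap sasl wrapping" (assumed here; real option, values plain/sign/seal,
# not named in the thread). The quoted DC event fires for SASL (Kerberos) binds
# made without signing; "sign" or "seal" makes the member request it.
# Print the effective "client ldap sasl wrapping" value from an smb.conf file.
# Samba ignores case and whitespace in parameter names, so normalise both.
# Prints "unset" if absent: the built-in default (version dependent) then
# applies; confirm on the host with: testparm -s -v | grep wrapping
ldap_sasl_wrapping() {
    awk '
        /^[ \t]*[;#]/ { next }                          # comment line
        /^[ \t]*\[/  { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        index($0, "=") == 0 { next }
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); key = tolower(key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (sect == "[global]" && key == "clientldapsaslwrapping") last = tolower(val)
        }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}
# Exit 0 when the file requests signing or sealing of the SASL bind, 1 otherwise.
ldap_bind_is_protected() {
    case "$(ldap_sasl_wrapping "$1")" in
        sign|seal) return 0 ;;
        *)         return 1 ;;
    esac
}
# Constructed sample configs: the weak member setting beside the hardened one.
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
[global]
   realm = EXAMPLE.COM
   security = ads
   # plain: Kerberos bind, but the LDAP session is neither signed nor sealed
   client ldap sasl wrapping = plain
EOF
cat > "$HARD" <<'EOF'
[global]
   realm = EXAMPLE.COM
   security = ads
   # seal: request signing and encryption of the SASL-wrapped LDAP traffic
   Client LDAP SASL Wrapping = seal
EOF
for f in "$WEAK" "$HARD"; do
    ldap_bind_is_protected "$f" && echo "$f: protected" || echo "$f: UNPROTECTED"
done
```

Run it against the member's real /etc/samba/smb.conf with `ldap_bind_is_protected /etc/samba/smb.conf`; an "unset" result means the version's built-in default decides, so check `testparm -s -v` there.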