[Samba] How to configure samba domain member to use LDAPS instead of LDAP
Andrea Cucciarre'
acucciarre at cloudian.com
Mon Nov 9 13:48:02 UTC 2020
I have found the smb.conf options: ldap ssl, ldap ssl ads.
Moreover, it seems the Samba I'm using is not compiled with the SSL option:
/opt/samba/sbin/smbd -b | grep -i with
WITH_UTMP
HAVE_KRB5_ENCTYPE_TO_STRING_WITH_KRB5_CONTEXT_ARG
--with Options:
WITH_ADS
WITH_AUTOMOUNT
WITH_DNS_UPDATES
WITH_PAM
WITH_PAM_MODULES
WITH_PTHREADPOOL
WITH_QUOTAS
WITH_SYSLOG
WITH_WINBIND
TIME_WITH_SYS_TIME
Do you believe that using a Samba compiled with SSL will address it?
Regards
Andrea Cucciarre'
Global Technical Support Manager
Cloudian Inc.
On 11/9/2020 2:28 PM, Andrea Cucciarre' wrote:
> My customer complains that in the AD DC they see the following insecure
> communication coming from the Samba server (DC member):
>
> "The following client performed a SASL
> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing
> (integrity verification), or performed a simple bind over a cleartext
> (non-SSL/TLS-encrypted) LDAP connection."
>
> So Samba does an insecure LDAP bind and they are asking how to change
> Samba so that it does it in a secure way.
> Any tuning or suggestion to achieve it?
>
> Thanks
> Andrea
>
>
> On 11/9/2020 1:03 PM, Rowland penny via samba wrote:
>> On 09/11/2020 11:45, Andrea Cucciarre' via samba wrote:
>>>
>>> Is there any documented procedure to configure a samba domain member
>>> (AD windows domain) to use LDAPS instead of LDAP?
>> The only documentation I know of is here:
>>
>> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
>>
>>
>> But it is meant for a DC.
>>
>> Are you talking about using ldaps with ldap searches? If so, then
>> don't, use Kerberos instead, it is even more secure.
>>
>> Rowland
>>
>>
>>
>
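The `smbd -b | grep -i with` check quoted above matches every line containing "with", which is why unrelated defines such as HAVE_KRB5_ENCTYPE_TO_STRING_WITH_KRB5_CONTEXT_ARG and TIME_WITH_SYS_TIME show up next to the real build options. The following script is an added example, not code from the thread or from the Samba project: it parses only the "--with Options:" section of the `smbd -b` output and reports whether a named option is listed there. The sample output embedded in it is constructed to mirror the shape of the output quoted above and is not real `smbd -b` output; the section names other than "--with Options:" and the module names in the last section are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): answer "is feature X
# listed under --with Options: in `smbd -b`?" by parsing that section only,
# instead of grepping every line for "with".

# samba_build_has_option OPTION [FILE...]
# Reads `smbd -b` output from FILE (or stdin when no file is given) and
# returns 0 if OPTION is listed under "--with Options:", 1 otherwise.
samba_build_has_option() {
    want=$1
    shift
    awk -v want="$want" '
        # A line ending in ":" opens a new section; remember whether it is
        # the "--with Options:" section we care about.
        /:$/ { in_with = ($0 ~ /^[[:space:]]*--with Options:$/); next }
        in_with {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "")   # strip indentation
            if ($0 == want) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$@"
}

# Constructed sample shaped like the output quoted in the thread. It is not
# real `smbd -b` output; section names other than "--with Options:" are
# assumptions made for this example.
SAMPLE_SMBD_B='Build environment:
   Built by:    builder
Build options:
#define HAVE_KRB5_ENCTYPE_TO_STRING_WITH_KRB5_CONTEXT_ARG 1
#define TIME_WITH_SYS_TIME 1
--with Options:
   WITH_ADS
   WITH_PAM
   WITH_WINBIND
Builtin modules:
   pdb_smbpasswd, pdb_tdbsam'

# Demo: the naive grep would also report the two #define lines above;
# the section parser reports only what the build was actually configured with.
for opt in WITH_ADS WITH_QUOTAS TIME_WITH_SYS_TIME; do
    if printf '%s\n' "$SAMPLE_SMBD_B" | samba_build_has_option "$opt"; then
        echo "$opt: listed under --with Options:"
    else
        echo "$opt: not a --with option in this build"
    fi
done
```

On a real host, run it against the live binary with `/opt/samba/sbin/smbd -b | samba_build_has_option WITH_ADS` (or pass a saved copy of the output as the file argument).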