[Samba] How to configure samba domain member to use LDAPS instead of LDAP
Rowland Penny
rpenny at samba.org
Mon Nov 9 14:13:01 UTC 2020
On 09/11/2020 13:28, Andrea Cucciarre' wrote:
> My customer complains that in the AD DC they see the following insecure
> communication coming from the Samba server (DC member):
>
> "The following client performed a SASL
> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing
> (integrity verification), or performed a simple bind over a cleartext
> (non-SSL/TLS-encrypted) LDAP connection."
>
> So Samba does an insecure LDAP bind and they are asking how to change
> Samba so that it does it in a secure way.
> Any tuning or suggestion to achieve it?
OK, I think you want to see something like this instead:

GSSAPI Connection will be cryptographically signed

Try adding 'server signing = mandatory' to the DC smb.conf (provided it
is a Samba DC, otherwise there is probably a registry key that does the
same).

Rowland