[Samba] How to configure samba domain member to use LDAPS instead of LDAP

Rowland penny rpenny at samba.org
Mon Nov 9 14:13:01 UTC 2020


On 09/11/2020 13:28, Andrea Cucciarre' wrote:
> My customer complains that in the AD DC they see the following insecure 
> communication coming from the Samba server (DC member):
>
> "The following client performed a SASL 
> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing 
> (integrity verification), or performed a simple bind over a cleartext 
> (non-SSL/TLS-encrypted) LDAP connection."
>
> So Samba does an insecure LDAP bind and they are asking how to change 
> Samba so that it does it in a secure way.
> Any tuning or suggestion to achieve it?

OK, I think you want to see something like this instead:

GSSAPI Connection will be cryptographically signed

Try adding 'server signing = mandatory' to the DC smb.conf (provided it 
is a Samba DC, otherwise there is probably a registry key that does the 
same).

Rowland
