[Samba] How to configure samba domain member to use LDAPS instead of LDAP

Andrea Cucciarre' acucciarre at cloudian.com
Mon Nov 9 14:31:34 UTC 2020


The DC is a Windows AD DC.
Could you please clarify why I should change the setting on the Windows DC 
instead of the Samba server, which is the one that does the insecure 
LDAP bind?

Regards
Andrea Cucciarre'


On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>> My customer complains that in the AD DC they see the following 
>> insecure communication coming from the Samba server (DC member):
>>
>> "The following client performed a SASL 
>> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing 
>> (integrity verification), or performed a simple bind over a cleartext 
>> (non-SSL/TLS-encrypted) LDAP connection."
>>
>> So Samba does an insecure LDAP bind and they are asking how to change 
>> Samba so that it does it in a secure way.
>> Any tuning or suggestion to achieve it?
>
> OK, I think you want to see something like this instead:
>
> GSSAPI Connection will be cryptographically signed
>
> Try adding 'server signing = mandatory' to the DC smb.conf (provided 
> it is a Samba DC, otherwise there is probably a registry key that does 
> the same).
>
> Rowland
>
>
>