[Samba] How to configure samba domain member to use LDAPS instead of LDAP
cn at brain-biotech.de
cn at brain-biotech.de
Mon Nov 9 14:42:41 UTC 2020
What version of Samba is this and do you have "server schannel = no" set
in its smb.conf?
Regards
Christian
Am 09.11.20 um 15:31 schrieb Andrea Cucciarre' via samba:
> The DC is a Windows AD DC.
> Could you please clarify why i should change setting in the Windows DC
> instead of the Samba server, which is the one that does the insecure
> ldap bind?
>
> Regards
> Andrea Cucciarre'
>
>
> On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
>> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>>> My customer complain that in the AD DC they see the following
>>> insecure communication coming from the Samba server (DC member):
>>>
>>> "The following client performed a SASL
>>> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing
>>> (integrity verification), or performed a simple bind over a cleartext
>>> (non-SSL/TLS-encrypted) LDAP connection."
>>>
>>> So Samba does an insecure LDAP bind and they are asking how to change
>>> Samba so that it does it in a secure way.
>>> Any tuning or suggestion to achieve it?
>>
>> OK, I think you want to see something like this instead:
>>
>> GSSAPI Connection will be cryptographically signed
>>
>> Try adding 'server signing = mandatory' to the DC smb.conf (provided
>> it is a Samba DC, otherwise there is probably a registry key that does
>> the same).
>>
>> Rowland
>>
>>
>>
>
>
--
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30 / fax +49-6251-9331-11
Subscribe to BRAIN's Newsletter:
http://www.brain-biotech.com/de/newsletter
Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Adriaan Moelker (Vorstandsvorsitzender),
Lukas Linnig
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
More information about the samba
mailing list