[Samba] How to configure samba domain member to use LDAPS instead of LDAP
rpenny at samba.org
Mon Nov 9 14:44:47 UTC 2020
On 09/11/2020 14:31, Andrea Cucciarre' wrote:
> The DC is a Windows AD DC.
> Could you please clarify why I should change the setting in the Windows DC
> instead of the Samba server, which is the one that does the insecure
> LDAP bind?
> Andrea Cucciarre'
> On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
>> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
>>> My customer complains that in the AD DC they see the following
>>> insecure communication coming from the Samba server (DC member):
>>> "The following client performed a SASL
>>> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting
>>> signing (integrity verification), or performed a simple bind over a
>>> cleartext (non-SSL/TLS-encrypted) LDAP connection."
>>> So Samba does an insecure LDAP bind and they are asking how to
>>> change Samba so that it does it in a secure way.
>>> Any tuning or suggestion to achieve it?
>> OK, I think you want to see something like this instead:
>> GSSAPI Connection will be cryptographically signed
>> Try adding 'server signing = mandatory' to the DC smb.conf (provided
>> it is a Samba DC, otherwise there is probably a registry key that
>> does the same).
One word 'Negotiation' 😁
The server tells the client it must 'sign' the connection.
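An added example, not part of this thread or of Rowland's reply: an smb.conf fragment for the Samba domain member side (the side the original poster asks about). It assumes a Samba 4 member server joined with winbind, and the workgroup, realm and the member's own settings are placeholders. The parameter it uses, client ldap sasl wrapping, is a real Samba smb.conf option that the thread itself does not mention; it controls whether winbind's GSSAPI LDAP connection to the DC is plain, signed, or signed and sealed, which is exactly the condition the Windows event quoted above reports on.

```ini
# Added example (not from the thread): smb.conf on the Samba domain MEMBER.
# Assumes a Samba 4 member server with winbind joined to a Windows AD DC;
# workgroup and realm are constructed placeholders.
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ADS

    # Weak setting: winbind's LDAP traffic to the DC is neither signed nor
    # encrypted, so the DC logs a SASL bind "without requesting signing".
    #client ldap sasl wrapping = plain

    # Hardened setting: require the GSSAPI-negotiated LDAP connection to be
    # both signed (integrity) and sealed (encrypted). "sign" would give
    # integrity only and also satisfies the DC's signing requirement.
    client ldap sasl wrapping = seal
```

After changing the member's smb.conf, restart winbind and watch the DC-side event (or, on a Samba DC, the log level = 3 ldap output) to confirm the bind is now reported as signed; the DC-side setting Rowland mentions is separate from this member-side parameter, and each side enforces its own requirement.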