[Samba] How to configure samba domain member to use LDAPS instead of LDAP
Andrew Walker
walker.aj325 at gmail.com
Mon Nov 9 14:46:08 UTC 2020
On Mon, Nov 9, 2020 at 9:43 AM cn--- via samba <samba at lists.samba.org>
wrote:
> What version of Samba is this and do you have "server schannel = no" set
> in its smb.conf?
>
>
> Regards
>
> Christian
>
> Am 09.11.20 um 15:31 schrieb Andrea Cucciarre' via samba:
> > The DC is a Windows AD DC.
> > Could you please clarify why i should change setting in the Windows DC
> > instead of the Samba server, which is the one that does the insecure
> > ldap bind?
> >
> > Regards
> > Andrea Cucciarre'
> >
> >
> > On 11/9/2020 3:13 PM, Rowland penny via samba wrote:
> >> On 09/11/2020 13:28, Andrea Cucciarre' wrote:
> >>> My customer complain that in the AD DC they see the following
> >>> insecure communication coming from the Samba server (DC member):
> >>>
> >>> "The following client performed a SASL
> >>> (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing
> >>> (integrity verification), or performed a simple bind over a cleartext
> >>> (non-SSL/TLS-encrypted) LDAP connection."
> >>>
> >>> So Samba does an insecure LDAP bind and they are asking how to change
> >>> Samba so that it does it in a secure way.
> >>> Any tuning or suggestion to achieve it?
> >>
> >> OK, I think you want to see something like this instead:
> >>
> >> GSSAPI Connection will be cryptographically signed
> >>
> >> Try adding 'server signing = mandatory' to the DC smb.conf (provided
> >> it is a Samba DC, otherwise there is probably a registry key that does
> >> the same).
> >>
> >> Rowland
> >>
> >>
> >>
> >
> >
>
> --
> Dr. Christian Naumer
> Unit Head Bioprocess Development
>
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
> fon +49-6251-9331-30 / fax +49-6251-9331-11
>
> Subscribe to BRAIN's Newsletter:
> http://www.brain-biotech.com/de/newsletter
>
> Sitz der Gesellschaft: Zwingenberg/Bergstrasse
> Registergericht AG Darmstadt, HRB 24758
> Vorstand: Adriaan Moelker (Vorstandsvorsitzender),
> Lukas Linnig
> Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
I think that we may need to see the smb.conf of the problem server.
More information about the samba
mailing list