[Samba] LDAPS & Windows Domain Controller

Andrew Bartlett abartlet at samba.org
Thu Oct 29 22:22:31 UTC 2020

On Thu, 2020-10-29 at 22:15 +0000, Zebrose, Cordell via samba wrote:
> I have a Samba file server attempting to join an Active Directory
> domain using "$net ads join". The Domain Controller is running
> Windows Server 2019. I'd like to force samba to use port 636 (LDAPS)
> when making the LDAP connection. I've tried several settings in the
> smb.conf file, but when I check the LDAP packets, samba is still
> using port 389. The join domain call is successful, it's just using
> the wrong port. I've tried:

Samba 4.13 recently removed this support. 

The issue is that while it was possible to use LDAPS in some
situations, it was not possible to reliably determine the hostname to
verify the TLS certificate, rendering the protection moot.

Furthermore, extensive work would have been required to fully implement
the 'channel bindings' required to tie the Kerberos authentication
Samba uses to the TLS channel.

Samba secures the LDAP connection it makes with Kerberos and ensures
(unless you unwisely configure otherwise) that the session is fully
encrypted.  Because of this our use of Kerberos encrypted LDAP is
actually more secure than LDAPS.

Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
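As an added illustration of the "unless you unwisely configure otherwise" point (this is example code written for this page, not part of the message above and not Samba's own code): a small audit of an smb.conf `[global]` section that flags the weak LDAP-transport settings a member server should not carry. It checks `client ldap sasl wrapping`, the real smb.conf parameter that controls whether the Kerberos/GSSAPI-protected LDAP session is sealed (encrypted), signed only, or left plain, and it flags `ldap ssl ads`, which I am assuming is the option Samba 4.13 dropped (the mail does not name it). The two smb.conf snippets are constructed samples; the weak one sits beside its hardened form.

```python
"""Audit smb.conf LDAP transport settings for an AD member server.

Constructed example, not Samba code. Reports:
  * 'client ldap sasl wrapping' set to 'plain' or 'sign' (Kerberos auth
    without encryption, or integrity only, on the LDAP session)
  * 'client ldap sasl wrapping' not set at all (effective default must be
    confirmed with `testparm -v`)
  * 'ldap ssl ads' present (assumption: the LDAPS option removed in 4.13)
"""
import configparser

# Constructed sample: weak settings a misconfigured member server might carry.
WEAK_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    ldap ssl ads = yes
    client ldap sasl wrapping = plain
"""

# Constructed sample: the hardened form, Kerberos-sealed LDAP and no LDAPS knob.
HARDENED_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    security = ads
    client ldap sasl wrapping = seal
"""


def parse_global(text):
    """Return the [global] section as a dict with lower-cased keys and values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if "global" not in cp:
        return {}
    return {k.strip().lower(): v.strip().lower() for k, v in cp["global"].items()}


def audit_ldap_transport(text):
    """Return a list of finding strings; an empty list means nothing to report."""
    g = parse_global(text)
    findings = []

    if g.get("security") != "ads":
        # The Kerberos-protected LDAP path only applies to AD member setups.
        findings.append("security is not 'ads'; LDAP transport checks do not apply")
        return findings

    if "ldap ssl ads" in g:
        findings.append(
            "'ldap ssl ads' is set: assumed removed in Samba 4.13 and ineffective; "
            "rely on Kerberos-sealed LDAP on port 389 instead"
        )

    wrapping = g.get("client ldap sasl wrapping")
    if wrapping is None:
        findings.append(
            "'client ldap sasl wrapping' not set explicitly; confirm the effective "
            "default with: testparm -v | grep 'client ldap sasl wrapping'"
        )
    elif wrapping == "plain":
        findings.append(
            "'client ldap sasl wrapping = plain': LDAP session is authenticated "
            "with Kerberos but neither signed nor encrypted; set it to 'seal'"
        )
    elif wrapping == "sign":
        findings.append(
            "'client ldap sasl wrapping = sign': integrity only, directory "
            "traffic is readable on the wire; set it to 'seal'"
        )
    elif wrapping != "seal":
        findings.append(f"unrecognised 'client ldap sasl wrapping' value: {wrapping!r}")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label} ==")
        for f in audit_ldap_transport(conf) or ["no findings"]:
            print(" -", f)
```

To run it against a live host, feed it the output of `testparm -s` (which prints the parsed configuration) rather than the raw file, so include-directives and defaults are resolved the same way smbd sees them.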
