[Samba] LDAPS & Windows Domain Controller

Zebrose, Cordell zebrose at amazon.com
Fri Oct 30 13:53:49 UTC 2020


> Samba 4.13 recently removed this support. 
> The issue is that while it was possible to use LDAPS in some situations, it was not possible to reliably determine the hostname to verify the TLS certificate, rendering the protection moot.
> Furthermore, extensive work would have been required to fully implement the 'channel bindings' required to tie the Kerberos authentication Samba uses to the TLS channel.
> Samba secures the LDAP connection it makes with Kerberos and ensures (unless you unwisely configure otherwise) that the session is fully encrypted.  Because of this our use of Kerberos encrypted LDAP is actually more secure than LDAPS.

Thanks for the quick response, and it's reassuring to hear that Kerberos is more secure than LDAPS. One question: when I was looking at the packets during a domain join, I noticed that the username and domain name appear to be sent in plain text during the Kerberos authentication. Is there any way to encrypt either of those as well? Or is that just part of the Kerberos authentication process?

~Cordell
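The observation above matches how RFC 4120 lays out an AS-REQ: the client principal (cname), realm and requested service (sname) live in the KDC-REQ-BODY, which is plain DER with no encryption, while only the pre-authentication value (PA-ENC-TIMESTAMP) is EncryptedData. The following is an added example, not code from the thread or from Samba, that builds a structurally faithful AS-REQ with constructed sample values (the principal `cordell`, realm `EXAMPLE.COM`, a zero-filled placeholder in place of real ciphertext) and then parses it the way a passive observer on the wire would, with no key material, to show exactly which fields are recoverable:

```python
# Added example (not from the thread or Samba): build a minimal Kerberos
# AS-REQ per RFC 4120 and show which fields are readable without any key.
# The principal, realm and service name sit in the unencrypted KDC-REQ-BODY;
# only the PA-ENC-TIMESTAMP pre-authentication payload is EncryptedData.

TAG_INTEGER = 0x02
TAG_BIT_STRING = 0x03
TAG_OCTET_STRING = 0x04
TAG_GENERALIZED_TIME = 0x18
TAG_GENERAL_STRING = 0x1B   # KerberosString
TAG_SEQUENCE = 0x30
TAG_APPLICATION_10 = 0x6A   # [APPLICATION 10] = AS-REQ


def der(tag, payload):
    """Wrap payload in a DER TLV with definite (short or long form) length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def ctx(n, payload):
    """Context-specific constructed tag [n], as RFC 4120 uses for every field."""
    return der(0xA0 | n, payload)


def der_int(v):
    return der(TAG_INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def kstring(s):
    return der(TAG_GENERAL_STRING, s.encode("ascii"))


def principal_name(name_type, *parts):
    names = der(TAG_SEQUENCE, b"".join(kstring(p) for p in parts))
    return der(TAG_SEQUENCE, ctx(0, der_int(name_type)) + ctx(1, names))


def build_as_req(cname, realm, nonce, enc_timestamp_ciphertext):
    """Constructed AS-REQ: realistic shape, sample values, no real cryptography."""
    kdc_options = der(TAG_BIT_STRING, b"\x00" + (0x40810010).to_bytes(4, "big"))
    req_body = der(TAG_SEQUENCE,
        ctx(0, kdc_options)
        + ctx(1, principal_name(1, cname))              # cname, NT-PRINCIPAL
        + ctx(2, kstring(realm))                         # realm
        + ctx(3, principal_name(2, "krbtgt", realm))    # sname, NT-SRV-INST
        + ctx(5, der(TAG_GENERALIZED_TIME, b"20370913024805Z"))  # till
        + ctx(7, der_int(nonce))
        + ctx(8, der(TAG_SEQUENCE, der_int(18) + der_int(17))))  # etype list
    # PA-ENC-TIMESTAMP carries EncryptedData {etype [0], cipher [2]}; the
    # ciphertext passed in is a constructed placeholder, not real AES output.
    enc_data = der(TAG_SEQUENCE, ctx(0, der_int(18))
                   + ctx(2, der(TAG_OCTET_STRING, enc_timestamp_ciphertext)))
    padata = der(TAG_SEQUENCE, ctx(1, der_int(2)) + ctx(2, der(TAG_OCTET_STRING, enc_data)))
    kdc_req = der(TAG_SEQUENCE,
        ctx(1, der_int(5))                   # pvno
        + ctx(2, der_int(10))                # msg-type: AS-REQ
        + ctx(3, der(TAG_SEQUENCE, padata))  # padata
        + ctx(4, req_body))                  # req-body
    return der(TAG_APPLICATION_10, kdc_req)


def read_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(payload):
    """Split a constructed payload into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(payload):
        tag, value, pos = read_tlv(payload, pos)
        out.append((tag, value))
    return out


def fields(seq_payload):
    """Map context tag number [n] -> (inner tag, inner payload) for a SEQUENCE body."""
    return {tag & 0x1F: children(value)[0] for tag, value in children(seq_payload)}


def principal_to_str(pn_payload):
    _, names_payload = fields(pn_payload)[1]
    return "/".join(v.decode("ascii") for _, v in children(names_payload))


def wire_visible_fields(as_req_bytes):
    """What a passive observer learns from an AS-REQ with no key material."""
    tag, kdc_req, _ = read_tlv(as_req_bytes)
    assert tag == TAG_APPLICATION_10
    top = fields(children(kdc_req)[0][1])
    body = fields(top[4][1])
    _, padata_seq = top[3]
    # Only the padata *type* is readable; its value is opaque EncryptedData.
    pa_types = [int.from_bytes(fields(pa)[1][1], "big", signed=True)
                for _, pa in children(padata_seq)]
    return {"cname": principal_to_str(body[1][1]),
            "realm": body[2][1].decode("ascii"),
            "sname": principal_to_str(body[3][1]),
            "padata_types": pa_types}


if __name__ == "__main__":
    msg = build_as_req("cordell", "EXAMPLE.COM", 0x1234567, b"\x00" * 16)
    print(wire_visible_fields(msg))
```

Running the block parses the constructed message back into `cname`, `realm` and `sname` purely from the DER layout, which is why the names are visible in a capture: the body is not encrypted by design, and the integrity of the exchange rests on the KDC-issued, key-encrypted parts rather than on hiding the principal.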

