[Samba] LDAPS & Windows Domain Controller

Andrew Bartlett abartlet at samba.org
Fri Oct 30 18:56:46 UTC 2020 

On Fri, 2020-10-30 at 13:53 +0000, Zebrose, Cordell via samba wrote:
> > Samba 4.13 recently removed this support. 
> > The issue is that while it was possible to use LDAPS in some
> > situations, it was not possible to reliably determine the hostname
> > to verify the TLS certificate, rendering the protection moot.
> > Furthermore, extensive work would have been required to fully
> > implement the 'channel bindings' required to tie the Kerberos
> > authentication Samba uses to the TLS channel.
> > Samba secures the LDAP connection it makes with Kerberos and
> > ensures (unless you unwisely configure otherwise) that the session
> > is fully encrypted.  Because of this our use of Kerberos encrypted
> > LDAP is actually more secure than LDAPS.
> 
> Thanks for the quick response and it's reassuring to hear that
> Kerberos is more secure than LDAPS. One question, when I was looking
> at the packets during a join domain, I noticed that the username and
> domain name appear to be sent in plain text during the Kerberos
> authentication. Is there any way to encrypt either of those as well?
> Or is that just part of the Kerberos authentication process?

Not currently, and certainly not for the domain join.

Once joined, for subsequent user authentication we would like to
improve that.  Samba could and should in the future use FAST, a secure
tunnel for Kerberos (compound authentication) where user authentication
from the Samba server (think pam_winbind etc) is wrapped by the machine
account, but the machine account will always be cleartext in the AS-
REQ.

Again, none of this really matters if you are not starting user
authentication on the newly joined host (as opposed to accepting
tickets), but to complete the story:

Currently a big main blocker to adding FAST to Winbindd (and so
pam_winbind) is the Samba's AD DC doesn't support that, which in turn
means we can't test it.  Many of us would love to get our internal
Heimdal upgraded (and once that is done I have patches for the server
side), but it is a big task.

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba

More information about the samba mailing list