[Samba] LDAPS & Windows Domain Controller

Andrew Bartlett abartlet at samba.org
Fri Oct 30 19:14:24 UTC 2020 

On Fri, 2020-10-30 at 14:10 -0500, Rob Townley wrote:
> So is that a bind type not mentioned in the chart he referenced for
> ldp.exe?

Kerberos authentication is mentioned as:

> Understanding bind options for LDAP authentication
> There are several authentication methods available in ldp that allow
> a client to bind to an LDAP server. The best method depends on
> several factors.
> 

> Use GSSAPI Negotiate package to negotiate security package of either
> Kerberos V5 or NTLM (or any other package the client and server
> negotiate). Pass in NULL credentials to specify default logged-in
> user. If Negotiate package is not installed on server or client, this
> will fall back to Sicily negotiation.

This is what we use in Samba, Kerberos with a fallback to NTLMv2.

Andrew Bartlett

> On Fri, Oct 30, 2020 at 1:57 PM Andrew Bartlett via samba <
> samba at lists.samba.org> wrote:
> > On Fri, 2020-10-30 at 13:53 +0000, Zebrose, Cordell via samba
> > wrote:
> > > > Samba 4.13 recently removed this support. 
> > > > The issue is that while it was possible to use LDAPS in some
> > > > situations, it was not possible to reliably determine the
> > hostname
> > > > to verify the TLS certificate, rendering the protection moot.
> > > > Furthermore, extensive work would have been required to fully
> > > > implement the 'channel bindings' required to tie the Kerberos
> > > > authentication Samba uses to the TLS channel.
> > > > Samba secures the LDAP connection it makes with Kerberos and
> > > > ensures (unless you unwisely configure otherwise) that the
> > session
> > > > is fully encrypted.  Because of this our use of Kerberos
> > encrypted
> > > > LDAP is actually more secure than LDAPS.
> > > 
> > > Thanks for the quick response and it's reassuring to hear that
> > > Kerberos is more secure than LDAPS. One question, when I was
> > looking
> > > at the packets during a join domain, I noticed that the username
> > and
> > > domain name appear to be sent in plain text during the Kerberos
> > > authentication. Is there any way to encrypt either of those as
> > well?
> > > Or is that just part of the Kerberos authentication process?
> > 
> > Not currently, and certainly not for the domain join.
> > 
> > Once joined, for subsequent user authentication we would like to
> > improve that.  Samba could and should in the future use FAST, a
> > secure
> > tunnel for Kerberos (compound authentication) where user
> > authentication
> > from the Samba server (think pam_winbind etc) is wrapped by the
> > machine
> > account, but the machine account will always be cleartext in the
> > AS-
> > REQ.
> > 
> > Again, none of this really matters if you are not starting user
> > authentication on the newly joined host (as opposed to accepting
> > tickets), but to complete the story:
> > 
> > Currently a big main blocker to adding FAST to Winbindd (and so
> > pam_winbind) is the Samba's AD DC doesn't support that, which in
> > turn
> > means we can't test it.  Many of us would love to get our internal
> > Heimdal upgraded (and once that is done I have patches for the
> > server
> > side), but it is a big task.
> > 
> > I hope this helps,
> > 
> > Andrew Bartlett
> > -- 
> > Andrew Bartlett                       https://samba.org/~abartlet/
> > Authentication Developer, Samba Team  https://samba.org
> > Samba Developer, Catalyst IT          
> > https://catalyst.net.nz/services/samba
> > 
> > 
> > 
> > 
-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
https://catalyst.net.nz/services/samba

More information about the samba mailing list