[Samba] LDAPS & Windows Domain Controller
Rob Townley
rob.townley at gmail.com
Fri Oct 30 19:17:51 UTC 2020
Thanks Andrew, that will help for security reviews.
On Fri, Oct 30, 2020 at 2:14 PM Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Fri, 2020-10-30 at 14:10 -0500, Rob Townley wrote:
> > So is that a bind type not mentioned in the chart he referenced for
> > ldp.exe?
>
> Kerberos authentication is mentioned as:
>
> > Understanding bind options for LDAP authentication
> > There are several authentication methods available in ldp that allow
> > a client to bind to an LDAP server. The best method depends on
> > several factors.
> >
>
> > Use GSSAPI Negotiate package to negotiate security package of either
> > Kerberos V5 or NTLM (or any other package the client and server
> > negotiate). Pass in NULL credentials to specify default logged-in
> > user. If Negotiate package is not installed on server or client, this
> > will fall back to Sicily negotiation.
>
> This is what we use in Samba, Kerberos with a fallback to NTLMv2.
>
> Andrew Bartlett
>
> > On Fri, Oct 30, 2020 at 1:57 PM Andrew Bartlett via samba <
> > samba at lists.samba.org> wrote:
> > > On Fri, 2020-10-30 at 13:53 +0000, Zebrose, Cordell via samba
> > > wrote:
> > > > > Samba 4.13 recently removed this support.
> > > > > The issue is that while it was possible to use LDAPS in some
> > > > > situations, it was not possible to reliably determine the
> > > hostname
> > > > > to verify the TLS certificate, rendering the protection moot.
> > > > > Furthermore, extensive work would have been required to fully
> > > > > implement the 'channel bindings' required to tie the Kerberos
> > > > > authentication Samba uses to the TLS channel.
> > > > > Samba secures the LDAP connection it makes with Kerberos and
> > > > > ensures (unless you unwisely configure otherwise) that the
> > > session
> > > > > is fully encrypted. Because of this our use of Kerberos
> > > encrypted
> > > > > LDAP is actually more secure than LDAPS.
> > > >
> > > > Thanks for the quick response and it's reassuring to hear that
> > > > Kerberos is more secure than LDAPS. One question, when I was
> > > looking
> > > > at the packets during a join domain, I noticed that the username
> > > and
> > > > domain name appear to be sent in plain text during the Kerberos
> > > > authentication. Is there any way to encrypt either of those as
> > > well?
> > > > Or is that just part of the Kerberos authentication process?
> > >
> > > Not currently, and certainly not for the domain join.
> > >
> > > Once joined, for subsequent user authentication we would like to
> > > improve that. Samba could and should in the future use FAST, a
> > > secure
> > > tunnel for Kerberos (compound authentication) where user
> > > authentication
> > > from the Samba server (think pam_winbind etc) is wrapped by the
> > > machine
> > > account, but the machine account will always be cleartext in the
> > > AS-
> > > REQ.
> > >
> > > Again, none of this really matters if you are not starting user
> > > authentication on the newly joined host (as opposed to accepting
> > > tickets), but to complete the story:
> > >
> > > Currently a big main blocker to adding FAST to Winbindd (and so
> > > pam_winbind) is the Samba's AD DC doesn't support that, which in
> > > turn
> > > means we can't test it. Many of us would love to get our internal
> > > Heimdal upgraded (and once that is done I have patches for the
> > > server
> > > side), but it is a big task.
> > >
> > > I hope this helps,
> > >
> > > Andrew Bartlett
> > > --
> > > Andrew Bartlett https://samba.org/~abartlet/
> > > Authentication Developer, Samba Team https://samba.org
> > > Samba Developer, Catalyst IT
> > > https://catalyst.net.nz/services/samba
> > >
> > >
> > >
> > >
> --
> Andrew Bartlett https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Developer, Catalyst IT
> https://catalyst.net.nz/services/samba
>
>
>
>
More information about the samba
mailing list