[Samba] questions about ports

Marcos Ariel Negrini mnegrini at afip.gob.ar
Thu Nov 25 20:02:01 UTC 2021

We are running vulnerability analysis on samba4 AD and I have several 

1- The LDAP port (389) is obviously not encrypted. I was looking for 
information about the possibility of disabling it on the internal 
network (the workstation network), but I read on several sites that this 
is not suitable. Can I force all the LDAP communication against the 
servers to be LDAPS?

2- The LDAPS (636) port by default supports deprecated TLS versions 
(TLSv1.0 and TLSv1.1), my samba AD version is 4.13.7. I am looking in 
the Samba documentation and I did not find how to disable a specific TLS 
version. Is it possible to disable a specific TLS version?

3- The Global Catalog port (3268), can I disable it? Are there 
communications that cannot be encrypted by the 3269 and I must leave 
the 3268 port enabled?

4- Same query as in point 2, but with the Global Catalog SSL port 
(3269), I suppose that if there is a configuration to define the TLS 
versions it will affect both ports.

Marcos Ariel Negrini
