[Samba] questions about ports
Marcos Ariel Negrini
mnegrini at afip.gob.ar
Thu Nov 25 20:02:01 UTC 2021
Hello:
We are running vulnerability analysis on samba4 AD and I have several
doubts:
1- The LDAP port (389) is obviously not encrypted. I was looking for
information about the possibility of disabling it on the internal
network (the workstation network), but I read on several sites that this
is not suitable. Can I force all the LDAP communication against the
servers to be LDAPS?
2- The LDAPS (636) port by default supports deprecated TLS versions
(TLSv1.0 and TLSv1.1); my Samba AD version is 4.13.7. I am looking in
the Samba documentation and I did not find how to disable a specific TLS
version. Is it possible to disable a specific TLS version?
3- The Global Catalog port (3268): can I disable it? Are there
communications that cannot be encrypted by 3269, so that I must leave
the 3268 port enabled?
4- Same query as in point 2, but with the Global Catalog SSL port
(3269), I suppose that if there is a configuration to define the TLS
versions it will affect both ports.
Regards
Marcos Ariel Negrini