[Samba] questions about ports

Andrew Bartlett abartlet at samba.org
Fri Nov 26 04:09:47 UTC 2021

On Thu, 2021-11-25 at 17:02 -0300, Marcos Ariel Negrini via samba
> 1- The LDAP port (389) is obviously not encrypted, I was looking for
> information about the possibility of disabling it on the internal
> network (the workstation network), but I read on several sites that this
> is not suitable. Can I force all the LDAP communication against the
> servers to be LDAPS?

You don't want that.  LDAPS is actually less secure, you want LDAP
(389) with SASL/GSSAPI/Kerberos encryption. 

Blocking 389 will break everything.  LDAPS is only helpful for the
simple bind case, where that is better than plaintext.

See 'ldap server require strong auth' for some details, but in short
because Samba doesn't implement the channel bindings for LDAPS, and
unless all clients send them, NTLM/Kerberos over LDAPS is vulnerable to
relay attacks. 

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
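As an added illustration (not code from the thread or from the Samba project), a small Python check that parses an smb.conf and reports whether 'ldap server require strong auth' is at the setting the reply above recommends. It assumes the three values documented in smb.conf(5) for that parameter and uses constructed sample configurations.

```python
"""Audit the [global] section of an smb.conf for the LDAP auth hardening
discussed in the thread. Added example; not Samba project code."""
import re

# Accepted values per smb.conf(5); "yes" is Samba's default when unset.
# Any other value is reported for manual review rather than guessed at.
STRONG_AUTH_VALUES = {
    "no": "simple binds and unsigned SASL accepted on plain 389 (weakest)",
    "allow_sasl_over_tls": "simple bind needs TLS; SASL over LDAPS is still "
                           "relayable because no channel bindings are checked",
    "yes": "only SASL with signing/sealing (GSSAPI) or TLS-wrapped binds",
}

def parse_global(text):
    """Return {normalised key: value} for the [global] section only.
    Samba ignores case and whitespace inside parameter names, so keys are
    lower-cased with all whitespace removed (e.g. 'ldapserverrequirestrongauth')."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # whole-line comments only
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[re.sub(r"\s+", "", key.lower())] = value.strip()
    return settings

def audit_ldap_auth(text):
    """Evaluate 'ldap server require strong auth' against the thread's advice."""
    value = parse_global(text).get("ldapserverrequirestrongauth", "yes").lower()
    if value not in STRONG_AUTH_VALUES:
        return {"value": value, "ok": False, "note": "value unknown to this checker; see smb.conf(5)"}
    return {"value": value, "ok": value == "yes", "note": STRONG_AUTH_VALUES[value]}

# Constructed sample configurations (not real deployments).
SAMPLE_WEAK = "[global]\n  realm = EXAMPLE.LAN\n  ldap server require strong auth = no\n[sysvol]\n"
SAMPLE_OK = "[global]\n  realm = EXAMPLE.LAN\n  # default kept\n[netlogon]\n"

if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK)):
        print(name, audit_ldap_auth(conf))
```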
