[Samba] questions about ports

Marcos Ariel Negrini mnegrini at afip.gob.ar
Fri Nov 26 12:14:40 UTC 2021


Hi... thanks Andrew, I will read about SASL/GSSAPI/Kerberos.
Regarding question 2, is it possible to disable deprecated versions of TLS?
Regards

On 26/11/21 at 01:09, Andrew Bartlett wrote:
> On Thu, 2021-11-25 at 17:02 -0300, Marcos Ariel Negrini via samba
> wrote:
>> 1- The LDAP port(389) is obviously not encrypted, I was looking for
>> information about the possibility of disabling it on the internal
>> network(the workstation network), but I read on several sites that
>> this is not suitable. Can I force all the LDAP communication against the
>> servers to be LDAPS?
> You don't want that.  LDAPS is actually less secure, you want LDAP
> (389) with SASL/GSSAPI/Kerberos encryption.
>
> Blocking 389 will break everything.  LDAPS is only helpful for the
> simple bind case, where that is better than plaintext.
>
> See 'ldap server require strong auth' for some details, but in short
> because Samba doesn't implement the channel bindings for LDAPS, and
> unless all clients send them, NTLM/Kerberos over LDAPS is vulnerable to
> relay attacks.
>
> Andrew Bartlett
>
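As an added illustration of the setting Andrew points to (an example smb.conf fragment written for this page, not taken from the thread or from the Samba project's own documentation): the weak and the hardened value of `ldap server require strong auth` in the [global] section of a Samba AD DC. The `tls priority` line addresses the deprecated-TLS question from the reply; that parameter is Samba's GnuTLS priority string for LDAPS and is not named anywhere in the thread, so its use here is an assumption to check against smb.conf(5) for the version in use.

```ini
; Added example smb.conf fragment (not from the thread); assumes a Samba AD DC.
[global]
    ; Weak: permits simple (plaintext) binds on 389 and SASL binds that
    ; negotiate no signing or sealing, which is what the relay concern is about.
    ;ldap server require strong auth = no

    ; Hardened: simple binds are refused unless protected by TLS, and SASL
    ; binds must negotiate integrity or privacy. Kerberos/GSSAPI binds that
    ; sign/seal keep working on plain port 389, so clients need not move to 636.
    ldap server require strong auth = yes

    ; LDAPS (636) settings. The priority string is GnuTLS syntax; Samba's
    ; default only removes SSL 3.0, this one also drops TLS 1.0 and 1.1.
    ; Assumed here as the knob for deprecated TLS versions; verify in smb.conf(5).
    tls enabled = yes
    tls priority = NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
```

Run `testparm` after editing to confirm Samba parses the file; with the hardened value a `-x` simple bind over plain 389 is expected to be rejected while a `-Y GSSAPI` bind from a Kerberos-authenticated client succeeds, which is a quick way to confirm the intended behaviour before rolling it out to the workstation network.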


