[Samba] questions about ports

Kees van Vloten keesvanvloten at gmail.com
Fri Nov 26 13:36:59 UTC 2021


On 26-11-2021 13:14, Marcos Ariel Negrini via samba wrote:
> Hi... thanks Andrew, I will read about SASL/GSSAPI/Kerberos.
> Regarding question 2, is it possible to disable deprecated versions of 
> TLS?
> Regards

Something like this?

tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3

>
> On 26/11/21 at 01:09, Andrew Bartlett wrote:
>> On Thu, 2021-11-25 at 17:02 -0300, Marcos Ariel Negrini via samba
>> wrote:
>>> 1- The LDAP port(389) is obviously not encrypted, I was looking for
>>> information about the possibility of disabling it on the internal
>>> network(the workstation network), but I read on several sites that
>>> this is not suitable. Can I force all the LDAP communication against the
>>> servers to be LDAPS?
>> You don't want that.  LDAPS is actually less secure, you want LDAP
>> (389) with SASL/GSSAPI/Kerberos encryption.
>>
>> Blocking 389 will break everything.  LDAPS is only helpful for the
>> simple bind case, where that is better than plaintext.
>>
>> See 'ldap server require strong auth' for some details, but in short
>> because Samba doesn't implement the channel bindings for LDAPS, and
>> unless all clients send them, NTLM/Kerberos over LDAPS is vulnerable to
>> relay attacks.
>>
>> Andrew Bartlett
>>
>

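The setting Kees quotes is a GnuTLS priority string, which is what Samba's 'tls priority' parameter takes. What follows is an added example for this thread, not code from Samba or GnuTLS: a small Python model that reads 'tls priority' out of an smb.conf and reports which protocol versions the string leaves enabled, so the effect of '-VERS-ALL' followed by '+VERS-TLS1.2:+VERS-TLS1.3' can be checked before reloading Samba. The smb.conf fragments are constructed; the model only evaluates VERS-* keywords (cipher, MAC and %-option keywords are accepted but ignored) and assumes that every base keyword except NONE starts from TLS 1.0 through 1.3.

```python
"""Which TLS versions does a Samba 'tls priority' string leave enabled?

Added example for this thread, not code from Samba or GnuTLS. It is a
simplified model of GnuTLS priority-string evaluation that only tracks the
VERS-* (protocol version) keywords; cipher, MAC, key-exchange and %-option
keywords are accepted but ignored. Assumptions are marked as such.
"""
import re
from typing import List, Tuple

# Order in which versions are reported. SSL3.0 is kept so that an explicit
# "+VERS-SSL3.0" shows up in the result.
KNOWN_VERSIONS = ("SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3")
DEPRECATED = {"SSL3.0", "TLS1.0", "TLS1.1"}   # TLS 1.0/1.1 deprecated by RFC 8996

# Assumption: every base keyword other than NONE starts from TLS 1.0-1.3
# (modern GnuTLS does not enable SSL 3.0 in NORMAL/SECURE*); NONE starts empty.
BASE_KEYWORDS = {"NONE", "NORMAL", "SECURE128", "SECURE192", "SECURE256",
                 "PERFORMANCE", "LEGACY", "PFS", "SUITEB128", "SUITEB192"}
VERSION_GROUPS = {"VERS-ALL": KNOWN_VERSIONS[1:], "VERS-TLS-ALL": KNOWN_VERSIONS[1:]}

# Samba's documented default for 'tls priority' (man smb.conf).
SAMBA_DEFAULT_PRIORITY = "NORMAL:-VERS-SSL3.0"


def enabled_versions(priority: str) -> List[str]:
    """Return the TLS versions left enabled by a GnuTLS priority string."""
    tokens = [t.strip() for t in priority.strip().split(":")]
    base = tokens[0].upper()
    if base not in BASE_KEYWORDS:
        raise ValueError(f"unknown base keyword: {tokens[0]!r}")
    enabled = set() if base == "NONE" else set(KNOWN_VERSIONS[1:])
    for tok in tokens[1:]:
        if not tok or tok[0] in "%@":        # %OPTION / @config reference: no version effect
            continue
        op, name = tok[0], tok[1:].upper()
        if op not in "+-!":
            raise ValueError(f"modifier must start with +, - or !: {tok!r}")
        if not name.startswith("VERS-"):     # cipher/MAC/KX keyword: not modelled
            continue
        versions = VERSION_GROUPS.get(name, (name[len("VERS-"):],))
        for v in versions:
            if v not in KNOWN_VERSIONS:
                raise ValueError(f"unknown protocol version keyword: {tok!r}")
        if op == "+":
            enabled.update(versions)
        else:                                # "-" and "!" both remove
            enabled.difference_update(versions)
    return [v for v in KNOWN_VERSIONS if v in enabled]


def deprecated_versions(priority: str) -> List[str]:
    """Deprecated versions that the priority string still allows."""
    return [v for v in enabled_versions(priority) if v in DEPRECATED]


def tls_priority_from_smb_conf(text: str) -> str:
    """Extract 'tls priority' from smb.conf text; fall back to Samba's default."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":     # comments and [section] headers
            continue
        key, sep, value = line.partition("=")
        # Samba matches parameter names case- and whitespace-insensitively.
        if sep and re.sub(r"\s+", "", key).lower() == "tlspriority":
            return value.strip()
    return SAMBA_DEFAULT_PRIORITY


def audit_smb_conf(text: str) -> Tuple[str, List[str], List[str]]:
    """(effective priority string, enabled versions, deprecated-but-enabled)."""
    priority = tls_priority_from_smb_conf(text)
    return priority, enabled_versions(priority), deprecated_versions(priority)


# Constructed sample smb.conf fragments for this example.
HARDENED_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INTERNAL
    server role = active directory domain controller
    tls enabled = yes
    tls priority = NONE:+SECURE256:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
"""
DEFAULT_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.INTERNAL
    server role = active directory domain controller
    # no 'tls priority' line: Samba's default applies
"""

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_SMB_CONF), ("default", DEFAULT_SMB_CONF)):
        prio, enabled, deprecated = audit_smb_conf(conf)
        print(f"{label}: tls priority = {prio}")
        print(f"  enabled:    {', '.join(enabled)}")
        print(f"  deprecated: {', '.join(deprecated) or 'none'}")
```

Run against the hardened fragment it reports only TLS1.2 and TLS1.3; against a config with no 'tls priority' line it reports the default, which still admits TLS 1.0 and 1.1. The model only says what the string asks for; the GnuTLS build Samba is linked against, and the certificate and cipher configuration, still decide what a connection actually negotiates, so confirm with a real handshake against the server once the setting is in place.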