[Samba] Forcibly disabling connection attempts to port 389?

Rowland Penny rpenny at samba.org
Mon Jan 10 09:58:39 UTC 2022


On Mon, 2022-01-10 at 10:24 +0100, Peter Eriksson via samba wrote:
> We recently discovered an annoying problem where it seems that Samba
> often first attempts to connect to LDAP port 389 before switching to
> port 636 (SSL-LDAP) when talking to AD servers.

1) that is the way AD works
2) do not use ldaps, use kerberos instead, it is a lot more secure.

>  This is normally not a big issue since the AD server has the port
> blocked/disabled.

I suggest you unblock it, you need it.

>  However we currently have an issue with a FortiGate firewall that
> for some unknown reason decided to start running a “SYN-proxy” on
> that port for one of the AD servers…
> 
> This has the effect of causing clients that try to connect to port
> 389/tcp on that AD server to “see” an accepted TCP session until it
> times out a number of seconds/minutes later instead of a quick
> reject. This causes Samba to regularly take a long time to accept
> user authentications if it happens to choose to bind to that server.

See, I said you need it.

> 
> For the moment I've “fixed” that by adding machine-local firewall
> rules that block outgoing TCP connection attempts to that specific AD
> server, but I was wondering if there perhaps could be some better way
> to solve this - like having some option in Samba to forcibly stop
> attempting to connect to port 389 and just use 636 (ssl-ldap)? Or
> switch it so it first attempts 636 and then if that fails falls back
> to 636?

That isn't how AD works, it starts with '389' and escalates from there.

Rowland





More information about the samba mailing list