[Samba] Forcibly disabling connection attempts to port 389?
abartlet at samba.org
Mon Jan 24 23:01:20 UTC 2022
On Mon, 2022-01-10 at 09:58 +0000, Rowland Penny via samba wrote:
> On Mon, 2022-01-10 at 10:24 +0100, Peter Eriksson via samba wrote:
> > We recently discovered an annoying problem where it seems that Samba
> > often first attempts to connect to LDAP port 389 before switching to
> > port 636 (SSL-LDAP) when talking to AD servers.
> 1) that is the way AD works
> 2) do not use ldaps, use kerberos instead, it is a lot more secure.
> > This is normally not a big issue since the AD server has the port
> > blocked/disabled.
> I suggest you unblock it, you need it.
Samba has been actively removing code to connect over LDAP+SSL (636) as
absent channel binding it is a security problem. We never got TLS
channel binding working to our satisfaction and TLS certificate
validation is poor within internal networks (often not done at all).
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
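The thread's advice is to stop relying on TLS on port 636 and instead let the port 389 connection be protected by Kerberos (SASL/GSSAPI signing and sealing). The following is an added example, not code from Samba or from anyone in this thread: a small audit that reads an smb.conf and reports whether the LDAP transport to AD is Kerberos-sealed. The parameter name `client ldap sasl wrapping` (values plain, sign, seal) is the one documented in smb.conf(5); the `ldap ssl` line in the constructed weak config stands in for "TLS is carrying the protection", and how that parameter applies to AD connections depends on the Samba version, so treat it as an assumption. Both config texts are constructed for the example.

```python
"""Audit an smb.conf for how Samba will protect its LDAP traffic to AD.

Added example, not Samba project code. Assumptions:
  - 'client ldap sasl wrapping' is the smb.conf(5) knob for SASL
    sign/seal on the port 389 connection (values: plain, sign, seal).
  - 'ldap ssl' stands in for "the admin is relying on TLS"; its exact
    effect on AD connections varies by Samba version.
The two smb.conf texts below are constructed sample input.
"""

# Constructed: a member server that leaves the SASL wrapping at 'plain'
# and expects TLS to protect the LDAP session.
WEAK_SMBCONF = """
[global]
	workgroup = EXAMPLE
	realm = EXAMPLE.ORG
	security = ads
	ldap ssl = start tls
	client ldap sasl wrapping = plain
"""

# Constructed: the same server configured as the thread recommends:
# Kerberos (GSSAPI) signing and sealing on port 389, no reliance on TLS.
HARDENED_SMBCONF = """
[global]
	workgroup = EXAMPLE
	realm = EXAMPLE.ORG
	security = ads
	client ldap sasl wrapping = seal
"""


def parse_global(text):
    """Return the [global] section as a dict of normalised key -> value.

    smb.conf is ini-like: '[section]' headers, 'key = value' lines,
    '#' or ';' comments, and keys whose internal whitespace is not
    significant ('client ldap  sasl wrapping' == 'client ldap sasl wrapping').
    """
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts[" ".join(key.split()).lower()] = value.strip().lower()
    return opts


def audit_ldap_transport(text):
    """Return a list of findings; an empty list means the config is as advised."""
    g = parse_global(text)
    findings = []
    wrapping = g.get("client ldap sasl wrapping")
    ldap_ssl = g.get("ldap ssl")

    if wrapping is None:
        # The compiled-in default has changed between Samba releases, so an
        # explicit setting is the only portable way to know what you get.
        findings.append(
            "client ldap sasl wrapping is not set; the default depends on the "
            "Samba version, set it to 'seal' explicitly"
        )
    elif wrapping != "seal":
        findings.append(
            f"client ldap sasl wrapping = {wrapping}: LDAP traffic to AD is not "
            "Kerberos-sealed; set it to 'seal'"
        )

    # TLS is only a problem when it is doing the job sealing should do.
    if ldap_ssl not in (None, "off", "no") and wrapping != "seal":
        findings.append(
            f"ldap ssl = {ldap_ssl} is carrying the protection instead of SASL "
            "sealing; TLS without channel binding and certificate validation "
            "is not a substitute for Kerberos sign/seal"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMBCONF), ("hardened", HARDENED_SMBCONF)):
        print(f"{name}: {audit_ldap_transport(conf) or ['ok']}")
```

Run it against a real /etc/samba/smb.conf by reading the file into `audit_ldap_transport`; the rule to keep is the first one, since Kerberos sealing on port 389 is what makes the TLS question moot.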