[Samba] Forcibly disabling connection attempts to port 389?
Peter Eriksson
pen at lysator.liu.se
Tue Jan 25 10:36:52 UTC 2022
Yeah, I can see that. Btw the problem has been solved here now - it required a reboot of the firewall cluster in question since the hardware packet accelerators in one of them had suffered a condition Fortigate calls “Session Drift” (where it apparently forgets to clean up/remove running “syn-proxy” stuff, looking at the statistics on the problematic accelerator there where a million or so “drifted” sessions) - the official workaround is to reboot…
https://docs.fortinet.com/document/fortigate/6.0.0/hardware-acceleration/184147/np6-session-drift
Anyway, I could see a use for some way to blacklist certain AD controllers if they are slow to respond.
I “solved" it (until we could reboot the firewalls) manually by configuring the local (on the server) firewall to stop Samba from reaching the problematic AD server - which works but requires manual intervention. Which reminds me that I probably should remove that backlisting by now… :-)
- Peter
> On 25 Jan 2022, at 00:01, Andrew Bartlett via samba <samba at lists.samba.org> wrote:
>
> On Mon, 2022-01-10 at 09:58 +0000, Rowland Penny via samba wrote:
>> On Mon, 2022-01-10 at 10:24 +0100, Peter Eriksson via samba wrote:
>>
>>> We recently discovered an annoying problem where it seems that
>>> Samba
>>> often first attempts to connect to LDAP port 389 before switching
>>> to
>>> port 636 (SSL-LDAP) when talking to AD servers.
>>
>>
>> 1) that is the way AD works
>>
>> 2) do not use ldaps, use kerberos instead, it is a lot more secure.
>>
>>
>>
>>> This is normally not a big issue since the AD server has the port
>>> blocked/disabled.
>>
>>
>> I suggest you unblock it, you need it.
>
> Samba has been actively removing code to connect over LDAP+SSL (636) as
> absent channel binding it is a security problem. We never got TLS
> channel binding working to our satisfaction and TLS certificate
> validation is poor within internal networks (often not done at all).
>
> Andrew Bartlett
>
> --
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
>
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list