[Samba] GPO on a DC

Rowland Penny rpenny at samba.org
Fri Jun 24 17:40:51 UTC 2022

On Fri, 2022-06-24 at 17:00 +0000, samba-ml-en wrote:
> They talk about AD talk (DC to DC) (where as I mentioned - there is
> some reading too on the web on the topic) anyway AD needs LDAP to
> work and such traffic will always use LDAP (replication etc...).
> LDAPS' use in my project would be for an application where you would
> want traffic encrypted because no other means to protect the traffic
> in transit is available. Anyway, I gather that when you set
> tls enabled=yes samba (or samba-gpupdate) tries to use LDAPS (connect
> to LDAP and server redirect to LDAPS) whereas this should be at the
> client's request. Again my understanding....

I am no expert here, but my understanding is that if you use ldapsearch
or ldbsearch with Kerberos (it's called GSSAPI by ldapsearch), then the
data is encrypted end to end just like ldaps.

Windows was going to enforce ldaps, but, unless I missed it, it has
never happened. Doesn't this tell you something?

If I am getting this wrong, I am sure Andrew will put me right.


Please do not 'CC' me, just send posts to the lists.
