[Samba] winbindd with LDAPS

Andrew Bartlett abartlet at samba.org
Wed Mar 8 18:49:30 UTC 2023


On Wed, 2023-03-08 at 12:58 +0000, jose.celestino--- via samba wrote:
> Hi,
> 
> We have a samba installation (4.17.5) where a winbindd is part of an
> AD domain and used to authenticate radius (radiator) logins.
> 
> The thing is, the AD administration is closing port 386 on the
> password server and only allowing requests on 636 (ldaps).
> 
> I don't seem to be able to change the winbindd to use the ldaps port.
> Tried
> 
> ldap ssl = start tls
> ldap ssl ads = yes
> tls enabled = yes
> 
> but both the net join and the ntlm_auth go to port 386 and will cease
> to work as soon as that is disabled.

This won't work, for the cases where LDAP is used.  This is typically
for idmap_ad operations and similar.  Samba uses, just as windows
clients do, a Kerberos secured connection on port 389, when it contacts
the AD DC.

In the past efforts were made to allow connections wrapped with TLS
safely, but this was abandoned.  

There are a number of issues, in particular the need to implement
'channel bindings', to tie our inner Kerberos authentication to the
outer TLS tunnel. 

If this is absolutely critical, then a development effort could be
started to finish that work.

The removal is here:
https://bugzilla.samba.org/show_bug.cgi?id=14462

Sorry,

Andrew Bartlett


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst.Net Limited

Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source
Solutions

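The reply above says that wrapping the Kerberos-authenticated LDAP session in TLS was abandoned because the inner authentication would need to be tied to the outer TLS tunnel with channel bindings. The following is an added illustration of that point, not Samba code and not from the thread: it models the RFC 5929 tls-server-end-point binding (hash of the server certificate the client actually saw) being covered by the client's integrity check, so that a relay that terminates TLS with its own certificate cannot reuse the client's authentication against the real DC. The certificate bytes and the session key are constructed stand-ins, the MIC is an HMAC stand-in for the GSSAPI checksum, and SHA-256 is assumed as the certificate's signature hash.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded certificates (not real certificates).
DC_CERT = b"-- constructed DER for dc01.example.test --"
RELAY_CERT = b"-- constructed DER for a TLS-terminating relay --"

# Constructed stand-in for the Kerberos session key shared by client and DC.
SESSION_KEY = b"constructed-session-key"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 'tls-server-end-point' channel binding data.

    The binding is the hash of the server certificate; RFC 5929 picks the
    hash from the certificate's signature algorithm, assumed SHA-256 here.
    """
    return b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()


def client_auth_token(session_key: bytes, cb_data: bytes) -> bytes:
    """Client side: a MIC that covers the channel binding data.

    Models the GSSAPI behaviour of folding the channel bindings into the
    authenticator checksum so the token is bound to one TLS endpoint.
    """
    return hmac.new(session_key, cb_data, hashlib.sha256).digest()


def dc_verify(session_key: bytes, own_cert_der: bytes, token: bytes) -> bool:
    """DC side: recompute the MIC over the DC's *own* certificate binding.

    If the client bound its token to a different certificate (a relay's),
    the MICs differ and the authentication is rejected.
    """
    expected = client_auth_token(session_key, tls_server_end_point(own_cert_der))
    return hmac.compare_digest(expected, token)


def direct_connection() -> bool:
    """Client talks TLS directly to the DC: bindings match, auth succeeds."""
    token = client_auth_token(SESSION_KEY, tls_server_end_point(DC_CERT))
    return dc_verify(SESSION_KEY, DC_CERT, token)


def relayed_connection_with_binding() -> bool:
    """A relay terminates TLS with RELAY_CERT and forwards the token unchanged.

    The client bound the token to the certificate it saw (the relay's); the
    relay cannot recompute the MIC without the session key, so the DC rejects it.
    """
    token = client_auth_token(SESSION_KEY, tls_server_end_point(RELAY_CERT))
    return dc_verify(SESSION_KEY, DC_CERT, token)


def relayed_connection_without_binding() -> bool:
    """Same relay, but neither side uses channel bindings.

    Nothing in the token identifies the TLS endpoint, so the forwarded
    token verifies and the relay ends up with an authenticated session.
    """
    token = client_auth_token(SESSION_KEY, b"")
    expected = client_auth_token(SESSION_KEY, b"")
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    print("direct, bound:            ", direct_connection())
    print("relayed, bound:           ", relayed_connection_with_binding())
    print("relayed, no binding:      ", relayed_connection_without_binding())
```

The third case is the one the reply is warning about: a TLS-wrapped LDAP session whose inner Kerberos authentication does not reference the tunnel offers no more protection against a relaying endpoint than the plain port 389 session, which is why shipping "LDAPS plus Kerberos" without finishing the channel-binding work was not considered safe.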