[Samba] winbindd with LDAPS

Andrew Bartlett abartlet at samba.org
Wed Mar 8 20:15:24 UTC 2023


Correct, we use Kerberos to protect our connections, where possible,
otherwise NTLM.  StartTLS would have the same issues, it just changes
how the connection starts.
Andrew Bartlett
On Wed, 2023-03-08 at 20:08 +0000, jose.celestino at gmail.com wrote:
> Thank you,
> I've seen that commit. But even that seemed to be a STARTTLS inside
> a plain ldap connection (389).
> On Wed, Mar 8, 2023 at 6:49 PM Andrew Bartlett <abartlet at samba.org>
> wrote:
> > On Wed, 2023-03-08 at 12:58 +0000, jose.celestino--- via samba
> > wrote:
> > > Hi,
> > > We have a samba installation (4.17.5) where a winbindd is part of
> > > an AD domain and used to authenticate radius (radiator) logins.
> > > The thing is, the AD administration is closing port 386 on
> > > the password server and only allowing requests on 636 (ldaps).
> > > I don't seem to be able to change the winbindd to use the ldaps
> > > port. Tried
> > > ldap ssl = start tls
> > > ldap ssl ads = yes
> > > tls enabled = yes
> > > but both the net join and the ntlm_auth go to port 386 and will
> > > cease to work as soon as that is disabled.
> > 
> > This won't work, for the cases where LDAP is used.  This is
> > typically for idmap_ad operations and similar.  Samba uses, just as
> > Windows clients do, a Kerberos secured connection on port 389, when
> > it contacts the AD DC.
> > In the past efforts were made to allow connections wrapped with
> > TLS safely, but this was abandoned.
> > There are a number of issues, in particular the need to
> > implement 'channel bindings', to tie our inner Kerberos
> > authentication to the outer TLS tunnel.
> > If this is absolutely critical, then a development effort could
> > be started to finish that work.
> > The removal is here:
> > https://bugzilla.samba.org/show_bug.cgi?id=14462
> > 
> > Sorry,
> > Andrew Bartlett
> > 
> > --
> > Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org
> > Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> > 
> > Samba Development and Support, Catalyst.Net Limited
> > Catalyst.Net Ltd - a Catalyst IT group company - Expert Open
> > Source Solutions
> > 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst.Net Limited
Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions
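The thread's practical point is that the three smb.conf settings the poster tried do not move winbindd's AD DC traffic to port 636: as Andrew explains, Samba (like Windows clients) talks Kerberos-secured LDAP on port 389, and the TLS-wrapped variant was removed (the linked bug 14462). The following is an added example, not code from the thread or from the Samba project: a small smb.conf linter that parses the [global] section and reports exactly that situation before a firewall change breaks `net join` and `ntlm_auth`. The sample configuration is constructed to mirror what the poster tried; the host name in it is a placeholder. The statement that `ldap ssl` applies to the passdb/idmap_ldap LDAP client rather than winbindd's AD connection is my own reading of the parameter's scope, not something the thread states.

```python
import re
from typing import Dict, List

# Constructed smb.conf fragment mirroring the settings tried in the thread
# (hostnames and realm are placeholders, not from the page).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    security = ads
    password server = dc1.example.local
    ldap ssl = start tls
    ldap ssl ads = yes
    tls enabled = yes
"""


def parse_global(conf: str) -> Dict[str, str]:
    """Return the key = value pairs of the [global] section.

    Keys are lower-cased and internal whitespace collapsed, which is how
    smb.conf parameter names are matched; comment lines (# or ;) are skipped.
    """
    params: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip()
    return params


def audit_ad_ldap_settings(conf: str) -> List[str]:
    """Flag settings that do not change where winbindd's AD LDAP traffic goes.

    Returns one human-readable finding per issue; an empty list means nothing
    in [global] suggests a mistaken reliance on LDAPS for the AD member path.
    """
    findings: List[str] = []
    g = parse_global(conf)

    if g.get("security", "").lower() != "ads":
        findings.append("security is not 'ads': this host is not an AD domain "
                        "member, so the winbindd/AD LDAP discussion does not apply")
        return findings

    if "ldap ssl ads" in g:
        findings.append("'ldap ssl ads' is set: TLS wrapping of the AD LDAP "
                        "connection was removed (bug 14462); this does not make "
                        "winbindd use port 636")

    if g.get("ldap ssl", "").lower() == "start tls":
        findings.append("'ldap ssl = start tls' affects the ldapsam/idmap_ldap "
                        "LDAP client (assumption about scope), not winbindd's "
                        "Kerberos-secured connection to the AD DC on port 389")

    dcs = g.get("password server", "<the domain controllers>")
    findings.append("net ads / winbindd reach the DC over Kerberos-secured LDAP "
                    f"on tcp/389 (Kerberos itself on tcp/88): keep those ports "
                    f"open from this host to {dcs}")
    return findings


if __name__ == "__main__":
    for finding in audit_ad_ldap_settings(SAMPLE_SMB_CONF):
        print("-", finding)
```

Run it against the real `/etc/samba/smb.conf` (`audit_ad_ldap_settings(open(path).read())`) on the member server before the AD side closes port 389; the last finding is emitted for every `security = ads` host as a reminder of which ports the firewall rule must keep.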