[Samba] Setup LDAPS or other solution for ldap

Andrew Bartlett abartlet at samba.org
Thu May 11 09:39:36 UTC 2023


On Thu, 2023-05-11 at 10:18 +0100, Rowland Penny via samba wrote:
> 
> On 11/05/2023 09:51, matti.kaupenjohann via samba wrote:
> > 
> > > The problem is, the OP doesn't want to join the domain with all their 
> > > computers. Now you and I know that, to get the best results, it is 
> > > better to join a domain, somehow we have to convince people of this.
> > 
> > I am convinced but do not understand everything yet:)
> > 
> > If I understand this correct, I join the domain with all our client 
> > access machines and our servers. I limit the direct authentication to 
> > our servers via group policies. Now I have as example a guacamole 
> > instance running on one of our servers. Only the domain-administrator 
> > and the server-auth-group has login access. For the guacamole service I 
> > want that my users can connect to guacamole via ldap (or in this case 
> > via ldaps?). For my test scenario I would use my self signed 
> > certificates but later in a real scenario we have access to real ones. 
> > So with this example it sounds like the easiest and best approach with 
> > kinit and not ldaps. Am I right?
> > 
> 
> I am no longer sure, Andrew has said previously that using kerberos 
> instead of ldaps is more secure because it is encrypted 'end-to-end', 
> but now he seems to be saying something different. He has also 
> previously said that ldaps doesn't work fully on Samba AD and to use 
> kerberos instead, but again, he now seems to be saying the opposite.

As always, the world is more subtle than that.

I have in the past spoken against those who wish to have AD-style
clients - Samba's winbindd in particular - that do know how to use
Kerberos do so over TLS 'because security'.  

We should actually do the 'channel binding' to make this better both on
our client and on our server, but this is quite a large task to get
right, doesn't quite solve all the issues and so needs real engineering
time (eg funding). 

LDAPS for a simple bind is just as secure (and not) as a password into
a website, it all comes down to checking the certificate and trusting
the server name.  It is when mixed with Kerberos and in particular NTLM
we get into some trouble, which is why I discourage that.

I hope this clarifies things.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
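The point in the reply above, that an LDAPS simple bind is only as safe as the client's certificate check and its trust in the server name, comes down to two TLS client settings. The following is an added example (not Andrew's code and not part of Samba) that builds the weak client context next to the hardened one and audits either for the properties the message names; the host name `dc1.example.internal` and the CA bundle path are placeholders, not values from the thread.

```python
import socket
import ssl
from typing import List, Optional

LDAPS_PORT = 636


def weak_ldaps_context() -> ssl.SSLContext:
    """The setting that makes LDAPS pointless: TLS is negotiated, but any
    certificate is accepted and the server name is never checked, so an
    on-path host can terminate TLS and read the simple-bind password."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode is relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_ldaps_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """The chain must validate and the certificate name must match the host
    we meant to bind to. ca_file is the domain CA bundle (placeholder path in
    main below); None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Report the ways a client context fails the 'check the certificate and
    trust the server name' bar. An empty list means the context passes."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("server name is not checked against the certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions older than 1.2 are allowed")
    return findings


def open_ldaps(host: str, ctx: ssl.SSLContext, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open the TLS session a simple bind would ride on. server_hostname is
    what check_hostname compares the certificate against; with the hardened
    context a name mismatch or untrusted chain raises
    ssl.SSLCertVerificationError before any bind DN or password is sent."""
    raw = socket.create_connection((host, LDAPS_PORT), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Placeholder names; there is no real DC behind them.
    dc_host = "dc1.example.internal"
    ca_bundle = "/etc/ssl/certs/example-domain-ca.pem"

    for label, ctx in (("weak", weak_ldaps_context()),
                       ("hardened", hardened_ldaps_context())):
        print(label, audit_context(ctx) or "ok")

    # Uncomment against a real DC with its CA in ca_bundle:
    # with open_ldaps(dc_host, hardened_ldaps_context(ca_bundle)) as tls:
    #     print(tls.getpeercert()["subject"])
```

The self-signed test certificate mentioned earlier in the thread works with the hardened context only when it is passed as `ca_file`; with a name that does not match `server_hostname`, the handshake fails closed, which is the behaviour you want before a password leaves the client.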



