[Samba] Setting up Samba as a Domain Member when AD DC is set to enforced LDAP Signing
Rowland Penny
rpenny at samba.org
Fri May 17 10:47:10 UTC 2024
On Fri, 17 May 2024 10:27:12 +0200
Andrea Cucciarre via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I have configured a Samba server (Version 4.15.13-Ubuntu) as an Active
> Directory domain member, and it joined successfully to the domain and
> it's working fine, I have used the following Samba wiki:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Now, my customer decided to enforce the LDAP signing in the Active
> Directory DC.
> I can't find any specific setting for that in the wiki or in the
> smb.conf man page for my scenario where Samb is not a DC.
> So does a Samba Domain Member need some special (different from
> default) setting when LDAP signing is enforced in the Active
> Directory DC?
>
> Thanks
> Andrea
I don't think there is anything you can set on a Samba Unix domain
member, it will have little or nothing to do with any arbitrary ldap
searches run on it.
You might like to read this:
https://wiki.samba.org/index.php/Hardening_Samba_as_an_AD_DC
Where it says this:
Microsoft has chosen a different path to addressing this issue, and
instead would like AD clients to include a session-specific value in
the NTLMv2 response, known a channel binding. Samba doesn't set this as
a client nor does it check this as a server, at this time.
I know that doesn't directly to do with ldap, but I hope it points you
in the right direction, whatever ldap searches or modifications you do,
they must be done securely.
Rowland
More information about the samba
mailing list