[Samba] Setting up Samba as a Domain Member when AD DC is set to enforced LDAP Signing

Rowland Penny rpenny at samba.org
Fri May 17 10:47:10 UTC 2024


On Fri, 17 May 2024 10:27:12 +0200
Andrea Cucciarre via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> I have configured a Samba server (Version 4.15.13-Ubuntu) as an Active
> Directory domain member, and it joined successfully to the domain and
> it's working fine, I have used the following Samba wiki:
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> 
> Now, my customer decided to enforce the LDAP signing in the Active
> Directory DC.
> I can't find any specific setting for that in the wiki or in the
> smb.conf man page for my scenario where Samba is not a DC.
> So does a Samba Domain Member need some special (different from
> default) setting when LDAP signing is enforced in the Active
> Directory DC?
> 
> Thanks
> Andrea

I don't think there is anything you can set on a Samba Unix domain
member; it will have little or nothing to do with any arbitrary ldap
searches run on it.

You might like to read this:

https://wiki.samba.org/index.php/Hardening_Samba_as_an_AD_DC

Where it says this:

Microsoft has chosen a different path to addressing this issue, and
instead would like AD clients to include a session-specific value in
the NTLMv2 response, known as channel binding. Samba doesn't set this as
a client nor does it check this as a server, at this time.

I know that doesn't directly have to do with ldap, but I hope it points you
in the right direction: whatever ldap searches or modifications you do,
they must be done securely.

Rowland
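One concrete thing a domain member admin can check after reading the above is how Samba's own LDAP client (winbind, net ads) wraps its connections to the DC, which is governed by the smb.conf parameter `client ldap sasl wrapping` (plain, sign or seal). The checker below is an added example, not code from the thread or from the Samba project; it assumes a single smb.conf file without `include` directives, and the two configuration snippets are constructed for the demonstration. When the parameter is absent, the build default applies, which you can confirm with `testparm -v`.

```python
"""Check a Samba domain member's smb.conf for the LDAP client wrapping setting."""
import re

SECTION_RE = re.compile(r"^\s*\[(?P<name>[^\]]+)\]\s*$")
PARAM = "client ldap sasl wrapping"
# Strength order of the documented values for this parameter.
RANK = {"plain": 0, "sign": 1, "seal": 2}

# Constructed sample configurations (not from the thread).
WEAK_CONF = """\
[global]
   workgroup = EXAMPLE
   realm = EXAMPLE.LAN
   security = ADS
   ; LDAP traffic to the DC is neither signed nor sealed
   client ldap sasl wrapping = plain
"""
HARDENED_CONF = WEAK_CONF.replace("= plain", "= seal")


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {normalised key: lowercase value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # Samba treats only whole lines starting with '#' or ';' as comments.
        if not line or line[0] in "#;":
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Samba ignores case and internal whitespace in parameter names.
        key = " ".join(key.split()).lower()
        sections[current][key] = value.strip().lower()
    return sections


def check_ldap_wrapping(text, required="seal"):
    """Return (status, value): status is ok, weak, unset or invalid."""
    value = parse_smb_conf(text).get("global", {}).get(PARAM)
    if value is None:
        return "unset", None          # build default applies; see testparm -v
    if value not in RANK:
        return "invalid", value
    return ("ok" if RANK[value] >= RANK[required] else "weak"), value
```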
