[Samba] Setting up Samba as a Domain Member when AD DC is set to enforced LDAP Signing

Andrea Cucciarre acucciarre at cloudian.com
Fri May 17 14:21:59 UTC 2024


I don't believe my customer is going to enable LDAP channel binding, only
LDAP signing.
Aren't the settings "client ldap sasl wrapping" and "ldap ssl" in smb.conf
related to that, even if Samba is only a Domain Member?

Thanks
Andrea


On Fri, May 17, 2024 at 12:47 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Fri, 17 May 2024 10:27:12 +0200
> Andrea Cucciarre via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I have configured a Samba server (Version 4.15.13-Ubuntu) as an Active
> > Directory domain member, and it joined successfully to the domain and
> > it's working fine, I have used the following Samba wiki:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > Now, my customer decided to enforce the LDAP signing in the Active
> > Directory DC.
> > I can't find any specific setting for that in the wiki or in the
> > smb.conf man page for my scenario where Samba is not a DC.
> > So does a Samba Domain Member need some special (different from
> > default) setting when LDAP signing is enforced in the Active
> > Directory DC?
> >
> > Thanks
> > Andrea
>
> I don't think there is anything you can set on a Samba Unix domain
> member, it will have little or nothing to do with any arbitrary ldap
> searches run on it.
>
> You might like to read this:
>
> https://wiki.samba.org/index.php/Hardening_Samba_as_an_AD_DC
>
> Where it says this:
>
> Microsoft has chosen a different path to addressing this issue, and
> instead would like AD clients to include a session-specific value in
> the NTLMv2 response, known as channel binding. Samba doesn't set this as
> a client nor does it check this as a server, at this time.
>
> I know that doesn't directly have to do with ldap, but I hope it points you
> in the right direction, whatever ldap searches or modifications you do,
> they must be done securely.
>
> Rowland
>


-- 
Andrea Cucciarre'
Global Technical Support Manager
Cloudian Inc.
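Editor's note, added for reference and not part of either message above: the smb.conf(5) man page describes "client ldap sasl wrapping" as the option needed when Domain Controllers enforce signed LDAP connections; it takes plain, sign or seal and defaults to sign. "ldap ssl" (off or start tls, default start tls) controls StartTLS on the connections Samba makes to an LDAP directory used as a passdb or idmap backend, which is a different code path from winbind's AD lookups. The fragment below is an added example, not the poster's configuration; it shows the weak value beside the value a member would use against an enforcing DC. The realm, workgroup, idmap backends and ranges are placeholders, not taken from the thread.

```ini
# Added example smb.conf fragment for an AD domain member (not the poster's
# configuration). EXAMPLE / EXAMPLE.COM and the idmap ranges are placeholders.
[global]
   security = ADS
   workgroup = EXAMPLE
   realm = EXAMPLE.COM

   # Weak: no SASL integrity layer on the LDAP connection. A DC that
   # enforces LDAP signing rejects such binds with LDAP result 8
   # (strongAuthRequired) unless they arrive over TLS.
   #client ldap sasl wrapping = plain

   # Compatible with an enforcing DC: sign (the default) negotiates a
   # GSSAPI integrity layer; seal additionally encrypts the LDAP traffic.
   client ldap sasl wrapping = seal

   # Only used on the ldapsam / idmap ldap code path, where Samba talks to
   # an LDAP directory directly; it does not affect winbind's AD lookups.
   ldap ssl = start tls

   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config EXAMPLE : backend = rid
   idmap config EXAMPLE : range = 10000-999999
```

To confirm from the member that the DC really is enforcing signing, independent of Samba, run a simple bind over plain ldap:// with the OpenLDAP tools, for example "ldapsearch -x -H ldap://dc.example.com -D user@example.com -W -b '' -s base" (hostname and user are placeholders). An enforcing DC answers "Strong(er) authentication required (8)" with additional info beginning "00002028" and the comment "The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection"; the same simple bind over ldaps:// succeeds because TLS satisfies the requirement. With the member configured as above, "net ads testjoin" and "wbinfo -u" should keep working, since winbind's SASL binds carry the integrity layer the DC demands.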
