[Samba] Security Implications of "ldap server require strong auth"?

Rowland Penny rpenny at samba.org
Mon May 27 15:46:35 UTC 2024


On Mon, 27 May 2024 17:27:30 +0200
Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org>
wrote:

> Am 27.05.2024 16:25, schrieb Rowland Penny via samba:
> > On Mon, 27 May 2024 15:57:52 +0200
> > Bestattungen Vitt - Thomas Reitelbach via samba
> > <samba at lists.samba.org> wrote:
> > 
> >> Hello Samba Team,
> >> 
> >> I hope someone with more expertise than me can enlighten me to the
> >> following "problem":
> >> 
> >> I'm on my way to implement Nextcloud LDAP Authentication against my
> >> existing Samba Active Directory via the LDAP Auth Plugin in
> >> Nextcloud. I have had trouble with the configuration of the
> >> Auth-Plugin in Nextcloud because it could not bind to the ldap
> >> directory. After some investigation I learned, that the nextcloud
> >> ldap auth plugin does not support "strong authentication", which
> >> seems to be enforced by samba by default.
> >> Further investigation led me to the solution to use the [global]
> >> option "ldap server require strong auth = no" in smb.conf. With
> >> this option set, the ldap plugin is working and my Domain users can
> >> authenticate to nextcloud with their Domain account.
> >> 
> >> But before I implement this in my production system I need to know
> >> the security implications of this samba parameter. I must admit
> >> that I don't really understand the risk for a real-life scenario.
> >> Also, I'm not very experienced with ldap, so please, can you help
> >> me a bit?
> >> 
> >> Samba: 4.17.12-Debian (stock debian version)
> >> Nextcloud Hub 8 (29.0.0.1)
> >> 
> >> Cheers
> >> Thomas Reitelbach
> >> 
> > 
> > It is quite simple, 'ldap server require strong auth = no' allows
> > simple binds over ldap, 'ldap server require strong auth = yes' (the
> > default) requires ldaps.
> 
> Hi Rowland,
> 
> thank you for your reply and your time.
> I am aware that this option enables "simple binds". But what does
> this mean for network security? Maybe I don't understand the meaning
> of "simple binds" -> does it mean, credentials will be sent
> unencrypted over the network and can easily be sniffed by anyone who
> has access to a network scanner/analyzer?

Yes.

> Maybe it's a stupid question, but what I have found with my google 
> search does not give me a clue if this option can be safely used in a 
> corporate network with at least a bit of security awareness or not.
> 
> Usually the samba team's choices for "default" parameters are very 
> sensitive and with security in mind. This makes me think it might be
> a bad idea to use "ldap server require strong auth = no".

Again, yes.

To use ldaps requires certificates and basically opens a closed tunnel
between either end, your ldap request then goes down this tunnel and no
one can intercept it.

Is it possible to use Kerberos instead? That is even more secure.

Rowland
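What "simple bind" means on the wire, as an added example (not code from the list post or from Samba): a minimal BER decoder for the LDAP BindRequest (RFC 4511) run over two constructed messages. Any BindRequest that parses straight out of a TCP payload to port 389 was not inside TLS, and if its authentication choice is `simple`, the bind DN and password travelled as plain octet strings; a SASL/GSSAPI (Kerberos) bind carries no password. The DN, password and mechanism names below are constructed sample values.

```python
# Added example: BER decoder for LDAP BindRequest, with constructed sample
# messages. Not Samba or Nextcloud code.

def _tlv(data, pos):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _encode(tag, value):
    """Encode one BER TLV (short or two-byte long form; enough for samples)."""
    if len(value) < 128:
        return bytes([tag, len(value)]) + value
    return bytes([tag, 0x82]) + len(value).to_bytes(2, "big") + value

def classify_bind(payload):
    """Parse an LDAPMessage; return a finding dict for a BindRequest, else None."""
    tag, msg, _ = _tlv(payload, 0)
    if tag != 0x30:                         # LDAPMessage is a SEQUENCE
        return None
    _, _msgid, pos = _tlv(msg, 0)           # messageID INTEGER
    op_tag, bind, _ = _tlv(msg, pos)
    if op_tag != 0x60:                      # [APPLICATION 0] BindRequest
        return None
    _, _version, pos = _tlv(bind, 0)        # version INTEGER
    _, dn, pos = _tlv(bind, pos)            # name LDAPDN (OCTET STRING)
    auth_tag, cred, _ = _tlv(bind, pos)
    simple = auth_tag == 0x80               # simple [0] OCTET STRING; 0xA3 is sasl [3]
    mech = "simple" if simple else _tlv(cred, 0)[1].decode()   # SASL mechanism name
    return {"dn": dn.decode(), "mechanism": mech,
            "password_bytes_on_wire": len(cred) if simple else 0,
            "exposes_password": simple}     # report the length only, never the value

def make_simple_bind(dn, password, msgid=1):
    """Constructed sample: BindRequest with simple authentication."""
    bind = _encode(0x02, b"\x03") + _encode(0x04, dn.encode()) + _encode(0x80, password.encode())
    return _encode(0x30, _encode(0x02, bytes([msgid])) + _encode(0x60, bind))

def make_sasl_bind(mechanism, msgid=1):
    """Constructed sample: BindRequest with a SASL mechanism such as GSSAPI (Kerberos)."""
    bind = _encode(0x02, b"\x03") + _encode(0x04, b"") + _encode(0xA3, _encode(0x04, mechanism.encode()))
    return _encode(0x30, _encode(0x02, bytes([msgid])) + _encode(0x60, bind))

if __name__ == "__main__":
    print(classify_bind(make_simple_bind("CN=nextcloud,CN=Users,DC=example,DC=com", "s3cret")))
    print(classify_bind(make_sasl_bind("GSSAPI")))
```

Feeding real port-389 payloads through `classify_bind` before changing the setting shows which clients would actually be sending passwords in the clear, and which already use Kerberos.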
