[Samba] Security Implications of "ldap server require strong auth"?

Christian Pedaschus christian.pedaschus at gmail.com
Mon May 27 15:47:17 UTC 2024


Hello Thomas,

yes, it means exactly what you described.
If your LDAP server runs on the same box as Samba, no problem.
If it runs on another network host, then you most probably want ldaps or
some other sort of network encryption like wireguard (VPN).

Regards, Christian


On Mon, 27 May 2024 at 17:28, Bestattungen Vitt - Thomas
Reitelbach via samba <samba at lists.samba.org> wrote:

> On 27.05.2024 16:25, Rowland Penny via samba wrote:
> > On Mon, 27 May 2024 15:57:52 +0200
> > Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org>
> > wrote:
> >
> >> Hello Samba Team,
> >>
> >> I hope someone with more expertise than me can enlighten me on the
> >> following "problem":
> >>
> >> I'm on my way to implement Nextcloud LDAP Authentication against my
> >> existing Samba Active Directory via the LDAP Auth Plugin in
> >> Nextcloud. I have had trouble with the configuration of the
> >> Auth-Plugin in Nextcloud because it could not bind to the ldap
> >> directory. After some investigation I learned, that the nextcloud
> >> ldap auth plugin does not support "strong authentication", which
> >> seems to be enforced by samba by default.
> >> Further investigation led me to the solution to use the [global]
> >> option "ldap server require strong auth = no" in smb.conf. With this
> >> option set, the ldap plugin is working and my Domain users can
> >> authenticate to nextcloud with their Domain account.
> >>
> >> But before I implement this in my production system I need to know
> >> the security implications of this samba parameter. I must admit that
> >> I don't really understand the risk for a real-life scenario. Also,
> >> I'm not very experienced with ldap, so please, can you help me a bit?
> >>
> >> Samba: 4.17.12-Debian (stock debian version)
> >> Nextcloud Hub 8 (29.0.0.1)
> >>
> >> Cheers
> >> Thomas Reitelbach
> >>
> >
> > It is quite simple, 'ldap server require strong auth = no' allows
> > simple binds over ldap, 'ldap server require strong auth = yes' (the
> > default) requires ldaps.
>
> Hi Rowland,
>
> thank you for your reply and your time.
> I am aware that this option enables "simple binds". But what does this
> mean for network security? Maybe I don't understand the meaning of
> "simple binds" -> does it mean, credentials will be sent unencrypted
> over the network and can easily be sniffed by anyone who has access to a
> network scanner/analyzer?
> Maybe it's a stupid question, but what I have found with my google
> search does not give me a clue if this option can be safely used in a
> corporate network with at least a bit of security awareness or not.
>
> Usually the Samba team's choices for "default" parameters are very
> sensible and made with security in mind. This makes me think it might be a
> bad idea to use "ldap server require strong auth = no".
>
> Cheers
> Thomas
>
> --
> Bestattungen Vitt oHG
> Owners: Willi & Thomas Reitelbach
> Rochusstraße 176
> 53123 Bonn-Duisdorf
> Commercial register: Amtsgericht Bonn, HRA 7958
>
> Facebook:     http://www.facebook.de/bestattungenvitt
> Memorial portal: http://begleiten.bestattungen-vitt.de
> Internet:     http://www.bestattungen-vitt.de
>
> Telephone: 0228 - 62 68 68
> Fax: 0228 - 978 30 36
>
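The thread's question is what a "simple bind" actually puts on the network. The following is an added example, not code from the thread or from the Samba project: it builds an LDAP v3 BindRequest exactly as RFC 4511 encodes it (BER, with the bind DN and password as plain OCTET STRINGs) and then recovers the password from the raw bytes the way a passive observer on the ldap:// port 389 stream would. It also builds a SASL bind (what "strong auth" means in practice, e.g. GSS-SPNEGO/Kerberos) to show that the same sniffer gets nothing from it. The DN and password are constructed sample data; the script needs no network and no LDAP library.

```python
"""Added example: what an LDAP *simple bind* looks like on the wire.

A simple bind (RFC 4511 section 4.2) is a BER-encoded message carrying the
bind DN and the password as plain OCTET STRINGs.  Without TLS (ldaps:// or
StartTLS) anyone who captures the TCP stream to port 389 reads the password
straight out of the packet, which is what
"ldap server require strong auth = no" permits Samba to accept.
All credentials below are constructed sample data.
"""


def _ber_len(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(v: int) -> bytes:
    """INTEGER for non-negative v; the extra byte keeps values >= 128 positive."""
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def build_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }."""
    bind_request = _tlv(
        0x60,                                   # [APPLICATION 0] BindRequest
        _ber_int(3)                             # LDAP version 3
        + _tlv(0x04, bind_dn.encode())          # name: LDAPDN as OCTET STRING
        + _tlv(0x80, password.encode()),        # authentication: simple [0]
    )
    return _tlv(0x30, _ber_int(message_id) + bind_request)   # outer SEQUENCE


def build_sasl_bind(message_id: int, mechanism: str, credentials: bytes) -> bytes:
    """Same message with authentication: sasl [3] { mechanism, credentials }.
    With GSS-SPNEGO/Kerberos the credentials are a ticket, not the password."""
    sasl = _tlv(0xA3, _tlv(0x04, mechanism.encode()) + _tlv(0x04, credentials))
    bind_request = _tlv(0x60, _ber_int(3) + _tlv(0x04, b"") + sasl)
    return _tlv(0x30, _ber_int(message_id) + bind_request)


def _read_tlv(buf: bytes, pos: int):
    """Parse one TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def sniff_simple_bind(pdu: bytes):
    """What a passive observer recovers from one captured LDAP PDU.
    Returns (bind_dn, password) for a cleartext simple bind, else None."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        return None
    _, _msg_id, pos = _read_tlv(msg, 0)         # messageID
    tag, bind_req, _ = _read_tlv(msg, pos)
    if tag != 0x60:                             # not a BindRequest at all
        return None
    _, _version, pos = _read_tlv(bind_req, 0)   # version
    _, name, pos = _read_tlv(bind_req, pos)     # bind DN
    tag, auth, _ = _read_tlv(bind_req, pos)
    if tag != 0x80:                             # sasl [3]: no password on the wire
        return None
    return name.decode(), auth.decode()


if __name__ == "__main__":
    dn = "CN=nextcloud,CN=Users,DC=ad,DC=example,DC=com"   # constructed sample
    simple = build_simple_bind(1, dn, "Sup3r-secret!")
    print("simple bind PDU :", simple.hex())
    print("sniffed         :", sniff_simple_bind(simple))
    sasl = build_sasl_bind(2, "GSS-SPNEGO", b"\x60\x2a")    # token truncated
    print("SASL bind       :", sniff_simple_bind(sasl))
```

Run it and the password appears verbatim in the hex dump, which is the entire risk behind setting the option to `no` on a DC reachable over the network. The practical way around the Nextcloud plugin's limitation is to leave the default `yes` in place and point the plugin at `ldaps://` (port 636), since the `yes` setting refuses simple binds only on connections that are not TLS-protected; Samba's smb.conf(5) also documents an intermediate value, `allow_sasl_over_tls`, for clients whose SASL binds lack signing.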

