TLS + GSSAPI ldap binds in 4.0.0alpha17-GIT-2d23dff
Andrew Bartlett
abartlet at samba.org
Mon Aug 15 16:00:23 MDT 2011
On Mon, 2011-08-15 at 07:44 -0400, Stephen Gallagher wrote:
> On Mon, 2011-08-15 at 10:40 +0100, Lukasz Zalewski wrote:
> > Hi all,
> > After the update to alpha17 (from alpha12) we have not been able to
> > perform GSSAPI + TLS binds against the ldap server,
> > i.e. after successful kinit the following:
> > ldapsearch -ZZ -Y GSSAPI -h my.domain -b "dc=my,dc=domain" cn=somecn
> > produces error message:
> > SASL/GSSAPI authentication started
> > ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
> > additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used
> >
> > TLS without GSSAPI and GSSAPI without TLS binds work fine. Has anyone
> > experienced this issue? Any help would be appreciated :)
> >
> > Many thanks
> >
> > Luk
>
> Why are you trying to do GSSAPI+TLS? It's unnecessary overhead. If
> you're doing a GSSAPI bind, then the GSSAPI tunnel has already encrypted
> all of the communications. You're essentially just asking it to
> re-encrypt everything a second time.
This is exactly what's happening here. You can do GSSAPI+TLS, but you
must not negotiate signing or sealing. This matches Windows behaviour.
If you negotiate sealing, you are better to do just a direct GSSAPI
bind, and avoid the complexities of TLS (we have had quite a bit of pain
here, particularly with GnuTLS regressions).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
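As an added example, not code from the thread or from Samba: a small Python model of the server rule Andrew describes (a GSSAPI bind over TLS is refused only when signing or sealing was negotiated), together with a helper that builds an ldapsearch invocation satisfying it. It assumes OpenLDAP ldapsearch's `-O` SASL security-properties option and its `maxssf=` property, neither of which the thread mentions; the mechanism's default SSF used below is a constructed value.

```python
import shlex

# Result code and diagnostic copied from the error quoted in the thread.
LDAP_UNWILLING_TO_PERFORM = 53
SIGN_SEAL_DIAG = "SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is used"


def negotiated_ssf(secprops: str, mech_default_ssf: int = 56) -> int:
    """Model what GSSAPI ends up negotiating for a given -O property string.

    Without a maxssf cap the mechanism negotiates sealing (SSF > 0);
    'maxssf=0' limits it to authentication only. mech_default_ssf is an
    assumed value, not something the thread states.
    """
    for prop in filter(None, secprops.split(",")):
        key, _, value = prop.partition("=")
        if key.strip() == "maxssf":
            return min(int(value), mech_default_ssf)
    return mech_default_ssf


def server_accepts_bind(tls_in_use: bool, ssf: int):
    """Server-side check as described in the reply: signing/sealing under
    TLS is refused; SSF 0 under TLS, or any SSF without TLS, is accepted.
    Returns (accepted, result_code, diagnostic)."""
    if tls_in_use and ssf > 0:
        return (False, LDAP_UNWILLING_TO_PERFORM, SIGN_SEAL_DIAG)
    return (True, 0, "")


def sasl_secprops(tls_in_use: bool) -> str:
    """Properties the client should request: cap SSF at 0 when TLS already
    protects the session, otherwise let GSSAPI seal on its own."""
    return "maxssf=0" if tls_in_use else ""


def ldapsearch_cmd(host, base, search_filter, tls_in_use=True):
    """Build an ldapsearch argument list for a GSSAPI bind that the modelled
    server will accept, with -ZZ (StartTLS) and -O only when TLS is wanted."""
    cmd = ["ldapsearch", "-Y", "GSSAPI", "-h", host, "-b", base]
    if tls_in_use:
        cmd += ["-ZZ", "-O", sasl_secprops(True)]
    return cmd + [search_filter]


if __name__ == "__main__":
    print(shlex.join(ldapsearch_cmd("my.domain", "dc=my,dc=domain", "cn=somecn")))
```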