[Samba] winbindd with LDAPS

jose.celestino at gmail.com jose.celestino at gmail.com
Wed Sep 13 13:27:21 UTC 2023


Hello Andrew and all,

We managed to delay the change to LDAPS but it seems inevitable, and
we're being pressured to make the change.

What is the proper way to discuss the possibility of developing what
we need to make it work?

We currently have no internal resources to do it, but are willing to
sponsor the needed work.

On Fri, Apr 21, 2023 at 10:03 AM jose.celestino at gmail.com
<jose.celestino at gmail.com> wrote:
>
> Hi Andrew,
>
> I'm assuming that simply hacking the Samba code to connect to LDAPS
> instead of LDAP wouldn't work (other workarounds we tried: connecting
> to a local endpoint and stunnel it to the remote LDAP, for instance).
> There should be TLS channel-binding also on the LDAP connection?
>
> Anyway, are you, or anyone on the Samba team, willing to develop the
> needed LDAPS support?
>
> Can I pass your contact to the project admins to discuss that?
>
> Thank you.
>
> Best regards,
> José Celestino
>
> On Wed, Mar 8, 2023 at 6:49 PM Andrew Bartlett <abartlet at samba.org> wrote:
> >
> > On Wed, 2023-03-08 at 12:58 +0000, jose.celestino--- via samba wrote:
> > > Hi,
> > >
> > > We have a samba installation (4.17.5) where a winbindd is part of an
> > > AD domain and used to authenticate radius (radiator) logins.
> > >
> > > The thing is, the AD administration is closing port 386 on the
> > > password server and only allowing requests on 636 (ldaps).
> > >
> > > I don't seem to be able to change the winbindd to use the ldaps port.
> > > Tried
> > >
> > > ldap ssl = start tls
> > > ldap ssl ads = yes
> > > tls enabled = yes
> > >
> > > but both the net join and the ntlm_auth go to port 386 and will cease
> > > to work as soon as that is disabled.
> >
> > This won't work, for the cases where LDAP is used.  This is typically
> > for idmap_ad operations and similar.  Samba uses, just as windows
> > clients do, a Kerberos secured connection on port 389, when it contacts
> > the AD DC.
> >
> > In the past efforts were made to allow connections wrapped with TLS
> > safely, but this was abandoned.
> >
> > There are a number of issues, in particular the need to implement
> > 'channel bindings', to tie our inner Kerberos authentication to the
> > outer TLS tunnel.
> >
> > If this is absolutely critical, then a development effort could be
> > started to finish that work.
> >
> > The removal is here:
> > https://bugzilla.samba.org/show_bug.cgi?id=14462
> >
> > Sorry,
> >
> > Andrew Bartlett
> >
> >
> > --
> > Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org
> > Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> >
> > Samba Development and Support, Catalyst.Net Limited
> >
> > Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source
> > Solutions
> >
> >
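Andrew's point above about tying the inner Kerberos authentication to the outer TLS tunnel, shown as an added Python example that is not code from this thread or from Samba: it computes the RFC 5929 tls-server-end-point binding from the server certificate and the RFC 4121 channel-binding checksum a Kerberos initiator would carry, then checks it the way a DC enforcing LDAP channel binding would. The certificate bytes are constructed placeholders (not real DER), and the function names are this example's own; the second check illustrates why a local stunnel in front of the DC, as tried in the quoted message, presents a different certificate and fails the binding.

```python
import hashlib
import struct

# Constructed stand-in certificate bytes (not real DER certificates).
DC_CERT_DER = b"\x30\x82\x01\x00constructed-dc-ldaps-certificate"
PROXY_CERT_DER = b"\x30\x82\x01\x00constructed-stunnel-certificate"


def end_point_hash(cert_der, sig_hash="sha256"):
    """RFC 5929 tls-server-end-point: hash of the server's DER certificate,
    using the hash from its signatureAlgorithm, with MD5/SHA-1 upgraded to SHA-256."""
    algo = sig_hash.lower().replace("-", "")
    if algo in ("md5", "sha1"):
        algo = "sha256"
    return hashlib.new(algo, cert_der).digest()


def channel_binding_data(cert_der, sig_hash="sha256"):
    """application_data of the GSS channel bindings for LDAP over TLS."""
    return b"tls-server-end-point:" + end_point_hash(cert_der, sig_hash)


def kerberos_bnd(app_data):
    """RFC 4121 section 4.1.1.2 'Bnd': MD5 over the RFC 2744 channel-bindings
    structure (addrtype and length integers little-endian), which the initiator
    places in the AP-REQ authenticator checksum. Address fields are left empty."""
    buf = struct.pack("<II", 0, 0)            # initiator_addrtype, initiator_address length
    buf += struct.pack("<II", 0, 0)           # acceptor_addrtype, acceptor_address length
    buf += struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(buf).digest()


def client_bnd(cert_seen_by_client, sig_hash="sha256"):
    """A winbindd-style initiator binds to the certificate of whatever TLS
    endpoint it actually connected to (the DC directly, or a local proxy)."""
    return kerberos_bnd(channel_binding_data(cert_seen_by_client, sig_hash))


def dc_accepts(received_bnd, dc_cert_der, sig_hash="sha256"):
    """A DC enforcing LDAP channel binding recomputes Bnd from its own
    certificate and rejects a mismatch."""
    return received_bnd == kerberos_bnd(channel_binding_data(dc_cert_der, sig_hash))


if __name__ == "__main__":
    print("direct to DC:", dc_accepts(client_bnd(DC_CERT_DER), DC_CERT_DER))        # True
    print("via stunnel :", dc_accepts(client_bnd(PROXY_CERT_DER), DC_CERT_DER))     # False
```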