Issue with LDAPS & Winbind


Issue with LDAPS & Winbind

Samba - General mailing list
I have an Ubuntu 14.04 member server which runs winbind, krb5, and samba.
Without encryption, I am able to use winbind to get all the info I need,
i.e.

winbind -g works
winbind -u works

I am trying to now get LDAPS working, but when I run a command nothing
happens

winbind -g does nothing (no errors)
winbind -u does nothing (no errors).

On the Windows DC, I can see TLS traffic happening between the Windows DC
and Ubuntu machine, but of course it does not seem to be fully working.

Here is smb.conf:

[global]
workgroup = TIMDOMAIN
realm = TIMDOMAIN.LOCAL
netbios name = UBUNTUWEE
server string = %h server (Samba %v, Ubuntu)
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
panic action = /usr/share/samba/panic-action %d
security = ADS
ldap ssl = start tls
ldap ssl ads = yes
domain master = no
template shell = /bin/bash
template homedir = /home/%D/%U
winbind enum groups = yes
winbind enum users = yes
winbind use default domain = yes
usershare allow guests = yes

I've tried this config without ldap ssl = start tls and just ldap ssl ads
and the traffic seems to be the exact same.

Here is ldap.conf:

TLS_CACERT      /etc/ssl/certs/ca.cer

ca.cer contains my CA root certificate in Base-64 X509 format.

--
Tim Gwynne
978-994-4272
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Issue with LDAPS & Winbind

Samba - General mailing list
On Tue, 9 Jan 2018 11:08:19 -0800
Timothy Gwynne via samba <[hidden email]> wrote:

> I have an Ubuntu 14.04 member server which runs winbind, krb5, and
> samba. Without encryption, I am able to use winbind to get all the
> info I need, i.e.
>
> winbind -g works
> winbind -u works

I am very sure it doesn't ;-)
I think you mean 'wbinfo' instead

>
> I am trying to now get LDAPS working, but when I run a command nothing
> happens
>
> winbind -g does nothing (no errors)
> winbind -u does nothing (no errors).
>
> On the Windows DC, I can see TLS traffic happening between the
> Windows DC and Ubuntu machine, but of course it does not seem to be
> fully working.
>
> Here is smb.conf:
>
> [global]
>
>
> workgroup = TIMDOMAIN
> realm = TIMDOMAIN.LOCAL
> netbios name = UBUNTUWEE
> server string = %h server (Samba %v, Ubuntu)
> dns proxy = no
> log file = /var/log/samba/log.%m
> max log size = 1000
> panic action = /usr/share/samba/panic-action %d
> security = ADS
> ldap ssl = start tls
> ldap ssl ads = yes
> domain master = no
> template shell = /bin/bash
> template homedir = /home/%D/%U
> winbind enum groups = yes
> winbind enum users = yes
> winbind use default domain = yes
> usershare allow guests = yes
>
> I've tried this config without ldap ssl = start tls and just ldap ssl
> ads and the traffic seems to be the exact same.
>
> Here is ldap.conf:
>
> TLS_CACERT      /etc/ssl/certs/ca.cer
>
> ca.cer contains my CA root certificate in Base-64 X509 format.
>

I am trying to understand just what you are trying to achieve; you do
not normally use ldap for authentication, that is what winbind is for.

Please explain why you are trying this.

Rowland

Re: Issue with LDAPS & Winbind

Samba - General mailing list
On 2018-01-09 at 11:08 -0800 Timothy Gwynne via samba sent off:
> ...

According to https://bugzilla.samba.org/show_bug.cgi?id=13124#c5, ldap ssl ads
does not work reliably anymore; you might try the mentioned "client ldap sasl
wrapping = plain" setting. You will not make the setup more secure in the end,
though. But the ldap ssl ads parameter might soon go away anyway.

Björn


Re: Issue with LDAPS & Winbind

Samba - General mailing list
Thank you Bjorn. Is there any way to reliably configure LDAPS via Winbind &
Samba currently that would increase security?

On Wed, Jan 10, 2018 at 11:14 AM, Björn JACKE <[hidden email]> wrote:

> On 2018-01-09 at 11:08 -0800 Timothy Gwynne via samba sent off:
> > ...
>
> According to https://bugzilla.samba.org/show_bug.cgi?id=13124#c5, ldap ssl ads
> does not work reliably anymore; you might try the mentioned "client ldap sasl
> wrapping = plain" setting. You will not make the setup more secure in the end,
> though. But the ldap ssl ads parameter might soon go away anyway.
>
> Björn
>
--
Tim Gwynne
978-994-4272
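As an added example (mine, not from the thread or the Samba project) that follows up on Björn's pointer to "client ldap sasl wrapping" and Tim's question about securing the winbind link: a POSIX shell audit that reads the [global] section of an smb.conf the way Samba does and reports whether winbind's LDAP traffic to the DC is protected by SASL signing or sealing. It assumes sh and awk are available; the two configs it checks are constructed samples, not the poster's files.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project. Audits the
# [global] section of an smb.conf for the LDAP transport settings discussed
# above. Assumes POSIX sh and awk; the two sample configs are constructed.

# Print the value of a [global] parameter. Names are compared with
# whitespace removed and case folded, as Samba does; the last entry wins.
smb_param() {   # $1 = smb.conf path, $2 = parameter name
    awk -v want="$2" '
        BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ { ing = tolower($0) ~ /^[ \t]*\[global\]/; next }
        ing && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
                print val
            }
        }' "$1" | tail -n 1
}

# Exit 0 if winbind's LDAP traffic to the DC is signed or sealed, 1 if not.
# "ldap ssl ads" is the parameter the thread reports as unreliable, and
# "ldap ssl" is documented for Samba's own LDAP passdb backend, so neither
# is what protects an AD member's traffic; "client ldap sasl wrapping" is.
audit_ldap_transport() {   # $1 = smb.conf path
    conf=$1
    if [ -n "$(smb_param "$conf" 'ldap ssl ads')" ]; then
        echo "warning: 'ldap ssl ads' is set; remove it (see bug 13124)"
    fi
    if [ -n "$(smb_param "$conf" 'ldap ssl')" ]; then
        echo "note: 'ldap ssl' does not apply to the AD/winbind connection"
    fi
    case "$(smb_param "$conf" 'client ldap sasl wrapping' | tr 'A-Z' 'a-z')" in
        seal)  echo "ok: LDAP to the DC is signed and encrypted (seal)"; return 0 ;;
        sign)  echo "ok: signed only; use 'client ldap sasl wrapping = seal' to encrypt"; return 0 ;;
        plain) echo "weak: 'client ldap sasl wrapping = plain' leaves LDAP unprotected"; return 1 ;;
        "")    echo "unset: set 'client ldap sasl wrapping = seal' rather than rely on the default"; return 1 ;;
        *)     echo "unknown wrapping value"; return 1 ;;
    esac
}

# Constructed samples: the thread's weak settings, and the corrected [global].
WEAK_CONF=$(mktemp); FIXED_CONF=$(mktemp)
printf '[global]\n security = ADS\n ldap ssl = start tls\n ldap ssl ads = yes\n Client LDAP SASL Wrapping = plain\n' > "$WEAK_CONF"
printf '[global]\n security = ADS\n client ldap sasl wrapping = seal\n' > "$FIXED_CONF"
audit_ldap_transport "$WEAK_CONF" || echo "weak config: audit failed as expected"
audit_ldap_transport "$FIXED_CONF"   # exit status 0
```

Point it at /etc/samba/smb.conf on the member server (or at the output of `testparm -s`) to see the effective wrapping setting.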