Web lists-archives.com

Re: [Samba] ldap server require strong auth = no

ABvs> On Wed, 2018-06-13 at 10:06 -0700, Gregory Sloop via samba wrote:
>> I, perhaps amazingly, have FreeNAS working properly now.

>> One of the issues was that I needed to set ldap server require strong auth = no
>> on the Samba DC.

>> So, what are the implications of doing that?
>> Does authentication happen over LDAP, or just user/group enumeration?

ABvs> Yes, LDAP is often used by clients for authentication (often via a
ABvs> simple bind)

>> Is there a wiki page that covers that somewhere?
>> [And how does Windows not suffer from the same security issues, if it's obviously not using signed/sealed LDAP?]

ABvs> In short, it does.

So, does that generally mean that if one was fine with the risks involved in using Windows across the LAN, that there would be no additional security exposure to doing the "same thing" with Samba and no LDAP sign/sealing? [Or is it more complicated than that?]

Perhaps related: Are things more secure with Windows clients only? [i.e. Avoiding doing pure LDAP from non Windows clients.]
[I've got some vague notion of how Windows clients handle things - but perhaps I ought to add some more actual knowledge to that vague collection.]

Can someone point me to some good place to start reading to grok the big picture?


To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba