<para>
The <smbconfoption name="ldap server require strong auth"/> defines whether
the ldap server requires ldap traffic to be signed or signed and encrypted (sealed).
- Possible values are <emphasis>no</emphasis>, <emphasis>allow_sasl_over_tls</emphasis>
+ Possible values are <emphasis>no</emphasis>,
+ <emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
and <emphasis>yes</emphasis>.
</para>
+ <para>Windows has <emphasis>LdapEnforceChannelBinding</emphasis> under
+ <emphasis>HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\</emphasis>.
+ </para>
+
<para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
- all transports.</para>
+ all transports. This matches LdapEnforceChannelBinding=0.</para>
+
+ <para>A value of <emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
+ allows simple and sasl binds (without sign or seal) over TLS encrypted connections.
+ Missing tls channel bindings are ignored, so only use this if a value of
+ <emphasis>yes</emphasis> is not possible.
+ Unencrypted connections only allow sasl binds with sign or seal.
+ This matches LdapEnforceChannelBinding=1.
+ </para>
- <para>A value of <emphasis>allow_sasl_over_tls</emphasis> allows simple and sasl binds
- (without sign or seal) over TLS encrypted connections. Unencrypted connections only
- allow sasl binds with sign or seal.</para>
+ <para>Before support for tls channel bindings existed in Samba,
+ a value of <emphasis>allow_sasl_over_tls</emphasis> was possible in order
+ to allow sasl binds without tls channel bindings. This now misleading
+ as a value of <emphasis>yes</emphasis> will now allow sasl binds
+ with tls channel bindings. Configurations should be changed to
+ <emphasis>yes</emphasis> instead or
+ <emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
+ if really required. Currently <emphasis>allow_sasl_over_tls</emphasis>
+ is just an alias of <emphasis>allow_sasl_without_tls_channel_bindings</emphasis>,
+ but it will be removed in future versions.
+ </para>
<para>A value of <emphasis>yes</emphasis> allows only simple binds
- over TLS encrypted connections. Unencrypted connections only
- allow sasl binds with sign or seal.</para>
+ and sasl binds with correct tls channel bindings
+ over TLS encrypted connections. sasl binds without tls channel bindings
+ are not allowed. Unencrypted connections only
+ allow sasl binds with sign or seal. This matches LdapEnforceChannelBinding=2.
+ </para>
</description>
<value type="default">yes</value>
</samba:parameter>
enum ldap_server_require_strong_auth {
LDAP_SERVER_REQUIRE_STRONG_AUTH_NO,
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
+ LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB,
LDAP_SERVER_REQUIRE_STRONG_AUTH_YES,
};
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "0" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
"allow_sasl_over_tls" },
+ { LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB,
+ "allow_sasl_without_tls_channel_bindings" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "Yes" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "True" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "1" },
"When acting as Active Directory domain controller, " +
entry + " should be in vfs objects.")
+ strong_auth = lp.get("ldap server require strong auth")
+ if strong_auth == "allow_sasl_over_tls":
+ logger.warning(
+ "WARNING: You have not configured "
+ "'ldap server require strong auth = "
+ "allow_sasl_over_tls'.\n"
+ "Please change to 'yes' (preferred) or "
+ "'allow_sasl_without_tls_channel_bindings' "
+ "(if really needed).")
+
return valid
def allow_access(self, deny_list, allow_list, cname, caddr):
print "PROVISIONING AD DC (NTVFS)...\n";
my $extra_conf_options = "netbios aliases = localDC1-a
server services = +winbind -winbindd
- ldap server require strong auth = allow_sasl_over_tls
+ ldap server require strong auth = allow_sasl_without_tls_channel_bindings
raw NTLMv2 auth = yes
lsa over netlogon = yes
rpc server port = 1027
ret = 1;
}
+ if (lp_ldap_server_require_strong_auth() ==
+ LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS)
+ {
+ fprintf(stderr,
+ "WARNING: You have not configured "
+ "'ldap server require strong auth = "
+ "allow_sasl_over_tls'.\n"
+ "Please change to 'yes' (preferred) or "
+ "'allow_sasl_without_tls_channel_bindings' "
+ "(if really needed)\n\n");
+ }
+
if (lp_server_schannel() != true) { /* can be 'auto' */
fprintf(stderr,
"WARNING: You have not configured "
#include "dsdb/samdb/samdb.h"
#include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_tstream.h"
+#include "lib/tls/tls.h"
#include "param/param.h"
#include "../lib/util/tevent_ntstatus.h"
#include "lib/util/time_basic.h"
gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAP_STYLE);
if (conn->sockets.active == conn->sockets.tls) {
+ uint32_t initiator_addrtype = 0;
+ const DATA_BLOB *initiator_address = NULL;
+ uint32_t acceptor_addrtype = 0;
+ const DATA_BLOB *acceptor_address = NULL;
+ const DATA_BLOB *application_data =
+ tstream_tls_channel_bindings(conn->sockets.tls);
+
+ status = gensec_set_channel_bindings(gensec_security,
+ initiator_addrtype,
+ initiator_address,
+ acceptor_addrtype,
+ acceptor_address,
+ application_data);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ /*
+ * By default channel bindings are required,
+ * so we only set GENSEC_FEATURE_CB_OPTIONAL
+ * for the legacy option:
+ *
+ * ldap server require strong auth = no
+ * or
+ * ldap server require strong auth =
+ * allow_sasl_without_tls_channel_bindings
+ *
+ * And this as an alias to cope with existing smb.conf
+ * files:
+ *
+ * ldap server require strong auth = allow_sasl_over_tls
+ */
+ switch (conn->require_strong_auth) {
+ case LDAP_SERVER_REQUIRE_STRONG_AUTH_NO:
+ case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS:
+ case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB:
+ gensec_want_feature(gensec_security,
+ GENSEC_FEATURE_CB_OPTIONAL);
+ break;
+ default:
+ break;
+ }
+
gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAPS_TRANSPORT);
}
goto do_reply;
}
+ if (NT_STATUS_EQUAL(status, NT_STATUS_BAD_BINDINGS)) {
+ result = LDAP_INVALID_CREDENTIALS;
+ errstr = ldapsrv_bind_error_msg(reply,
+ HRES_SEC_E_BAD_BINDINGS,
+ 0x0C090711,
+ status);
+ goto do_reply;
+ }
if (!NT_STATUS_IS_OK(status)) {
status = nt_status_squash(status);
result = LDAP_INVALID_CREDENTIALS;
case LDAP_SERVER_REQUIRE_STRONG_AUTH_NO:
break;
case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS:
+ case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB:
+ case LDAP_SERVER_REQUIRE_STRONG_AUTH_YES:
if (call->conn->sockets.active == call->conn->sockets.tls) {
break;
}
- status = NT_STATUS_NETWORK_ACCESS_DENIED;
- result = LDAP_STRONG_AUTH_REQUIRED;
- errstr = talloc_asprintf(reply,
- "SASL:[%s]: not allowed if TLS is used.",
- req->creds.SASL.mechanism);
- goto do_reply;
-
- case LDAP_SERVER_REQUIRE_STRONG_AUTH_YES:
status = NT_STATUS_NETWORK_ACCESS_DENIED;
result = LDAP_STRONG_AUTH_REQUIRED;
errstr = talloc_asprintf(reply,
conn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx);
}
+ if (conn->require_strong_auth ==
+ LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS)
+ {
+ D_ERR("WARNING: You have not configured "
+ "'ldap server require strong auth = "
+ "allow_sasl_over_tls'.\n"
+ "Please change to 'yes' (preferred and default) or "
+ "'allow_sasl_without_tls_channel_bindings' "
+ "(if really needed)\n\n");
+ }
+
ret = ldapsrv_backend_Init(conn, &errstring);
if (ret != LDB_SUCCESS) {
char *reason = talloc_asprintf(conn,
git.samba.org / samba.git / commitdiff