Discussion:
LDAP signing and Linux clients
Jonas Back
2005-04-21 17:46:06 UTC
We have an AD running on Win 2003 servers. We have secured our domain and one
of the settings we've secured is "Network security: LDAP client signing
requirements" and to "Negotiate signing".

In our lab I successfully installed SFU (Services for Unix) and wanted our
Linux (Red Hat) clients to be able to ask LDAP questions to our DCs and also
make it possible for them to share drives using Samba and let the users
authenticate against our AD. I know that Win 2003 doesn't support anonymous
bind so I use a user to bind LDAP. Both these scenarios work fine in my lab
using Fedora Core 3 clients.

Now when I try this in our production environment where we have RH ES 3
servers it doesn't work and that's probably because we demand LDAP signing. I
found some bug on the Samba website regarding this:
https://bugzilla.samba.org/show_bug.cgi?id=765
It recommends using certificates for SSL/TLS instead of just signing but
we're in a phase where we don't want to go too deep into certificates - we just
want it to get to work.

I can go into detail in this matter but I just want to hear if someone else
has had this problem or if someone can explain the details of this issue. Is
there some kind of dependence between LDAP (OpenLDAP) and Samba? Especially
when it comes to securing the above LDAP setting. I'm no Linux expert and
since Linux experts seldom are Active Directory experts I find it hard to
find this kind of information.

Thanks!
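The bind failure Jonas describes, seen from the wire: an added example (not code from the thread) that decodes an LDAP BindResponse from its BER encoding and recognises the strongAuthRequired answer (resultCode 8) an AD domain controller returns when it requires signing and receives an unsigned simple bind over plain LDAP. The sample bytes are constructed here; the DSID in the diagnostic text is a placeholder.

```python
"""Decode an LDAP BindResponse and classify a 'signing required' refusal."""
import re

STRONG_AUTH_REQUIRED = 8  # LDAP resultCode strongAuthRequired (RFC 4511)


def _tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos).
    Handles short-form and long-form (up to 4 length bytes) lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(msg):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, [APPLICATION 1] BindResponse }
    BindResponse carries resultCode ENUMERATED, matchedDN, diagnosticMessage."""
    tag, body, _ = _tlv(msg, 0)
    assert tag == 0x30, "LDAPMessage must be a SEQUENCE"
    tag, mid, pos = _tlv(body, 0)
    assert tag == 0x02, "messageID must be an INTEGER"
    tag, op, _ = _tlv(body, pos)
    assert tag == 0x61, "expected [APPLICATION 1] BindResponse"
    tag, code, pos = _tlv(op, 0)
    assert tag == 0x0A, "resultCode must be an ENUMERATED"
    _, dn, pos = _tlv(op, pos)
    _, diag, _ = _tlv(op, pos)
    return {"messageID": int.from_bytes(mid, "big"),
            "resultCode": int.from_bytes(code, "big"),
            "matchedDN": dn.decode(), "diagnosticMessage": diag.decode()}


def classify_bind_failure(resp):
    """'signing-required' when the DC refused an unsigned bind, else ok/other."""
    if resp["resultCode"] == 0:
        return "ok"
    if resp["resultCode"] == STRONG_AUTH_REQUIRED and re.search(
            r"integrity checking", resp["diagnosticMessage"]):
        return "signing-required"
    return "other"


def _enc(tag, value):
    """Minimal BER encoder, used only to build the constructed sample below."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 \
        else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + value


# Constructed sample: AD's wording for error 0x2028 (ERROR_DS_STRONG_AUTH_REQUIRED);
# the DSID value is a placeholder, not a real one.
AD_DIAG = ("00002028: LdapErr: DSID-XXXXXXXX, comment: The server requires binds "
           "to turn on integrity checking if SSL\\TLS are not already active on "
           "the connection, data 0, v1db1")
SAMPLE = _enc(0x30, _enc(0x02, b"\x01") + _enc(0x61, _enc(0x0A, b"\x08")
              + _enc(0x04, b"") + _enc(0x04, AD_DIAG.encode())))
```

Remediation on the client side is either a SASL bind that negotiates an integrity layer or wrapping the simple bind in TLS; the classifier only tells you which of the two the DC is asking for.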
Jason Tan (MSFT)
2005-04-22 09:09:49 UTC
Hi

Thanks for posting!

Please understand that our newsgroup is focused on the break/fix issues
that are neither urgent nor complex. It is recommended you contact your
local Microsoft Consulting Service (MCS) for the most efficient solution
and best results. Some issues may require a bit more in-depth attention
and may fall under the umbrella of Microsoft Consulting Services.

For more information on MCS, please see:
http://www.microsoft.com/business/services/mcs.asp?&SD=GN&LN=EN-US&gssnb=1

Also, you may contact Microsoft Customer Support Services (CSS) via
telephone so that a dedicated Support Professional can assist you. Please
be advised that contacting phone support will be a charged call.

To obtain the phone numbers for specific technology request please take a
look at the web site listed below.

http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

If you are outside the US please see http://support.microsoft.com for
regional support phone numbers.

Thanks & Regards,

Jason Tan

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Paul Nelson
2005-04-23 23:49:07 UTC
I have done some work on getting LDAP signing and encryption to work with
Kerberos. Some versions of GSSAPI do not work properly with encryption, but
do work with signing. I also believe there is a bug in Microsoft's LDAP
signing implementation, but that isn't a big deal. This has to do with how
they interpret certain bits in the GSS authentication.

If you want to email me directly, I could give you more info.

Paul Nelson
Thursby Software Systems
Al Mulnick
2005-04-24 01:50:31 UTC
I remember trying some of these as well. I thought this was a better use of
time http://www.centrify.com
Much simpler and MUCH less time to implement.

Al
Paul Nelson
2005-04-25 15:40:19 UTC
Does Centrify work with domain controllers with the HISECDC template
applied?
Al Mulnick
2005-05-01 22:04:31 UTC
That would be a great question to ask them, Paul. I've not had reason to
test that out, although I can't think of a reason it would not at the
moment. I can tell you that no matter what template you use, you'll want to
test the clients that access it extensively.

Al