
s4:ldap_server: add support for tls channel bindings

ldap server require strong auth = allow_sasl_over_tls
is now an alias for 'allow_sasl_without_tls_channel_bindings'
and should be avoided and changed to 'yes' or
'allow_sasl_without_tls_channel_bindings'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Stefan Metzmacher 2024-01-23 14:20:24 +01:00 committed by Andrew Bartlett
parent 811d04fea7
commit 6c17e3d280
8 changed files with 123 additions and 17 deletions


@ -7,20 +7,44 @@
<para> <para>
The <smbconfoption name="ldap server require strong auth"/> defines whether The <smbconfoption name="ldap server require strong auth"/> defines whether
the ldap server requires ldap traffic to be signed or signed and encrypted (sealed). the ldap server requires ldap traffic to be signed or signed and encrypted (sealed).
Possible values are <emphasis>no</emphasis>, <emphasis>allow_sasl_over_tls</emphasis> Possible values are <emphasis>no</emphasis>,
<emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
and <emphasis>yes</emphasis>. and <emphasis>yes</emphasis>.
</para> </para>
<para>A value of <emphasis>no</emphasis> allows simple and sasl binds over <para>Windows has <emphasis>LdapEnforceChannelBinding</emphasis> under
all transports.</para> <emphasis>HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\</emphasis>.
</para>
<para>A value of <emphasis>allow_sasl_over_tls</emphasis> allows simple and sasl binds <para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
(without sign or seal) over TLS encrypted connections. Unencrypted connections only all transports. This matches LdapEnforceChannelBinding=0.</para>
allow sasl binds with sign or seal.</para>
<para>A value of <emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
allows simple and sasl binds (without sign or seal) over TLS encrypted connections.
Missing tls channel bindings are ignored, so only use this if a value of
<emphasis>yes</emphasis> is not possible.
Unencrypted connections only allow sasl binds with sign or seal.
This matches LdapEnforceChannelBinding=1.
</para>
<para>Before support for tls channel bindings existed in Samba,
a value of <emphasis>allow_sasl_over_tls</emphasis> was possible in order
to allow sasl binds without tls channel bindings. This now misleading
as a value of <emphasis>yes</emphasis> will now allow sasl binds
with tls channel bindings. Configurations should be changed to
<emphasis>yes</emphasis> instead or
<emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
if really required. Currently <emphasis>allow_sasl_over_tls</emphasis>
is just an alias of <emphasis>allow_sasl_without_tls_channel_bindings</emphasis>,
but it will be removed in future versions.
</para>
<para>A value of <emphasis>yes</emphasis> allows only simple binds <para>A value of <emphasis>yes</emphasis> allows only simple binds
over TLS encrypted connections. Unencrypted connections only and sasl binds with correct tls channel bindings
allow sasl binds with sign or seal.</para> over TLS encrypted connections. sasl binds without tls channel bindings
are not allowed. Unencrypted connections only
allow sasl binds with sign or seal. This matches LdapEnforceChannelBinding=2.
</para>
</description> </description>
<value type="default">yes</value> <value type="default">yes</value>
</samba:parameter> </samba:parameter>


@ -206,6 +206,7 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
enum ldap_server_require_strong_auth { enum ldap_server_require_strong_auth {
LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, LDAP_SERVER_REQUIRE_STRONG_AUTH_NO,
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS, LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB,
LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, LDAP_SERVER_REQUIRE_STRONG_AUTH_YES,
}; };
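Review bot: The new enumerator `LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB` is inserted ahead of `LDAP_SERVER_REQUIRE_STRONG_AUTH_YES`, so the implicit integer value of `..._YES` changes; that is harmless only if nothing compares these values numerically or stores them outside the process, which cannot be confirmed from this hunk. A short comment would also record why the legacy `..._ALLOW_SASL_OVER_TLS` is kept as a distinct enumerator instead of being defined as an alias of the new one, since the rest of the commit relies on that distinction to emit a deprecation warning: `/* deprecated alias of ..._ALLOW_SASL_WITHOUT_TLS_CB; kept distinct so legacy smb.conf settings can be warned about */`.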


@ -318,6 +318,8 @@ static const struct enum_list enum_ldap_server_require_strong_auth_vals[] = {
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "0" }, { LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "0" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS, { LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
"allow_sasl_over_tls" }, "allow_sasl_over_tls" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB,
"allow_sasl_without_tls_channel_bindings" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "Yes" }, { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "Yes" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "True" }, { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "True" },
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "1" }, { LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "1" },


@ -183,6 +183,16 @@ class cmd_testparm(Command):
"When acting as Active Directory domain controller, " + "When acting as Active Directory domain controller, " +
entry + " should be in vfs objects.") entry + " should be in vfs objects.")
strong_auth = lp.get("ldap server require strong auth")
if strong_auth == "allow_sasl_over_tls":
logger.warning(
"WARNING: You have not configured "
"'ldap server require strong auth = "
"allow_sasl_over_tls'.\n"
"Please change to 'yes' (preferred) or "
"'allow_sasl_without_tls_channel_bindings' "
"(if really needed).")
return valid return valid
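Review bot: The text passed to `logger.warning` is inverted: this branch only runs when `strong_auth == "allow_sasl_over_tls"`, yet the message tells the administrator "You have not configured 'ldap server require strong auth = allow_sasl_over_tls'", the opposite of what the check found. Change the first fragment to `"WARNING: You have configured "`. The same wording is used in the C testparm check (the `fprintf(stderr, ...)` added to do_global_checks) and in the `D_ERR` added to ldapsrv_accept, and should be corrected in all three places. It is also worth confirming that `lp.get()` returns the canonical enum spelling here; if it echoes the raw smb.conf string, a differently-cased spelling of the value would slip past the `==` comparison and never be warned about.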
def allow_access(self, deny_list, allow_list, cname, caddr): def allow_access(self, deny_list, allow_list, cname, caddr):


@ -1625,7 +1625,7 @@ sub provision_ad_dc_ntvfs($$$)
print "PROVISIONING AD DC (NTVFS)...\n"; print "PROVISIONING AD DC (NTVFS)...\n";
my $extra_conf_options = "netbios aliases = localDC1-a my $extra_conf_options = "netbios aliases = localDC1-a
server services = +winbind -winbindd server services = +winbind -winbindd
ldap server require strong auth = allow_sasl_over_tls ldap server require strong auth = allow_sasl_without_tls_channel_bindings
raw NTLMv2 auth = yes raw NTLMv2 auth = yes
lsa over netlogon = yes lsa over netlogon = yes
rpc server port = 1027 rpc server port = 1027


@ -615,6 +615,18 @@ static int do_global_checks(void)
ret = 1; ret = 1;
} }
if (lp_ldap_server_require_strong_auth() ==
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS)
{
fprintf(stderr,
"WARNING: You have not configured "
"'ldap server require strong auth = "
"allow_sasl_over_tls'.\n"
"Please change to 'yes' (preferred) or "
"'allow_sasl_without_tls_channel_bindings' "
"(if really needed)\n\n");
}
if (lp_server_schannel() != true) { /* can be 'auto' */ if (lp_server_schannel() != true) { /* can be 'auto' */
fprintf(stderr, fprintf(stderr,
"WARNING: You have not configured " "WARNING: You have not configured "


@ -27,6 +27,7 @@
#include "dsdb/samdb/samdb.h" #include "dsdb/samdb/samdb.h"
#include "auth/gensec/gensec.h" #include "auth/gensec/gensec.h"
#include "auth/gensec/gensec_tstream.h" #include "auth/gensec/gensec_tstream.h"
#include "lib/tls/tls.h"
#include "param/param.h" #include "param/param.h"
#include "../lib/util/tevent_ntstatus.h" #include "../lib/util/tevent_ntstatus.h"
#include "lib/util/time_basic.h" #include "lib/util/time_basic.h"
@ -359,6 +360,49 @@ static NTSTATUS ldapsrv_setup_gensec(struct ldapsrv_connection *conn,
gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAP_STYLE); gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAP_STYLE);
if (conn->sockets.active == conn->sockets.tls) { if (conn->sockets.active == conn->sockets.tls) {
uint32_t initiator_addrtype = 0;
const DATA_BLOB *initiator_address = NULL;
uint32_t acceptor_addrtype = 0;
const DATA_BLOB *acceptor_address = NULL;
const DATA_BLOB *application_data =
tstream_tls_channel_bindings(conn->sockets.tls);
status = gensec_set_channel_bindings(gensec_security,
initiator_addrtype,
initiator_address,
acceptor_addrtype,
acceptor_address,
application_data);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
/*
* By default channel bindings are required,
* so we only set GENSEC_FEATURE_CB_OPTIONAL
* for the legacy option:
*
* ldap server require strong auth = no
* or
* ldap server require strong auth =
* allow_sasl_without_tls_channel_bindings
*
* And this as an alias to cope with existing smb.conf
* files:
*
* ldap server require strong auth = allow_sasl_over_tls
*/
switch (conn->require_strong_auth) {
case LDAP_SERVER_REQUIRE_STRONG_AUTH_NO:
case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS:
case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB:
gensec_want_feature(gensec_security,
GENSEC_FEATURE_CB_OPTIONAL);
break;
default:
break;
}
gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAPS_TRANSPORT); gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAPS_TRANSPORT);
} }
@ -496,6 +540,14 @@ static void ldapsrv_BindSASL_done(struct tevent_req *subreq)
goto do_reply; goto do_reply;
} }
if (NT_STATUS_EQUAL(status, NT_STATUS_BAD_BINDINGS)) {
result = LDAP_INVALID_CREDENTIALS;
errstr = ldapsrv_bind_error_msg(reply,
HRES_SEC_E_BAD_BINDINGS,
0x0C090711,
status);
goto do_reply;
}
if (!NT_STATUS_IS_OK(status)) { if (!NT_STATUS_IS_OK(status)) {
status = nt_status_squash(status); status = nt_status_squash(status);
result = LDAP_INVALID_CREDENTIALS; result = LDAP_INVALID_CREDENTIALS;
@ -539,17 +591,11 @@ static void ldapsrv_BindSASL_done(struct tevent_req *subreq)
case LDAP_SERVER_REQUIRE_STRONG_AUTH_NO: case LDAP_SERVER_REQUIRE_STRONG_AUTH_NO:
break; break;
case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS: case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS:
case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB:
case LDAP_SERVER_REQUIRE_STRONG_AUTH_YES:
if (call->conn->sockets.active == call->conn->sockets.tls) { if (call->conn->sockets.active == call->conn->sockets.tls) {
break; break;
} }
status = NT_STATUS_NETWORK_ACCESS_DENIED;
result = LDAP_STRONG_AUTH_REQUIRED;
errstr = talloc_asprintf(reply,
"SASL:[%s]: not allowed if TLS is used.",
req->creds.SASL.mechanism);
goto do_reply;
case LDAP_SERVER_REQUIRE_STRONG_AUTH_YES:
status = NT_STATUS_NETWORK_ACCESS_DENIED; status = NT_STATUS_NETWORK_ACCESS_DENIED;
result = LDAP_STRONG_AUTH_REQUIRED; result = LDAP_STRONG_AUTH_REQUIRED;
errstr = talloc_asprintf(reply, errstr = talloc_asprintf(reply,
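Review bot: In the ldapsrv_BindSASL_done hunk, the new `NT_STATUS_BAD_BINDINGS` branch answers the client with `LDAP_INVALID_CREDENTIALS`, but nothing visible logs the event on the server; a bind rejected for missing or mismatched TLS channel bindings is exactly what an operator needs to see before and after switching to `ldap server require strong auth = yes`, and on the wire it is indistinguishable from a wrong password. Unless `ldapsrv_bind_error_msg` already logs, add a warning-level debug line in that branch naming the SASL mechanism (`req->creds.SASL.mechanism` is in scope in this function) before the `goto do_reply;`. In the ldapsrv_setup_gensec hunk the result of `tstream_tls_channel_bindings()` is handed to `gensec_set_channel_bindings()` unchecked; the comment block there should state whether it can be NULL and what gensec does in that case, since a silently absent binding would defeat the "required by default" intent described in that comment. Both enclosing functions start outside the hunks.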


@ -378,6 +378,17 @@ static void ldapsrv_accept(struct stream_connection *c,
conn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx); conn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx);
} }
if (conn->require_strong_auth ==
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS)
{
D_ERR("WARNING: You have not configured "
"'ldap server require strong auth = "
"allow_sasl_over_tls'.\n"
"Please change to 'yes' (preferred and default) or "
"'allow_sasl_without_tls_channel_bindings' "
"(if really needed)\n\n");
}
ret = ldapsrv_backend_Init(conn, &errstring); ret = ldapsrv_backend_Init(conn, &errstring);
if (ret != LDB_SUCCESS) { if (ret != LDB_SUCCESS) {
char *reason = talloc_asprintf(conn, char *reason = talloc_asprintf(conn,
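Review bot: The deprecation check is placed in ldapsrv_accept, so the `D_ERR` appears to fire for every accepted LDAP connection rather than once per process; on a busy DC still running the legacy setting this floods the log at error level and buries genuine errors, which is a detection problem as much as a cosmetic one. Emit it a single time, for example by guarding it with a file-scope `static bool warned_legacy_strong_auth` set after the first message, or by moving it to the service startup path where the configuration is first read. ldapsrv_accept starts outside the hunk.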