s4:ldap_server: add support for tls channel bindings
ldap server require strong auth = allow_sasl_over_tls is now an alias for 'allow_sasl_without_tls_channel_bindings' and should be avoided and changed to 'yes' or 'allow_sasl_without_tls_channel_bindings'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
811d04fea7
commit
6c17e3d280
@ -7,20 +7,44 @@
|
|||||||
<para>
|
<para>
|
||||||
The <smbconfoption name="ldap server require strong auth"/> defines whether
|
The <smbconfoption name="ldap server require strong auth"/> defines whether
|
||||||
the ldap server requires ldap traffic to be signed or signed and encrypted (sealed).
|
the ldap server requires ldap traffic to be signed or signed and encrypted (sealed).
|
||||||
Possible values are <emphasis>no</emphasis>, <emphasis>allow_sasl_over_tls</emphasis>
|
Possible values are <emphasis>no</emphasis>,
|
||||||
|
<emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
|
||||||
and <emphasis>yes</emphasis>.
|
and <emphasis>yes</emphasis>.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
|
<para>Windows has <emphasis>LdapEnforceChannelBinding</emphasis> under
|
||||||
all transports.</para>
|
<emphasis>HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\</emphasis>.
|
||||||
|
</para>
|
||||||
|
|
||||||
<para>A value of <emphasis>allow_sasl_over_tls</emphasis> allows simple and sasl binds
|
<para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
|
||||||
(without sign or seal) over TLS encrypted connections. Unencrypted connections only
|
all transports. This matches LdapEnforceChannelBinding=0.</para>
|
||||||
allow sasl binds with sign or seal.</para>
|
|
||||||
|
<para>A value of <emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
|
||||||
|
allows simple and sasl binds (without sign or seal) over TLS encrypted connections.
|
||||||
|
Missing tls channel bindings are ignored, so only use this if a value of
|
||||||
|
<emphasis>yes</emphasis> is not possible.
|
||||||
|
Unencrypted connections only allow sasl binds with sign or seal.
|
||||||
|
This matches LdapEnforceChannelBinding=1.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>Before support for tls channel bindings existed in Samba,
|
||||||
|
a value of <emphasis>allow_sasl_over_tls</emphasis> was possible in order
|
||||||
|
to allow sasl binds without tls channel bindings. This now misleading
|
||||||
|
as a value of <emphasis>yes</emphasis> will now allow sasl binds
|
||||||
|
with tls channel bindings. Configurations should be changed to
|
||||||
|
<emphasis>yes</emphasis> instead or
|
||||||
|
<emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
|
||||||
|
if really required. Currently <emphasis>allow_sasl_over_tls</emphasis>
|
||||||
|
is just an alias of <emphasis>allow_sasl_without_tls_channel_bindings</emphasis>,
|
||||||
|
but it will be removed in future versions.
|
||||||
|
</para>
|
||||||
|
|
||||||
<para>A value of <emphasis>yes</emphasis> allows only simple binds
|
<para>A value of <emphasis>yes</emphasis> allows only simple binds
|
||||||
over TLS encrypted connections. Unencrypted connections only
|
and sasl binds with correct tls channel bindings
|
||||||
allow sasl binds with sign or seal.</para>
|
over TLS encrypted connections. sasl binds without tls channel bindings
|
||||||
|
are not allowed. Unencrypted connections only
|
||||||
|
allow sasl binds with sign or seal. This matches LdapEnforceChannelBinding=2.
|
||||||
|
</para>
|
||||||
</description>
|
</description>
|
||||||
<value type="default">yes</value>
|
<value type="default">yes</value>
|
||||||
</samba:parameter>
|
</samba:parameter>
|
||||||
|
@ -206,6 +206,7 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
|
|||||||
enum ldap_server_require_strong_auth {
|
enum ldap_server_require_strong_auth {
|
||||||
LDAP_SERVER_REQUIRE_STRONG_AUTH_NO,
|
LDAP_SERVER_REQUIRE_STRONG_AUTH_NO,
|
||||||
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
|
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
|
||||||
|
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB,
|
||||||
LDAP_SERVER_REQUIRE_STRONG_AUTH_YES,
|
LDAP_SERVER_REQUIRE_STRONG_AUTH_YES,
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -318,6 +318,8 @@ static const struct enum_list enum_ldap_server_require_strong_auth_vals[] = {
|
|||||||
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "0" },
|
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "0" },
|
||||||
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
|
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
|
||||||
"allow_sasl_over_tls" },
|
"allow_sasl_over_tls" },
|
||||||
|
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB,
|
||||||
|
"allow_sasl_without_tls_channel_bindings" },
|
||||||
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "Yes" },
|
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "Yes" },
|
||||||
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "True" },
|
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "True" },
|
||||||
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "1" },
|
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "1" },
|
||||||
|
@ -183,6 +183,16 @@ class cmd_testparm(Command):
|
|||||||
"When acting as Active Directory domain controller, " +
|
"When acting as Active Directory domain controller, " +
|
||||||
entry + " should be in vfs objects.")
|
entry + " should be in vfs objects.")
|
||||||
|
|
||||||
|
strong_auth = lp.get("ldap server require strong auth")
|
||||||
|
if strong_auth == "allow_sasl_over_tls":
|
||||||
|
logger.warning(
|
||||||
|
"WARNING: You have not configured "
|
||||||
|
"'ldap server require strong auth = "
|
||||||
|
"allow_sasl_over_tls'.\n"
|
||||||
|
"Please change to 'yes' (preferred) or "
|
||||||
|
"'allow_sasl_without_tls_channel_bindings' "
|
||||||
|
"(if really needed).")
|
||||||
|
|
||||||
return valid
|
return valid
|
||||||
|
|
||||||
def allow_access(self, deny_list, allow_list, cname, caddr):
|
def allow_access(self, deny_list, allow_list, cname, caddr):
|
||||||
|
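Review bot: The warning text assembled from `"WARNING: You have not configured "`, `"'ldap server require strong auth = "` and `"allow_sasl_over_tls'.\n"` says the opposite of the condition guarding it — the branch runs exactly when `strong_auth == "allow_sasl_over_tls"`, so the user is told they have not configured the value they just configured. The phrasing looks copied from the "should be in vfs objects" style of warning above it; `"WARNING: 'ldap server require strong auth = allow_sasl_over_tls' is a deprecated alias.\n"` followed by the existing "Please change to ..." sentence says what is meant. The comparison also assumes `lp.get()` returns the canonical enum name for this parameter rather than the raw smb.conf text; if it does not, a differently-cased value would slip past the check, so that is worth confirming or comparing case-insensitively. The cmd_testparm method this sits in begins outside the hunk.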
@ -1625,7 +1625,7 @@ sub provision_ad_dc_ntvfs($$$)
|
|||||||
print "PROVISIONING AD DC (NTVFS)...\n";
|
print "PROVISIONING AD DC (NTVFS)...\n";
|
||||||
my $extra_conf_options = "netbios aliases = localDC1-a
|
my $extra_conf_options = "netbios aliases = localDC1-a
|
||||||
server services = +winbind -winbindd
|
server services = +winbind -winbindd
|
||||||
ldap server require strong auth = allow_sasl_over_tls
|
ldap server require strong auth = allow_sasl_without_tls_channel_bindings
|
||||||
raw NTLMv2 auth = yes
|
raw NTLMv2 auth = yes
|
||||||
lsa over netlogon = yes
|
lsa over netlogon = yes
|
||||||
rpc server port = 1027
|
rpc server port = 1027
|
||||||
|
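Review bot: Switching provision_ad_dc_ntvfs to `ldap server require strong auth = allow_sasl_without_tls_channel_bindings` means the alias path this commit keeps alive — allow_sasl_over_tls mapping to CB-optional plus the new start-up warning — is no longer exercised by any environment visible here, unless another target still sets the old spelling. If the alias is meant to keep working until it is removed, one environment or a dedicated test should keep `ldap server require strong auth = allow_sasl_over_tls` so a regression in the alias mapping is caught; otherwise a short comment next to this line saying the alias is deliberately untested would do. The `$extra_conf_options` string continues past the hunk.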
@ -615,6 +615,18 @@ static int do_global_checks(void)
|
|||||||
ret = 1;
|
ret = 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (lp_ldap_server_require_strong_auth() ==
|
||||||
|
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS)
|
||||||
|
{
|
||||||
|
fprintf(stderr,
|
||||||
|
"WARNING: You have not configured "
|
||||||
|
"'ldap server require strong auth = "
|
||||||
|
"allow_sasl_over_tls'.\n"
|
||||||
|
"Please change to 'yes' (preferred) or "
|
||||||
|
"'allow_sasl_without_tls_channel_bindings' "
|
||||||
|
"(if really needed)\n\n");
|
||||||
|
}
|
||||||
|
|
||||||
if (lp_server_schannel() != true) { /* can be 'auto' */
|
if (lp_server_schannel() != true) { /* can be 'auto' */
|
||||||
fprintf(stderr,
|
fprintf(stderr,
|
||||||
"WARNING: You have not configured "
|
"WARNING: You have not configured "
|
||||||
|
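Review bot: The message in the new `fprintf(stderr, ...)` block is inverted: the `if` fires when `lp_ldap_server_require_strong_auth()` equals LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS, yet the text reads "You have not configured 'ldap server require strong auth = allow_sasl_over_tls'". It appears to be modelled on the `server schannel` warning that follows it, where "not configured" really is the condition. Replacing the first fragment with `"WARNING: 'ldap server require strong auth = allow_sasl_over_tls' is a deprecated alias.\n"` and keeping the "Please change to ..." tail fixes the wording. do_global_checks() starts and ends outside the hunk.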
@ -27,6 +27,7 @@
|
|||||||
#include "dsdb/samdb/samdb.h"
|
#include "dsdb/samdb/samdb.h"
|
||||||
#include "auth/gensec/gensec.h"
|
#include "auth/gensec/gensec.h"
|
||||||
#include "auth/gensec/gensec_tstream.h"
|
#include "auth/gensec/gensec_tstream.h"
|
||||||
|
#include "lib/tls/tls.h"
|
||||||
#include "param/param.h"
|
#include "param/param.h"
|
||||||
#include "../lib/util/tevent_ntstatus.h"
|
#include "../lib/util/tevent_ntstatus.h"
|
||||||
#include "lib/util/time_basic.h"
|
#include "lib/util/time_basic.h"
|
||||||
@ -359,6 +360,49 @@ static NTSTATUS ldapsrv_setup_gensec(struct ldapsrv_connection *conn,
|
|||||||
gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAP_STYLE);
|
gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAP_STYLE);
|
||||||
|
|
||||||
if (conn->sockets.active == conn->sockets.tls) {
|
if (conn->sockets.active == conn->sockets.tls) {
|
||||||
|
uint32_t initiator_addrtype = 0;
|
||||||
|
const DATA_BLOB *initiator_address = NULL;
|
||||||
|
uint32_t acceptor_addrtype = 0;
|
||||||
|
const DATA_BLOB *acceptor_address = NULL;
|
||||||
|
const DATA_BLOB *application_data =
|
||||||
|
tstream_tls_channel_bindings(conn->sockets.tls);
|
||||||
|
|
||||||
|
status = gensec_set_channel_bindings(gensec_security,
|
||||||
|
initiator_addrtype,
|
||||||
|
initiator_address,
|
||||||
|
acceptor_addrtype,
|
||||||
|
acceptor_address,
|
||||||
|
application_data);
|
||||||
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
|
return status;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* By default channel bindings are required,
|
||||||
|
* so we only set GENSEC_FEATURE_CB_OPTIONAL
|
||||||
|
* for the legacy option:
|
||||||
|
*
|
||||||
|
* ldap server require strong auth = no
|
||||||
|
* or
|
||||||
|
* ldap server require strong auth =
|
||||||
|
* allow_sasl_without_tls_channel_bindings
|
||||||
|
*
|
||||||
|
* And this as an alias to cope with existing smb.conf
|
||||||
|
* files:
|
||||||
|
*
|
||||||
|
* ldap server require strong auth = allow_sasl_over_tls
|
||||||
|
*/
|
||||||
|
switch (conn->require_strong_auth) {
|
||||||
|
case LDAP_SERVER_REQUIRE_STRONG_AUTH_NO:
|
||||||
|
case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS:
|
||||||
|
case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB:
|
||||||
|
gensec_want_feature(gensec_security,
|
||||||
|
GENSEC_FEATURE_CB_OPTIONAL);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAPS_TRANSPORT);
|
gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAPS_TRANSPORT);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -496,6 +540,14 @@ static void ldapsrv_BindSASL_done(struct tevent_req *subreq)
|
|||||||
goto do_reply;
|
goto do_reply;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (NT_STATUS_EQUAL(status, NT_STATUS_BAD_BINDINGS)) {
|
||||||
|
result = LDAP_INVALID_CREDENTIALS;
|
||||||
|
errstr = ldapsrv_bind_error_msg(reply,
|
||||||
|
HRES_SEC_E_BAD_BINDINGS,
|
||||||
|
0x0C090711,
|
||||||
|
status);
|
||||||
|
goto do_reply;
|
||||||
|
}
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
status = nt_status_squash(status);
|
status = nt_status_squash(status);
|
||||||
result = LDAP_INVALID_CREDENTIALS;
|
result = LDAP_INVALID_CREDENTIALS;
|
||||||
@ -539,17 +591,11 @@ static void ldapsrv_BindSASL_done(struct tevent_req *subreq)
|
|||||||
case LDAP_SERVER_REQUIRE_STRONG_AUTH_NO:
|
case LDAP_SERVER_REQUIRE_STRONG_AUTH_NO:
|
||||||
break;
|
break;
|
||||||
case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS:
|
case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS:
|
||||||
|
case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB:
|
||||||
|
case LDAP_SERVER_REQUIRE_STRONG_AUTH_YES:
|
||||||
if (call->conn->sockets.active == call->conn->sockets.tls) {
|
if (call->conn->sockets.active == call->conn->sockets.tls) {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
status = NT_STATUS_NETWORK_ACCESS_DENIED;
|
|
||||||
result = LDAP_STRONG_AUTH_REQUIRED;
|
|
||||||
errstr = talloc_asprintf(reply,
|
|
||||||
"SASL:[%s]: not allowed if TLS is used.",
|
|
||||||
req->creds.SASL.mechanism);
|
|
||||||
goto do_reply;
|
|
||||||
|
|
||||||
case LDAP_SERVER_REQUIRE_STRONG_AUTH_YES:
|
|
||||||
status = NT_STATUS_NETWORK_ACCESS_DENIED;
|
status = NT_STATUS_NETWORK_ACCESS_DENIED;
|
||||||
result = LDAP_STRONG_AUTH_REQUIRED;
|
result = LDAP_STRONG_AUTH_REQUIRED;
|
||||||
errstr = talloc_asprintf(reply,
|
errstr = talloc_asprintf(reply,
|
||||||
|
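Review bot: The comment above the new `switch (conn->require_strong_auth)` in ldapsrv_setup_gensec says bindings are required by default and CB_OPTIONAL is set for the legacy options, but it never states what GENSEC_FEATURE_CB_OPTIONAL does when a client sends bindings that do not match — ignored, or verified and rejected. That matters for the LDAP_SERVER_REQUIRE_STRONG_AUTH_NO case, which the docs hunk equates with LdapEnforceChannelBinding=0 (never verify) while the code treats it exactly like allow_sasl_without_tls_channel_bindings; a one-line comment pinning the intended semantics would stop the next reader from guessing, e.g. `/* CB_OPTIONAL: clients that send no bindings are accepted; bindings that are present are still checked — TODO confirm against the gensec backends */`. If `tstream_tls_channel_bindings()` can return NULL before the handshake has produced a value, that case deserves a note too, since the result is passed straight into gensec_set_channel_bindings() without a check. ldapsrv_setup_gensec() begins before the hunk.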
@ -378,6 +378,17 @@ static void ldapsrv_accept(struct stream_connection *c,
|
|||||||
conn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx);
|
conn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (conn->require_strong_auth ==
|
||||||
|
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS)
|
||||||
|
{
|
||||||
|
D_ERR("WARNING: You have not configured "
|
||||||
|
"'ldap server require strong auth = "
|
||||||
|
"allow_sasl_over_tls'.\n"
|
||||||
|
"Please change to 'yes' (preferred and default) or "
|
||||||
|
"'allow_sasl_without_tls_channel_bindings' "
|
||||||
|
"(if really needed)\n\n");
|
||||||
|
}
|
||||||
|
|
||||||
ret = ldapsrv_backend_Init(conn, &errstring);
|
ret = ldapsrv_backend_Init(conn, &errstring);
|
||||||
if (ret != LDB_SUCCESS) {
|
if (ret != LDB_SUCCESS) {
|
||||||
char *reason = talloc_asprintf(conn,
|
char *reason = talloc_asprintf(conn,
|
||||||
|
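Review bot: The new `D_ERR("WARNING: ...")` in ldapsrv_accept runs on every accepted LDAP connection, because it tests the per-connection `conn->require_strong_auth` assigned just above it, so a DC left on the alias emits this multi-line warning at error level for each client — on a busy DC that is log flooding rather than a hint. Logging it once at service start-up, where the parameter is first read, or leaving the nag to testparm keeps the signal without the noise; a `static bool warned` guard would be the minimal change here, though it only de-duplicates within one process. The text "You have not configured 'ldap server require strong auth = allow_sasl_over_tls'" is also the reverse of the condition it is printed under; `"WARNING: 'ldap server require strong auth = allow_sasl_over_tls' is a deprecated alias.\n"` fits. ldapsrv_accept() starts and ends outside the hunk.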