s4:ldap_server: add support for tls channel bindings
'ldap server require strong auth = allow_sasl_over_tls' is now an alias for 'allow_sasl_without_tls_channel_bindings'; it should be avoided and changed to 'yes' or 'allow_sasl_without_tls_channel_bindings'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
811d04fea7
commit
6c17e3d280
@ -7,20 +7,44 @@
|
||||
<para>
|
||||
The <smbconfoption name="ldap server require strong auth"/> defines whether
|
||||
the ldap server requires ldap traffic to be signed or signed and encrypted (sealed).
|
||||
Possible values are <emphasis>no</emphasis>, <emphasis>allow_sasl_over_tls</emphasis>
|
||||
Possible values are <emphasis>no</emphasis>,
|
||||
<emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
|
||||
and <emphasis>yes</emphasis>.
|
||||
</para>
|
||||
|
||||
<para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
|
||||
all transports.</para>
|
||||
<para>Windows has <emphasis>LdapEnforceChannelBinding</emphasis> under
|
||||
<emphasis>HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\</emphasis>.
|
||||
</para>
|
||||
|
||||
<para>A value of <emphasis>allow_sasl_over_tls</emphasis> allows simple and sasl binds
|
||||
(without sign or seal) over TLS encrypted connections. Unencrypted connections only
|
||||
allow sasl binds with sign or seal.</para>
|
||||
<para>A value of <emphasis>no</emphasis> allows simple and sasl binds over
|
||||
all transports. This matches LdapEnforceChannelBinding=0.</para>
|
||||
|
||||
<para>A value of <emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
|
||||
allows simple and sasl binds (without sign or seal) over TLS encrypted connections.
|
||||
Missing tls channel bindings are ignored, so only use this if a value of
|
||||
<emphasis>yes</emphasis> is not possible.
|
||||
Unencrypted connections only allow sasl binds with sign or seal.
|
||||
This matches LdapEnforceChannelBinding=1.
|
||||
</para>
|
||||
|
||||
<para>Before support for tls channel bindings existed in Samba,
|
||||
a value of <emphasis>allow_sasl_over_tls</emphasis> was possible in order
|
||||
to allow sasl binds without tls channel bindings. This now misleading
|
||||
as a value of <emphasis>yes</emphasis> will now allow sasl binds
|
||||
with tls channel bindings. Configurations should be changed to
|
||||
<emphasis>yes</emphasis> instead or
|
||||
<emphasis>allow_sasl_without_tls_channel_bindings</emphasis>
|
||||
if really required. Currently <emphasis>allow_sasl_over_tls</emphasis>
|
||||
is just an alias of <emphasis>allow_sasl_without_tls_channel_bindings</emphasis>,
|
||||
but it will be removed in future versions.
|
||||
</para>
|
||||
|
||||
<para>A value of <emphasis>yes</emphasis> allows only simple binds
|
||||
over TLS encrypted connections. Unencrypted connections only
|
||||
allow sasl binds with sign or seal.</para>
|
||||
and sasl binds with correct tls channel bindings
|
||||
over TLS encrypted connections. sasl binds without tls channel bindings
|
||||
are not allowed. Unencrypted connections only
|
||||
allow sasl binds with sign or seal. This matches LdapEnforceChannelBinding=2.
|
||||
</para>
|
||||
</description>
|
||||
<value type="default">yes</value>
|
||||
</samba:parameter>
|
||||
|
@ -206,6 +206,7 @@ enum printing_types {PRINT_BSD,PRINT_SYSV,PRINT_AIX,PRINT_HPUX,
|
||||
enum ldap_server_require_strong_auth {
|
||||
LDAP_SERVER_REQUIRE_STRONG_AUTH_NO,
|
||||
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
|
||||
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB,
|
||||
LDAP_SERVER_REQUIRE_STRONG_AUTH_YES,
|
||||
};
|
||||
|
||||
|
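Review bot: The new enumerator is added between ALLOW_SASL_OVER_TLS and YES without any comment telling a reader of this header that ALLOW_SASL_OVER_TLS is now only a legacy alias, kept as a distinct value so that testparm and ldapsrv_accept can warn about it, and that the two values are meant to behave identically everywhere else. I would annotate it inline, `LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS, /* legacy alias of ..._ALLOW_SASL_WITHOUT_TLS_CB, kept distinct only to warn */`, so that a future `==` or `case` on ALLOW_SASL_WITHOUT_TLS_CB alone is recognised as incomplete. Inserting in the middle also renumbers LDAP_SERVER_REQUIRE_STRONG_AUTH_YES; every use visible in this commit is symbolic (switch cases and `==`), so that is fine as long as nothing stores or orders the raw values.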
@ -318,6 +318,8 @@ static const struct enum_list enum_ldap_server_require_strong_auth_vals[] = {
|
||||
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_NO, "0" },
|
||||
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS,
|
||||
"allow_sasl_over_tls" },
|
||||
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB,
|
||||
"allow_sasl_without_tls_channel_bindings" },
|
||||
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "Yes" },
|
||||
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "True" },
|
||||
{ LDAP_SERVER_REQUIRE_STRONG_AUTH_YES, "1" },
|
||||
|
@ -183,6 +183,16 @@ class cmd_testparm(Command):
|
||||
"When acting as Active Directory domain controller, " +
|
||||
entry + " should be in vfs objects.")
|
||||
|
||||
strong_auth = lp.get("ldap server require strong auth")
|
||||
if strong_auth == "allow_sasl_over_tls":
|
||||
logger.warning(
|
||||
"WARNING: You have not configured "
|
||||
"'ldap server require strong auth = "
|
||||
"allow_sasl_over_tls'.\n"
|
||||
"Please change to 'yes' (preferred) or "
|
||||
"'allow_sasl_without_tls_channel_bindings' "
|
||||
"(if really needed).")
|
||||
|
||||
return valid
|
||||
|
||||
def allow_access(self, deny_list, allow_list, cname, caddr):
|
||||
|
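Review bot: The warning text in the new block says the user has not configured `allow_sasl_over_tls`, but the branch is taken exactly when that value is configured; the wording follows the existing "You have not configured" warnings visible in the testparm C hunk and inverts the meaning here. I would change the first two string fragments to `"WARNING: 'ldap server require strong auth = allow_sasl_over_tls' is a deprecated alias.\n"` and keep the "Please change to" sentence. The same inverted text appears in the do_global_checks hunk of the C testparm and in the ldapsrv_accept hunk. It is also worth confirming that `lp.get()` returns the canonical enum name rather than the raw smb.conf spelling, since this comparison is case-sensitive while the enum lookup presumably is not; the enclosing cmd_testparm method starts outside the hunk.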
@ -1625,7 +1625,7 @@ sub provision_ad_dc_ntvfs($$$)
|
||||
print "PROVISIONING AD DC (NTVFS)...\n";
|
||||
my $extra_conf_options = "netbios aliases = localDC1-a
|
||||
server services = +winbind -winbindd
|
||||
ldap server require strong auth = allow_sasl_over_tls
|
||||
ldap server require strong auth = allow_sasl_without_tls_channel_bindings
|
||||
raw NTLMv2 auth = yes
|
||||
lsa over netlogon = yes
|
||||
rpc server port = 1027
|
||||
|
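Review bot: Switching this environment to `allow_sasl_without_tls_channel_bindings` means the selftest no longer exercises the `allow_sasl_over_tls` spelling, which the commit keeps as a supported alias that must map to the same behaviour. Unless another environment still sets it, a regression in the alias mapping (for example in the enum_list entry) would go unnoticed; keeping one environment on the old spelling, or adding a parse test that checks the two values are treated alike, would cover it. provision_ad_dc_ntvfs starts and ends outside the hunk.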
@ -615,6 +615,18 @@ static int do_global_checks(void)
|
||||
ret = 1;
|
||||
}
|
||||
|
||||
if (lp_ldap_server_require_strong_auth() ==
|
||||
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS)
|
||||
{
|
||||
fprintf(stderr,
|
||||
"WARNING: You have not configured "
|
||||
"'ldap server require strong auth = "
|
||||
"allow_sasl_over_tls'.\n"
|
||||
"Please change to 'yes' (preferred) or "
|
||||
"'allow_sasl_without_tls_channel_bindings' "
|
||||
"(if really needed)\n\n");
|
||||
}
|
||||
|
||||
if (lp_server_schannel() != true) { /* can be 'auto' */
|
||||
fprintf(stderr,
|
||||
"WARNING: You have not configured "
|
||||
|
@ -27,6 +27,7 @@
|
||||
#include "dsdb/samdb/samdb.h"
|
||||
#include "auth/gensec/gensec.h"
|
||||
#include "auth/gensec/gensec_tstream.h"
|
||||
#include "lib/tls/tls.h"
|
||||
#include "param/param.h"
|
||||
#include "../lib/util/tevent_ntstatus.h"
|
||||
#include "lib/util/time_basic.h"
|
||||
@ -359,6 +360,49 @@ static NTSTATUS ldapsrv_setup_gensec(struct ldapsrv_connection *conn,
|
||||
gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAP_STYLE);
|
||||
|
||||
if (conn->sockets.active == conn->sockets.tls) {
|
||||
uint32_t initiator_addrtype = 0;
|
||||
const DATA_BLOB *initiator_address = NULL;
|
||||
uint32_t acceptor_addrtype = 0;
|
||||
const DATA_BLOB *acceptor_address = NULL;
|
||||
const DATA_BLOB *application_data =
|
||||
tstream_tls_channel_bindings(conn->sockets.tls);
|
||||
|
||||
status = gensec_set_channel_bindings(gensec_security,
|
||||
initiator_addrtype,
|
||||
initiator_address,
|
||||
acceptor_addrtype,
|
||||
acceptor_address,
|
||||
application_data);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
/*
|
||||
* By default channel bindings are required,
|
||||
* so we only set GENSEC_FEATURE_CB_OPTIONAL
|
||||
* for the legacy option:
|
||||
*
|
||||
* ldap server require strong auth = no
|
||||
* or
|
||||
* ldap server require strong auth =
|
||||
* allow_sasl_without_tls_channel_bindings
|
||||
*
|
||||
* And this as an alias to cope with existing smb.conf
|
||||
* files:
|
||||
*
|
||||
* ldap server require strong auth = allow_sasl_over_tls
|
||||
*/
|
||||
switch (conn->require_strong_auth) {
|
||||
case LDAP_SERVER_REQUIRE_STRONG_AUTH_NO:
|
||||
case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS:
|
||||
case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB:
|
||||
gensec_want_feature(gensec_security,
|
||||
GENSEC_FEATURE_CB_OPTIONAL);
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
gensec_want_feature(gensec_security, GENSEC_FEATURE_LDAPS_TRANSPORT);
|
||||
}
|
||||
|
||||
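Review bot: The result of `tstream_tls_channel_bindings()` is passed straight into `gensec_set_channel_bindings()` as application_data with no NULL check; I cannot see from here whether it can return NULL (no usable certificate hash, for example) or how gensec treats a NULL application_data, and under `yes` that case decides between rejecting every SASL bind and accepting binds without bindings, so either handle it explicitly or record the contract next to the call, e.g. `/* NULL application_data: gensec treats bindings as absent — confirm */`. The comment block calls `no` a "legacy option", but only `allow_sasl_over_tls` is legacy; I would reword it to say CB_OPTIONAL is set for the permissive settings `no` and `allow_sasl_without_tls_channel_bindings`, plus the legacy alias. That comment could also state that with `yes` the enforcement relies entirely on gensec rejecting missing or mismatched bindings for each SASL mechanism, since as far as the visible hunks show ldapsrv_BindSASL_done only maps NT_STATUS_BAD_BINDINGS to an error reply. ldapsrv_setup_gensec starts and ends outside the hunk.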
@ -496,6 +540,14 @@ static void ldapsrv_BindSASL_done(struct tevent_req *subreq)
|
||||
goto do_reply;
|
||||
}
|
||||
|
||||
if (NT_STATUS_EQUAL(status, NT_STATUS_BAD_BINDINGS)) {
|
||||
result = LDAP_INVALID_CREDENTIALS;
|
||||
errstr = ldapsrv_bind_error_msg(reply,
|
||||
HRES_SEC_E_BAD_BINDINGS,
|
||||
0x0C090711,
|
||||
status);
|
||||
goto do_reply;
|
||||
}
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
status = nt_status_squash(status);
|
||||
result = LDAP_INVALID_CREDENTIALS;
|
||||
@ -539,17 +591,11 @@ static void ldapsrv_BindSASL_done(struct tevent_req *subreq)
|
||||
case LDAP_SERVER_REQUIRE_STRONG_AUTH_NO:
|
||||
break;
|
||||
case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS:
|
||||
case LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_WITHOUT_TLS_CB:
|
||||
case LDAP_SERVER_REQUIRE_STRONG_AUTH_YES:
|
||||
if (call->conn->sockets.active == call->conn->sockets.tls) {
|
||||
break;
|
||||
}
|
||||
status = NT_STATUS_NETWORK_ACCESS_DENIED;
|
||||
result = LDAP_STRONG_AUTH_REQUIRED;
|
||||
errstr = talloc_asprintf(reply,
|
||||
"SASL:[%s]: not allowed if TLS is used.",
|
||||
req->creds.SASL.mechanism);
|
||||
goto do_reply;
|
||||
|
||||
case LDAP_SERVER_REQUIRE_STRONG_AUTH_YES:
|
||||
status = NT_STATUS_NETWORK_ACCESS_DENIED;
|
||||
result = LDAP_STRONG_AUTH_REQUIRED;
|
||||
errstr = talloc_asprintf(reply,
|
||||
|
@ -378,6 +378,17 @@ static void ldapsrv_accept(struct stream_connection *c,
|
||||
conn->require_strong_auth = lpcfg_ldap_server_require_strong_auth(conn->lp_ctx);
|
||||
}
|
||||
|
||||
if (conn->require_strong_auth ==
|
||||
LDAP_SERVER_REQUIRE_STRONG_AUTH_ALLOW_SASL_OVER_TLS)
|
||||
{
|
||||
D_ERR("WARNING: You have not configured "
|
||||
"'ldap server require strong auth = "
|
||||
"allow_sasl_over_tls'.\n"
|
||||
"Please change to 'yes' (preferred and default) or "
|
||||
"'allow_sasl_without_tls_channel_bindings' "
|
||||
"(if really needed)\n\n");
|
||||
}
|
||||
|
||||
ret = ldapsrv_backend_Init(conn, &errstring);
|
||||
if (ret != LDB_SUCCESS) {
|
||||
char *reason = talloc_asprintf(conn,
|
||||
|
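Review bot: The D_ERR warning is emitted inside ldapsrv_accept, so a server left on the `allow_sasl_over_tls` alias logs it on every accepted connection; on a busy DC that is error-level log noise for a configuration that testparm already reports. Unless D_ERR is rate-limited, I would emit it once, guarded by a static flag or hoisted to service start-up, and add a `/* one-shot: deprecated alias, testparm reports it too */` comment either way. The message also says "You have not configured" although this value is exactly what was configured; the same wording is raised on the testparm hunks. ldapsrv_accept starts and ends outside the hunk.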