== Subject:     The LDAP client and server don't enforce integrity protection
== CVE ID#:     CVE-2016-2112
== Versions:    Samba 3.0.0 to 4.4.0
== Summary:     A man in the middle is able to downgrade LDAP connections
==              to no integrity protection. It's possible to attack
==              client and server with this.


Samba uses various LDAP client libraries, a builtin one and/or the system
ldap libraries (typically openldap).

As active directory domain controller Samba also provides an LDAP server.

Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
for LDAP connections, including possible integrity (sign) and privacy (seal)

Samba has support for an option called "client ldap sasl wrapping" since version
3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.

Tools using the builtin LDAP client library do not obey the
"client ldap sasl wrapping" option. This applies to tools like:
"samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
options like "--sign" and "--encrypt". With the security update they will
also obey the "client ldap sasl wrapping" option as default.

In all cases, even if explicitly request via "client ldap sasl wrapping",
"--sign" or "--encrypt", the protection can be downgraded by a man in the

The LDAP server doesn't have an option to enforce strong authentication
yet. The security patches will introduce a new option called
"ldap server require strong auth", possible values are "no",
"allow_sasl_over_tls" and "yes".

As the default behavior was as "no" before, you may
have to explicitly change this option until all clients have
been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
Windows clients and Samba member servers already use
integrity protection.

New smb.conf option

  ldap server require strong auth (G)

    The ldap server require strong auth defines whether the
    ldap server requires ldap traffic to be signed or
    signed and encrypted (sealed). Possible values are no,
    allow_sasl_over_tls and yes.

    A value of no allows simple and sasl binds over all transports.

    A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
    over TLS encrypted connections. Unencrypted connections only
    allow sasl binds with sign or seal.

    A value of yes allows only simple binds over TLS encrypted connections.
    Unencrypted connections only allow sasl binds with sign or seal.

    Default: ldap server require strong auth = yes

Behavior changes

  Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
  default of "client ldap sasl wrapping = sign". Even with
  "client ldap sasl wrapping = plain" they will automatically upgrade
  to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP

Patch Availability

A patch addressing this defect has been posted to

Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to vendors,
but had a regression, which is fixed in 4.4.2, 4.3.8 and 4.2.11.




This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet ( and the Samba Team (
He provides the fixes in collaboration with the Samba Team.