[Samba] Auth Systems Security mini-audit
Jim
jcllings at tsunamicomm.net
Mon Jan 20 04:15:01 GMT 2003
Being a responsible sort of guy, I want to check and make sure I have
some decent encryption settings for my authentication systems. Namely
Samba PDC (2.2.7a) with an LDAP backend that also authenticates Linux
clients (which I've finally gotten running the way I want :-)).
According to some documentation I've found, the Samba ports are
137/udp, 138/udp and 139/tcp. Samba changes rapidly, though, so can anyone
verify that this is still the case? Will it still be the case when 3.0
comes out?
LDAP runs on 636 and 389. I believe mine is configured to run both
ldaps and ldap on 636. How can I check this?
/etc/services says:
> [root at enigma etc]# cat /etc/services | grep bios
> netbios-ns 137/tcp # NETBIOS Name Service
> netbios-ns 137/udp
> netbios-dgm 138/tcp # NETBIOS Datagram Service
> netbios-dgm 138/udp
> netbios-ssn 139/tcp # NETBIOS session service
> netbios-ssn 139/udp
> [root at enigma etc]# cat /etc/services | grep ldap
> ldap 389/tcp
> ldap 389/udp
> ldaps 636/tcp # LDAP over SSL
> ldaps 636/udp # LDAP over SSL
> [root at enigma etc]#
However the startup script says:
> [root at enigma samba]# service ldap stop;service ldap start
> Stopping slapd: [ OK ]
> ldaps
> Starting slapd (ldap + ldaps): [ OK ]
and the tutorial I used for setup says:
> Once you restart the server, TLS will be used on the standard LDAP port
> of 389. The LDAP server will handle TLS and unencrypted traffic on
> the same port.
What exactly does enabling start_tls in smb.conf do? Does it encrypt
communications to the client or to the LDAP server or both? My
understanding is that communications for the purpose of authentication
between the client machine and the Samba machine are encrypted by
default. I note that if I enable start_tls in Samba, I suddenly have
no access. It is also my understanding that, generally speaking, if the
systems that need to communicate are located on the same system, no
encryption is required. Can anyone verify this?
Thanks,
Jim C.
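The post asks how to check whether slapd really serves ldaps on 636 and TLS on the plain port 389. The probe below is an added example of mine, not code from the post or from the Samba or OpenLDAP projects: it hand-encodes the LDAP StartTLS extended request, decodes the server's result code, and tries a direct TLS handshake on 636. The host name ldap.example.com in the usage note is a placeholder.

```python
import socket
import ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # LDAP StartTLS extended operation OID

def starttls_request(msg_id=1):
    """Encode LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    name = bytes([0x80, len(STARTTLS_OID)]) + STARTTLS_OID  # context tag [0], short-form length
    op = bytes([0x77, len(name)]) + name                    # [APPLICATION 23], constructed
    body = bytes([0x02, 0x01, msg_id]) + op                 # INTEGER messageID (< 128), then the op
    return bytes([0x30, len(body)]) + body                  # outer SEQUENCE
def _tlv(buf, pos):
    """Read one BER TLV with a definite length; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                           # long form: next n bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln
def parse_extended_result(msg):
    """Return (resultCode, errorMessage) from an LDAP ExtendedResponse; 0 means StartTLS accepted."""
    tag, body, _ = _tlv(msg, 0)
    _, _, pos = _tlv(body, 0)                               # skip messageID
    op_tag, op, _ = _tlv(body, pos)
    if tag != 0x30 or op_tag != 0x78:                       # SEQUENCE / [APPLICATION 24]
        raise ValueError("not an LDAP ExtendedResponse")
    _, code, pos = _tlv(op, 0)                              # ENUMERATED resultCode
    _, _, pos = _tlv(op, pos)                               # matchedDN
    _, err, _ = _tlv(op, pos)                               # errorMessage
    return int.from_bytes(code, "big"), err.decode(errors="replace")
def _probe_context():
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # probing for TLS only; check the cert separately
    return ctx
def check_starttls(host, port=389, timeout=5):
    """Plain LDAP port: does slapd accept StartTLS and complete a handshake? -> (ok, detail)"""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(starttls_request())
        code, err = parse_extended_result(sock.recv(4096))
        if code != 0:
            return False, "StartTLS refused: resultCode %d %s" % (code, err)
        with _probe_context().wrap_socket(sock, server_hostname=host) as tls:
            return True, tls.version()

def check_ldaps(host, port=636, timeout=5):
    """ldaps port: does it speak TLS from the first byte? -> (ok, detail)"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with _probe_context().wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)
```

Run check_starttls("ldap.example.com") and check_ldaps("ldap.example.com") from the Samba host: a "StartTLS refused" result on 389 together with a connection failure on 636 is what a slapd that only ever bound the plaintext port looks like, while (True, 'TLSv1.x') on both confirms the "ldap + ldaps" startup line.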