[Samba] Auth Systems Security mini-audit

Jim C jcllings at tsunamicomm.net
Mon Jan 20 09:37:00 GMT 2003

> You should set tls parameters in slapd.conf. You have them commented in 
> the default slapd.conf, just uncomment them. Also, you should make the 
> tls key signature in /usr/share/ssl/certs/ (rh7.3), or wherever tls 
> places them.

They are not commented. See below.

From /etc/openldap/slapd.conf:

# To allow TLS-enabled connections, create /usr/share/ssl/certs/slapd.pem
# and uncomment the following lines.
TLSRandFile            /dev/random
TLSCipherSuite         HIGH:MEDIUM:+SSLv2
TLSCertificateFile      /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile   /etc/ssl/openldap/ldap.pem
TLSCACertificatePath   /etc/ssl/openldap/
TLSCACertificateFile    /etc/ssl/openldap/ldap.pem
#TLSVerifyClient 0

Also, I'm on Mandrake so the certs are here:
[root@enigma ssl]# pwd
[root@enigma ssl]# ls
certs/  lib/  misc/  mod_ssl/  openssl.cnf  private/
[root@enigma ssl]#

Not that it matters too awful much where certs are kept since I am using 
the default self-signed cert generated by the scripts.  Perhaps later I 
will install the one I made today and run a CA.

> If you are using ldap authentication on your network for linux 
> machines, then you should do the ldap client setting to use ssl in 
> openldap's ldap.conf. It is on rh placed in /etc/ldap.conf, put:
> ssl yes. Also on the same machine, as it is a client when one logs in. 
> The ldap authentication is set by nss_ldap package on rh. then you use 
> pam settings from that package instead of default pam settings.

Yes BUT this does not work on the server itself. It must be turned off, 
creating the necessity of running in two modes, encrypted and 
unencrypted.  A pain in the aft quadrant.  Anybody know a way around 
this?  I sure would like to hear it.

> Samba itself is a client, so, its setting ldap ssl = yes is required.

Sorry, as previously stated I can only get access if ssl = off (in 
smb.conf) despite the settings in slapd.conf.  My understanding is that 
ldap and ldaps are set up on Mandrake such that both run on the same 
port.  No trouble there but I sure wish I could completely eliminate the 
unencrypted option.  It would force clients into good behaviour.

> I guess that's it.
> Being consistent, you should check that in slapd.conf you put something 
> like this, to forbid reading of (encrypted) passwords (for the sake of 
> cracking):
> access to attrs=userPassword by self write by anonymous auth by * none
> access to attrs=lmPassword by self write by anonymous auth by * none
> access to attrs=ntPassword by self write by anonymous auth by * none

Done. My ACLs are good.

>> understanding is that communications for the purpose of authentication 
>> that no encryption is required.  Can anyone verify this?
> Yes, the kernel then firewires the communication and one can not hear 
> anything on the net.

Excellent! This is at least in part what I needed to hear.  BTW, I put a 
packet sniffer on the internal interface to see if I could see anything 
like a clear text password or what-not sliding through during 
login/logout procedures but none of what I saw was discernible.  I 
guess that is a plus but I still don't really know what that means 
about the encryption on the windows side.  I guess it doesn't matter 
since if I enable it, the system automatically wants to encrypt its 
communication with the ldap server and slapd refuses to do it locally.
Perhaps I should report this as a bug?

> So if samba and ldap server are on the same computer encryption is 
> not required. So, forget all that stuff about tls, it is only needed for 
> authentication of unix machines - to be encrypted. But only 
> authentication, nfs is still unencrypted.
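The three `access to attrs=...` lines quoted above are the part of this exchange worth checking rather than trusting, since slapd evaluates ACLs in order and a catch-all `access to * by * read` (slapd's implicit default when nothing matches) would expose the LM/NT hashes to anyone who can bind, or even to anonymous. The following is an added example, not code from the thread or from OpenLDAP: a small evaluator of the `access to <what> by <who> <level>` grammar used in the quoted lines, applied to the hardened directives and to a constructed weak configuration. It handles only `*` and `attrs=` targets and the `self`, `anonymous`, `users` and `*` subjects, which is all the quoted lines use; the fourth hardened directive (a catch-all for the rest of the entry) and the sample DNs are assumptions for the demonstration.

```python
import re

# OpenLDAP access levels in increasing order; a clause granting level X
# satisfies any request at a level <= X (e.g. "auth" is enough for a bind,
# but not enough to read the attribute value back).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Hardened directives: the three lines quoted in the thread, plus an assumed
# catch-all for all other attributes (constructed for this example).
HARDENED = """
access to attrs=userPassword by self write by anonymous auth by * none
access to attrs=lmPassword by self write by anonymous auth by * none
access to attrs=ntPassword by self write by anonymous auth by * none
access to * by self write by users read by * none
"""

# Weak configuration, constructed for contrast: no attribute-specific rules,
# only the directive slapd behaves as if it had when no ACL matches.
WEAK = """
access to * by * read
"""


def parse_acls(text):
    """Parse 'access to <what> by <who> <level> ...' lines into (what, [(who, level), ...])."""
    acls = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"access\s+to\s+(\S+)\s+(by\s+.*)$", line)
        if not m:
            raise ValueError(f"unparseable ACL directive: {line}")
        what = m.group(1)
        clauses = re.findall(r"by\s+(\S+)\s+(\w+)", m.group(2))
        acls.append((what, clauses))
    return acls


def target_matches(what, attr):
    """'*' matches everything; 'attrs=a,b' matches the named attributes only."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    return False  # dn=... and other targets are out of scope for this example


def who_matches(who, requester, entry_dn):
    """requester is None for an anonymous connection, else the bound DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    return False


def allowed(acls, requester, entry_dn, attr, level):
    """Decide as slapd does: the first directive whose target matches is the
    only one consulted; within it the first matching 'by' clause wins; a
    matching directive with no matching clause means 'none'; if no directive
    matches at all, slapd falls back to read access."""
    want = LEVELS.index(level)
    for what, clauses in acls:
        if not target_matches(what, attr):
            continue
        for who, granted in clauses:
            if who_matches(who, requester, entry_dn):
                return LEVELS.index(granted) >= want
        return False
    return LEVELS.index("read") >= want


def hashes_exposed(text, entry_dn):
    """True if an anonymous client could read any password hash attribute."""
    acls = parse_acls(text)
    return any(allowed(acls, None, entry_dn, a, "read")
               for a in ("userPassword", "lmPassword", "ntPassword"))


if __name__ == "__main__":
    dn = "uid=jim,ou=People,dc=example,dc=com"  # constructed sample DN
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        acls = parse_acls(text)
        print(name,
              "anonymous bind ok:", allowed(acls, None, dn, "userPassword", "auth"),
              "anonymous reads hash:", allowed(acls, None, dn, "ntPassword", "read"),
              "exposed:", hashes_exposed(text, dn))
```

The point the evaluator makes visible is that `by anonymous auth` is what keeps simple binds working while `by * none` stops every other client, including other authenticated users, from pulling the hash values out of the directory; the weak configuration grants both, which is exactly the "for the sake of cracking" risk the quoted advice is guarding against.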
