[Samba] [resend] SAMBA and X509 certs ?

romain BOTTAN romain.bottan at celsecat.com
Thu Feb 9 07:32:00 GMT 2006


thank you for your answer,
I will discuss with my team of active directory, kerberos and pkinit today.

I think you understood our problem in the main facts, we have windowsXP 
clients (sp2, all fixes) and linux clients (debians, ubunto and others 
debian like).

The main security problem is linked to the datas stored on the file 
server and the crossing of an open network (worldwide intranet) to 
connect our distant agencies.

I think we're going to put as you propose a ssl tunnel controlled by a 
small openvpn server or ssltunel with a good control of certificates 
validity. The advantage of this solution is that we have lots of clients 
that implements certificates much better than 802.1X API in windows 
implements it.


But the problem with this, as you said, samba will not deal with it, and 
we're going to ask for our customers to remember another login/pass...




Andrew Bartlett a écrit :

>On Tue, 2006-02-07 at 10:14 +0100, romain BOTTAN wrote:
>  
>
>>Hello everybody,
>>
>>I'll try to find out some info about Samba and a way to put x509 
>>authenticate method but i don't find anything clear about it.
>>    
>>
>
>There are not many 'good' options to put x509 certificates into the
>Samba authentication space, and if very much depends on the client and
>domain environment.
>
>Perhaps you are looking for an AD implementation, with PKINIT on
>kerberos?  This is the only real solution for windows clients.
>
>If you control the clients (say they run Linux), you could push all CIFS
>connections via a SSL tunnel, but Samba wouldn't 'know' about this, so
>would not actually authenticate the users as such.
>
>Perhaps you need to explain what you are trying to do a bit more.
>
>Andrew Bartlett
>
>  
>

-- 
=============
Romain BOTTAN
ALCATEL CIT - Service Sécurité
26 Av. JF Champollion - BP 1076
31035 TOULOUSE cedex 1
Tél: +33(0)5 34 35 33 74
Port: +33(0)6 15 41 44 50
Fax: +33(0)5 34 35 33 99



More information about the samba mailing list