[Samba] [resend] SAMBA and X509 certs ?
Anthony Messina
amessina at messinet.com
Thu Feb 9 07:56:58 GMT 2006
romain BOTTAN wrote:
> thank you for your answer,
> I will discuss with my team of active directory, kerberos and pkinit today.
>
> I think you understood our problem in the main facts, we have Windows XP
> clients (sp2, all fixes) and linux clients (Debian, Ubuntu and other
> Debian-like).
>
> The main security problem is linked to the data stored on the file
> server and the crossing of an open network (worldwide intranet) to
> connect our distant agencies.
>
> I think we're going to put as you propose an SSL tunnel controlled by a
> small openvpn server or ssltunel with a good control of certificates
> validity. The advantage of this solution is that we have lots of clients
> that implement certificates much better than 802.1X API in windows
> implements it.
>
> But the problem with this, as you said, samba will not deal with it, and
> we're going to ask for our customers to remember another login/pass...
>
> Andrew Bartlett wrote:
>
>> On Tue, 2006-02-07 at 10:14 +0100, romain BOTTAN wrote:
>>
>>
>>> Hello everybody,
>>>
>>> I'll try to find out some info about Samba and a way to put x509
>>> authenticate method but I don't find anything clear about it.
>>>
>>
>>
>> There are not many 'good' options to put x509 certificates into the
>> Samba authentication space, and it very much depends on the client and
>> domain environment.
>>
>> Perhaps you are looking for an AD implementation, with PKINIT on
>> kerberos? This is the only real solution for windows clients.
>>
>> If you control the clients (say they run Linux), you could push all CIFS
>> connections via a SSL tunnel, but Samba wouldn't 'know' about this, so
>> would not actually authenticate the users as such.
>>
>> Perhaps you need to explain what you are trying to do a bit more.
>>
>> Andrew Bartlett
>>
What about some VPN tunnels between your local and remote networks?
(Perhaps you already have this.) If you're considering using Samba over
the internet, it seems like site-to-site or VPN would serve you best in
terms of security. That's what I do with my remote offices.
--
My Website: http://messinet.com
My Online Gallery:
http://messinet.com/modules.php?name=Web_Links&l_op=visit&lid=3