[Samba] [resend] SAMBA and X509 certs ?

Anthony Messina amessina at messinet.com
Thu Feb 9 07:56:58 GMT 2006


romain BOTTAN wrote:
> Thank you for your answer,
> I will discuss Active Directory, Kerberos and PKINIT with my team today.
> 
> I think you understood our problem in the main facts: we have Windows XP 
> clients (SP2, all fixes) and Linux clients (Debian, Ubuntu and other 
> Debian-like).
> 
> The main security problem is linked to the data stored on the file 
> server and the crossing of an open network (worldwide intranet) to 
> connect our distant agencies.
> 
> I think we're going to put, as you propose, an SSL tunnel controlled by a 
> small openvpn server or ssltunel with a good control of certificate 
> validity. The advantage of this solution is that we have lots of clients 
> that implement certificates much better than the 802.1X API in Windows 
> implements them.
> 
> 
> But the problem with this is that, as you said, Samba will not deal with it, and 
> we're going to ask our customers to remember another login/pass...
> 
> 
> 
> 
> Andrew Bartlett wrote:
> 
>> On Tue, 2006-02-07 at 10:14 +0100, romain BOTTAN wrote:
>>  
>>
>>> Hello everybody,
>>>
>>> I'll try to find out some info about Samba and a way to put in an x509 
>>> authentication method, but I don't find anything clear about it.
>>>   
>>
>>
>> There are not many 'good' options to put x509 certificates into the
>> Samba authentication space, and it very much depends on the client and
>> domain environment.
>>
>> Perhaps you are looking for an AD implementation, with PKINIT on
>> kerberos?  This is the only real solution for windows clients.
>>
>> If you control the clients (say they run Linux), you could push all CIFS
>> connections via a SSL tunnel, but Samba wouldn't 'know' about this, so
>> would not actually authenticate the users as such.
>>
>> Perhaps you need to explain what you are trying to do a bit more.
>>
>> Andrew Bartlett
>>

what about some vpn tunnels between your local and remote networks? 
(perhaps you already have this)  if you're considering using samba over 
the internet, it seems like site-to-site or vpn would serve you best in 
terms of security.  that's what i do with my remote offices.

-- 
My Website: http://messinet.com
My Online Gallery: 
http://messinet.com/modules.php?name=Web_Links&l_op=visit&lid=3

