[Samba] [resend] SAMBA and X509 certs ?

romain BOTTAN romain.bottan at celsecat.com
Thu Feb 9 08:05:26 GMT 2006


> what about some vpn tunnels between your local and remote networks?
> (perhaps you already have this)  if you're considering using samba over
> the internet, it seems like site-to-site or vpn would serve you best in
> terms of security.  that's what i do with my remote offices.

It's what we have for now: a VPN that allows distant users to have a
subnetwork address and access an HTTP server with teamwork on it.
For now the file server is located on a wired, insulated LAN (we use an
RJ45 switch) to be sure nobody can come into it.
Now we want distant users to log into the file server, with a security as
secure as switching manually onto this physical subnet; that's where SSL
encryption comes into play, with certificates and RSA keys.  It's a proof
of security for us.

Anthony Messina wrote:

> romain BOTTAN wrote:
>
>> thank you for your answer,
>> I will discuss with my team of active directory, kerberos and pkinit 
>> today.
>>
>> I think you understood the main facts of our problem: we have
>> Windows XP clients (SP2, all fixes) and Linux clients (Debian, Ubuntu
>> and other Debian-like ones).
>>
>> The main security problem is linked to the data stored on the file
>> server and the crossing of an open network (worldwide intranet) to
>> connect our distant agencies.
>>
>> I think we're going to put, as you propose, an SSL tunnel controlled by
>> a small openvpn server or ssltunel with good control of
>> certificate validity. The advantage of this solution is that we have
>> lots of clients that implement certificates much better than the 802.1X
>> API in Windows implements it.
>>
>> But the problem with this, as you said, is that samba will not deal
>> with it, and we're going to ask our customers to remember another
>> login/pass...
>>
>> Andrew Bartlett wrote:
>>
>>> On Tue, 2006-02-07 at 10:14 +0100, romain BOTTAN wrote:
>>>
>>>> Hello everybody,
>>>>
>>>> I'll try to find out some info about Samba and a way to put an x509
>>>> authentication method, but I can't find anything clear about it.
>>>
>>> There are not many 'good' options to put x509 certificates into the
>>> Samba authentication space, and it very much depends on the client and
>>> domain environment.
>>>
>>> Perhaps you are looking for an AD implementation, with PKINIT on
>>> kerberos?  This is the only real solution for windows clients.
>>>
>>> If you control the clients (say they run Linux), you could push all
>>> CIFS connections via a SSL tunnel, but Samba wouldn't 'know' about this,
>>> so would not actually authenticate the users as such.
>>>
>>> Perhaps you need to explain what you are trying to do a bit more.
>>>
>>> Andrew Bartlett
>>>
>
> what about some vpn tunnels between your local and remote networks?
> (perhaps you already have this)  if you're considering using samba 
> over the internet, it seems like site-to-site or vpn would serve you 
> best in terms of security.  that's what i do with my remote offices.
>
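
The certificate-checked SSL tunnel in front of Samba that this thread discusses, sketched as an stunnel configuration for a Linux client. This is an added example, not part of any message in the thread; the choice of stunnel, the host name, port 4450 and every file path are assumptions. It also shows the limit Andrew Bartlett describes: the certificate gates the tunnel, while Samba still asks for its own login.

```ini
; ---- /etc/stunnel/stunnel.conf on the file server (paths are assumed) ----
; Server certificate and key presented to the remote agencies.
cert = /etc/stunnel/fileserver-cert.pem
key = /etc/stunnel/fileserver-key.pem
; Only client certificates issued by this CA are accepted ...
CAfile = /etc/stunnel/agency-ca.pem
; ... and revoked ones are refused (control of certificate validity).
CRLfile = /etc/stunnel/agency-ca.crl
; verify = 2: the peer MUST present a certificate that chains to CAfile.
; The default (no verify line) accepts any client, which gives encryption
; but no certificate-based access control.
verify = 2

[cifs]
; TLS listener reachable from the agencies (port 4450 is an assumption).
accept = 0.0.0.0:4450
; Plain CIFS is only handed to smbd on the loopback interface.
connect = 127.0.0.1:445

; ---- /etc/stunnel/stunnel.conf on a Linux client (paths are assumed) ----
client = yes
; Per-user or per-machine certificate issued by the same CA.
cert = /etc/stunnel/agent-cert.pem
key = /etc/stunnel/agent-key.pem
; The client also checks the server certificate before sending anything.
CAfile = /etc/stunnel/agency-ca.pem
verify = 2

[cifs]
; Local plain-text end of the tunnel, bound to loopback only.
accept = 127.0.0.1:4450
; fileserver.example.net is a placeholder host name.
connect = fileserver.example.net:4450

; The share is then mounted through the local end of the tunnel, e.g.
;   mount -t cifs //127.0.0.1/share /mnt/share -o port=4450,username=agent
; smbd sees a connection from 127.0.0.1 and still performs its own
; username/password authentication: the certificate identity is not
; passed on to Samba.
```

With this layout smbd should listen only on the loopback and isolated LAN interfaces, so that the tunnel is the only path in from the remote network.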
