[Samba] [resend] SAMBA and X509 certs ?
romain BOTTAN
romain.bottan at celsecat.com
Thu Feb 9 08:05:26 GMT 2006
> what about some vpn tunnels between your local and remote networks?
> (perhaps you already have this) if you're considering using samba over
> the internet, it seems like site-to-site or vpn would serve you best in
> terms of security. that's what i do with my remote offices.
It's what we have for now: a VPN that allows distant users to have a
subnetwork address and access an HTTP server with teamwork on it.
For now the file server is located on a wired insulated LAN (we use an
RJ45 switch) to be sure nobody can come into it.
Now we want distant users to log into the file server, with security as
secure as switching manually onto this physical subnet; that's where SSL
encryption comes into play, with certificates and RSA keys. It's a proof
of security for us.
Anthony Messina wrote:
> romain BOTTAN wrote:
>
>> thank you for your answer,
>> I will discuss with my team of active directory, kerberos and pkinit
>> today.
>>
>> I think you understood our problem in the main facts: we have
>> Windows XP clients (SP2, all fixes) and Linux clients (Debian, Ubuntu
>> and other Debian-like ones).
>>
>> The main security problem is linked to the data stored on the file
>> server and the crossing of an open network (worldwide intranet) to
>> connect our distant agencies.
>>
>> I think we're going to put in place, as you propose, an SSL tunnel
>> controlled by a small openvpn server or ssltunel with good control of
>> certificate validity. The advantage of this solution is that we have
>> lots of clients that implement certificates much better than the 802.1X
>> API in Windows implements it.
>>
>>
>> But the problem with this, as you said, is that Samba will not deal
>> with it, and we're going to ask our customers to remember another
>> login/pass...
>>
>>
>>
>>
>> Andrew Bartlett wrote:
>>
>>> On Tue, 2006-02-07 at 10:14 +0100, romain BOTTAN wrote:
>>>
>>>
>>>> Hello everybody,
>>>>
>>>> I'm trying to find some info about Samba and a way to put an x509
>>>> authentication method in place, but I don't find anything clear about it.
>>>>
>>>
>>>
>>>
>>> There are not many 'good' options to put x509 certificates into the
>>> Samba authentication space, and it very much depends on the client and
>>> domain environment.
>>>
>>> Perhaps you are looking for an AD implementation, with PKINIT on
>>> kerberos? This is the only real solution for windows clients.
>>>
>>> If you control the clients (say they run Linux), you could push all
>>> CIFS connections via a SSL tunnel, but Samba wouldn't 'know' about
>>> this, so would not actually authenticate the users as such.
>>>
>>> Perhaps you need to explain what you are trying to do a bit more.
>>>
>>> Andrew Bartlett
>>>
>
> what about some vpn tunnels between your local and remote networks?
> (perhaps you already have this) if you're considering using samba
> over the internet, it seems like site-to-site or vpn would serve you
> best in terms of security. that's what i do with my remote offices.
>
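
Added example, not part of the thread: a sketch of the certificate-checked SSL tunnel in front of Samba discussed above, written for stunnel as an assumed tool (the thread names only "openvpn server or ssltunel"). Ports, host name and file paths are constructed placeholders. It shows the limitation raised in the thread: the certificate is checked at the tunnel, smbd only sees a TCP connection from 127.0.0.1, and each user still logs in with a Samba account.

```ini
; ---- File server: stunnel.conf (constructed example) ----
; Assumes smbd listens on loopback only, e.g. in smb.conf:
;   interfaces = lo
;   bind interfaces only = yes
; so the tunnel is the only network path to the shares.
[cifs-tls]
; constructed port exposed to the remote agencies
accept = 8445
; hand the decrypted stream to the local smbd
connect = 127.0.0.1:445
; placeholder paths: server certificate and private key
cert = /etc/stunnel/fileserver.pem
key = /etc/stunnel/fileserver.key
; placeholder paths: the CA that issues client certificates and its CRL
CAfile = /etc/stunnel/agency-ca.pem
CRLfile = /etc/stunnel/agency-ca.crl
; 2 = refuse any peer without a certificate that chains to CAfile
verify = 2

; ---- Linux client: stunnel.conf (constructed example) ----
[cifs-tls]
client = yes
; local end of the tunnel; only processes on this machine can reach it
accept = 127.0.0.1:4450
; placeholder host name of the file server's tunnel endpoint
connect = fileserver.example.com:8445
; placeholder paths: this user's or machine's certificate and key
cert = /etc/stunnel/client.pem
key = /etc/stunnel/client.key
; verify the server's certificate against the same CA
CAfile = /etc/stunnel/agency-ca.pem
verify = 2

; The share is then mounted through the local end of the tunnel, and the
; Samba login is still required because smbd never sees the certificate:
;   mount -t cifs //127.0.0.1/share /mnt/share -o port=4450,username=<samba user>
```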