[Samba] samba + start tls

Matt Herzog msh at blisses.org
Fri Sep 15 20:09:51 GMT 2006


On Fri, Sep 15, 2006 at 04:32:13PM -0300, Felipe Augusto van de Wiel wrote:
> > I have winbind working nicely with AD here. It took a while to 
> > figure out but now AD user accounts can ssh into my Linux boxen
> > reliably, which is really all I needed; just ssh access. But I
> > want to make sure all the LDAP traffic is secured via TLS/SSL.
> 
> 	Ok, but this is not Samba part of the job. :)
> 
> 	If Samba is not talking with your LDAP server, then this
> parameter has no effect. You should do the TLS/SSL configurations
> on your LDAP server. And you should use kerberos to have real
> security in your smb network.

There is no pure LDAP server. There is only the Win2K server that does
Microsoft's AD which (unless I am mistaken) is part LDAP, part Kerberos and part SMB. 
The Kerberos part works fine. The ssh logins through AD work fine. The
problem is that I'm connected on port 

[root at province ~]# net ads info
LDAP server: 198.78.123.2
LDAP server name: battu
Realm: BINTERACTIVE.COM
Bind Path: dc=BINTERACTIVE,dc=COM
LDAP port: 389
Server time: Fri, 15 Sep 2006 15:53:49 GMT
KDC server: 198.78.123.2
Server time offset: 97


> 	If it is a PEM with a private certificate, it shouldn't be
> world readable.

OK, so what should the perms be? 0400?

> 	Ok, it is a configuration of libldap and other software
> that will use resources to query LDAP server. But AIUI you are
> not using Samba to query LDAP, you are using winbind to do that,
> and then, your question is a little bit off-topic here. ;)

Yes. I suppose you are right. I need to subscribe to an LDAP list as well.


-- 
Announcing your plans is a good way to hear the gods' laughter.
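The two practical points in the exchange above, the permissions on a PEM holding a private key and the libldap TLS settings that winbind's LDAP calls inherit, as an added shell example that is not from the thread or from Samba; the file paths passed in are assumptions:

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks: (1) a PEM file that
# holds a private key must grant nothing to group/other (0400 or 0600);
# (2) the ldap.conf read by libldap should pin a CA bundle and demand server
# certificate verification, otherwise StartTLS still accepts any certificate.

# Print the permission string of a file (e.g. "rw-------") portably via ls.
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Return 0 when the file contains a private key and its mode is owner-only;
# return 1 otherwise, saying why on stdout.
check_pem_key() {
    pem="$1"
    [ -f "$pem" ] || { echo "missing: $pem"; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" \
        || { echo "no private key in $pem, nothing to protect"; return 1; }
    p=$(perm_string "$pem")
    case "$p" in
        r??------) echo "ok: $pem is owner-only ($p)"; return 0 ;;
        *) echo "FAIL: $pem readable beyond owner ($p); chmod 0400 it"; return 1 ;;
    esac
}

# Return 0 when ldap.conf names a CA bundle (TLS_CACERT) and TLS_REQCERT is
# demand or hard. An absent TLS_REQCERT is treated as libldap's default, demand.
check_ldap_conf_tls() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing: $conf"; return 1; }
    ca=$(awk 'toupper($1)=="TLS_CACERT" {print $2}' "$conf" | tail -n 1)
    req=$(awk 'toupper($1)=="TLS_REQCERT" {print tolower($2)}' "$conf" | tail -n 1)
    [ -n "$req" ] || req=demand
    [ -n "$ca" ] || { echo "FAIL: no TLS_CACERT in $conf; server cert cannot be verified"; return 1; }
    case "$req" in
        demand|hard) echo "ok: $conf verifies the server certificate against $ca"; return 0 ;;
        *) echo "FAIL: TLS_REQCERT $req in $conf disables verification"; return 1 ;;
    esac
}

# Stand-alone use: ./check.sh /path/to/key.pem /etc/openldap/ldap.conf
# (both paths are placeholders).
if [ $# -eq 2 ]; then
    check_pem_key "$1"
    check_ldap_conf_tls "$2"
fi
```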

