[Samba] samba + start tls

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Mon Sep 18 13:27:20 GMT 2006



On 09/15/2006 05:09 PM, Matt Herzog wrote:
> On Fri, Sep 15, 2006 at 04:32:13PM -0300, Felipe Augusto van de Wiel wrote:
>>>I have winbind working nicely with AD here. It took a while to 
>>>figure out but now AD user accounts can ssh into my Linux boxen
>>>reliably, which is really all I needed; just ssh access. But I
>>>want to make sure all the LDAP traffic is secured via TLS/SSL.
>>
>>	Ok, but this is not Samba's part of the job. :)
>>
>>	If Samba is not talking with your LDAP server, then this
>>parameter has no effect. You should do the TLS/SSL configuration
>>on your LDAP server. And you should use Kerberos to have real
>>security in your SMB network.
> 
> There is no pure LDAP server. There is only the Win2K server that does
> Microsoft's AD which (unless I am mistaken) is part LDAP, part Kerberos 
> and part SMB. The Kerberos part works fine. The ssh logins through AD
> work fine. The problem is that I'm connected on port

	Ahhhh... got it. So, you are using AD as an LDAP server.
Sorry, I can't help you further, I never did that setup. :-(
But 'ldap ssl' is the way to go. Perhaps you should change the
ldap port to force it to use another port. Maybe you should check
your ldap.conf.

[...]

>>	If it is a PEM with a private certificate, it shouldn't be
>>world readable.
> 
> OK, so what should the perms be? 0400?

	0400 is the best. But maybe you need a group with
read access, so 0440 will do the trick. Just take care of
the user:group configuration.


>>	Ok, it is a configuration of libldap and other software
>>that will use resources to query LDAP server. But AIUI you are
>>not using Samba to query LDAP, you are using winbind to do that,
>>and then, your question is a little bit off-topic here. ;)
> 
> Yes. I suppose you are right. I need to subscribe to an LDAP 
> list as well.

	:-)

	Kind regards,

--
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
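As an added example (not code from the thread), a small POSIX shell audit of the 0400/0440 rule for a PEM file holding a private key, as discussed in the message above. It assumes `stat(1)` from GNU coreutils or BSD and that the key file is readable by whoever runs the check.

```shell
#!/bin/sh
# Added example, not from the thread: audit the permissions of a PEM file
# that contains a private key. Accepts 0400 (owner read only) or 0440 (a
# group also needs read access), rejects anything else. Assumes GNU or BSD
# stat(1); pick whichever flag syntax the local stat understands.

# Print the octal permission bits of a file, e.g. "400" or "644".
pem_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Return 0 when the mode is acceptable for a private key: 0400, or 0440 when
# a group must read it. Writable, executable, or world-readable modes fail.
pem_mode_ok() {
    case "$1" in
        400|440) return 0 ;;
        *)       return 1 ;;
    esac
}

# Check one PEM file. The strict mode is only demanded when the file really
# holds a private key; a file with just certificates passes regardless.
# Returns 0 = OK, 1 = private key with bad mode, 2 = file missing.
check_pem_key() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f"; return 2; }
    mode=$(pem_mode "$f")
    if grep -q 'PRIVATE KEY' "$f"; then
        if pem_mode_ok "$mode"; then
            echo "$f: private key, mode $mode OK ($(ls -l "$f" | awk '{print $3":"$4}'))"
            return 0
        fi
        echo "$f: private key but mode $mode (expected 0400 or 0440)"
        return 1
    fi
    echo "$f: no private key found, mode $mode"
    return 0
}
```

The owner:group shown on success is the part the message tells you to double-check when you settle on 0440.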

