[Samba] TLS_CIPHER_SUITE - OpenLDAP connection

Harry Jede walk2sun at arcor.de
Mon Mar 14 13:38:34 UTC 2016 

On 13:36:45 wrote Leander Schäfer:
> Hi,
> 
> Thank you for your feedback, Andrew. Since Samba is not the only
> application making use of the TLS_CIPHER_SUITE negotiation rules in
> ldap.conf, I would like to ensure that all of them still use the
> highest encryption possible. Currently I had to remove
> "TLS_CIPHER_SUITE" as a workarrou d in order to let Samba work wirh
> LDAP in TLS mode. Does anyone have a suggestion how I can apply
> TLS_CIPHER_SUITE in such a way that Samba LDAP connection doesn't
> break?
Andrew Bartlett has already answered your question. But ...


RT(F)M

man smb.conf
search for tls priority (G)


Once more, Samba use GnuTLS *not* openssl. So, you must use GnuTLS names 
and *not* openssl names. i.e. 
openssl	TLSv1 
GnuTLS	VERS-TLS1.0

> I think this is a major configuration issue and should be mentioned
> in the official Samba Wiki. Samba <-> LDAP Isn't working unless the
> varialbe  "TLS_CIPHER_SUITE" is deactivated or set propper. What do
> you think?
> 
> Best regards
> Leander Schäfer
> 
> >> Am 14.03.2016 um 11:03 schrieb Andrew Bartlett
> >> <abartlet at samba.org>:
> >> 
> >> On Mon, 2016-03-14 at 01:55 +0100, Leander Schäfer wrote:
> >> What would be a working TLS_CIPHER_SUITE in ldap.conf for Samba 4.
> >> I'm
> >> asking, cause I had to remove
> >> 
> >> TLS_CIPHER_SUITE
> >> TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!MD5:!3DES:@STRENGTH
> >> 
> >> from my ldap.conf for samba to work. This wasn't documented
> >> anywhere.
RT(F)M
man ldap.conf is your friend.

ldap.conf is a *system wide conf file* for applications which are linked 
against the openldap libs.

If you set here params for openssl you will get trouble, because 
openldap is linked with GnuTLS (true for debian builds).

You may use a .ldprc file if you must set TLS_CIPHER_SUITE for your 
programs. 

You may use "tls priority" in smb.conf for samba.


> >> I
> >> think this should be mentoined in the wiki as well as in the man
> >> smb.conf under tls.
> > 
> > Aside from banning SSLv3, we just use whatever GnuTLS give us on
> > your platform, by default.  Modern Samba versions even let you
> > control that with an smb.conf option.
> > 
> > I hope this helps,
> > 
> > Andrew Bartlett


-- 

Regards
	Harry Jede

More information about the samba mailing list