[Samba] Possible incorrect file permissions in documentation for setting up Samba with LDAP(S)?
Stephen
stephen at ogdenradar.com
Tue Apr 9 10:54:23 UTC 2019
Hi All,
This Samba release changelog
(https://wiki.samba.org/index.php/Updating_Samba#Incorrect_TLS_File_Permissions)
specifically mentions a security issue and that the multiple *.pem
files needed for LDAP via TLS all need "special permissions" - and
mentions to delete old files without the required permissions to force
file renewal.
Yet in the official Samba documentation for setting up LDAPS here
(https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC)
it says only to set these special permissions on ONE of the generated
certificate *.pem files - the private key file. Is this definitely
correct? Should we not set root owner on the additional cert.pem and
ca.pem too?
I ask because I wanted to flag this. It seems like a contradiction, and I
am concerned this might lead to insecure-by-default setups...
Thanks
Stephen Ellwood