[Samba] Possible incorrect file permissions in documentation for setting up Samba with LDAP(S)?
L.P.H. van Belle
belle at bazuin.nl
Tue Apr 9 12:14:10 UTC 2019
Hai,
Please note, this is how I set up, which is not related to the Samba wiki.
This is what I currently see on my DC; these were created in 2015 and I'm NOT using these.
/var/lib/samba/private/tls# ls -al
total 20
drwx------ 2 root root 4096 Apr 28 2015 .
drwxr-xr-x 7 root root 4096 Apr 9 13:06 ..
-rw-r--r-- 1 root root 997 Apr 28 2015 ca.pem
-rw-r--r-- 1 root root 997 Apr 28 2015 cert.pem
-rw------- 1 root root 887 Apr 28 2015 key.pem
In the above setup I would change this to:
-rw-r--r-- 1 root root 997 Apr 28 2015 ca.pem
-rw-r--r-- 1 root root 997 Apr 28 2015 cert.pem
-r--r----- 1 root root 887 Apr 28 2015 key.pem (or 640 or 400).
Now, since I'm not using the above, this assumes you run your own root CA
and you are not using automatically generated certs.
Which, in an AD DC, is in my personal opinion not good; yes, it works fine if you use only 1 DC.
With multiple DCs, you should really think of setting up your own CA.
So here you go, a "possible" setup for your SSL cert if you use your own CA.
A handy tool: https://hohnstaedt.de/xca/ , which I personally use.
Difficult? Nah.. See: https://hohnstaedt.de/xca/index.php/documentation/
Or create the CA yourself with openssl. Or TinyCA, etc.; lots of options here.
My current layout:
ls -al /etc/ssl/
total 84
drwxr-xr-x 9 root root 4096 Mar 14 16:15 .
drwxr-xr-x 112 root root 12288 Apr 9 09:46 ..
drwxr-xr-x 2 root root 28672 Mar 14 16:13 certs
drwxr-x--- 2 root root 4096 Mar 14 14:32 csr
-rw-r--r-- 1 root root 10771 Jun 5 2017 openssl.cnf
drwx--x--- 2 root ssl-cert 4096 Mar 14 16:17 private << Note the 710 chmod here!
The files in "private" are the key files; these have 640.
The services like Samba (user root), or let's say Apache (user www-data), Squid proxy (user proxy),
which are using the key files, are members of the ssl-cert group.
Now adding this in Samba:
tls enabled = yes
tls keyfile = /etc/ssl/private/DC1.key.pem
tls certfile = /etc/ssl/certs/DC1.cert.pem
tls cafile = /etc/ssl/certs/ca-certificates.crt
# or define only the CAFILE needed for the DC cert and not the bundle ca-certificates.crt.
# for the bundle file, see :
Adding LDAP (client support) ldap.conf
BASE dc=your,dc=domain,dc=tld
URI ldaps://dc1.your.domain.tld ldaps://dc2.your.domain.tld
# note, I have a separated OU for my service-accounts. ( OU=Srv-Acc )
# su-service stands for 'ServiceUser'-'the_service_its_used_for' so it's easy to identify.
BIND_DN = CN=su-ldap,OU=Srv-Acc,DC=your,DC=domain,DC=tld
BIND_PW = yourpass
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow
And now you can deploy your root CA.
Open the Group Policy Management Console.
1 Select a GPO to edit, or create a new GPO to deploy the certificate.
2 Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities
3 Right-click on Trusted Root Certification Authorities and select Import.
4 Click Next.
5 Select the root certificate and click Next.
6 Verify that the certificate is being placed into the Trusted Root Certification Authorities certificate store and click Next.
7 Review the settings and click Finish.
Now for all of the above, you can change/adjust the paths, or use an extra group to protect your key files.
I hope this helped a bit.
Greetz,
Louis
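The permission rules in the message above (private directory 710, key files 640 or stricter, owned by root, never world-readable) can be audited with a small script. The one below is an added example, not code from the post or from the Samba project: it builds a constructed sample tree with one correct and one world-readable key file, checks it the way the layout describes, and re-checks after applying chmod 640. It assumes GNU/busybox `stat -c`; the file names and the `EXPECTED_OWNER` override are constructed for the demo (on a real DC you would run it as root against `/etc/ssl/private` with the default owner `root`; the `chgrp ssl-cert` step is left out so the demo runs unprivileged).

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the Samba project: audit
# a key directory against the layout described above (directory not
# world-accessible, key files owned by root, no group write, no world access).
# File names and the sample tree are constructed for the demo.

# Owner the key files must have: root on a real DC. Overridable so the demo
# can run as an unprivileged user whose files are not root-owned.
EXPECTED_OWNER="${EXPECTED_OWNER:-root}"

# Last octal digit of a mode string such as 640 (the "others" bits).
others_digit() { printf '%s' "${1#${1%?}}"; }
# Second-to-last octal digit (the "group" bits).
group_digit() { m="${1%?}"; printf '%s' "${m#${m%?}}"; }

# check_key_perms FILE: print one line per problem found, return 1 if any.
check_key_perms() {
    f="$1"; rc=0
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%U' "$f")
    if [ "$owner" != "$EXPECTED_OWNER" ]; then
        printf '%s: owned by %s, expected %s\n' "$f" "$owner" "$EXPECTED_OWNER"; rc=1
    fi
    if [ "$(others_digit "$mode")" != 0 ]; then
        printf '%s: world-accessible (mode %s)\n' "$f" "$mode"; rc=1
    fi
    case $(group_digit "$mode") in
        2|3|6|7) printf '%s: group-writable (mode %s)\n' "$f" "$mode"; rc=1 ;;
    esac
    return $rc
}

# check_dir_perms DIR: the directory holding the keys must not be
# world-accessible (the post uses 710, root:ssl-cert).
check_dir_perms() {
    mode=$(stat -c '%a' "$1") || return 1
    if [ "$(others_digit "$mode")" != 0 ]; then
        printf '%s: directory is world-accessible (mode %s)\n' "$1" "$mode"; return 1
    fi
    return 0
}

# audit_dir DIR: check the directory and every *.key.pem inside it; the
# return value is the number of failing objects (0 means clean).
audit_dir() {
    dir="$1"; failures=0
    check_dir_perms "$dir" || failures=$((failures + 1))
    for f in "$dir"/*.key.pem; do
        [ -e "$f" ] || continue
        check_key_perms "$f" || failures=$((failures + 1))
    done
    return $failures
}

# harden_key_file FILE: apply the 640 mode recommended above. On a real
# system a chgrp ssl-cert would follow; omitted so the demo runs unprivileged.
harden_key_file() { chmod 640 "$1"; }

# make_sample_dir: constructed tree with one correct and one world-readable
# key file (the contents are placeholder text, not real key material).
# Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    chmod 710 "$d"
    printf 'constructed placeholder, not a real key\n' > "$d/DC1.key.pem"
    printf 'constructed placeholder, not a real key\n' > "$d/DC2.key.pem"
    chmod 644 "$d/DC1.key.pem"   # wrong: world-readable private key
    chmod 640 "$d/DC2.key.pem"   # right: owner rw, group r, others nothing
    printf '%s\n' "$d"
}

# Stand-alone demo against the constructed tree, run as the current user.
demo() {
    EXPECTED_OWNER=$(id -un)
    d=$(make_sample_dir) || return 1
    printf 'Auditing constructed tree %s\n' "$d"
    audit_dir "$d" || printf -- '-> %s problem(s) found; applying chmod 640\n' "$?"
    harden_key_file "$d/DC1.key.pem"
    audit_dir "$d" && printf -- '-> clean after hardening\n'
    rm -rf "$d"
    return 0
}
demo
```

The checks are deliberately narrower than a full policy: a key file with mode 600 or 400 passes too, and ca.pem / cert.pem are not inspected at all because, as the layout above shows, the public certificate files can stay 644; only the private key and the directory holding it need to be locked down.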
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stephen via samba
> Sent: Tuesday 9 April 2019 12:54
> To: samba at lists.samba.org
> Subject: [Samba] Possible incorrect file permissions in
> documentation for setting up Samba with LDAP(S)?
>
> Hi All,
>
> This Samba release changelog
> (https://wiki.samba.org/index.php/Updating_Samba#Incorrect_TLS_File_Permissions)
> specifically mentions a security issue and that the multiple *.pem
> files needed for LDAP via TLS all need "special permissions" - and
> mentions to delete old files without the required permissions to force
> file renewal.
>
> Yet in the official Samba documentation for setting up LDAPS here
> (https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC)
> it says only to set these special permissions on ONE of the generated
> certificate *.pem files - the private key file. Is this definitely
> correct? Should we not set root owner on the additional cert.pem and
> ca.pem too?
>
> I ask because I wanted to flag this. It seems like a contradiction and I
> am concerned this might lead to insecure by default setups...
>
> Thanks
> Stephen Ellwood