[Samba] Possible incorrect file permissions in documentation for setting up Samba with LDAP(S)?

L.P.H. van Belle belle at bazuin.nl
Tue Apr 9 12:14:10 UTC 2019 

Hai, 

Please note, this is how I setup, which is not related to the samba wiki. 

This is what i currently see on my DC, these where created in 2015 and im NOT using these.
/var/lib/samba/private/tls# ls -al
total 20
drwx------ 2 root root 4096 Apr 28  2015 .
drwxr-xr-x 7 root root 4096 Apr  9 13:06 ..
-rw-r--r-- 1 root root  997 Apr 28  2015 ca.pem
-rw-r--r-- 1 root root  997 Apr 28  2015 cert.pem
-rw------- 1 root root  887 Apr 28  2015 key.pem
In above setup i would change this to: 
-rw-r--r-- 1 root root  997 Apr 28  2015 ca.pem
-rw-r--r-- 1 root root  997 Apr 28  2015 cert.pem
-r--r----- 1 root root  887 Apr 28  2015 key.pem	( or 640 or 400 ). 


Now, since im not useing above, this is assumes you run your own CA root 
and you are not using automaticly generated certs.

Which is in a AD-DC, in my personal opinion, not good, yes it works fine, if you use only 1 DC. 
With mutliple DC's, you should really think of seting up your own CA. 

So here you go, a "possible" setup for your sslcert if you use your own CA. 

A handy tool https://hohnstaedt.de/xca/ , which i personly use. 
Difficult, naah.. See : https://hohnstaedt.de/xca/index.php/documentation/
Or create the CA yourself with openssl. Or tinyCa , etc lots of options here. 


My current layout. 

ls -al /etc/ssl/
total 84
drwxr-xr-x   9 root root      4096 Mar 14 16:15 .
drwxr-xr-x 112 root root     12288 Apr  9 09:46 ..
drwxr-xr-x   2 root root     28672 Mar 14 16:13 certs
drwxr-x---   2 root root      4096 Mar 14 14:32 csr
-rw-r--r--   1 root root     10771 Jun  5  2017 openssl.cnf
drwx--x---   2 root ssl-cert  4096 Mar 14 16:17 private		<< Note the 710 chmod here.! 

The files in "private" are the key files, these have 640
The services like samba,user root or let say apache, user www-data, squid proxy, user proxy,
which are using the keyfiles are member of ssl-cert group.

Now adding this in samba.

        tls enabled = yes
        tls keyfile = /etc/ssl/private/DC1.key.pem
        tls certfile = /etc/ssl/certs/DC1.cert.pem
        tls cafile = /etc/ssl/certs/ca-certificates.crt
	  # or define only the CAFILE needed for the DC cert and not the bundle ca-certificates.crt.
	  # for the bundle file, see : 

Adding LDAP (client support) ldap.conf


BASE    dc=your,dc=domain,dc=tld
URI     ldaps://dc1.your.domain.tld ldaps://dc2.your.domain.tld

# note, i have a separeted OU for my service-accounts. ( OU=Srv-Acc ) 
# su-service stands for 'ServiceUser'-'the_service_its_used_for' so its easy to identify.
BIND_DN = CN=su-ldap,OU=Srv-Acc,CN=your,DC=domain,DC=tld
BIND_PW = yourpass 

TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

And now you can deploy your root CA. 
Open the Group Policy Management Console.
1 Select a GPO to edit, or create a new GPO to deploy the certificate.
2 Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities
3 Right-click on Trusted Root Certification Authorities and select Import.
4 Click Next.
5 Select the root certificate and click Next.
6 Verify that the certificate is being placed into the Trusted Root Certification Authorities certificate store and click Next.
7 Review the settings and click Finish.

Now for all of above, you can change/adjust the path's, your use an extra group to protect your key files. 

I hope this helped a bit. 


Greetz, 

Louis



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Stephen via samba
> Verzonden: dinsdag 9 april 2019 12:54
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Possible incorrect file permissions in 
> documentation for setting up Samba with LDAP(S)?
> 
> Hi All,
> 
> This Samba release changelog 
> (https://wiki.samba.org/index.php/Updating_Samba#Incorrect_TLS
> _File_Permissions) 
> specifically mentions a security issue and that that the 
> multiple *.pem 
> files needed for LDAP via TLS all need "special permissions" - and 
> mentions to delete old files without the required permissions 
> to force 
> file renewal.
> 
> Yet in the official Samba documentation for setting up LDAPS here 
> (https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(L
> DAPS)_on_a_Samba_AD_DC) 
> it says only to set these special permissions on ONE of the generated 
> certificate *.pem files - the private key file. Is this definitely 
> correct? Should we not set root owner on the additional cert.pem and 
> ca.pem too?
> 
> I ask because I wanted to flag this. It seems like a 
> contradiction and I 
> am concerned this might lead to insecure by default setups...
> 
> Thanks
> Stephen Ellwood
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

More information about the samba mailing list