[Samba] Possible incorrect file permissions in documentation for setting up Samba with LDAP(S)?

Stephen stephen at ogdenradar.com
Tue Apr 9 13:03:06 UTC 2019


Louis, it obviously took you some time to write that and it's extremely 
helpful.

Thanks Again

Stephen Ellwood

On 09/04/2019 13:14, L.P.H. van Belle via samba wrote:
> Hai,
>
> Please note, this is how I setup, which is not related to the samba wiki.
>
> This is what I currently see on my DC; these were created in 2015 and I'm NOT using these.
> /var/lib/samba/private/tls# ls -al
> total 20
> drwx------ 2 root root 4096 Apr 28  2015 .
> drwxr-xr-x 7 root root 4096 Apr  9 13:06 ..
> -rw-r--r-- 1 root root  997 Apr 28  2015 ca.pem
> -rw-r--r-- 1 root root  997 Apr 28  2015 cert.pem
> -rw------- 1 root root  887 Apr 28  2015 key.pem
> In the above setup I would change this to:
> -rw-r--r-- 1 root root  997 Apr 28  2015 ca.pem
> -rw-r--r-- 1 root root  997 Apr 28  2015 cert.pem
> -r--r----- 1 root root  887 Apr 28  2015 key.pem	( or 640 or 400 ).
>
>
> Now, since I'm not using the above, this assumes you run your own root CA
> and you are not using automatically generated certs.
>
> Which is, in an AD DC, in my personal opinion, not good; yes, it works fine if you use only 1 DC.
> With multiple DCs, you should really think of setting up your own CA.
>
> So here you go, a "possible" setup for your sslcert if you use your own CA.
>
> A handy tool: https://hohnstaedt.de/xca/ , which I personally use.
> Difficult, naah.. See : https://hohnstaedt.de/xca/index.php/documentation/
> Or create the CA yourself with openssl. Or TinyCA, etc.; lots of options here.
>
>
> My current layout.
>
> ls -al /etc/ssl/
> total 84
> drwxr-xr-x   9 root root      4096 Mar 14 16:15 .
> drwxr-xr-x 112 root root     12288 Apr  9 09:46 ..
> drwxr-xr-x   2 root root     28672 Mar 14 16:13 certs
> drwxr-x---   2 root root      4096 Mar 14 14:32 csr
> -rw-r--r--   1 root root     10771 Jun  5  2017 openssl.cnf
> drwx--x---   2 root ssl-cert  4096 Mar 14 16:17 private		<< Note the 710 chmod here.!
>
> The files in "private" are the key files; these have 640.
> The services like samba (user root) or, let's say, apache (user www-data), squid proxy (user proxy),
> which are using the key files, are members of the ssl-cert group.
>
> Now adding this in samba.
>
>          tls enabled = yes
>          tls keyfile = /etc/ssl/private/DC1.key.pem
>          tls certfile = /etc/ssl/certs/DC1.cert.pem
>          tls cafile = /etc/ssl/certs/ca-certificates.crt
>          # or define only the CA file needed for the DC cert and not the bundle ca-certificates.crt.
>          # for the bundle file, see :
>
> Adding LDAP (client support) ldap.conf
>
>
> BASE    dc=your,dc=domain,dc=tld
> URI     ldaps://dc1.your.domain.tld ldaps://dc2.your.domain.tld
>
> # note, I have a separate OU for my service accounts. ( OU=Srv-Acc )
> # su-service stands for 'ServiceUser'-'the_service_its_used_for', so it's easy to identify.
> BIND_DN = CN=su-ldap,OU=Srv-Acc,DC=your,DC=domain,DC=tld
> BIND_PW = yourpass
>
> TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
> TLS_REQCERT allow
>
> And now you can deploy your root CA.
> Open the Group Policy Management Console.
> 1 Select a GPO to edit, or create a new GPO to deploy the certificate.
> 2 Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities
> 3 Right-click on Trusted Root Certification Authorities and select Import.
> 4 Click Next.
> 5 Select the root certificate and click Next.
> 6 Verify that the certificate is being placed into the Trusted Root Certification Authorities certificate store and click Next.
> 7 Review the settings and click Finish.
>
> Now, for all of the above, you can change/adjust the paths; you use an extra group to protect your key files.
>
> I hope this helped a bit.
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Stephen via samba
>> Sent: Tuesday, 9 April 2019 12:54
>> To: samba at lists.samba.org
>> Subject: [Samba] Possible incorrect file permissions in
>> documentation for setting up Samba with LDAP(S)?
>>
>> Hi All,
>>
>> This Samba release changelog
>> (https://wiki.samba.org/index.php/Updating_Samba#Incorrect_TLS_File_Permissions)
>> specifically mentions a security issue and that the multiple *.pem
>> files needed for LDAP via TLS all need "special permissions" - and
>> mentions to delete old files without the required permissions to force
>> file renewal.
>>
>> Yet in the official Samba documentation for setting up LDAPS here
>> (https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC)
>> it says only to set these special permissions on ONE of the generated
>> certificate *.pem files - the private key file. Is this definitely
>> correct? Should we not set root owner on the additional cert.pem and
>> ca.pem too?
>>
>> I ask because I wanted to flag this. It seems like a contradiction and I
>> am concerned this might lead to insecure-by-default setups...
>>
>> Thanks
>> Stephen Ellwood
>>
>>
>>
>>
>>
>
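The permission layout Louis describes (key file 640 or 400, owned by root, group-readable via ssl-cert; certificates world-readable but owner-writable only) can be audited with a small script. The following is an added example, not code from the thread or from the Samba project; it assumes GNU coreutils `stat` on Linux, and the file paths are passed in by the caller (the `/etc/ssl/...` paths in the comment are the ones from Louis's smb.conf snippet).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit the TLS file modes
# described above. Assumes GNU coreutils stat (Linux); paths come from the caller.

# check_key_perms FILE [OWNER]
# Returns 0 when FILE exists, is owned by OWNER (default root), has no
# permission bits for "other" and is not group-writable; returns 1 otherwise.
# This accepts 640, 600, 440 and 400, and rejects 644, 660 and similar.
check_key_perms() {
    f="$1"
    want_owner="${2:-root}"
    [ -f "$f" ] || { echo "key missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f")      # e.g. 640
    owner=$(stat -c '%U' "$f")
    other=$(( mode % 10 ))         # last octal digit: "other" bits
    group=$(( (mode / 10) % 10 ))  # middle octal digit: group bits
    if [ "$owner" != "$want_owner" ]; then
        echo "key $f owned by $owner, expected $want_owner"; return 1
    fi
    if [ "$other" -ne 0 ]; then
        echo "key $f is accessible by everyone (mode $mode)"; return 1
    fi
    if [ $(( group & 2 )) -ne 0 ]; then
        echo "key $f is group-writable (mode $mode)"; return 1
    fi
    return 0
}

# check_cert_perms FILE
# Certificates and the CA bundle may be world-readable, but only the owner may
# write them; otherwise another account could replace the certificate the DC
# presents. Returns 0 when no group/other write bit is set, 1 otherwise.
check_cert_perms() {
    f="$1"
    [ -f "$f" ] || { echo "cert missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f")
    other=$(( mode % 10 ))
    group=$(( (mode / 10) % 10 ))
    if [ $(( other & 2 )) -ne 0 ] || [ $(( group & 2 )) -ne 0 ]; then
        echo "cert $f is writable by group or other (mode $mode)"; return 1
    fi
    return 0
}

# Stand-alone use with the paths from the smb.conf snippet above:
#   sh check_tls_perms.sh /etc/ssl/private/DC1.key.pem /etc/ssl/certs/DC1.cert.pem
if [ $# -ge 2 ]; then
    status=0
    check_key_perms "$1" || status=1
    check_cert_perms "$2" || status=1
    [ "$status" -eq 0 ] && echo "TLS file permissions OK"
    exit "$status"
fi
```

The key check deliberately allows group read (that is what lets a non-root service user in the ssl-cert group load the key) but rejects any bit for "other" and any group write bit; the certificate check only cares about write access, since a readable certificate is public by design.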


