[Samba] TLS_REQCERT and Samba AD DC
Andrew Bartlett
abartlet at samba.org
Wed Aug 28 08:18:33 UTC 2019
On Wed, 2019-08-28 at 10:08 +0200, L.P.H. van Belle via samba wrote:
>
> What is in /etc/ldap/ldap.conf
> Does it have : TLS_REQCERT allow ?
> If not add it.
I would just like to clarify that no aspect of the Samba AD DC uses
this config file or TLS_REQCERT. We have smb.conf options that control
this behaviour. See 'tls verify peer'.
Also, TLS_REQCERT is dangerous:
TLS_REQCERT <level>
       Specifies what checks to perform on server certificates in a TLS
       session, if any. The <level> can be specified as one of the
       following keywords:
..
       allow  The server certificate is requested. If no certificate is
              provided, the session proceeds normally. If a bad
              certificate is provided, it will be ignored and the session
              proceeds normally.
It totally removes the mutual authentication properties of TLS. It
should not be used, instead a proper certificate should be used and the
CA should be trusted.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
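Added example, not from the post above and not Samba's own tooling: a small POSIX shell audit that shows the two settings being confused in this thread side by side. It writes constructed sample copies of ldap.conf (used by OpenLDAP-based clients such as ldapsearch) and smb.conf (used by the Samba AD DC itself), one weak and one corrected for each, then reports the effective TLS_REQCERT level and 'tls verify peer' value. The domain, host and CA file paths in the samples are made up; the value names come from ldap.conf(5) and smb.conf(5).

```shell
#!/bin/sh
# Added example (not from the original post, not Samba code). Audits the two
# client-side TLS verification knobs that get mixed up:
#   * TLS_REQCERT in ldap.conf governs OpenLDAP clients (ldapsearch etc.).
#     "never" and "allow" accept any certificate, so the server is no longer
#     authenticated; "try" tolerates a missing certificate.
#   * 'tls verify peer' in smb.conf governs Samba's own LDAP-over-TLS
#     connections; "no_check" disables verification entirely.
# All files below are constructed samples written to a temp dir.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sample: the setting suggested in the quoted reply (weak).
cat > "$WORKDIR/ldap.conf.weak" <<'EOF'
BASE   dc=samdom,dc=example,dc=com
URI    ldaps://dc1.samdom.example.com
TLS_REQCERT allow
EOF

# Constructed sample: verification kept, CA trusted explicitly.
cat > "$WORKDIR/ldap.conf.good" <<'EOF'
BASE   dc=samdom,dc=example,dc=com
URI    ldaps://dc1.samdom.example.com
TLS_CACERT  /etc/ssl/certs/samdom-ca.pem
TLS_REQCERT demand
EOF

# Constructed sample: Samba-side verification switched off (weak).
cat > "$WORKDIR/smb.conf.weak" <<'EOF'
[global]
        realm = SAMDOM.EXAMPLE.COM
        server role = active directory domain controller
        tls verify peer = no_check
EOF

# Constructed sample: CA file configured and peer name checked.
cat > "$WORKDIR/smb.conf.good" <<'EOF'
[global]
        realm = SAMDOM.EXAMPLE.COM
        server role = active directory domain controller
        tls cafile = /var/lib/samba/private/tls/ca.pem
        tls verify peer = ca_and_name
EOF

# Effective TLS_REQCERT level of an ldap.conf; ldap.conf(5) default is demand.
ldap_reqcert_level() {
    level=$(sed -n 's/^[[:space:]]*TLS_REQCERT[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    echo "${level:-demand}" | tr 'A-Z' 'a-z'
}

# Effective 'tls verify peer' of an smb.conf; smb.conf(5) default is
# as_strict_as_possible. Samba ignores case and whitespace in parameter names.
smb_tls_verify_peer() {
    value=$(tr 'A-Z' 'a-z' < "$1" \
        | sed -n 's/^[[:space:]]*tls[[:space:]]*verify[[:space:]]*peer[[:space:]]*=[[:space:]]*\([a-z_]*\).*/\1/p' \
        | tail -n 1)
    echo "${value:-as_strict_as_possible}"
}

# 0 if the ldap.conf still authenticates the server, 1 otherwise.
ldap_conf_is_safe() {
    case "$(ldap_reqcert_level "$1")" in
        demand|hard) return 0 ;;
        *) return 1 ;;   # never/allow accept bad certs; try accepts none
    esac
}

# 0 if the smb.conf checks both the CA chain and the peer name, 1 otherwise.
smb_conf_is_safe() {
    case "$(smb_tls_verify_peer "$1")" in
        ca_and_name|as_strict_as_possible) return 0 ;;
        *) return 1 ;;   # no_check, ca_only, ca_and_name_if_available
    esac
}

audit() {
    for f in "$WORKDIR"/ldap.conf.*; do
        if ldap_conf_is_safe "$f"; then s=OK; else s=WEAK; fi
        echo "$(basename "$f"): TLS_REQCERT=$(ldap_reqcert_level "$f") -> $s"
    done
    for f in "$WORKDIR"/smb.conf.*; do
        if smb_conf_is_safe "$f"; then s=OK; else s=WEAK; fi
        echo "$(basename "$f"): tls verify peer=$(smb_tls_verify_peer "$f") -> $s"
    done
}

audit
```

Running it prints one line per sample file with OK or WEAK. For a one-off ldapsearch against a DC whose CA you have not yet installed, the OpenLDAP client also honours the LDAPTLS_REQCERT environment variable, so there is no need to weaken /etc/ldap/ldap.conf system-wide even temporarily; the lasting fix remains a CA-signed certificate on the DC and that CA in TLS_CACERT and 'tls cafile'.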