[Samba] TLS_REQCERT and Samba AD DC

Andrew Bartlett abartlet at samba.org
Wed Aug 28 08:18:33 UTC 2019


On Wed, 2019-08-28 at 10:08 +0200, L.P.H. van Belle via samba wrote:
> 
> What is in /etc/ldap/ldap.conf
> Does it have : TLS_REQCERT allow ? 
> If not add it. 

I would just like to clarify that no aspect of the Samba AD DC uses
this config file or TLS_REQCERT.  We have smb.conf options that control
this behaviour.  See 'tls verify peer'.

Also, TLS_REQCERT is dangerous:

    TLS_REQCERT <level>
              Specifies what checks to perform on server certificates in a TLS
              session, if any. The <level> can be specified as one of the fol‐
              lowing keywords:

..

              allow  The server certificate is requested. If no certificate is
                     provided,  the  session  proceeds normally. If a bad cer‐
                     tificate is provided, it will be ignored and the  session
                     proceeds normally.

It totally removes the mutual authentication properties of TLS.  It
should not be used, instead a proper certificate should be used and the
CA should be trusted.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba





More information about the samba mailing list