[Samba] TLS_REQCERT and Samba AD DC
L.P.H. van Belle
belle at bazuin.nl
Wed Aug 28 09:24:54 UTC 2019
Hi Andrew,
> -----Original message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Wednesday 28 August 2019 10:19
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: TLS_REQCERT and Samba AD DC
>
> On Wed, 2019-08-28 at 10:08 +0200, L.P.H. van Belle via samba wrote:
> >
> > What is in /etc/ldap/ldap.conf
> > Does it have : TLS_REQCERT allow ?
> > If not add it.
>
> I would just like to clarify that no aspect of the Samba AD DC uses
> this config file or TLS_REQCERT. We have smb.conf options that control
> this behaviour. See 'tls verify peer'.
>
> Also, TLS_REQCERT is dangerous:
>
> TLS_REQCERT <level>
>        Specifies what checks to perform on server certificates in a TLS
>        session, if any. The <level> can be specified as one of the
>        following keywords:
>
> ..
>
>        allow  The server certificate is requested. If no certificate is
>               provided, the session proceeds normally. If a bad
>               certificate is provided, it will be ignored and the
>               session proceeds normally.
>
> It totally removes the mutual authentication properties of TLS. It
> should not be used, instead a proper certificate should be used and the
> CA should be trusted.
Thank you for clarifying this.
Hmm, this is one I set based on Samba's advised install.
Please note, from years ago, Samba 4.1-4.2 or so.
Later on in 4.5 I used it most probably to avoid bug:
https://bugzilla.samba.org/show_bug.cgi?id=13124
And yes, this is a bit of a risk.
But if I ask who has configured a CA for their Samba AD DCs, I expect only 20% to say yes.
I advised this because I saw that he had not configured TLS in his config for the DC.
So, to avoid errors from a "client" perspective on the server, and not from the "samba-ad-dc server" perspective.
I say set it because it is a simple adjustment from the client perspective on the server;
you "might" want to try this if you have errors.
Now 'tls verify peer', this is one I totally missed.
Good you pointed this out.
I've been able to track this back to the changes 4.4.0 -> 4.4.1 and I'll adjust my setups for it.
Thanks so far,
Greetz,
Louis
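The thread contrasts two different knobs: TLS_REQCERT in /etc/ldap/ldap.conf, which only the OpenLDAP client library (ldapsearch and friends) honours, and 'tls verify peer' in smb.conf, which is what the Samba AD DC itself uses. The script below is an added example, not code from the thread, Samba or OpenLDAP. It audits both files for the weak settings Andrew warns about: a TLS_REQCERT level other than demand/hard, and a 'tls verify peer' value weaker than the default as_strict_as_possible (the accepted values no_check, ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible are from smb.conf(5)). The sample files it creates under a temporary directory are constructed so that it runs offline; on a real host, pass /etc/ldap/ldap.conf and /etc/samba/smb.conf to audit_host instead.

```shell
#!/bin/sh
# Added example: audit TLS_REQCERT (ldap.conf) and 'tls verify peer' (smb.conf).
# Both parsers take the last uncommented occurrence, as the real parsers do.

# Print the effective TLS_REQCERT level from an ldap.conf, empty if unset.
ldap_reqcert_level() {
    awk '/^[ \t]*#/ { next }
         tolower($1) == "tls_reqcert" { v = tolower($2) }
         END { print v }' "$1"
}

# Print the 'tls verify peer' value from an smb.conf, empty if unset.
smb_verify_peer() {
    awk -F= '/^[ \t]*[#;]/ { next }
             { k = tolower($1); gsub(/[ \t]/, "", k)
               if (k == "tlsverifypeer") {
                   v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) } }
             END { print v }' "$1"
}

# Return 0 when ldap.conf verifies server certificates, 1 when it does not.
# OpenLDAP's documented default when the key is absent is "demand".
check_ldap_conf() {
    level=$(ldap_reqcert_level "$1")
    case "$level" in
        demand|hard) echo "ldap.conf: TLS_REQCERT $level (server cert verified)"; return 0 ;;
        "")          echo "ldap.conf: TLS_REQCERT unset (default is demand)"; return 0 ;;
        *)           echo "ldap.conf: TLS_REQCERT $level skips certificate verification"; return 1 ;;
    esac
}

# Return 0 when smb.conf keeps the default or the equally strict ca_and_name,
# 1 for any of the weaker verification modes.
check_smb_conf() {
    mode=$(smb_verify_peer "$1")
    case "$mode" in
        ""|as_strict_as_possible|ca_and_name)
            echo "smb.conf: tls verify peer = ${mode:-as_strict_as_possible (default)}"; return 0 ;;
        *)  echo "smb.conf: tls verify peer = $mode is weaker than the default"; return 1 ;;
    esac
}

# Audit one host: $1 = ldap.conf path, $2 = smb.conf path. Returns 1 if either is weak.
audit_host() {
    rc=0
    check_ldap_conf "$1" || rc=1
    check_smb_conf "$2" || rc=1
    return $rc
}

# Constructed sample files (not real host configuration) so the script runs offline.
tmp=$(mktemp -d)
printf 'TLS_CACERT /etc/ssl/certs/ca-certificates.crt\nTLS_REQCERT allow\n' > "$tmp/ldap.conf.weak"
printf '# hardened client: require a certificate that chains to TLS_CACERT\nTLS_REQCERT demand\n' > "$tmp/ldap.conf.ok"
printf '[global]\n\tserver role = active directory domain controller\n\ttls verify peer = no_check\n' > "$tmp/smb.conf.weak"
printf '[global]\n\ttls enabled = yes\n\ttls verify peer = ca_and_name\n' > "$tmp/smb.conf.ok"

echo "== constructed weak configuration =="
audit_host "$tmp/ldap.conf.weak" "$tmp/smb.conf.weak" || echo "-> fix before relying on LDAPS"
echo "== constructed hardened configuration =="
audit_host "$tmp/ldap.conf.ok" "$tmp/smb.conf.ok" && echo "-> certificate verification in force"
```

The two checks are deliberately separate: tightening TLS_REQCERT only affects ldapsearch-style tooling that talks to the DC, while 'tls verify peer' is what governs the DC's own outgoing TLS connections, so a host can pass one check and fail the other.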