[Samba] TLS_REQCERT and Samba AD DC

L.P.H. van Belle belle at bazuin.nl
Wed Aug 28 09:24:54 UTC 2019


Hi Andrew,

> -----Original message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Wednesday 28 August 2019 10:19
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: TLS_REQCERT and Samba AD DC
> 
> On Wed, 2019-08-28 at 10:08 +0200, L.P.H. van Belle via samba wrote:
> > 
> > What is in /etc/ldap/ldap.conf
> > Does it have : TLS_REQCERT allow ? 
> > If not add it. 
> 
> I would just like to clarify that no aspect of the Samba AD DC uses
> this config file or TLS_REQCERT.  We have smb.conf options that control
> this behaviour.  See 'tls verify peer'.
> 
> Also, TLS_REQCERT is dangerous:
> 
>     TLS_REQCERT <level>
>               Specifies what checks to perform on server certificates in a TLS
>               session, if any. The <level> can be specified as one of the
>               following keywords:
> 
> ..
> 
>               allow  The server certificate is requested. If no certificate is
>                      provided, the session proceeds normally. If a bad
>                      certificate is provided, it will be ignored and the session
>                      proceeds normally.
> 
> It totally removes the mutual authentication properties of TLS.  It
> should not be used, instead a proper certificate should be used and the
> CA should be trusted.

Thank you for clarifying this. 

Hmm, this is one I set based on Samba's advised install.
Please note, from years ago.. Samba 4.1-4.2 or so.
Later on, in 4.5, I used it most probably to avoid this bug:
https://bugzilla.samba.org/show_bug.cgi?id=13124

And yes, this is a bit of a risk.
But if I ask who configured a CA for their Samba AD DCs, I expect only 20% to say yes.

I advised this because I saw that he did not configure TLS in his config for the DC.
So it was to avoid errors from a "client" perspective on the server, not from the "samba-ad-dc server" perspective.

I say set it because it is a simple adjustment; from the client perspective on the server,
you "might" want to try this if you have errors.

Now, 'tls verify peer', this is one I totally missed.
Good you pointed this out.
I've been able to track this back to the changes from 4.4.0 to 4.4.1 and I'll adjust my setups for it.

Thanks so far, 


Greetz, 

Louis
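An added example (not code from this thread or from Samba) that audits the two settings discussed above by reading config files offline: the client-side ldap.conf TLS_REQCERT level and the Samba-side smb.conf 'tls verify peer' value. It assumes the level names and the defaults ("demand" and "as_strict_as_possible") as documented in ldap.conf(5) and smb.conf(5); the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Audits the two settings
# above on a host, reading config files offline. Level names and defaults
# are taken from ldap.conf(5) and smb.conf(5) (assumption); paths are
# supplied by the caller.

# Classify the last TLS_REQCERT line in an ldap.conf-style file.
# demand/hard verify the server certificate, try only rejects a bad one,
# allow/never skip verification entirely (the case Andrew warns about).
ldap_reqcert_risk() {
    level=$(awk 'tolower($1) == "tls_reqcert" { print tolower($2) }' "$1" | tail -n 1)
    level=${level:-demand}            # demand is the documented default
    case "$level" in
        demand|hard) echo "ok:$level" ;;
        try)         echo "weak:$level" ;;
        allow|never) echo "unsafe:$level" ;;
        *)           echo "unknown:$level" ;;
    esac
}

# Classify "tls verify peer" in an smb.conf-style file (the Samba-side
# control). Only ca_and_name and as_strict_as_possible tie the certificate
# to the peer's name; no_check disables verification.
smb_verify_peer_risk() {
    value=$(awk -F= 'tolower($1) ~ /^[ \t]*tls verify peer[ \t]*$/ {
                gsub(/[ \t]/, "", $2); print tolower($2) }' "$1" | tail -n 1)
    value=${value:-as_strict_as_possible}   # documented default when unset
    case "$value" in
        as_strict_as_possible|ca_and_name) echo "ok:$value" ;;
        ca_and_name_if_available|ca_only)  echo "weak:$value" ;;
        no_check)                          echo "unsafe:$value" ;;
        *)                                 echo "unknown:$value" ;;
    esac
}

# Demo on constructed sample files mirroring the thread: the weak ldap.conf
# setting and a DC whose smb.conf has verification switched off.
demo_dir=$(mktemp -d)
printf 'BASE dc=example,dc=com\nTLS_REQCERT allow\n' > "$demo_dir/ldap.conf"
printf '[global]\n\tworkgroup = EXAMPLE\n\ttls verify peer = no_check\n' > "$demo_dir/smb.conf"
echo "ldap.conf: $(ldap_reqcert_risk "$demo_dir/ldap.conf")"     # unsafe:allow
echo "smb.conf:  $(smb_verify_peer_risk "$demo_dir/smb.conf")"   # unsafe:no_check
rm -rf "$demo_dir"
```

Anything reported as "weak" or "unsafe" should be corrected to TLS_REQCERT demand and tls verify peer = as_strict_as_possible, which only works once the DC's CA is actually trusted by the client.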
