[Samba] TLS_REQCERT and Samba AD DC
abartlet at samba.org
Wed Aug 28 18:50:26 UTC 2019
On Wed, 2019-08-28 at 11:24 +0200, L.P.H. van Belle via samba wrote:
> Hai Andrew,
> > -----Oorspronkelijk bericht-----
> > Van: Andrew Bartlett [mailto:abartlet at samba.org]
> > Verzonden: woensdag 28 augustus 2019 10:19
> > Aan: L.P.H. van Belle; samba at lists.samba.org
> > Onderwerp: TLS_REQCERT and Samba AD DC
> > On Wed, 2019-08-28 at 10:08 +0200, L.P.H. van Belle via samba wrote:
> > > What is in /etc/ldap/ldap.conf
> > > Does it have : TLS_REQCERT allow ?
> > > If not add it.
> > I would just like to clarify that no aspect of the Samba AD DC uses
> > this config file or TLS_REQCERT. We have smb.conf options
> > that control
> > this behaviour. See 'tls verify peer'.
> > Also, TLS_REQCERT is dangerous:
> > TLS_REQCERT <level>
> > Specifies what checks to perform on server
> > certificates in a TLS
> > session, if any. The <level> can be specified
> > as one of the fol???
> > lowing keywords:
> > ..
> > allow The server certificate is requested. If
> > no certificate is
> > provided, the session proceeds
> > normally. If a bad cer???
> > tificate is provided, it will be ignored
> > and the session
> > proceeds normally.
> > It totally removes the mutual authentication properties of TLS. It
> > should not be used, instead a proper certificate should be
> > used and the
> > CA should be trusted.
> Thank you for clarifying this.
> Hmm. this is one I set based on samba's adviced install.
> Please note, from years a go.. !samba 4.1-4.2 or so.
> Later on in 4.5 i used it most probely to avoid bug:
To be clear, that specific, very narrow part of the codebase
(connecting to AD using SSL, not SASL) is both not used on the AD DC
itself, it is very much not recommended because of this and related
problems. I explain a bit more below.
> And yes, this is a bit of a risk.
> But if i ask who did configure a CA for there Samba AD-DC's, I expect only 20% to say yes.
Which is why we prefer to connect with Kerberos and get our session
integrity and mutual authentication from that source.
> I adviced this because, i did see that he did not configure tls in his config for the DC.
> So to avoid errors from a "client" perspective on the server and not "samba-ad-dc server" prespective.
> I say set it because it is a simple adjustment, from the client perspective on the server,
> you "might" want to try this if you have errors.
The problem is this:
We have, over the 27 years Samba has been around, developed a lot of
Settings, often quite wrong, mostly just mildly infuriating, passed
down from mailing list post to blog, to wiki, to users. We have been
trying really hard to disrupt that with good wiki pages and similar,
but it also means I need to occasionally jump in here and say PLEASE
> Now that 'tls verify peer', now this is one i totaly missed.
> Good you pointed this out.
> I've been able to back track this to changes 4.4.0-> 4.4.1 and i'll adjust my setups for it.
The winbindd use case, if forced to use ldaps:// or START-TLS for some
reason, could still require it if you don't have a CA, but the correct
fix is not to use TLS for LDAP. As I say above, because we can't
connect the inner Kerberos authentication to the outer TLS, it is much
less secure than using Kerberos alone. For this reason Samba as an AD
DC disallows it (see ldap require strong auth).
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba