[Samba] TLS_REQCERT and Samba AD DC

[Andrew Bartlett]

On Wed, 2019-08-28 at 11:24 +0200, L.P.H. van Belle via samba wrote:
> Hai Andrew,
> 
> > -----Oorspronkelijk bericht-----
> > Van: Andrew Bartlett [mailto:abartlet at samba.org] 
> > Verzonden: woensdag 28 augustus 2019 10:19
> > Aan: L.P.H. van Belle; samba at lists.samba.org
> > Onderwerp: TLS_REQCERT and Samba AD DC
> > 
> > On Wed, 2019-08-28 at 10:08 +0200, L.P.H. van Belle via samba wrote:
> > > What is in /etc/ldap/ldap.conf
> > > Does it have : TLS_REQCERT allow ? 
> > > If not add it. 
> > 
> > I would just like to clarify that no aspect of the Samba AD DC uses
> > this config file or TLS_REQCERT.  We have smb.conf options 
> > that control
> > this behaviour.  See 'tls verify peer'.
> > 
> > Also, TLS_REQCERT is dangerous:
> > 
> >     TLS_REQCERT <level>
> >               Specifies what checks to perform on server 
> > certificates in a TLS
> >               session, if any. The <level> can be specified 
> > as one of the fol???
> >               lowing keywords:
> > 
> > ..
> > 
> >               allow  The server certificate is requested. If 
> > no certificate is
> >                      provided,  the  session  proceeds 
> > normally. If a bad cer???
> >                      tificate is provided, it will be ignored 
> > and the  session
> >                      proceeds normally.
> > 
> > It totally removes the mutual authentication properties of TLS.  It
> > should not be used, instead a proper certificate should be 
> > used and the
> > CA should be trusted.
> 
> Thank you for clarifying this. 
> 
> Hmm. this is one I set based on samba's adviced install. 
> Please note, from years a go.. !samba 4.1-4.2 or so. 
> Later on in 4.5 i used it most probely to avoid bug: 
> https://bugzilla.samba.org/show_bug.cgi?id=13124 

To be clear, that specific, very narrow part of the codebase
(connecting to AD using SSL, not SASL) is both not used on the AD DC
itself, it is very much not recommended because of this and related
problems.  I explain a bit more below. 

> And yes, this is a bit of a risk. 
> But if i ask who did configure a CA for there Samba AD-DC's, I expect only 20% to say yes. 

Which is why we prefer to connect with Kerberos and get our session
integrity and mutual authentication from that source. 

> I adviced this because, i did see that he did not configure tls in his config for the DC. 
> So to avoid errors from a "client" perspective on the server and not "samba-ad-dc server" prespective.
> 
> I say set it because it is a simple adjustment, from the client perspective on the server,
> you "might" want to try this if you have errors. 

The problem is this:  

We have, over the 27 years Samba has been around, developed a lot of
'lore'.  

Settings, often quite wrong, mostly just mildly infuriating, passed
down from mailing list post to blog, to wiki, to users.  We have been
trying really hard to disrupt that with good wiki pages and similar,
but it also means I need to occasionally jump in here and say PLEASE
NO.

> Now that 'tls verify peer',  now this is one i totaly missed. 
> Good you pointed this out. 
> I've been able to back track this to changes 4.4.0-> 4.4.1 and i'll adjust my setups for it. 

The winbindd use case, if forced to use ldaps:// or START-TLS for some
reason, could still require it if you don't have a CA, but the correct
fix is not to use TLS for LDAP.  As I say above, because we can't
connect the inner Kerberos authentication to the outer TLS, it is much
less secure than using Kerberos alone.  For this reason Samba as an AD
DC disallows it (see ldap require strong auth).

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba