[Samba] TLS ca/cert/key creation

[Rowland Penny]

On Tue, 1 Jan 2019 10:35:17 -0800
Gregory Sloop via samba <samba at lists.samba.org> wrote:

> I'm working to put up a production FeeeNAS box tied to Samba/AD for
> authentication for users connecting to the FreeNAS share(s). In
> joining FreeNAS to the AD domain, one immediately runs into
> "problems" with TLS/encryption.

I do not know why, by default you will be using NTLM for authentication.

> 
> Samba, in the defaults requires TLS. 

No it doesn't, you can easily connect to shares without it (after you
have authenticated via NTLM)

> I could disable TLS security in
> Samba, but that's probably not a great idea. So, I'll need a key/cert
> for the FreeNAS box to do TLS with the Samba AD... And so I'm getting
> ready to create the CA/certs/keys I need.

Yes, but only for things like ldap searches.

> 
> Lets not get lost in examining FreeNAS. I'm configuring FreeNAS using
> the regular control panel, and setting it up just as it would work
> against a "regular" Windows AD. And I know it works from a test-bed
> Samba setup - but not using TLS.

Whatever you are doing against windows, should work against a Samba DC.

> 
> ---
> As an aside - I assume that needing to use TLS means that FreeNAS is
> talking to Samba vis LDAP, and not Kerberos? 

Unless you are doing ldap searches, you will be using NTLM.
> Because, my limited
> understanding was that Kerberos is secure without wrapping in TLS,

Kerberos is even more secure than SSL.

> but LDAP isn't. So, if we were using Kerberos, there's be no need of
> TLS. But since we're using TLS, we must be using LDAP, and thus the
> need to secure the LDAP channel with CA/Cert/Key. 

If you do use SSL/TLS you will be using ldap, but you can use ldap
without SSL/TLS

> 
> But perhaps I don't grok that properly...
> 
> Someone is welcome to put me straight, if I've misunderstood
> something - but lets, also, not get too caught up in that side
> discussion. The real crux of my question follows. [A point to a wiki
> article or something might help me educate myself, if I'm
> confused.] :) ---
> 
> ** These questions and the answers are what I need most. **
> 
> So, I understand that Samba creates it's own CA/Cert/Key on first
> start up.

Yes

> 
> The Wiki appears to show how to generate your own self-signed cert.
> Several questions in relation to generating my own, outside the Samba
> server.
> 
> - I assume I can self sign certs, using my own CA. Correct? i.e. Not
> using the Samba generated CA/Cert(s)/Key(s). [But I'll have to
> copy/provide the CA.cert to the samba server [and any TLS clients for
> client/server certificate validation purposes.]

Yes

> 
> -The Wiki shows 2048 bit keys, and 1 year expiry. I assume this is
> simply the example, and 4096 bit keys and, say 10y expiry are
> accepted. Correct?

Yes

> 
> Are there any other limits I should be aware of? (Probably limited by
> the version of OpenSSL the version of Samba was compiled with on the
> target system? If that's the case, there's probably no hard-and-fast
> rule about what's acceptable...since it's version/distro/compliation
> dependant.) 
> 
> ---
> I generally hate using the OpenSSL tools to generate CA/certs/keys
> and use GNUTLS's tools to do it.

> Has anyone done this for Samba,

Probably, try an internet search. Samba is generally compiled against
gnutls.

> and
> if so, are there any gotcha's I should watch out for? 

I don't know ;-)

> 
> Any other general tips I should watch out for?
> 

You will undoubtedly be better off using kerberos instead of SSL

Rowland