[Samba] TLS ca/cert/key creation
gregs at sloop.net
Thu Jan 3 01:59:21 UTC 2019
RPvs> On Tue, 1 Jan 2019 10:35:17 -0800
RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:
>> I'm working to put up a production FeeeNAS box tied to Samba/AD for
>> authentication for users connecting to the FreeNAS share(s). In
>> joining FreeNAS to the AD domain, one immediately runs into
>> "problems" with TLS/encryption.
RPvs> I do not know why, by default you will be using NTLM for authentication.
The user and group queries, as best I can tell, from the FreeNAS box are occurring via LDAP.
And the samba default, at least with the package provided with Ubunti 18.04 requires TLS for LDAP.
I haven't captured the wire yet, but here's how I guess it's happening. [FreeNAS is running Samba itself. ]
It joins the AD domain.
Authentication between the users and FreeNAS is kerberos.
Lookups of users and groups against the DCs is occurring via LDAP.
In any case, I *know* that if I set FreeNAS to not use TLS and also set
"ldap server require strong auth = no"
in the AD servers' smb.conf's - the FreeNAS box can join the domain, and query users/groups from the DC's.
So, I think we can pretty safely conclude that some LDAP communication is occurring and that it's not all via Kerberos, and thus we'll have to setup TLS.
>> Samba, in the defaults requires TLS.
RPvs> No it doesn't, you can easily connect to shares without it (after you
RPvs> have authenticated via NTLM)
Ok, perhaps I should have been more clear. LDAP communication requires TLS by default. [Certainly it does with my distro's version (Ubuntu 18.04) - but I think this is true of any recent version.]
>> I could disable TLS security in
>> Samba, but that's probably not a great idea. So, I'll need a key/cert
>> for the FreeNAS box to do TLS with the Samba AD... And so I'm getting
>> ready to create the CA/certs/keys I need.
RPvs> If you do use SSL/TLS you will be using ldap, but you can use ldap
RPvs> without SSL/TLS
So, running LDAP without TLS...
Sure you can do it. You can probably configure Samba to accept plan-text passwords, unencrypted, over the wire too.
I assume that LDAP requires TLS now, because not using TLS is a pretty severe security problem.
Am I missing something?
What kinds of LDAP data is getting sent between a Samba domain member and a Samba DC? I'd assume it's fairly problematic to pass that in the clear - but frankly I don't know.
I have a more urgent question, but I'll put that in it's own message, so it doesn't get lost in the clutter.
More information about the samba