[Samba] TLS ca/cert/key creation

Gregory Sloop gregs at sloop.net
Thu Jan 3 01:59:21 UTC 2019

RPvs> On Tue, 1 Jan 2019 10:35:17 -0800
RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:

>> I'm working to put up a production FreeNAS box tied to Samba/AD for
>> authentication for users connecting to the FreeNAS share(s). In
>> joining FreeNAS to the AD domain, one immediately runs into
>> "problems" with TLS/encryption.

RPvs> I do not know why, by default you will be using NTLM for authentication.

The user and group queries, as best I can tell, from the FreeNAS box are occurring via LDAP.
And the samba default, at least with the package provided with Ubuntu 18.04, requires TLS for LDAP.

I haven't captured the wire yet, but here's how I guess it's happening. [FreeNAS is running Samba itself. ]
It joins the AD domain.

Authentication between the users and FreeNAS is Kerberos.
Lookups of users and groups against the DCs is occurring via LDAP.

In any case, I *know* that if I set FreeNAS to not use TLS and also set
"ldap server require strong auth = no"
in the AD servers' smb.conf files - the FreeNAS box can join the domain, and query users/groups from the DCs.

So, I think we can pretty safely conclude that some LDAP communication is occurring and that it's not all via Kerberos, and thus we'll have to set up TLS.

>> Samba, in the defaults requires TLS. 

RPvs> No it doesn't, you can easily connect to shares without it (after you
RPvs> have authenticated via NTLM)

Ok, perhaps I should have been more clear. LDAP communication requires TLS by default. [Certainly it does with my distro's version (Ubuntu 18.04) - but I think this is true of any recent version.]

>> I could disable TLS security in
>> Samba, but that's probably not a great idea. So, I'll need a key/cert
>> for the FreeNAS box to do TLS with the Samba AD... And so I'm getting
>> ready to create the CA/certs/keys I need.

RPvs> If you do use SSL/TLS you will be using ldap, but you can use ldap
RPvs> without SSL/TLS

So, running LDAP without TLS...
Sure you can do it. You can probably configure Samba to accept plain-text passwords, unencrypted, over the wire too.
I assume that LDAP requires TLS now, because not using TLS is a pretty severe security problem.

Am I missing something?

What kind of LDAP data is getting sent between a Samba domain member and a Samba DC? I'd assume it's fairly problematic to pass that in the clear - but frankly I don't know.

I have a more urgent question, but I'll put that in its own message, so it doesn't get lost in the clutter.
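An added example, not from this thread or from Samba itself: a small Python audit that reads the [global] section of an smb.conf and reports whether the relaxed "ldap server require strong auth = no" discussed above (or "tls enabled = no") is in effect, falling back to Samba's own defaults (both yes) when the parameter is absent. The two smb.conf fragments are constructed samples.

```python
import configparser
from typing import Dict

# Constructed smb.conf fragments (not from any real host): the relaxed setting
# mentioned in the thread beside the default-hardened form.
WEAK_SMB_CONF = """
[global]
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    ldap server require strong auth = no
"""

HARDENED_SMB_CONF = """
[global]
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    ldap server require strong auth = yes
    tls enabled = yes
"""

# Samba's defaults when the parameter is not set: both are "yes".
DEFAULTS = {"ldap server require strong auth": "yes", "tls enabled": "yes"}


def parse_global(text: str) -> Dict[str, str]:
    """Parse the [global] section of smb.conf-style text into a dict.

    Indentation is stripped first so configparser does not treat indented
    lines as continuations; keys are lowercased, matching Samba's
    case-insensitive parameter names. Assumes the section is named [global].
    """
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(flat)
    if not cp.has_section("global"):
        return {}
    return {k.strip(): v.strip() for k, v in cp["global"].items()}


def audit_ldap_tls(text: str) -> Dict[str, str]:
    """Return the effective values of the two LDAP/TLS parameters plus a verdict.

    Missing keys fall back to DEFAULTS, so an smb.conf that never mentions
    them is reported as 'ok' (Samba requires strong auth by default).
    """
    g = parse_global(text)
    effective = {k: g.get(k, d).lower() for k, d in DEFAULTS.items()}
    weak = (effective["ldap server require strong auth"] == "no"
            or effective["tls enabled"] == "no")
    effective["verdict"] = "weak: cleartext LDAP binds allowed" if weak else "ok"
    return effective
```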
