[Samba] TLS ca/cert/key creation
rpenny at samba.org
Thu Jan 3 09:04:32 UTC 2019
On Wed, 2 Jan 2019 17:59:21 -0800
Gregory Sloop via samba <samba at lists.samba.org> wrote:
> RPvs> On Tue, 1 Jan 2019 10:35:17 -0800
> RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:
> >> I'm working to put up a production FreeNAS box tied to Samba/AD for
> >> authentication for users connecting to the FreeNAS share(s). In
> >> joining FreeNAS to the AD domain, one immediately runs into
> >> "problems" with TLS/encryption.
> RPvs> I do not know why, by default you will be using NTLM for
> RPvs> authentication.
> The user and group queries, as best I can tell, from the FreeNAS box
> are occurring via LDAP.
No, they are not, well, not unless FreeNAS is doing something strange.
Try reading this:
> And the samba default, at least with the
> package provided with Ubuntu 18.04, requires TLS for LDAP.
Yes, but LDAP != NTLM
> I haven't captured the wire yet, but here's how I guess it's
> happening. [FreeNAS is running Samba itself. ] It joins the AD domain.
> Authentication between the users and FreeNAS is kerberos.
> Lookups of users and groups against the DCs are occurring via LDAP.
> In any case, I *know* that if I set FreeNAS to not use TLS and also
> set "ldap server require strong auth = no"
> in the AD servers' smb.conf's - the FreeNAS box can join the domain,
> and query users/groups from the DCs.
> So, I think we can pretty safely conclude that some LDAP
> communication is occurring and that it's not all via Kerberos, and
> thus we'll have to set up TLS.
You only need TLS for LDAP, but kerberos is even more secure.
> >> Samba, in the defaults requires TLS.
> RPvs> No it doesn't, you can easily connect to shares without it
> RPvs> (after you have authenticated via NTLM)
> Ok, perhaps I should have been more clear. LDAP communication
> requires TLS by default. [Certainly it does with my distro's version
> (Ubuntu 18.04) - but I think this is true of any recent version.]
LDAP defaults to port 389, i.e. it doesn't use a certificate
> >> I could disable TLS security in
> >> Samba, but that's probably not a great idea. So, I'll need a
> >> key/cert for the FreeNAS box to do TLS with the Samba AD... And so
> >> I'm getting ready to create the CA/certs/keys I need.
> RPvs> If you do use SSL/TLS you will be using ldap, but you can use
> RPvs> ldap without SSL/TLS
What, even against a webserver?
> So, running LDAP without TLS...
> Sure you can do it. You can probably configure Samba to accept
> plain-text passwords, unencrypted, over the wire too. I assume that
> LDAP requires TLS now, because not using TLS is a pretty severe
> security problem.
Cannot argue with that, but using TLS is not the default, you have to
configure the DC and clients to use it.
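Added example (not from the thread or from Samba itself): a small audit of the smb.conf settings the thread turns on, with a constructed weakened DC config next to a constructed corrected one. The parameter names (`ldap server require strong auth`, `tls enabled`, `tls keyfile`, `tls certfile`, `tls cafile`) are real Samba options; the realm and file paths are placeholders.

```python
"""Audit a Samba AD DC smb.conf for the LDAP transport-security settings
discussed in the thread. Constructed sample configs; not Samba's own code."""
import re

# Constructed: the weakened DC config described in the thread.
WEAK_CONF = """
[global]
    server role = active directory domain controller
    realm = EXAMPLE.LAN
    # accepts simple (password) binds over plain LDAP on port 389
    ldap server require strong auth = no
"""

# Constructed: the corrected config (Samba's default strong auth, TLS material set).
HARDENED_CONF = """
[global]
    server role = active directory domain controller
    realm = EXAMPLE.LAN
    ldap server require strong auth = yes
    tls enabled = yes
    tls keyfile = tls/key.pem
    tls certfile = tls/cert.pem
    tls cafile = tls/ca.pem
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; keys lowercased, whitespace-normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def audit_ldap_security(text):
    """Return a list of findings; an empty list means no weak LDAP transport setting."""
    g = parse_smb_conf(text).get("global", {})
    off = ("no", "false", "0")
    findings = []
    # Default is 'yes': simple binds are only accepted once the connection uses TLS.
    if g.get("ldap server require strong auth", "yes").lower() in off:
        findings.append("strong auth disabled: plaintext simple binds accepted on port 389")
    if g.get("tls enabled", "yes").lower() in off:
        findings.append("tls enabled = no: clients cannot use LDAPS/StartTLS against this DC")
    for p in ("tls keyfile", "tls certfile", "tls cafile"):
        if p not in g:  # defaults under private/tls: self-signed at provision unless replaced
            findings.append(f"{p} not set: relying on the default self-signed certificate")
    return findings
```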