[Samba] TLS ca/cert/key creation

Rowland Penny rpenny at samba.org
Thu Jan 3 09:04:32 UTC 2019


On Wed, 2 Jan 2019 17:59:21 -0800
Gregory Sloop via samba <samba at lists.samba.org> wrote:

> 
> 
> RPvs> On Tue, 1 Jan 2019 10:35:17 -0800
> RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:
> 
> >> I'm working to put up a production FreeNAS box tied to Samba/AD for
> >> authentication for users connecting to the FreeNAS share(s). In
> >> joining FreeNAS to the AD domain, one immediately runs into
> >> "problems" with TLS/encryption.
> 
> RPvs> I do not know why, by default you will be using NTLM for
> RPvs> authentication.
> 
> The user and group queries, as best I can tell, from the FreeNAS box
> are occurring via LDAP. 

No, they are not, well, not unless FreeNAS is doing something strange.
Try reading this:

https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-ntlm

> And the samba default, at least with the
> package provided with Ubuntu 18.04 requires TLS for LDAP.

Yes, but LDAP != NTLM

> 
> I haven't captured the wire yet, but here's how I guess it's
> happening. [FreeNAS is running Samba itself. ] It joins the AD domain.
> 
> Authentication between the users and FreeNAS is kerberos.
> Lookups of users and groups against the DCs is occurring via LDAP.
> 
> In any case, I *know* that if I set FreeNAS to not use TLS and also
> set "ldap server require strong auth = no"
> in the AD servers' smb.conf files - the FreeNAS box can join the domain,
> and query users/groups from the DCs.
> 
> So, I think we can pretty safely conclude that some LDAP
> communication is occurring and that it's not all via Kerberos, and
> thus we'll have to setup TLS.

You only need TLS for LDAP, but kerberos is even more secure.

> 
> 
> >> Samba, in the defaults requires TLS. 
> 
> RPvs> No it doesn't, you can easily connect to shares without it
> RPvs> (after you have authenticated via NTLM)
> 
> Ok, perhaps I should have been more clear. LDAP communication
> requires TLS by default. [Certainly it does with my distro's version
> (Ubuntu 18.04) - but I think this is true of any recent version.]

LDAP defaults to port 389, i.e. it doesn't use a certificate

> 
> >> I could disable TLS security in
> >> Samba, but that's probably not a great idea. So, I'll need a
> >> key/cert for the FreeNAS box to do TLS with the Samba AD... And so
> >> I'm getting ready to create the CA/certs/keys I need.
> 
> RPvs> If you do use SSL/TLS you will be using ldap, but you can use
> RPvs> ldap without SSL/TLS

What, even against a webserver ?

> 
> So, running LDAP without TLS...
> Sure you can do it. You can probably configure Samba to accept
> plain-text passwords, unencrypted, over the wire too. I assume that
> LDAP requires TLS now, because not using TLS is a pretty severe
> security problem.

Cannot argue with that, but using TLS is not the default, you have to
configure the DC and clients to use it.

Rowland
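Added here as a defender's check, not code from the thread or from Samba itself: a short Python audit of the smb.conf options the thread turns on (`ldap server require strong auth`, `tls enabled` and the `tls keyfile`/`tls certfile`/`tls cafile` paths). The option names are Samba's own; the two smb.conf snippets are constructed samples.

```python
import re

# Constructed samples, not from the thread: a DC relaxed to allow plain-LDAP binds...
WEAK_SMB_CONF = """\
[global]
    server role = active directory domain controller
    ldap server require strong auth = no
    tls enabled = no
"""
# ...and the same DC with the default restored and explicit TLS material.
HARDENED_SMB_CONF = """\
[global]
    server role = active directory domain controller
    ldap server require strong auth = yes
    tls enabled = yes
    tls keyfile  = tls/key.pem
    tls certfile = tls/cert.pem
    tls cafile   = tls/ca.pem
"""

def parse_global(text):
    """Return [global] as a dict; smb.conf keys are case-insensitive and
    internal whitespace is insignificant, so keys are normalised."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit(text):
    """Return findings about the LDAP/TLS posture; an empty list means nothing to flag."""
    g = parse_global(text)
    findings = []
    # Default is 'yes'; 'no' lets simple binds succeed over cleartext port 389.
    if g.get("ldap server require strong auth", "yes").lower() == "no":
        findings.append("ldap server require strong auth = no: simple binds over cleartext LDAP")
    if g.get("tls enabled", "yes").lower() == "no":
        findings.append("tls enabled = no: LDAP over TLS unavailable to clients")
    else:
        for opt in ("tls keyfile", "tls certfile", "tls cafile"):
            if opt not in g:
                findings.append(f"{opt} not set: default path, i.e. Samba's self-signed material")
    return findings
```

Run `audit()` over each DC's smb.conf; the hardened sample returns no findings, the relaxed one returns two.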