[Samba] Change ciphers on samba

[Rowland penny]

On 01/10/2019 12:51, Arkadiusz Karpiński wrote:
>
> On 30.09.2019 20:03, Rowland penny via samba wrote:
>> On 30/09/2019 18:06, akarpinski wrote:
>>> Samba version is 4.10.7
>>>
>>> smb.conf:
>>>
>>> # Global parameters
>>> [global]
>>>   netbios name = dc-1
>>>   realm = REALM
>>>   server role = active directory domain controller
>>>   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
>>> winbindd, ntp_signd, kcc, dnsupdate
>>>   workgroup = EFINITY
>>>   dns forwarder = 192.168.X.X 192.168.X.X
>>>   tls enabled = yes
>>>   tls keyfile = /usr/local/samba/private/tls/server.key
>>>   tls certfile = /usr/local/samba/private/tls/server.crt
>>>   tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>>
>> I would take this up with whoever supplied your DC certificates, they 
>> do not appear to be strong enough.
>>
>> Also, you appear to be using Bind9 as your dns server, so you don't 
>> need the 'dns forwarder' line, these should be in your named.conf file.
>>
>> Rowland
>>
> I have SSO certificate and I can only set RSA or ECDSA authentication 
> in certificate, rest is depend by client/server configuration. So what 
> You mean that certificates are not strong enough?

You have this in your DC smb.conf:

   tls keyfile = /usr/local/samba/private/tls/server.key
   tls certfile = /usr/local/samba/private/tls/server.crt
   tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt

This means that you have supplied the certificates used by AD and if you 
are getting warnings about them, then you need to create certificates 
that will pass your tests.

>
> Well at this moment I don't need 'dns forwarder' at all, previously I 
> used dc-1/2 as my main dns for AD client but now I switch back to my 
> main DNS server and there I set dns forwarder to domain "ad.realm" to 
> samba DNS. So I will delete this, thx.
>
I would go back to what you were doing before, your clients should use 
the DC as their nameserver.

Rowland


> Arek
>
>
>>
>>