[Samba] Change ciphers on samba
Arkadiusz Karpiński
akarpinski at efinity.com
Tue Oct 1 12:52:56 UTC 2019
On 01.10.2019 14:06, Rowland penny via samba wrote:
> On 01/10/2019 12:51, Arkadiusz Karpiński wrote:
>>
>> On 30.09.2019 20:03, Rowland penny via samba wrote:
>>> On 30/09/2019 18:06, akarpinski wrote:
>>>> Samba version is 4.10.7
>>>>
>>>> smb.conf:
>>>>
>>>> # Global parameters
>>>> [global]
>>>> netbios name = dc-1
>>>> realm = REALM
>>>> server role = active directory domain controller
>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>>> winbindd, ntp_signd, kcc, dnsupdate
>>>> workgroup = EFINITY
>>>> dns forwarder = 192.168.X.X 192.168.X.X
>>>> tls enabled = yes
>>>> tls keyfile = /usr/local/samba/private/tls/server.key
>>>> tls certfile = /usr/local/samba/private/tls/server.crt
>>>> tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>>>
>>> I would take this up with whoever supplied your DC certificates;
>>> they do not appear to be strong enough.
>>>
>>> Also, you appear to be using Bind9 as your DNS server, so you don't
>>> need the 'dns forwarder' line; these should be in your named.conf file.
>>>
>>> Rowland
>>>
>> I have an SSO certificate and I can only set RSA or ECDSA authentication
>> in the certificate; the rest depends on the client/server configuration. So
>> what do you mean that the certificates are not strong enough?
>
> You have this in your DC smb.conf:
>
> tls keyfile = /usr/local/samba/private/tls/server.key
> tls certfile = /usr/local/samba/private/tls/server.crt
> tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>
> This means that you have supplied the certificates used by AD and if
> you are getting warnings about them, then you need to create
> certificates that will pass your tests.
>
But the certificate has nothing to do with ciphers. I would like to set
strong ciphers between client and server, but the server must be forced to send
a strong list of ciphers which will be used to communicate with the client. On
Samba 3 that was possible in smb.conf but it's missing from the Samba 4
configuration.
>>
>> Well, at this moment I don't need 'dns forwarder' at all; previously I
>> used dc-1/2 as my main DNS for AD clients, but now I've switched back to my
>> main DNS server and there I set a dns forwarder for the domain "ad.realm" to
>> the Samba DNS. So I will delete this, thx.
>>
> I would go back to what you were doing before; your clients should use
> the DC as their nameserver.
>
> Rowland
>
>
>> Arek
>>
>>
>>>
>>>
>
>
--
Arkadiusz Karpiński
Efinity Sp. z o.o.
02-672 Warszawa, ul. Domaniewska 42
t: +48 22 380 13 88 m: +48 793 783 343
f: +48 22 380 16 76
Company entered in the register of entrepreneurs kept by the District Court for the Capital City of Warsaw, XIII Commercial Division of the National Court Register, under KRS number 0000073606,
NIP 521-31-76-978,
Share capital: 51 500,00 PLN
The content of this message is confidential and legally protected. It may be received only by its addressee, to the exclusion of third parties. If you are not the addressee of this message, its dissemination, copying, distribution or any similar action is legally prohibited and may be punishable.
If this message is addressed to Efinity's clients, any opinion or advice contained in it is subject to the relevant terms of the agreement for the provision of services to the Client by Efinity.
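Editor's added example, not part of the thread: the cipher selection the poster is looking for is the `tls priority` smb.conf parameter, which takes a GnuTLS priority string (Samba's default is `NORMAL:-VERS-SSL3.0`). The fragment below reuses the file paths from the poster's configuration; the priority string is an assumption that must match what the GnuTLS build on the DC accepts.

```ini
[global]
    tls enabled  = yes
    tls keyfile  = /usr/local/samba/private/tls/server.key
    tls certfile = /usr/local/samba/private/tls/server.crt
    tls cafile   = /etc/pki/ca-trust/source/anchors/efinity-CA.crt

    ; Weak (Samba default): every cipher in GnuTLS NORMAL, SSLv3 removed,
    ; but TLS 1.0 and 1.1 still offered to clients.
    ; tls priority = NORMAL:-VERS-SSL3.0

    ; Hardened: drop SSLv3, TLS 1.0 and TLS 1.1 so the DC only negotiates
    ; TLS 1.2 or later; the cipher list itself is still GnuTLS NORMAL.
    tls priority = NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1
```

After restarting samba, confirm the policy from a client by attempting an LDAPS (port 636) handshake with an old protocol version and checking that the DC rejects it; the certificate and the negotiated cipher suite are independent settings, as the poster notes.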