[Samba] Change ciphers on samba

Rowland penny rpenny at samba.org
Tue Oct 1 13:29:44 UTC 2019


On 01/10/2019 13:52, Arkadiusz Karpiński via samba wrote:
>
> On 01.10.2019 14:06, Rowland penny via samba wrote:
>> On 01/10/2019 12:51, Arkadiusz Karpiński wrote:
>>>
>>> On 30.09.2019 20:03, Rowland penny via samba wrote:
>>>> On 30/09/2019 18:06, akarpinski wrote:
>>>>> Samba version is 4.10.7
>>>>>
>>>>> smb.conf:
>>>>>
>>>>> # Global parameters
>>>>> [global]
>>>>>   netbios name = dc-1
>>>>>   realm = REALM
>>>>>   server role = active directory domain controller
>>>>>   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>>   workgroup = EFINITY
>>>>>   dns forwarder = 192.168.X.X 192.168.X.X
>>>>>   tls enabled = yes
>>>>>   tls keyfile = /usr/local/samba/private/tls/server.key
>>>>>   tls certfile = /usr/local/samba/private/tls/server.crt
>>>>>   tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>>>>
>>>> I would take this up with whoever supplied your DC certificates, 
>>>> they do not appear to be strong enough.
>>>>
>>>> Also, you appear to be using Bind9 as your dns server, so you don't 
>>>> need the 'dns forwarder' line, these should be in your named.conf 
>>>> file.
>>>>
>>>> Rowland
>>>>
>>> I have an SSO certificate and I can only set RSA or ECDSA 
>>> authentication in the certificate; the rest depends on client/server 
>>> configuration. So what do you mean by the certificates not being strong 
>>> enough?
>>
>> You have this in your DC smb.conf:
>>
>>   tls keyfile = /usr/local/samba/private/tls/server.key
>>   tls certfile = /usr/local/samba/private/tls/server.crt
>>   tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>>
>> This means that you have supplied the certificates used by AD and if 
>> you are getting warnings about them, then you need to create 
>> certificates that will pass your tests.
>>
> But the certificate has nothing to do with ciphers. I would like to set 
> strong ciphers between client and server, but the server must be forced to 
> send a strong list of ciphers which will be used to communicate with the 
> client. On Samba 3 that was possible in smb.conf, but it's missing from the 
> Samba 4 configuration.

Samba3 != Samba4 running as a DC.

If you want stronger ciphers between your clients and the DC, then the 
certificate that you are supplying to your clients from the DC must be 
as strong as you require.

Rowland
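The thread argues about whether the certificate or the cipher list is the lever; either way, the thing to verify is what the DC actually negotiates. The following Python script is an added example for this thread, not Samba's own code and not something the thread's participants posted. It connects to the DC's LDAPS port with the standard library `ssl` module, reports the negotiated protocol, suite and key length, and flags a conservative set of findings (legacy protocol versions, RC4/DES/NULL/EXPORT/MD5/anonymous suites, sub-128-bit keys, static key exchange without forward secrecy, expired or mis-named certificates). The host name `dc-1.example.internal` is a constructed placeholder, and the weak-suite rules are the script's own checklist rather than Samba's or GnuTLS's policy.

```python
"""Probe a Samba AD DC's TLS endpoint (LDAPS, port 636) and report findings.

Added example for the mailing-list thread; not Samba's code. The DC name,
port and optional CA file come from the command line. "dc-1.example.internal"
is a constructed placeholder and the weak-suite rules below are this script's
own conservative checklist.
"""
import socket
import ssl
import sys
import time

# Substrings that mark a suite as unacceptable under this script's policy.
WEAK_TOKENS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ANON")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def assess_cipher(name, protocol, bits):
    """Findings for one negotiated suite; an empty list means acceptable.

    The three arguments are exactly what ssl.SSLSocket.cipher() returns.
    """
    findings = []
    if protocol in LEGACY_PROTOCOLS:
        findings.append("legacy protocol %s negotiated" % protocol)
    upper = name.upper()
    for token in WEAK_TOKENS:
        if token in upper:
            findings.append("weak cipher component %s in %s" % (token, name))
    if bits < 128:
        findings.append("symmetric key length %d bits is below 128" % bits)
    # TLS 1.3 suites always use (EC)DHE. For TLS 1.2, OpenSSL names the key
    # exchange in the prefix, so a bare "AES256-GCM-SHA384" means static RSA.
    forward_secret = protocol == "TLSv1.3" or upper.startswith(("ECDHE-", "DHE-"))
    if not forward_secret:
        findings.append("no forward secrecy: %s uses a static key exchange" % name)
    return findings


def assess_cert(cert, hostname, now=None):
    """Findings for the dict returned by ssl.SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    findings = []
    not_after = cert.get("notAfter")
    if not_after is None:
        # getpeercert() returns {} when the peer certificate was not verified.
        findings.append("certificate has no notAfter field (was it verified?)")
    else:
        expires = ssl.cert_time_to_seconds(not_after)
        if expires <= now:
            findings.append("certificate expired on %s" % not_after)
        elif expires - now < 30 * 86400:
            findings.append("certificate expires within 30 days (%s)" % not_after)
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    # Exact match only: wildcard SANs are deliberately not honoured here.
    if hostname.lower() not in (s.lower() for s in sans):
        findings.append("hostname %s not among DNS SANs %s" % (hostname, sans))
    return findings


def probe(host, port=636, cafile=None):
    """Open one TLS session and return (cipher findings, cert findings, cipher)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher = tls.cipher()          # (name, protocol, bits)
            cert = tls.getpeercert()       # dict; {} if not verified
    return assess_cipher(*cipher), assess_cert(cert, host), cipher


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "dc-1.example.internal"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    cipher_findings, cert_findings, cipher = probe(host, port, cafile)
    print("negotiated: %s %s (%d bits)" % cipher)
    for finding in cipher_findings + cert_findings:
        print("FINDING:", finding)
    if not cipher_findings and not cert_findings:
        print("no findings")
```

Run it as `python3 probe_dc_tls.py dc-1.example.internal 636 /path/to/ca.crt`, passing the same CA file the DC's `tls cafile` line points at so that certificate verification succeeds and `getpeercert()` returns the parsed certificate. Because `ssl.create_default_context()` already refuses TLS 1.0/1.1 and the weakest suites on current Python builds, a clean result shows what a modern client gets, not what an old client could still negotiate; the legacy checks in `assess_cipher` matter when the context is deliberately relaxed for a wider audit. For completeness, and separate from what the thread says: Samba 4's TLS stack is GnuTLS, and the `tls priority` smb.conf parameter takes a GnuTLS priority string, which is where server-side suite and protocol restrictions are expressed.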
