[Samba] Change ciphers on samba
Robert Marcano
robert at marcanoonline.com
Tue Oct 1 15:28:17 UTC 2019
On 10/1/19 8:52 AM, Arkadiusz Karpiński via samba wrote:
>
> On 01.10.2019 14:06, Rowland penny via samba wrote:
>> On 01/10/2019 12:51, Arkadiusz Karpiński wrote:
>>>
>>> On 30.09.2019 20:03, Rowland penny via samba wrote:
>>>> On 30/09/2019 18:06, akarpinski wrote:
>>>>> Samba version is 4.10.7
>>>>>
>>>>> smb.conf:
>>>>>
>>>>> # Global parameters
>>>>> [global]
>>>>> netbios name = dc-1
>>>>> realm = REALM
>>>>> server role = active directory domain controller
>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
>>>>> winbindd, ntp_signd, kcc, dnsupdate
>>>>> workgroup = EFINITY
>>>>> dns forwarder = 192.168.X.X 192.168.X.X
>>>>> tls enabled = yes
>>>>> tls keyfile = /usr/local/samba/private/tls/server.key
>>>>> tls certfile = /usr/local/samba/private/tls/server.crt
>>>>> tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>>>>
>>>> I would take this up with whoever supplied your DC certificates,
>>>> they do not appear to be strong enough.
>>>>
>>>> Also, you appear to be using Bind9 as your dns server, so you don't
>>>> need the 'dns forwarder' line, these should be in your named.conf file.
>>>>
>>>> Rowland
>>>>
>>> I have an SSO certificate and I can only set RSA or ECDSA authentication
>>> in the certificate; the rest depends on the client/server configuration. So
>>> what do you mean that the certificates are not strong enough?
>>
>> You have this in your DC smb.conf:
>>
>> tls keyfile = /usr/local/samba/private/tls/server.key
>> tls certfile = /usr/local/samba/private/tls/server.crt
>> tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>>
>> This means that you have supplied the certificates used by AD and if
>> you are getting warnings about them, then you need to create
>> certificates that will pass your tests.
>>
> But the certificate has nothing to do with ciphers. I would like to set
> strong ciphers between client and server, but the server must be forced to
> send a strong list of ciphers which it will use to communicate with the
> client. On Samba 3 that was possible in smb.conf, but it's missing from the
> Samba 4 configuration.
Look at the "tls priority" Samba setting; it points to GnuTLS priority
strings, which have options to specify the ciphers.
https://gnutls.org/manual/html_node/Priority-Strings.html
>>>
>>> Well, at this moment I don't need 'dns forwarder' at all. Previously I
>>> used dc-1/2 as the main DNS for AD clients, but now I have switched back to my
>>> main DNS server and there I set a forwarder for the domain "ad.realm" to the
>>> Samba DNS. So I will delete this, thx.
>>>
>> I would go back to what you were doing before; your clients should use
>> the DC as their nameserver.
>>
>> Rowland
>>
>>
>>> Arek
>>>
>>>
>>>>
>>>>
>>
>>
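As an added illustration (not from any poster in this thread), here is what the "tls priority" setting Robert refers to looks like in the [global] section of an AD DC's smb.conf. The first value is the default documented in smb.conf(5); the second is an assumed hardened string built from the GnuTLS priority keywords linked above, not a value anyone in the thread recommended.

```ini
[global]
    # Documented default for "tls priority": the GnuTLS NORMAL set with
    # SSLv3 removed. Everything else that NORMAL enables (TLS 1.0/1.1 and
    # their cipher suites) is still offered to clients.
    # tls priority = NORMAL:-VERS-SSL3.0

    # Assumed hardened example: start from the GnuTLS SECURE256 level,
    # drop every TLS version, then re-enable only TLS 1.2 and 1.3.
    # Cipher suites outside SECURE256 are never offered by the DC, which
    # is the "server forces a strong list" behaviour asked about above.
    tls priority = SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3
```

Which keywords are accepted depends on the GnuTLS version Samba is linked against (for example, VERS-TLS1.3 only exists in GnuTLS 3.6 and later), and testparm checks smb.conf syntax without evaluating the priority string. Validate the string on the DC itself with `gnutls-cli -l --priority "SECURE256:-VERS-TLS-ALL:+VERS-TLS1.2:+VERS-TLS1.3"`, which lists only the suites that string enables, and after restarting Samba confirm the negotiated protocol and cipher against the LDAPS port with `gnutls-cli -p 636 <dc hostname>` (hostname assumed). Any client that can only negotiate what the string removes will fail LDAPS against the DC, so check the oldest clients in the domain before rolling a restrictive string out to every DC.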