[Samba] Change ciphers on samba

L.P.H. van Belle belle at bazuin.nl
Tue Oct 1 15:45:58 UTC 2019


You are looking for something like this, I think?

Enable TLS1.2 (and, if supported, TLS1.3) and allow AES128 and AES256.
tls priority = SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:-VERS-DTLS1.1

Greetz, 

Louis
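The priority string above, worked through as an added example (this is not Samba or GnuTLS code): a small Python checker that parses a GnuTLS priority string of the form Samba's "tls priority" parameter expects and reports which legacy protocol versions the string does not explicitly switch off. The keyword table is an assumption limited to the version tokens used on this thread; to see which cipher suites a string really resolves to on your build, run gnutls-cli --priority '<string>' -l.

```python
import re
from dataclasses import dataclass, field

# The string proposed on this thread for smb.conf's "tls priority" parameter.
PROPOSED = ("SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1"
            ":-VERS-DTLS1.0:-VERS-DTLS1.1")

# Legacy protocol keywords the policy below asks about. The names follow the
# GnuTLS keywords used on this thread; the table is an assumption for this
# example, not GnuTLS's full keyword set.
LEGACY_VERSIONS = ("VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1", "VERS-DTLS1.0")
# Group keywords whose "+" or "-" applies to every protocol version at once.
VERSION_GROUPS = ("VERS-ALL", "VERS-TLS-ALL")

# One token: optional prefix (+ add, - remove, ! disable, % option) and a
# keyword such as VERS-TLS1.2, SECURE128 or %SERVER_PRECEDENCE.
_TOKEN = re.compile(r"^([+\-!%]?)([A-Za-z0-9@._-]+)$")


@dataclass
class Priority:
    initial: str                                   # SECURE256, NORMAL, @SYSTEM ...
    modifiers: list = field(default_factory=list)  # (prefix, KEYWORD) in string order

    def added(self):
        return [k for p, k in self.modifiers if p == "+"]

    def removed(self):
        return [k for p, k in self.modifiers if p in ("-", "!")]


def parse_priority(text: str) -> Priority:
    """Split a GnuTLS-style priority string into its initial keyword and its
    ordered modifiers. A modifier with no prefix raises ValueError, which is
    the usual typo ("NORMAL:VERS-TLS1.0" written instead of "-VERS-TLS1.0")."""
    tokens = [t.strip() for t in text.split(":")]
    m = _TOKEN.match(tokens[0]) if tokens and tokens[0] else None
    if m is None or m.group(1):
        raise ValueError(f"priority string must start with a bare keyword: {text!r}")
    prio = Priority(initial=m.group(2).upper())
    for tok in tokens[1:]:
        if not tok:
            continue                       # tolerate a stray "::"
        m = _TOKEN.match(tok)
        if m is None or not m.group(1):
            raise ValueError(f"modifier without +/-/!/% prefix: {tok!r}")
        prio.modifiers.append((m.group(1), m.group(2).upper()))
    return prio


def legacy_not_disabled(text: str) -> list:
    """Return the legacy versions the string never explicitly turns off.

    Modifiers are applied left to right, the way GnuTLS reads them, so
    "-VERS-ALL:+VERS-TLS1.2" ends with every legacy version off, while
    "-VERS-ALL:+VERS-TLS1.0" leaves TLS1.0 on again."""
    prio = parse_priority(text)
    off = {v: False for v in LEGACY_VERSIONS}   # False = not switched off (yet)
    for prefix, keyword in prio.modifiers:
        if prefix == "%":
            continue                       # %-options do not touch versions
        if keyword in VERSION_GROUPS:
            targets = LEGACY_VERSIONS
        elif keyword in off:
            targets = (keyword,)
        else:
            continue                       # ciphers, MACs, non-legacy versions
        for v in targets:
            off[v] = prefix in ("-", "!")
    return [v for v in LEGACY_VERSIONS if not off[v]]


def smb_conf_line(text: str) -> str:
    """Render a validated string as the smb.conf [global] parameter."""
    parse_priority(text)                   # fail early on a malformed string
    return f"tls priority = {text}"


if __name__ == "__main__":
    for candidate in ("NORMAL", PROPOSED):
        left = legacy_not_disabled(candidate)
        print(smb_conf_line(candidate))
        print("  legacy versions not disabled:", ", ".join(left) or "none")
```

The walk is order-sensitive on purpose: a string that removes "VERS-ALL" and then adds a single version back is accepted only for the versions it re-adds, which is the pattern you want when pinning a server to TLS1.2 and TLS1.3.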



> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Robert Marcano via samba
> Sent: Tuesday 1 October 2019 17:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] Change ciphers on samba
> 
> On 10/1/19 8:52 AM, Arkadiusz Karpiński via samba wrote:
> > 
> > On 01.10.2019 14:06, Rowland penny via samba wrote:
> >> On 01/10/2019 12:51, Arkadiusz Karpiński wrote:
> >>>
> >>> On 30.09.2019 20:03, Rowland penny via samba wrote:
> >>>> On 30/09/2019 18:06, akarpinski wrote:
> >>>>> Samba version is 4.10.7
> >>>>>
> >>>>> smb.conf:
> >>>>>
> >>>>> # Global parameters
> >>>>> [global]
> >>>>>   netbios name = dc-1
> >>>>>   realm = REALM
> >>>>>   server role = active directory domain controller
> >>>>>   server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
> >>>>> winbindd, ntp_signd, kcc, dnsupdate
> >>>>>   workgroup = EFINITY
> >>>>>   dns forwarder = 192.168.X.X 192.168.X.X
> >>>>>   tls enabled = yes
> >>>>>   tls keyfile = /usr/local/samba/private/tls/server.key
> >>>>>   tls certfile = /usr/local/samba/private/tls/server.crt
> >>>>>   tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
> >>>>
> >>>> I would take this up with whoever supplied your DC certificates, 
> >>>> they do not appear to be strong enough.
> >>>>
> >>>> Also, you appear to be using Bind9 as your dns server, so you don't 
> >>>> need the 'dns forwarder' line, these should be in your named.conf file.
> >>>>
> >>>> Rowland
> >>>>
> >>> I have an SSO certificate and I can only set RSA or ECDSA authentication 
> >>> in the certificate; the rest depends on client/server configuration. So 
> >>> what do you mean that the certificates are not strong enough?
> >>
> >> You have this in your DC smb.conf:
> >>
> >>   tls keyfile = /usr/local/samba/private/tls/server.key
> >>   tls certfile = /usr/local/samba/private/tls/server.crt
> >>   tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
> >>
> >> This means that you have supplied the certificates used by AD and if 
> >> you are getting warnings about them, then you need to create 
> >> certificates that will pass your tests.
> >>
> > But the certificate has nothing to do with ciphers. I would like to set 
> > strong ciphers between client and server, but the server must be forced 
> > to send a strong list of ciphers which will be used to communicate with 
> > the client. On samba3 that was possible in smb.conf but it's missing on 
> > samba4 configuration.
> 
> Look at the "tls priority" Samba setting; it points to GnuTLS priority 
> strings, which have options to specify the ciphers.
> 
> https://gnutls.org/manual/html_node/Priority-Strings.html
> 
> >>>
> >>> Well at this moment I don't need 'dns forwarder' at all; previously I 
> >>> used dc-1/2 as my main dns for AD clients but now I switched back to my 
> >>> main DNS server and there I set a dns forwarder for domain "ad.realm" to 
> >>> samba DNS. So I will delete this, thx.
> >>>
> >> I would go back to what you were doing before, your clients should use 
> >> the DC as their nameserver.
> >>
> >> Rowland
> >>
> >>
> >>> Arek