[Samba] Change ciphers on samba
L.P.H. van Belle
belle at bazuin.nl
Tue Oct 1 15:45:58 UTC 2019
You're looking for something like this, I think?
This enables TLS1.2 (and TLS1.3 if supported) and allows AES128 and AES256.
tls priority = SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:-VERS-DTLS1.1
Greetz,
Louis
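As an added check (example code, not from Louis or the Samba project): a small Python linter that pulls the 'tls priority' value out of an smb.conf [global] section and reports which legacy protocol versions are still negotiable, walking the GnuTLS priority string's '+'/'-' modifiers left to right. It assumes Samba's documented default of NORMAL:-VERS-SSL3.0 when the option is unset, and deliberately gives the base keyword (NORMAL, SECURE256, ...) no credit for dropping old versions, so the result is conservative.

```python
import re

# Protocol versions a hardened DC should refuse, as in the string above
LEGACY_VERSIONS = ("VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1",
                   "VERS-DTLS1.0", "VERS-DTLS1.1")

def legacy_versions_left_enabled(priority):
    """Walk a GnuTLS priority string left to right and return the legacy
    versions not removed by a '-' or '!' modifier. Conservative by design:
    the base keyword (NORMAL, SECURE256, ...) gets no credit."""
    removed = set()
    for token in priority.split(":")[1:]:
        if token.startswith(("-", "!")):
            removed.add(token[1:])
        elif token.startswith("+"):
            removed.discard(token[1:])   # re-added later in the string
    return [v for v in LEGACY_VERSIONS if v not in removed]

def tls_priority_from_smb_conf(text):
    """Return the 'tls priority' value from [global], or None when unset."""
    in_global = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global:
            m = re.match(r"tls\s+priority\s*=\s*(.+)$", line, re.IGNORECASE)
            if m:
                return m.group(1).strip()
    return None

def audit_smb_conf(text):
    """Return findings; empty means no legacy version is negotiable. Assumes
    Samba's documented default NORMAL:-VERS-SSL3.0 when the option is absent."""
    priority = tls_priority_from_smb_conf(text)
    findings = []
    if priority is None:
        priority = "NORMAL:-VERS-SSL3.0"
        findings.append("tls priority not set; Samba default applies")
    findings += ["%s still negotiable" % v
                 for v in legacy_versions_left_enabled(priority)]
    return findings

# Constructed smb.conf fragment modelled on the config quoted in the thread
SAMPLE_CONF = """[global]
    tls enabled = yes
    tls priority = SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:-VERS-DTLS1.1
"""
if __name__ == "__main__":
    print(audit_smb_conf(SAMPLE_CONF) or ["OK: no legacy TLS versions negotiable"])
```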
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Robert Marcano via samba
> Sent: Tuesday, 1 October 2019 17:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] Change ciphers on samba
>
> On 10/1/19 8:52 AM, Arkadiusz Karpiński via samba wrote:
> >
> > On 01.10.2019 14:06, Rowland penny via samba wrote:
> >> On 01/10/2019 12:51, Arkadiusz Karpiński wrote:
> >>>
> >>> On 30.09.2019 20:03, Rowland penny via samba wrote:
> >>>> On 30/09/2019 18:06, akarpinski wrote:
> >>>>> Samba version is 4.10.7
> >>>>>
> >>>>> smb.conf:
> >>>>>
> >>>>> # Global parameters
> >>>>> [global]
> >>>>> netbios name = dc-1
> >>>>> realm = REALM
> >>>>> server role = active directory domain controller
> >>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >>>>> workgroup = EFINITY
> >>>>> dns forwarder = 192.168.X.X 192.168.X.X
> >>>>> tls enabled = yes
> >>>>> tls keyfile = /usr/local/samba/private/tls/server.key
> >>>>> tls certfile = /usr/local/samba/private/tls/server.crt
> >>>>> tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
> >>>>
> >>>> I would take this up with whoever supplied your DC certificates;
> >>>> they do not appear to be strong enough.
> >>>>
> >>>> Also, you appear to be using Bind9 as your dns server, so you don't
> >>>> need the 'dns forwarder' line; these should be in your named.conf file.
> >>>>
> >>>> Rowland
> >>>>
> >>> I have an SSO certificate and I can only set RSA or ECDSA authentication
> >>> in the certificate; the rest depends on the client/server configuration. So
> >>> what do you mean that the certificates are not strong enough?
> >>
> >> You have this in your DC smb.conf:
> >>
> >> tls keyfile = /usr/local/samba/private/tls/server.key
> >> tls certfile = /usr/local/samba/private/tls/server.crt
> >> tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
> >>
> >> This means that you have supplied the certificates used by AD and if
> >> you are getting warnings about them, then you need to create
> >> certificates that will pass your tests.
> >>
> > But the certificate has nothing to do with ciphers. I would like to set
> > strong ciphers between client and server, but the server must force
> > sending a strong list of ciphers that will be used to communicate with
> > the client. On samba3 that was possible in smb.conf but it's missing from
> > the samba4 configuration.
>
> Look at the "tls priority" Samba setting; it points to GnuTLS priority
> strings, which have options to specify the ciphers.
>
> https://gnutls.org/manual/html_node/Priority-Strings.html
>
> >>>
> >>> Well, at this moment I don't need 'dns forwarder' at all; previously I
> >>> used dc-1/2 as my main DNS for AD clients but now I switched back to my
> >>> main DNS server and there I set a DNS forwarder for the domain "ad.realm"
> >>> to the Samba DNS. So I will delete this, thx.
> >>>
> >> I would go back to what you were doing before; your clients should use
> >> the DC as their nameserver.
> >>
> >> Rowland
> >>
> >>
> >>> Arek