[Samba] Change ciphers on samba
akarpinski
akarpinski at efinity.com
Tue Oct 1 19:13:32 UTC 2019
Perfect!
Robert, Louis, thank you.
BTW.
DTLS1.1 doesn't exist, so with a small fix it should be:
tls priority = SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0
Arek
On 01.10.2019 17:45, L.P.H. van Belle via samba wrote:
> You are looking for something like this, I think?
>
> Enable TLS1.2 (and, if supported, TLS1.3) and allow AES128 and AES256.
> tls priority = SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:-VERS-DTLS1.1
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Robert Marcano via samba
>> Sent: Tuesday 1 October 2019 17:28
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Change ciphers on samba
>>
>> On 10/1/19 8:52 AM, Arkadiusz Karpiński via samba wrote:
>>> On 01.10.2019 14:06, Rowland penny via samba wrote:
>>>> On 01/10/2019 12:51, Arkadiusz Karpiński wrote:
>>>>> On 30.09.2019 20:03, Rowland penny via samba wrote:
>>>>>> On 30/09/2019 18:06, akarpinski wrote:
>>>>>>> Samba version is 4.10.7
>>>>>>>
>>>>>>> smb.conf:
>>>>>>>
>>>>>>> # Global parameters
>>>>>>> [global]
>>>>>>> netbios name = dc-1
>>>>>>> realm = REALM
>>>>>>> server role = active directory domain controller
>>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>>>> workgroup = EFINITY
>>>>>>> dns forwarder = 192.168.X.X 192.168.X.X
>>>>>>> tls enabled = yes
>>>>>>> tls keyfile = /usr/local/samba/private/tls/server.key
>>>>>>> tls certfile = /usr/local/samba/private/tls/server.crt
>>>>>>> tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>>>>>> I would take this up with whoever supplied your DC certificates,
>>>>>> they do not appear to be strong enough.
>>>>>>
>>>>>> Also, you appear to be using Bind9 as your dns server, so you don't
>>>>>> need the 'dns forwarder' line, these should be in your named.conf file.
>>>>>> Rowland
>>>>>>
>>>>> I have an SSO certificate and I can only set RSA or ECDSA authentication
>>>>> in the certificate; the rest depends on client/server configuration. So
>>>>> what do you mean that the certificates are not strong enough?
>>>> You have this in your DC smb.conf:
>>>>
>>>> tls keyfile = /usr/local/samba/private/tls/server.key
>>>> tls certfile = /usr/local/samba/private/tls/server.crt
>>>> tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>>>>
>>>> This means that you have supplied the certificates used by AD and if
>>>> you are getting warnings about them, then you need to create
>>>> certificates that will pass your tests.
>>>>
>>> But the certificate has nothing to do with ciphers. I would like to set
>>> strong ciphers between client and server, but the server must be forced
>>> to send a strong list of ciphers which will be used to communicate with
>>> the client. On samba3 that was possible in smb.conf but it's missing from
>>> the samba4 configuration.
>> Look at the "tls priority" Samba setting; it points to GnuTLS priority
>> strings, which have options to specify the ciphers.
>>
>> https://gnutls.org/manual/html_node/Priority-Strings.html
>>
>>>>> Well, at this moment I don't need 'dns forwarder' at all; previously I
>>>>> used dc-1/2 as my main DNS for AD clients, but now I have switched back
>>>>> to my main DNS server and there I set a dns forwarder for the domain
>>>>> "ad.realm" to the samba DNS. So I will delete this, thx.
>>>>>
>>>> I would go back to what you were doing before, your clients should use
>>>> the DC as their nameserver.
>>>>
>>>> Rowland
>>>>
>>>>
>>>>> Arek
>>>>>
>>>>>
>>>>>>
>>>>
>>
>
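The `tls priority` values traded in this thread are GnuTLS priority strings. As an added example (not Samba's or GnuTLS's own code), the Python below parses such a string into its initial keyword and its `+`/`-`/`!` modifiers and lints it: it flags protocol keywords GnuTLS does not define, such as the `VERS-DTLS1.1` in the first version of the string (DTLS has no 1.1; it went from 1.0 straight to 1.2), and it reports legacy versions that are neither disabled individually nor covered by `-VERS-ALL`/`-VERS-TLS-ALL`. The keyword tables follow the GnuTLS priority-string manual linked in the thread; the `Priority` class and the lint rules are this example's own choices.

```python
"""Parse and lint GnuTLS priority strings (the value of Samba's ``tls priority``).

Added example for this thread, not Samba's or GnuTLS's own parser. The keyword
tables follow the GnuTLS priority-string manual; the lint rules are assumptions
about what a domain controller should offer.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Initial keywords that set the baseline cipher/protocol set.
INITIAL_KEYWORDS = {
    "NONE", "NORMAL", "PERFORMANCE", "LEGACY", "PFS",
    "SECURE128", "SECURE192", "SECURE256", "SUITEB128", "SUITEB192",
}

# Protocol-version keywords GnuTLS defines. There is no DTLS 1.1: DTLS went
# from 1.0 to 1.2 (RFC 6347), so "VERS-DTLS1.1" is not a valid keyword.
KNOWN_VERSIONS = {
    "VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1", "VERS-TLS1.2", "VERS-TLS1.3",
    "VERS-DTLS1.0", "VERS-DTLS1.2",
    "VERS-TLS-ALL", "VERS-DTLS-ALL", "VERS-ALL",
}

# Versions a DC should not offer; the lint wants them disabled explicitly
# (or swept away by -VERS-ALL / -VERS-TLS-ALL).
LEGACY_VERSIONS = ("VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1")
ALL_SWITCHES = {"VERS-ALL", "VERS-TLS-ALL"}


@dataclass
class Priority:
    initial: Optional[str] = None
    enabled: List[str] = field(default_factory=list)   # "+KEYWORD" tokens
    disabled: List[str] = field(default_factory=list)  # "-KEYWORD" / "!KEYWORD"
    options: List[str] = field(default_factory=list)   # "%OPTION" tokens
    bare: List[str] = field(default_factory=list)      # unprefixed, non-initial


def parse_priority(text: str) -> Priority:
    """Split a colon-separated priority string into its components."""
    prio = Priority()
    tokens = [t.strip() for t in text.split(":") if t.strip()]
    if not tokens:
        raise ValueError("empty priority string")
    for i, tok in enumerate(tokens):
        if tok.startswith("%"):
            prio.options.append(tok[1:])
        elif tok.startswith("+"):
            prio.enabled.append(tok[1:])
        elif tok[0] in "-!":
            prio.disabled.append(tok[1:])
        elif i == 0:
            prio.initial = tok
        else:
            prio.bare.append(tok)
    return prio


def lint_priority(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    prio = parse_priority(text)
    findings: List[str] = []
    if prio.initial is None:
        findings.append("no initial keyword (e.g. SECURE256) before the modifiers")
    elif prio.initial not in INITIAL_KEYWORDS and not prio.initial.startswith("@"):
        findings.append(f"unknown initial keyword {prio.initial!r}")
    for kw in prio.enabled + prio.disabled:
        if kw.startswith("VERS-") and kw not in KNOWN_VERSIONS:
            findings.append(f"unknown protocol keyword {kw!r}")
    for kw in prio.bare:
        findings.append(f"token {kw!r} lacks a +/-/! prefix")
    swept = bool(ALL_SWITCHES & set(prio.disabled))
    for ver in LEGACY_VERSIONS:
        if ver in prio.enabled:
            findings.append(f"{ver} is explicitly enabled")
        elif ver not in prio.disabled and not swept:
            findings.append(f"{ver} is not explicitly disabled")
    return findings


if __name__ == "__main__":
    # The two strings from the thread: the corrected one and the original typo.
    for s in (
        "SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0",
        "SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:-VERS-DTLS1.1",
    ):
        print(s, "->", lint_priority(s) or "OK")
```

Feed it the literal value from smb.conf; an empty result means the string uses only defined version keywords and excludes SSLv3, TLS 1.0 and TLS 1.1. It is a static check on the string's shape only: whether a given GnuTLS build actually honours the resulting set is still decided by GnuTLS when Samba loads the configuration.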