[Samba] Change ciphers on samba

akarpinski akarpinski at efinity.com
Tue Oct 1 19:13:32 UTC 2019


Perfect!

Robert, Louis Thank You.

BTW.

DTLS1.1 doesn't exist, so with a small fix it should be:

tls priority = SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0

Arek

On 01.10.2019 17:45, L.P.H. van Belle via samba wrote:
> You are looking for something like this, I think?
>
> Enable TLS1.2 (and if supported TLS1.3) and allow AES128 and AES256.
> tls priority = SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:-VERS-DTLS1.1
>
> Greetz,
>
> Louis
>
>
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> Robert Marcano via samba
>> Verzonden: dinsdag 1 oktober 2019 17:28
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Change ciphers on samba
>>
>> On 10/1/19 8:52 AM, Arkadiusz Karpiński via samba wrote:
>>> On 01.10.2019 14:06, Rowland penny via samba wrote:
>>>> On 01/10/2019 12:51, Arkadiusz Karpiński wrote:
>>>>> On 30.09.2019 20:03, Rowland penny via samba wrote:
>>>>>> On 30/09/2019 18:06, akarpinski wrote:
>>>>>>> Samba version is 4.10.7
>>>>>>>
>>>>>>> smb.conf:
>>>>>>>
>>>>>>> # Global parameters
>>>>>>> [global]
>>>>>>>    netbios name = dc-1
>>>>>>>    realm = REALM
>>>>>>>    server role = active directory domain controller
>>>>>>>    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>>>>    workgroup = EFINITY
>>>>>>>    dns forwarder = 192.168.X.X 192.168.X.X
>>>>>>>    tls enabled = yes
>>>>>>>    tls keyfile = /usr/local/samba/private/tls/server.key
>>>>>>>    tls certfile = /usr/local/samba/private/tls/server.crt
>>>>>>>    tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>>>>>> I would take this up with whoever supplied your DC certificates,
>>>>>> they do not appear to be strong enough.
>>>>>>
>>>>>> Also, you appear to be using Bind9 as your dns server, so you don't need the 'dns forwarder' line; these should be in your named.conf file.
>>>>>> Rowland
>>>>>>
>>>>> I have an SSO certificate and I can only set RSA or ECDSA authentication in the certificate; the rest depends on client/server configuration. So what do you mean that the certificates are not strong enough?
>>>> You have this in your DC smb.conf:
>>>>
>>>>    tls keyfile = /usr/local/samba/private/tls/server.key
>>>>    tls certfile = /usr/local/samba/private/tls/server.crt
>>>>    tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>>>>
>>>> This means that you have supplied the certificates used by AD and if you are getting warnings about them, then you need to create certificates that will pass your tests.
>>>>
>>> But the certificate has nothing to do with ciphers. I would like to set strong ciphers between client and server, but the server must be forced to send a strong list of ciphers which will be used to communicate with the client. On samba3 that was possible in smb.conf but it's missing in the samba4 configuration.
>> Look at the "tls priority" Samba setting; it points to GnuTLS priority strings, which have options to specify the ciphers.
>>
>> https://gnutls.org/manual/html_node/Priority-Strings.html
>>
>>>>> Well, at this moment I don't need 'dns forwarder' at all. Previously I used dc-1/2 as my main DNS for AD clients, but now I switched back to my main DNS server and there I set a DNS forwarder for the domain "ad.realm" to the Samba DNS. So I will delete this, thx.
>>>>>
>>>> I would go back to what you were doing before; your clients should use the DC as their nameserver.
>>>>
>>>> Rowland
>>>>
>>>>
>>>>> Arek
>>>>>
>>>>>
>>>>>>
>>>>
>>
>>
>>
>
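Before putting a priority string into smb.conf it is worth letting GnuTLS itself report what the string enables, since a hand-written description of it can be wrong (as the DTLS1.1 correction above shows). The script below is an added example, not code from this thread or from the Samba project. It checks the VERS-* keywords in the string against the version keywords GnuTLS defines, lists the ciphersuites GnuTLS enables for it with gnutls-cli, confirms via testparm that Samba read the setting, and optionally tries to negotiate TLS 1.1 against the DC to confirm it is refused. It assumes gnutls-cli (gnutls-bin) and Samba's testparm are installed; the host name dc-1 and LDAPS port 636 are assumptions and not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a GnuTLS priority string
# before it goes into smb.conf as "tls priority". Host "dc-1" and port 636
# below are assumptions; pass your own DC as the first argument.

PRIORITY='SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0'

# Protocol version keywords GnuTLS defines (see the Priority Strings manual
# linked in the thread). There is no VERS-DTLS1.1.
KNOWN_VERS='VERS-SSL3.0 VERS-TLS1.0 VERS-TLS1.1 VERS-TLS1.2 VERS-TLS1.3 VERS-DTLS0.9 VERS-DTLS1.0 VERS-DTLS1.2 VERS-TLS-ALL VERS-DTLS-ALL VERS-ALL'

# Report every VERS-* keyword in $1 that GnuTLS does not define.
# Returns 0 when all version keywords are known, 1 otherwise.
check_version_keywords() {
    bad=0
    for tok in $(printf '%s' "$1" | tr ':' ' '); do
        kw=${tok#[-+!]}          # drop the leading +, - or ! modifier
        case $kw in
        VERS-*)
            case " $KNOWN_VERS " in
            *" $kw "*) ;;
            *) echo "unknown GnuTLS keyword: $kw" >&2; bad=1 ;;
            esac
            ;;
        esac
    done
    return $bad
}

# Ask GnuTLS which ciphersuites and protocol versions the string enables;
# this, not the comment next to the setting, is the authoritative answer.
list_enabled() {
    gnutls-cli --priority "$1" --list
}

# Try to negotiate a version the string is meant to exclude (default TLS 1.1)
# against the DC's LDAPS port. A successful handshake means the DC still
# accepts it, so the function returns 1 in that case.
probe_excluded_version() {
    host=$1; port=${2:-636}; vers=${3:-VERS-TLS1.1}
    if gnutls-cli --priority "NORMAL:-VERS-ALL:+$vers" --port "$port" "$host" </dev/null >/dev/null 2>&1; then
        echo "$host:$port still accepts $vers" >&2
        return 1
    fi
    echo "$host:$port rejects $vers"
}

check_version_keywords "$PRIORITY" || exit 1
if command -v gnutls-cli >/dev/null 2>&1; then
    list_enabled "$PRIORITY"
fi
if command -v testparm >/dev/null 2>&1; then
    # Confirm Samba parsed the setting (testparm -v also prints defaults).
    testparm -sv 2>/dev/null | grep -i 'tls priority' || true
fi
if [ -n "${1:-}" ] && command -v gnutls-cli >/dev/null 2>&1; then
    probe_excluded_version "$1" 636 VERS-TLS1.1
fi
```

Run it as `sh check_tls_priority.sh dc-1` after restarting Samba with the new setting. One caveat on the probe: if the client machine's own GnuTLS build or system crypto policy already refuses TLS 1.1, the handshake fails locally and the probe reports "rejects" regardless of what the DC would accept, so read the `--list` output and, where possible, probe from a client that can still offer the old version.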


