[Samba] TLS questions
L.P.H. van Belle
belle at bazuin.nl
Mon Sep 2 12:59:06 UTC 2019
> A quick read of the FreeNAS forum finds that they do use 'net ads join'
> with Kerberos, so why do they need the certificates? Do you want to ask
> them, or shall I?
smb.conf: ldap server require strong auth
If you set: allow_sasl_over_tls
you need certs for the TLS.
If you want to use the Samba AD DC certs:
in a one-DC setup, you most probably have a self-generated certificate.
Then you can use the root CA from Samba (found in /var/lib/samba/private/tls).
But remember: CVE-2016-2112 (Samba) behaviour changes:
Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
default of "client ldap sasl wrapping = sign". Even with
"client ldap sasl wrapping = plain" they will automatically upgrade
to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
Therefore I say, set up SSL certificates or use the self-generated ones (and be MITM vulnerable).
Therefore I say, always set up your certificates; in the long run it will help you out.
I use XCA : https://hohnstaedt.de/xca/
More information about the samba
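As an added example (not part of the mail above or of Samba itself), a small checker for the smb.conf settings discussed in the thread: it flags `ldap server require strong auth = allow_sasl_over_tls` without explicitly configured TLS key/cert/CA files (the case where Samba falls back to its self-generated certificate), `client ldap sasl wrapping = plain`, and strong auth turned off. The two smb.conf fragments and the file paths in them are constructed for the example.

```python
import configparser

# Constructed smb.conf fragments (not from the original post): the first
# mirrors the weak settings the thread discusses, the second the hardened form.
WEAK_CONF = """
[global]
realm = EXAMPLE.LAN
server role = active directory domain controller
ldap server require strong auth = allow_sasl_over_tls
client ldap sasl wrapping = plain
"""

HARDENED_CONF = """
[global]
realm = EXAMPLE.LAN
server role = active directory domain controller
ldap server require strong auth = yes
client ldap sasl wrapping = sign
tls enabled = yes
tls keyfile = /etc/samba/tls/dc1.key.pem
tls certfile = /etc/samba/tls/dc1.cert.pem
tls cafile = /etc/samba/tls/ca.pem
"""


def parse_global(text):
    """Return the [global] section of an smb.conf as a dict with lowercase keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {k.strip().lower(): v.strip() for k, v in cp.items("global")}


def audit_ldap_tls(conf):
    """Return (code, message) findings for the LDAP/TLS settings from the post."""
    findings = []
    # Samba's defaults since the CVE-2016-2112 fix are "yes" and "sign".
    strong = conf.get("ldap server require strong auth", "yes").lower()
    wrapping = conf.get("client ldap sasl wrapping", "sign").lower()
    tls_on = conf.get("tls enabled", "yes").lower() in ("yes", "true", "1")
    explicit_certs = all(conf.get(k) for k in ("tls keyfile", "tls certfile", "tls cafile"))
    if strong == "no":
        findings.append(("no-strong-auth", "simple binds are accepted over plain LDAP"))
    if strong == "allow_sasl_over_tls" and not tls_on:
        findings.append(("tls-disabled", "allow_sasl_over_tls needs tls enabled = yes"))
    if strong == "allow_sasl_over_tls" and tls_on and not explicit_certs:
        findings.append(("self-generated-tls", "no tls keyfile/certfile/cafile set: Samba "
                         "uses its self-generated certificate; distribute its CA or issue real certs"))
    if wrapping == "plain":
        findings.append(("plain-wrapping", "tools upgrade to sign anyway; set sign or seal explicitly"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ldap_tls(parse_global(text)) or "OK")
```

Run it against `testparm -s` output to check a real DC's effective settings rather than the constructed fragments.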