[Samba] TLS questions

L.P.H. van Belle belle at bazuin.nl
Mon Sep 2 12:59:06 UTC 2019


> A quick read of the FreeNAS forum finds that they do use 'net ads join'
> with Kerberos, so why do they need the certificates? Do you want to ask
> them, or shall I?
> 

smb.conf: ldap server require strong auth 
If you set: allow_sasl_over_tls 
you need certs for the TLS. 

If you want to use the Samba AD-DC certs: 
in a ONE DC setup, you most probably have a self-generated certificate. 
Then you can use the root CA from Samba (found in /var/lib/samba/private/tls ). 

But remember: CVE-2016-2112 (samba) Behavior changes
================

  Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
  default of "client ldap sasl wrapping = sign". Even with
  "client ldap sasl wrapping = plain" they will automatically upgrade
  to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
  server.

Therefore I say, set up SSL certificates or use the self-generated one (and be MITM vulnerable).

Therefore I say, always set up your certificates; in the long run it will help you out. 
I use XCA: https://hohnstaedt.de/xca/ 


Greetz, 

Louis
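As an added illustration (not taken from Louis's mail or from the Samba project's own files), an smb.conf fragment showing the DC-side "ldap server require strong auth" setting next to the TLS parameters it depends on, plus the client-side wrapping and peer-verification options the CVE note is about; the certificate paths are assumed placeholders.

```ini
# Added example: DC side of smb.conf (certificate paths are assumed placeholders).
[global]
    # Weakest: accept unprotected simple/SASL binds over plain LDAP.
    # ldap server require strong auth = no

    # Default since the CVE-2016-2112 fix: every bind must sign or seal.
    # ldap server require strong auth = yes

    # Middle ground from the mail: plain SASL binds are accepted only
    # over TLS (LDAPS / StartTLS), which is why the DC needs usable certs.
    ldap server require strong auth = allow_sasl_over_tls

    tls enabled  = yes
    # A self-generated certificate works here, but clients cannot tell the
    # real DC from a man-in-the-middle presenting its own self-signed cert.
    # Point these at a key/cert issued by your own CA (e.g. managed with XCA).
    tls keyfile  = /var/lib/samba/private/tls/key.pem
    tls certfile = /var/lib/samba/private/tls/cert.pem
    tls cafile   = /var/lib/samba/private/tls/ca.pem

# Added example: smb.conf on a domain member / admin workstation.
[global]
    # "plain" is upgraded to "sign" automatically when the DC answers with
    # LDAP_STRONG_AUTH_REQUIRED; setting it explicitly avoids the surprise.
    client ldap sasl wrapping = sign

    # Verification of the DC certificate against your CA; without the CA
    # file from the DC (or your own CA) in "tls cafile" this fails closed
    # rather than silently trusting an unknown certificate.
    tls verify peer = as_strict_as_possible
    tls cafile      = /etc/samba/tls/ca.pem
```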
