Re: [Samba] Samba Share - security considerations
- Date: Fri, 4 May 2018 10:07:06 -0700
- From: Kris Lou via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Samba Share - security considerations
From a recent thread:
On Tue, 2018-05-01 at 16:44 +0200, Lapin Blanc via samba wrote:
> Hi, I don't know if this is the right place for this kind of questions,
> I'm sorry if that's not the case.
> I have a work to present for school for which I need to understand the
> authentication processes in
> samba 4 latest versions (ie >= 4.7). More precisely, about the protocols
> involved (ldap, ldaps,
> kerberos, others ?), encryption types, etc.
> Googling for documentation, I found a lot of information, but many of
> are outdated, especially
> concerning the general architecture of samba (now integrating most of
> services needed).
> I found Andrew Bartlett thesis there and read it eagerly :
> https://www.samba.org/samba/news/articles/abartlet_thesis.pdf
> What I would like to find is something approaching, but kind of
> updated...
> Any pointer would be welcome...
> I'm preparing this for a customer:
> It might help you with what you need. Feedback most certainly welcome!
> Andrew Bartlett
On Fri, May 4, 2018 at 8:55 AM, Rowland Penny via samba <
> On Fri, 4 May 2018 12:12:55 -0300
> Edouard Guigné via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > Dear Samba Users,
> > I configured a samba share on a linux centos 7 server as server
> > member of an Active Directory Domain.
> > I used posix extended unix attributes in AD for permissions on the
> > Samba share.
> > Winbind and SSSD are also installed for the mapping of unix attributes.
> Why, you only need one of them and depending what comes after files (or
> compat) on the 'passwd' line in /etc/nsswitch.conf, that is the one
> that will be used
> > My question is more about security.
> > The linux server is using kerberos to dial with AD server (SSSD + Krb
> > pam etc.).
> > I supposed that communication between Samba linux server and AD
> > server is secure.
> > What about the communication between a Windows client and the Samba
> > Server ? The Windows clients are part of AD domain. When a user logs
> > in a Windows client, how does the authentication work against the
> > Samba linux server ? Does a Windows client send login/passwd to the
> > Samba Server to mount the share ?
> > If yes, is the communication between Windows client and server
> > encrypted and secure ? Quid of Kerberos ?
> If you are using 'winbind', then, yes, it will be secure, no idea about
> SSSD, it has nothing to do with Samba, you could try asking on the
> sssd-mailing list
> > Can we force the choice of cyphers somewhere ?
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
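
The ordering point made above about the 'passwd' line in /etc/nsswitch.conf can be checked with a short script. This is an added example, not part of the original thread: the function names are hypothetical, the sample file is constructed, and it relies on glibc trying the listed sources left to right.

```sh
#!/bin/sh
# Added example (not from the thread): which AD identity source does glibc
# consult first for user lookups? Function names are hypothetical.

# passwd_sources FILE: print the sources on the 'passwd' line, one per line,
# after dropping comments and [STATUS=action] items.
passwd_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$1" |
        awk '$1 == "passwd:" { for (i = 2; i <= NF; i++) print $i; exit }'
}

# first_ad_source FILE: print "winbind", "sss" or "none", whichever of the
# two comes first on the passwd line (sources are tried left to right).
first_ad_source() {
    for src in $(passwd_sources "$1"); do
        case "$src" in
            winbind|sss) echo "$src"; return 0 ;;
        esac
    done
    echo none
}

# both_configured FILE: succeed when winbind and sss are both listed.
both_configured() {
    srcs=" $(passwd_sources "$1" | tr '\n' ' ')"
    case "$srcs" in *" winbind "*) ;; *) return 1 ;; esac
    case "$srcs" in *" sss "*) ;; *) return 1 ;; esac
    return 0
}

# Constructed sample input, standing in for /etc/nsswitch.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwd:     files sss winbind   # both back ends listed, sss first
group:      files sss winbind
shadow:     files
EOF

echo "first AD source on passwd line: $(first_ad_source "$sample")"
if both_configured "$sample"; then
    echo "note: both winbind and sss are listed; only one is needed"
fi
rm -f "$sample"
```

To check a real host, pass /etc/nsswitch.conf to the functions instead of the sample file.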