Web lists-archives.com

Re: [Samba] Samba Share - security considerations




>From a recent thread:
https://lists.samba.org/archive/samba/2018-May/215273.html

On Tue, 2018-05-01 at 16:44 +0200, Lapin Blanc via samba wrote:
> >
> * Hi, I don't know if this is the right place for this kind of questions,
> and*>
> * I'm sorry if that's not the case.*>
> * I have a work to present for school for which I need to understand the*>
> * authentication processes in*>
> * samba 4 latest versions (ie >= 4.7). More precisely, about the protocols*
> >
> * involved (ldap, ldaps,*>
> * kerberos, others ?), encryption types, etc.*>
> * Googling for documentation, I found a lot of informations, but many of
> them*>
> * are outdated, especially*>
> * concerning the general architecture of samba (now integrating most of
> the*>
> * services needed).*>
> * I found Andrew Bartlett thesis there and read it eagerly :*>
> * https://www.samba.org/samba/news/articles/abartlet_thesis.pdf
> <https://www.samba.org/samba/news/articles/abartlet_thesis.pdf>*>
> * What I would like to find is something approaching, but kind of
> updated...*>* Any pointer would be welcome...*
> I'm preparing this for a customer:
> https://gitlab.com/catalyst-samba/samba-docs/wikis/home
> It might help you with what you need. Feedback most certainly welcome!
> Andrew Bartlett




Kris Lou
klou@xxxxxxxxxxxxxxxx

On Fri, May 4, 2018 at 8:55 AM, Rowland Penny via samba <
samba@xxxxxxxxxxxxxxx> wrote:

> On Fri, 4 May 2018 12:12:55 -0300
> Edouard Guigné via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
> > Dear Samba Users,
> >
> > I configured a samba share on a linux centos 7 server as server
> > member of an Active Directory Domain.
> >
> > I used posix extended unix attributes in AD for permissions on the
> > Samba share.
> > Winbind and SSSD are also installed for the mapping of unix attibutes.
>
> Why, you only need one of them and depending what comes after files (or
> compat) on the 'passwd' line in /etc/nsswitch.conf, that is the one
> that will be used
>
> >
> > My question is more about security.
> > The linux server is using kerberos to dial with AD server (SSSD + Krb
> > pam etc.).
> > I supposed that communication between Samba linux server and AD
> > server is secure.
> >
> > What about the communication between a Windows client and the Samba
> > Server ? The Windows clients are part of AD domain. When a user logs
> > in a Windows client, how does the authentication works against the
> > Samba linux server ? Does a Windows client send login/passwd to the
> > Samba Server to mount the share ?
> > If yes, is the communication between Windows client and server
> > encrypted and secure ? Quid of Kerberos ?
>
> If you are using 'winbind', then, yes, it will be secure, no idea about
> SSSD, it has nothing to do with Samba, you could try asking on the
> sssd-mailing list
>
> > Can we force the choice of cyphers somewhere ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba