
Re: [Samba] TLS ca/cert/key creation

RPvs> On Tue, 1 Jan 2019 10:35:17 -0800
RPvs> Gregory Sloop via samba <samba@xxxxxxxxxxxxxxx> wrote:

>> I'm working to put up a production FreeNAS box tied to Samba/AD for
>> authentication for users connecting to the FreeNAS share(s). In
>> joining FreeNAS to the AD domain, one immediately runs into
>> "problems" with TLS/encryption.

RPvs> I do not know why, by default you will be using NTLM for authentication.

The user and group queries, as best I can tell, from the FreeNAS box are occurring via LDAP.
And the samba default, at least with the package provided with Ubuntu 18.04, requires TLS for LDAP.

I haven't captured the wire yet, but here's how I guess it's happening. [FreeNAS is running Samba itself.]
It joins the AD domain.

Authentication between the users and FreeNAS is Kerberos.
Lookups of users and groups against the DCs are occurring via LDAP.

In any case, I *know* that if I set FreeNAS to not use TLS and also set
"ldap server require strong auth = no"
in the AD servers' smb.conf files - the FreeNAS box can join the domain, and query users/groups from the DCs.

So, I think we can pretty safely conclude that some LDAP communication is occurring and that it's not all via Kerberos, and thus we'll have to set up TLS.

>> Samba, in the defaults requires TLS. 

RPvs> No it doesn't, you can easily connect to shares without it (after you
RPvs> have authenticated via NTLM)

Ok, perhaps I should have been more clear. LDAP communication requires TLS by default. [Certainly it does with my distro's version (Ubuntu 18.04) - but I think this is true of any recent version.]

>> I could disable TLS security in
>> Samba, but that's probably not a great idea. So, I'll need a key/cert
>> for the FreeNAS box to do TLS with the Samba AD... And so I'm getting
>> ready to create the CA/certs/keys I need.

RPvs> If you do use SSL/TLS you will be using ldap, but you can use ldap
RPvs> without SSL/TLS

So, running LDAP without TLS...
Sure, you can do it. You can probably configure Samba to accept plain-text passwords, unencrypted, over the wire too.
I assume that LDAP requires TLS now, because not using TLS is a pretty severe security problem.

Am I missing something?

What kind of LDAP data is getting sent between a Samba domain member and a Samba DC? I'd assume it's fairly problematic to pass that in the clear - but frankly I don't know.

I have a more urgent question, but I'll put that in its own message, so it doesn't get lost in the clutter.
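The thread turns on one smb.conf parameter: setting "ldap server require strong auth = no" on the DCs makes the join work because the DC then accepts LDAP simple binds (password on the wire) without TLS. The script below is an added example for this archive page, not code from the thread or from the Samba project: it reads the [global] section of an smb.conf and reports when that parameter, or "tls enabled", has been turned off. Parameter names and their defaults ("yes" for both) are as documented in smb.conf(5); the two sample configurations are constructed for illustration, and the realm, workgroup and tls/*.pem paths in them are placeholders.

```python
"""Audit a Samba AD DC smb.conf for settings that let LDAP binds bypass TLS.

Added example; not Samba project code. Parameter names and defaults follow
smb.conf(5). The sample configurations below are constructed.
"""
import configparser
import re

# Constructed sample: the "make it work" configuration discussed in the thread.
WEAK_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    # lets domain members do LDAP simple binds without TLS
    ldap server require strong auth = no
"""

# Constructed sample: Samba's default behaviour, written out explicitly,
# with the CA/cert/key the thread is about to create (placeholder paths).
HARDENED_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    ldap server require strong auth = yes
    tls enabled = yes
    tls cafile = tls/ca.pem
    tls certfile = tls/cert.pem
    tls keyfile = tls/key.pem
"""

# Defaults per smb.conf(5), keyed by normalized parameter name.
SAMBA_DEFAULTS = {
    "ldapserverrequirestrongauth": "yes",
    "tlsenabled": "yes",
}


def normalize_param(name):
    """Samba ignores case and internal whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_global_section(text):
    """Return the [global] section as {normalized_name: value}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = normalize_param  # applied to every option name on read
    parser.read_string(text)
    if not parser.has_section("global"):
        return {}
    return {k: v.strip() for k, v in parser.items("global")}


def as_bool(value):
    """Samba boolean syntax: yes/true/1 are true, anything else is false."""
    return value.strip().lower() in ("yes", "true", "1")


def audit_ldap_transport(text):
    """Return a list of findings; an empty list means nothing weak was found."""
    conf = parse_global_section(text)
    findings = []

    strong = conf.get("ldapserverrequirestrongauth",
                      SAMBA_DEFAULTS["ldapserverrequirestrongauth"])
    if not as_bool(strong) and strong.lower() != "allow_sasl_over_tls":
        findings.append("ldap server require strong auth = no: "
                        "simple binds accepted without TLS")

    tls = conf.get("tlsenabled", SAMBA_DEFAULTS["tlsenabled"])
    if not as_bool(tls):
        findings.append("tls enabled = no: LDAP over TLS is unavailable")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_ldap_transport(conf) or ["ok"])
```

Run it against a DC's real /etc/samba/smb.conf by passing the file's contents to audit_ldap_transport(); an unset parameter is evaluated at its documented default, so a config that never mentions "ldap server require strong auth" is reported as clean, which matches the behaviour the thread describes (TLS required out of the box).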