
Re: [Samba] TLS ca/cert/key creation

On Wed, 2 Jan 2019 17:59:21 -0800
Gregory Sloop via samba <samba@xxxxxxxxxxxxxxx> wrote:

> 
> 
> RPvs> On Tue, 1 Jan 2019 10:35:17 -0800
> RPvs> Gregory Sloop via samba <samba@xxxxxxxxxxxxxxx> wrote:
> 
> >> I'm working to put up a production FreeNAS box tied to Samba/AD for
> >> authentication for users connecting to the FreeNAS share(s). In
> >> joining FreeNAS to the AD domain, one immediately runs into
> >> "problems" with TLS/encryption.
> 
> RPvs> I do not know why, by default you will be using NTLM for
> RPvs> authentication.
> 
> The user and group queries, as best I can tell, from the FreeNAS box
> are occurring via LDAP. 

No, they are not, well, not unless FreeNAS is doing something strange.
Try reading this:

https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-ntlm

> And the Samba default, at least with the
> package provided with Ubuntu 18.04, requires TLS for LDAP.

Yes, but LDAP != NTLM

> 
> I haven't captured the wire yet, but here's how I guess it's
> happening. [FreeNAS is running Samba itself. ] It joins the AD domain.
> 
> Authentication between the users and FreeNAS is Kerberos.
> Lookups of users and groups against the DCs are occurring via LDAP.
> 
> In any case, I *know* that if I set FreeNAS to not use TLS and also
> set "ldap server require strong auth = no"
> in the AD servers' smb.conf's - the FreeNAS box can join the domain,
> and query users/groups from the DCs.
> 
> So, I think we can pretty safely conclude that some LDAP
> communication is occurring and that it's not all via Kerberos, and
> thus we'll have to set up TLS.

You only need TLS for LDAP, but Kerberos is even more secure.

> 
> 
> >> Samba, in the defaults requires TLS. 
> 
> RPvs> No it doesn't, you can easily connect to shares without it
> RPvs> (after you have authenticated via NTLM)
> 
> Ok, perhaps I should have been more clear. LDAP communication
> requires TLS by default. [Certainly it does with my distro's version
> (Ubuntu 18.04) - but I think this is true of any recent version.]

LDAP defaults to port 389, i.e. it doesn't use a certificate.

> 
> >> I could disable TLS security in
> >> Samba, but that's probably not a great idea. So, I'll need a
> >> key/cert for the FreeNAS box to do TLS with the Samba AD... And so
> >> I'm getting ready to create the CA/certs/keys I need.
> 
> RPvs> If you do use SSL/TLS you will be using ldap, but you can use
> RPvs> ldap without SSL/TLS

What, even against a webserver?

> 
> So, running LDAP without TLS...
> Sure you can do it. You can probably configure Samba to accept
> plain-text passwords, unencrypted, over the wire too. I assume that
> LDAP requires TLS now, because not using TLS is a pretty severe
> security problem.

Cannot argue with that, but using TLS is not the default; you have to
configure the DC and clients to use it.

Rowland


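The parameter Gregory relaxed to make the join work, "ldap server require strong auth = no", is the one a DC administrator should audit for afterwards, since with it set to no the DC accepts LDAP simple binds on the plain port 389 discussed above. What follows is an added example, not code from this thread or from the Samba project: a small Python audit that parses the [global] section of an smb.conf and reports when that parameter has been weakened from its default of yes, or when "tls enabled" has been switched off. The parameter names, their accepted values and their defaults are Samba's; the two sample configurations are constructed for the example and the function names are my own.

```python
"""Audit a Samba AD DC smb.conf for weakened LDAP authentication settings.

Added example (not from the mailing-list thread or the Samba project).
Both smb.conf texts below are constructed samples.
"""
import configparser
import re

# Constructed sample: the weakened setting from the thread.
WEAK_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    ldap server require strong auth = no
    tls enabled = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No
"""

# Constructed sample: the same DC with the parameter back at Samba's default.
HARDENED_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    ldap server require strong auth = yes
    tls enabled = yes
    tls keyfile = tls/key.pem
    tls certfile = tls/cert.pem
    tls cafile = tls/ca.pem
"""

# Samba's own defaults for the two parameters this audit looks at.
DEFAULTS = {
    "ldapserverrequirestrongauth": "yes",
    "tlsenabled": "yes",
}

# Meaning of each accepted value of "ldap server require strong auth".
STRONG_AUTH_LEVELS = {
    "yes": "simple and unsigned SASL binds refused unless the connection is TLS-protected",
    "allow_sasl_over_tls": "unsigned SASL binds tolerated once the connection is TLS-protected",
    "no": "simple binds accepted on cleartext LDAP (password crosses the wire unprotected)",
}


def _normalise(name):
    # Samba matches parameter names case-insensitively and ignores internal
    # whitespace, so "LDAP Server Require Strong Auth" is the same key as
    # "ldapserverrequirestrongauth".
    return re.sub(r"\s+", "", name).lower()


def parse_global(text):
    """Return the [global] section as {normalised parameter: value}."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      comment_prefixes=("#", ";"))
    cp.optionxform = _normalise
    cp.read_string(text)
    if not cp.has_section("global"):
        return {}
    return {k: v.strip() for k, v in cp.items("global")}


def audit_ldap_auth(text):
    """Return a list of (parameter, effective value) pairs that weaken LDAP auth.

    A parameter that is absent from smb.conf takes Samba's default, so an
    smb.conf that never mentions either parameter produces no findings.
    """
    g = parse_global(text)
    findings = []

    strong = g.get("ldapserverrequirestrongauth",
                   DEFAULTS["ldapserverrequirestrongauth"]).lower()
    if strong != "yes":
        findings.append(("ldap server require strong auth", strong))

    tls = g.get("tlsenabled", DEFAULTS["tlsenabled"]).lower()
    if tls not in ("yes", "true", "1"):
        findings.append(("tls enabled", tls))

    return findings


def describe(text):
    """Human-readable report for one smb.conf text."""
    lines = []
    for param, value in audit_ldap_auth(text):
        detail = STRONG_AUTH_LEVELS.get(value, "") if "strong auth" in param else \
            "LDAPS/StartTLS will not be offered"
        lines.append("%s = %s: %s" % (param, value, detail))
    return lines or ["no weakened LDAP authentication settings found"]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print("[%s]" % label)
        for line in describe(conf):
            print("  " + line)
```

Run against a live DC's /etc/samba/smb.conf (or wherever the distro keeps it) the audit flags exactly the change made in the thread; pair it with `testparm -s`, which prints the effective value of every parameter after Samba's own parsing, to confirm what the running daemon actually uses.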