[Samba] Possible incorrect file permissions in documentation for setting up Samba with LDAP(S)?

Hi All,

This Samba release changelog (https://wiki.samba.org/index.php/Updating_Samba#Incorrect_TLS_File_Permissions) specifically mentions a security issue and that the multiple *.pem files needed for LDAP via TLS all need "special permissions" - and mentions to delete old files without the required permissions to force file renewal.

Yet in the official Samba documentation for setting up LDAPS here (https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC) it says only to set these special permissions on ONE of the generated certificate *.pem files - the private key file. Is this definitely correct? Should we not set root owner on the additional cert.pem and ca.pem too?

I ask because I wanted to flag this. It seems like a contradiction and I am concerned this might lead to insecure-by-default setups...

Stephen Ellwood

