Re: [Samba] Possible incorrect file permissions in documentation for setting up Samba with LDAP(S)?




Louis, it obviously took you some time to write that and it's extremely helpful.

Thanks Again

Stephen Ellwood

On 09/04/2019 13:14, L.P.H. van Belle via samba wrote:
Hai,

Please note, this is how I set things up, which is not related to the Samba wiki.

This is what I currently see on my DC; these were created in 2015 and I'm NOT using these.
/var/lib/samba/private/tls# ls -al
total 20
drwx------ 2 root root 4096 Apr 28  2015 .
drwxr-xr-x 7 root root 4096 Apr  9 13:06 ..
-rw-r--r-- 1 root root  997 Apr 28  2015 ca.pem
-rw-r--r-- 1 root root  997 Apr 28  2015 cert.pem
-rw------- 1 root root  887 Apr 28  2015 key.pem
In the above setup I would change this to:
-rw-r--r-- 1 root root  997 Apr 28  2015 ca.pem
-rw-r--r-- 1 root root  997 Apr 28  2015 cert.pem
-r--r----- 1 root root  887 Apr 28  2015 key.pem	( or 640 or 400 ).


Now, since I'm not using the above, this assumes you run your own root CA
and you are not using automatically generated certs.

Which is, in an AD DC, in my personal opinion, not good; yes, it works fine if you use only 1 DC.
With multiple DCs, you should really think of setting up your own CA.

So here you go, a "possible" setup for your SSL cert if you use your own CA.

A handy tool: https://hohnstaedt.de/xca/ , which I personally use.
Difficult? Naah.. See: https://hohnstaedt.de/xca/index.php/documentation/
Or create the CA yourself with openssl. Or TinyCA, etc.; lots of options here.


My current layout.

ls -al /etc/ssl/
total 84
drwxr-xr-x   9 root root      4096 Mar 14 16:15 .
drwxr-xr-x 112 root root     12288 Apr  9 09:46 ..
drwxr-xr-x   2 root root     28672 Mar 14 16:13 certs
drwxr-x---   2 root root      4096 Mar 14 14:32 csr
-rw-r--r--   1 root root     10771 Jun  5  2017 openssl.cnf
drwx--x---   2 root ssl-cert  4096 Mar 14 16:17 private		<< Note the 710 chmod here.!

The files in "private" are the key files; these have 640.
The services like samba (user root), or let's say apache (user www-data), squid proxy (user proxy),
which are using the key files are members of the ssl-cert group.

Now adding this in samba.

         tls enabled = yes
         tls keyfile = /etc/ssl/private/DC1.key.pem
         tls certfile = /etc/ssl/certs/DC1.cert.pem
         tls cafile = /etc/ssl/certs/ca-certificates.crt
	  # or define only the CAFILE needed for the DC cert and not the bundle ca-certificates.crt.
	  # for the bundle file, see :

Adding LDAP (client support) ldap.conf


BASE    dc=your,dc=domain,dc=tld
URI     ldaps://dc1.your.domain.tld ldaps://dc2.your.domain.tld

# note, I have a separated OU for my service accounts. ( OU=Srv-Acc )
# su-service stands for 'ServiceUser'-'the_service_its_used_for', so it's easy to identify.
BIND_DN = CN=su-ldap,OU=Srv-Acc,DC=your,DC=domain,DC=tld
BIND_PW = yourpass

TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

And now you can deploy your root CA.
Open the Group Policy Management Console.
1 Select a GPO to edit, or create a new GPO to deploy the certificate.
2 Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities
3 Right-click on Trusted Root Certification Authorities and select Import.
4 Click Next.
5 Select the root certificate and click Next.
6 Verify that the certificate is being placed into the Trusted Root Certification Authorities certificate store and click Next.
7 Review the settings and click Finish.

Now for all of the above, you can change/adjust the paths, or use an extra group to protect your key files.

I hope this helped a bit.


Greetz,

Louis



-----Original message-----
From: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] On behalf of Stephen via samba
Sent: Tuesday 9 April 2019 12:54
To: samba@xxxxxxxxxxxxxxx
Subject: [Samba] Possible incorrect file permissions in documentation for setting up Samba with LDAP(S)?

Hi All,

This Samba release changelog
(https://wiki.samba.org/index.php/Updating_Samba#Incorrect_TLS_File_Permissions)
specifically mentions a security issue and that the multiple *.pem
files needed for LDAP via TLS all need "special permissions" - and
mentions to delete old files without the required permissions to force
file renewal.

Yet in the official Samba documentation for setting up LDAPS here
(https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC)
it says only to set these special permissions on ONE of the generated
certificate *.pem files - the private key file. Is this definitely
correct? Should we not set root owner on the additional cert.pem and
ca.pem too?

I ask because I wanted to flag this. It seems like a contradiction and I
am concerned this might lead to insecure by default setups...

Thanks
Stephen Ellwood



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
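An added example, not from this thread and not part of Samba or OpenLDAP: a small POSIX shell audit that checks the two things Louis's layout relies on, namely that a TLS private key is readable only by root (plus, at most, read access for one key group such as ssl-cert), and that ldap.conf actually demands a valid server certificate. It assumes a GNU or busybox `stat` that understands `-c '%a %U %G'`; the paths in the usage comment (`/etc/ssl/private/DC1.key.pem` from the thread, `/etc/ldap/ldap.conf` as the usual Debian location) are assumptions, and the script works on whatever paths it is given.

```shell
#!/bin/sh
# Added audit helper (not from the thread or from Samba/OpenLDAP).
# Assumes GNU/busybox stat for the '-c' format option.

# check_key_perms FILE [ALLOWED_GROUP] [EXPECTED_OWNER]
# Returns 0 if FILE is owned by EXPECTED_OWNER (default root), has no
# permission bits for "other", and grants the group at most read access,
# and only when that group is ALLOWED_GROUP (default ssl-cert).
check_key_perms() {
    file=$1
    allowed_group=${2:-ssl-cert}
    expected_owner=${3:-root}

    if [ ! -f "$file" ]; then
        echo "$file: missing" >&2
        return 1
    fi

    # Octal mode, owner name, group name.
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1 owner=$2 group=$3

    # Keep the low three octal digits (strip a leading setuid/setgid/sticky digit).
    case $mode in
        ????) mode=${mode#?} ;;
    esac
    other=${mode#??}              # permission digit for "other"
    grp=${mode%?}; grp=${grp#?}   # permission digit for the group

    if [ "$owner" != "$expected_owner" ]; then
        echo "$file: owner is $owner, expected $expected_owner" >&2; return 1
    fi
    if [ "$other" != 0 ]; then
        echo "$file: world-accessible (mode $mode)" >&2; return 1
    fi
    if [ "$grp" != 0 ]; then
        if [ "$group" != "$allowed_group" ]; then
            echo "$file: group $group has access (mode $mode); only $allowed_group should" >&2; return 1
        fi
        if [ "$grp" != 4 ]; then
            echo "$file: group $group may write or execute (mode $mode); use 640 or 440" >&2; return 1
        fi
    fi
    return 0
}

# check_ldap_reqcert CONF
# Returns 0 when the last TLS_REQCERT line in CONF is "demand" or "hard"
# (or when it is absent, since libldap's default is demand), 1 otherwise.
check_ldap_reqcert() {
    conf=$1
    level=$(sed -n 's/^[[:space:]]*TLS_REQCERT[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$conf" \
            | tail -n 1 | tr 'A-Z' 'a-z')
    case $level in
        demand|hard) return 0 ;;
        '') echo "$conf: TLS_REQCERT not set; libldap defaults to demand" >&2; return 0 ;;
        *)  echo "$conf: TLS_REQCERT $level does not require a valid server certificate" >&2
            return 1 ;;
    esac
}

# Stand-alone use (paths assumed, following the thread's layout):
#   sh tls-audit.sh /etc/ssl/private/DC1.key.pem /etc/ldap/ldap.conf
if [ "$#" -ge 1 ]; then
    check_key_perms "$1" && echo "$1: key permissions ok"
fi
if [ "$#" -ge 2 ]; then
    check_ldap_reqcert "$2" && echo "$2: TLS_REQCERT ok"
fi
```

Run against the 2015 listing in Louis's message, `key.pem` at 644 is reported as world-accessible, while his 640 root:ssl-cert layout passes. The second check flags the `TLS_REQCERT allow` line in his ldap.conf: with `allow`, libldap still connects when the server certificate is missing or fails verification, so the CA you deploy by GPO only protects LDAP clients that use `demand` (or `hard`).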