>what about some vpn tunnels between your local and remote networks? (perhaps you already have this) if you're considering using samba over the internet, it seems like site-to-site or vpn would serve you best in terms of security. that's what i do with my remote offices.

It's what we have for now, a vpn that allows distant users to have a subnetwork address and access an http server with teamwork on it. For now the file server is located on a wired insulated lan (we use an RJ45 switch) to be sure nobody can get into it. Now we want distant users to log into the file server, with security as strong as switching manually onto this physical subnet; that's where ssl encryption comes into play, with certificates and rsa keys. It's a proof of security for us.

Anthony Messina wrote:

romain BOTTAN wrote:

thank you for your answer,
I will discuss with my team of active directory, kerberos and pkinit today.

I think you understood our problem in the main facts, we have windowsXP clients (sp2, all fixes) and linux clients (debian, ubuntu and other debian-like ones).

The main security problem is linked to the data stored on the file server and the crossing of an open network (worldwide intranet) to connect our distant agencies.

I think we're going to put, as you propose, an ssl tunnel controlled by a small openvpn server or ssltunnel with good control of certificate validity. The advantage of this solution is that we have lots of clients that implement certificates much better than the 802.1X API in windows implements it.


But the problem with this, as you said, is that samba will not deal with it, and we're going to ask our customers to remember another login/pass...




Andrew Bartlett wrote:

On Tue, 2006-02-07 at 10:14 +0100, romain BOTTAN wrote:
Hello everybody,

I'll try to find out some info about Samba and a way to put in an x509 authentication method, but I don't find anything clear about it.



There are not many 'good' options to put x509 certificates into the
Samba authentication space, and it very much depends on the client and
domain environment.

Perhaps you are looking for an AD implementation, with PKINIT on
kerberos?  This is the only real solution for windows clients.

If you control the clients (say they run Linux), you could push all CIFS
connections via a SSL tunnel, but Samba wouldn't 'know' about this, so
would not actually authenticate the users as such.

Perhaps you need to explain what you are trying to do a bit more.

Andrew Bartlett


what about some vpn tunnels between your local and remote networks? (perhaps you already have this) if you're considering using samba over the internet, it seems like site-to-site or vpn would serve you best in terms of security. that's what i do with my remote offices.

