
On 09/15/2006 05:09 PM, Matt Herzog wrote:
> On Fri, Sep 15, 2006 at 04:32:13PM -0300, Felipe Augusto van de Wiel wrote:
>>>I have winbind working nicely with AD here. It took a while to 
>>>figure out but now AD user accounts can ssh into my Linux boxen
>>>reliably, which is really all I needed; just ssh access. But I
>>>want to make sure all the LDAP traffic is secured via TLS/SSL.
>>
>>      Ok, but this is not Samba's part of the job. :)
>>
>>      If Samba is not talking with your LDAP server, then this
>>parameter has no effect. You should do the TLS/SSL configurations
>>on your LDAP server. And you should use kerberos to have real
>>security in your smb network.
> 
> There is no pure LDAP server. There is only the Win2K server that does
> Microsoft's AD which (unless I am mistaken) is part LDAP, part Kerberos 
> and part SMB. The Kerberos part works fine. The ssh logins through AD
> work fine. The problem is that I'm connected on port

        Ahhhh... got it. So, you are using AD as an LDAP server.
Sorry, I can't help you further, I never did that setup. :-(
But 'ldap ssl' is the way to go. Perhaps you should change the
ldap port to force it to use another port. Maybe you should check
your ldap.conf.

[...]

>>      If it is a PEM with a private certificate, it shouldn't be
>>world readable.
> 
> OK, so what should the perms be? 0400?

        0400 is the best. But maybe you need a group with
read access, so 0440 will do the trick. Just take care of
the user:group configuration.


>>      Ok, it is a configuration of libldap and other software
>>that will use resources to query LDAP server. But AIUI you are
>>not using Samba to query LDAP, you are using winbind to do that,
>>and then, your question is a little bit off-topic here. ;)
> 
> Yes. I suppose you are right. I need to subscribe to an LDAP 
> list as well.

        :-)

        Kind regards,

-- 
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)