On 09/15/2006 05:09 PM, Matt Herzog wrote:
> On Fri, Sep 15, 2006 at 04:32:13PM -0300, Felipe Augusto van de Wiel wrote:
>>> I have winbind working nicely with AD here. It took a while to
>>> figure out but now AD user accounts can ssh into my Linux boxen
>>> reliably, which is really all I needed; just ssh access. But I
>>> want to make sure all the LDAP traffic is secured via TLS/SSL.
>>
>> Ok, but this is not Samba part of the job. :)
>>
>> If Samba is not talking with your LDAP server, then this
>> parameter has no effect. You should do the TLS/SSL configurations
>> on your LDAP server. And you should use kerberos to have real
>> security in your smb network.
>
> There is no pure LDAP server. There is only the Win2K server that does
> Microsoft's AD which (unless I am mistaken) is part LDAP, part Kerberos
> and part SMB. The Kerberos part works fine. The ssh logins through AD
> work fine. The problem is that I'm connected on port

Ahhhh... got it. So, you are using AD as an LDAP Server.
Sorry, I can't help you further, I never did that setup. :-(

But 'ldap ssl' is the way to go. Perhaps you should change the
ldap port to force it to use another port. Maybe you should check
your ldap.conf.

[...]

>> If it is a PEM with private certificate, shouldn't be
>> world readable.
>
> OK, so what should the perms be? 0400?

0400 is the best. But maybe you need a group with read access,
so 0440 will do the trick. Just take care of the user:group
configuration.

>> Ok, it is a configuration of libldap and other software
>> that will use resources to query LDAP server. But AIUI you are
>> not using Samba to query LDAP, you are using winbind to do that,
>> and then, your question is a little bit off-topic here. ;)
>
> Yes. I suppose you are right. I need to subscribe to an LDAP
> list as well.

:-)

Kind regards,

-- 
Felipe Augusto van de Wiel <[EMAIL PROTECTED]>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)
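
Added example, not part of the original message: a small audit of a PEM file against the modes discussed in the reply (0400, or 0440 when a group needs read access). The function names, the sample-file helper and the constructed PEM text are assumptions made for illustration.

```python
import os
import stat
import tempfile


def holds_private_key(path):
    """True if the PEM file carries a private key block (e.g. BEGIN RSA PRIVATE KEY)."""
    with open(path, "r", errors="replace") as fh:
        return any(l.startswith("-----BEGIN") and "PRIVATE KEY" in l for l in fh)


def audit_pem(path):
    """Return (ok, notes). ok is False when group or others get too much access."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if not holds_private_key(path):
        # Certificate-only PEM is public material; nothing to restrict.
        return True, ["no private key block; mode %04o not checked" % mode]
    ok, notes = True, []
    if mode & stat.S_IRWXO:
        ok = False
        notes.append("accessible by others: mode %04o" % mode)
    if mode & (stat.S_IWGRP | stat.S_IXGRP):
        ok = False
        notes.append("group has more than read access: mode %04o" % mode)
    if mode & stat.S_IRGRP:
        # 0440 case: the user:group ownership decides who can read the key.
        notes.append("group-readable: check that gid %d is the intended group" % st.st_gid)
    if mode & (stat.S_IWUSR | stat.S_IXUSR):
        notes.append("owner bits beyond read; 0400 is tighter")
    return ok, notes


def make_sample(mode, body):
    """Write a constructed PEM-like file with the given mode (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed placeholder text, not a real key.
    key = "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n"
    for m in (0o644, 0o440, 0o400):
        p = make_sample(m, key)
        print("%04o" % m, audit_pem(p))
        os.remove(p)
```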