Re: [Samba] samba + start tls

2006-09-18 Thread Felipe Augusto van de Wiel

On 09/15/2006 05:09 PM, Matt Herzog wrote:
 On Fri, Sep 15, 2006 at 04:32:13PM -0300, Felipe Augusto van de Wiel wrote:
I have winbind working nicely with AD here. It took a while to 
figure out but now AD user accounts can ssh into my Linux boxen
reliably, which is really all I needed; just ssh access. But I
want to make sure all the LDAP traffic is secured via TLS/SSL.

  Ok, but this is not Samba's part of the job. :)

  If Samba is not talking to your LDAP server, then this
parameter has no effect. You should do the TLS/SSL configuration
on your LDAP server. And you should use Kerberos to have real
security in your SMB network.
 
 There is no pure LDAP server. There is only the Win2K server that does
 Microsoft's AD which (unless I am mistaken) is part LDAP, part Kerberos 
 and part SMB. The Kerberos part works fine. The ssh logins through AD
 work fine. The problem is that I'm connected on port

Ah... got it. So, you are using AD as an LDAP server.
Sorry, I can't help you further, I never did that setup. :-(
But 'ldap ssl' is the way to go. Perhaps you should change the
ldap port to force it to use another port. Maybe you should check
your ldap.conf.

[...]

  If it is a PEM with a private certificate, it shouldn't be
world readable.
 
 OK, so what should the perms be? 0400?

0400 is the best. But maybe you need a group with
read access, so 0440 will do the trick. Just take care of
the user:group configuration.


  Ok, it is a configuration of libldap and other software
that will use resources to query the LDAP server. But AIUI you are
not using Samba to query LDAP, you are using winbind to do that,
and so your question is a little bit off-topic here. ;)
 
 Yes. I suppose you are right. I need to subscribe to an LDAP 
 list as well.

:-)

Kind regards,

--
Felipe Augusto van de Wiel [EMAIL PROTECTED]
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] samba + start tls

2006-09-15 Thread Felipe Augusto van de Wiel

On 09/13/2006 11:09 AM, aza zel wrote:
 hi people, i have problems with the samba option ldap ssl = start tls.
 where does samba look for the server's public key certificate? because when i try
 this option, i can't connect to samba shares, and i think it is because
 samba can't find the public key certificate to use.

The correct option is start_tls, but it is the default
option, you don't need to set this up. And the key server is not
related to Samba, this option just tells samba to use SSL when
talking to the LDAP server.


 Regards

Kind regards,

--
Felipe Augusto van de Wiel [EMAIL PROTECTED]
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)


Re: [Samba] samba + start tls

2006-09-15 Thread Matt Herzog
On Fri, Sep 15, 2006 at 11:34:04AM -0300, Felipe Augusto van de Wiel wrote:
 
   The correct option is start_tls, but it is the default
 option, you don't need to set this up. And the key server is not
 related to Samba, this option just tells samba to use SSL when
 talking to the LDAP server.

I have winbind working nicely with AD here. It took a while to figure out
but now AD user accounts can ssh into my Linux boxen reliably, which is really
all I needed; just ssh access. But I want to make sure all the LDAP traffic is
secured via TLS/SSL.

On my network if I run nmap on the Win2K AD server I see that port 636 is open.
So I generated a cert file on the Win2K server and converted it to a PEM
file (using openssl on Linux) and placed it in /etc/openldap/cacerts and made
sure it was world readable. My ldap.conf file looks like this:

#---
BASE dc=cinteractive, dc=com
URI ldaps://attu.binteractive.com:636
debug 256
logdir /var/log/ldap.errors
host BATTU
base BINTERACTIVE.COM
ssl yes
TLS_CACERT /etc/openldap/cacerts/battu.pem
pam_password md5
#

The ldap log file I set up is empty. Nothing ever gets written to it.

Every time I su to root on the Linux servers I see:

TLS certificate verification: Error, unable to get local issuer certificate
TLS: can't connect.

I'm not looking to run slapd on this server. LDAP and winbind are used only
to allow users to login via ssh with their AD credentials.



Re: [Samba] samba + start tls

2006-09-15 Thread Felipe Augusto van de Wiel

On 09/15/2006 12:24 PM, Matt Herzog wrote:
 On Fri, Sep 15, 2006 at 11:34:04AM -0300, Felipe Augusto van de Wiel wrote:
  The correct option is start_tls, but it is the default
option, you don't need to set this up. And the key server is not
related to Samba, this option just tells samba to use SSL when
talking to the LDAP server.
 
 I have winbind working nicely with AD here. It took a while to 
 figure out but now AD user accounts can ssh into my Linux boxen
 reliably, which is really all I needed; just ssh access. But I
 want to make sure all the LDAP traffic is secured via TLS/SSL.

Ok, but this is not Samba's part of the job. :)

If Samba is not talking to your LDAP server, then this
parameter has no effect. You should do the TLS/SSL configuration
on your LDAP server. And you should use Kerberos to have real
security in your SMB network.


 On my network if I run nmap on the Win2K AD server I see that 
 port 636 is open. So I generated a cert file on the Win2K
 server and converted it to a PEM file (using openssl on Linux)
 and placed it in /etc/openldap/cacerts and made sure
 it was world readable. My ldap.conf file looks like this:

If it is a PEM with a private certificate, it shouldn't be
world readable.


 #---
 BASE dc=cinteractive, dc=com
 URI ldaps://attu.binteractive.com:636
 debug 256
 logdir /var/log/ldap.errors
 host BATTU
 base BINTERACTIVE.COM
 ssl yes
 TLS_CACERT /etc/openldap/cacerts/battu.pem
 pam_password md5
 #
 
 The ldap log file I set up is empty. Nothing ever gets written to it.

Increase the log level on slapd.conf.


 Every time I su to root on the Linux servers I see:
 
 TLS certificate verification: Error, unable to get local issuer certificate
 TLS: can't connect.
 
 I'm not looking to run slapd on this server. LDAP and winbind are used only
 to allow users to login via ssh with their AD credentials.

Ok, it is a configuration of libldap and other software
that will use resources to query the LDAP server. But AIUI you are
not using Samba to query LDAP, you are using winbind to do that,
and so your question is a little bit off-topic here. ;)

Kind regards,

--
Felipe Augusto van de Wiel [EMAIL PROTECTED]
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)


Re: [Samba] samba + start tls

2006-09-15 Thread Matt Herzog
On Fri, Sep 15, 2006 at 04:32:13PM -0300, Felipe Augusto van de Wiel wrote:
 
  I have winbind working nicely with AD here. It took a while to 
  figure out but now AD user accounts can ssh into my Linux boxen
  reliably, which is really all I needed; just ssh access. But I
  want to make sure all the LDAP traffic is secured via TLS/SSL.
 
   Ok, but this is not Samba's part of the job. :)
 
   If Samba is not talking to your LDAP server, then this
 parameter has no effect. You should do the TLS/SSL configuration
 on your LDAP server. And you should use Kerberos to have real
 security in your SMB network.

There is no pure LDAP server. There is only the Win2K server that does
Microsoft's AD which (unless I am mistaken) is part LDAP, part Kerberos and
part SMB. The Kerberos part works fine. The ssh logins through AD work fine. The
problem is that I'm connected on port

[EMAIL PROTECTED] ~]# net ads info
LDAP server: 198.78.123.2
LDAP server name: battu
Realm: BINTERACTIVE.COM
Bind Path: dc=BINTERACTIVE,dc=COM
LDAP port: 389
Server time: Fri, 15 Sep 2006 15:53:49 GMT
KDC server: 198.78.123.2
Server time offset: 97


   If it is a PEM with a private certificate, it shouldn't be
 world readable.

OK, so what should the perms be? 0400?

   Ok, it is a configuration of libldap and other software
 that will use resources to query the LDAP server. But AIUI you are
 not using Samba to query LDAP, you are using winbind to do that,
 and so your question is a little bit off-topic here. ;)

Yes. I suppose you are right. I need to subscribe to an LDAP list as well.


-- 
Announcing your plans is a good way to hear the gods' laughter.
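As an added example (not code from this thread, from Samba or from OpenLDAP), a small Python linter for the ldap.conf points raised above: whether each URI's scheme agrees with its port (ldaps:// is TLS from the first byte on 636, while StartTLS, which is what Samba's `ldap ssl = start tls` means, upgrades a plain ldap:// session on 389, the port `net ads info` reports), which keywords libldap actually reads (the posted file mixes in pam_ldap/nss_ldap keys such as `ssl` and `pam_password`), and the 0400/0440 rule for a PEM that carries a private key. The caller passes the TLS_CACERT file's text and its `stat.S_IMODE` bits; the keyword subset and finding texts are this example's own.

```python
# Lint an ldap.conf TLS setup along the lines of the thread: URI scheme vs port,
# keywords libldap actually reads, and 0400/0440 for a PEM that holds a key.
# Hypothetical helper written for this thread, not Samba's or OpenLDAP's code.
import re
from urllib.parse import urlsplit

# ldap.conf keywords libldap reads (subset); pam_ldap/nss_ldap keys such as
# "ssl" or "pam_password" are not among them and do nothing for libldap.
LIBLDAP_KEYS = {"BASE", "URI", "HOST", "PORT", "TLS_CACERT", "TLS_CACERTDIR",
                "TLS_REQCERT", "TLS_CERT", "TLS_KEY", "DEREF", "SASL_MECH"}

def parse_ldap_conf(text):
    """Map KEYWORD -> value; keywords are case-insensitive in ldap.conf."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].upper()] = parts[1] if len(parts) > 1 else ""
    return conf

def check_uri(uri):
    """ldaps:// is TLS from the first byte (normally 636); StartTLS, which is
    what Samba's 'ldap ssl = start tls' means, upgrades plain ldap:// on 389."""
    findings = []
    for part in uri.split():
        u = urlsplit(part)
        port = u.port or (636 if u.scheme == "ldaps" else 389)
        if u.scheme == "ldaps" and port == 389:
            findings.append(f"{part}: TLS handshake aimed at the plain-LDAP port")
        elif u.scheme == "ldap" and port == 636:
            findings.append(f"{part}: cleartext LDAP aimed at the TLS-only port")
    return findings

def check_pem(pem_text, mode):
    """A CA certificate is public; a PEM that also carries a private key needs
    0400 (or 0440 when a trusted group must read it), as the thread advises."""
    kinds = re.findall(r"-----BEGIN ([A-Z ]+)-----", pem_text)
    findings = []
    if not any(k.endswith("CERTIFICATE") for k in kinds):
        findings.append("no CERTIFICATE block, is this really PEM?")
    if any("PRIVATE KEY" in k for k in kinds) and mode not in (0o400, 0o440):
        findings.append(f"private key present but mode is {mode:04o}")
    return findings

def lint(conf_text, pem_text, mode):
    conf = parse_ldap_conf(conf_text)
    findings = [f"{k}: not a libldap keyword (pam_ldap/nss_ldap option?)"
                for k in conf if k not in LIBLDAP_KEYS]
    findings += check_uri(conf.get("URI", ""))
    return findings + check_pem(pem_text, mode)
```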


Re: [Samba] samba + start tls

2006-09-14 Thread mitrohin a.s.
On Wed, Sep 13, 2006 at 11:09:17AM -0300, aza zel wrote:
 hi people, i have problems with the samba option ldap ssl = start tls.
 where does samba look for the server's public key certificate? because when i try
 this option, i can't connect to samba shares, and i think it is because
 samba can't find the public key certificate to use.
 
imho see ldap.conf(5) for the default functions of openldap.

/swp


[Samba] samba + start tls

2006-09-13 Thread aza zel

hi people, i have problems with the samba option ldap ssl = start tls.
where does samba look for the server's public key certificate? because when i try
this option, i can't connect to samba shares, and i think it is because
samba can't find the public key certificate to use.

Regards