I'm working to put up a production FreeNAS box tied to Samba/AD for authentication for users connecting to the FreeNAS share(s). In joining FreeNAS to the AD domain, one immediately runs into "problems" with TLS/encryption. Samba, in the defaults, requires TLS. I could disable TLS security in Samba, but that's probably not a great idea. So, I'll need a key/cert for the FreeNAS box to do TLS with the Samba AD... And so I'm getting ready to create the CA/certs/keys I need.

Let's not get lost in examining FreeNAS. I'm configuring FreeNAS using the regular control panel, and setting it up just as it would work against a "regular" Windows AD. And I know it works from a test-bed Samba setup - but not using TLS.

---
As an aside - I assume that needing to use TLS means that FreeNAS is talking to Samba via LDAP, and not Kerberos? Because my limited understanding was that Kerberos is secure without wrapping in TLS, but LDAP isn't. So, if we were using Kerberos, there'd be no need of TLS. But since we're using TLS, we must be using LDAP, and thus the need to secure the LDAP channel with CA/Cert/Key.

But perhaps I don't grok that properly...

Someone is welcome to put me straight, if I've misunderstood something - but let's, also, not get too caught up in that side discussion. The real crux of my question follows. [A pointer to a wiki article or something might help me educate myself, if I'm confused.] :)
---

** These questions and the answers are what I need most. **

So, I understand that Samba creates its own CA/Cert/Key on first start up.

The Wiki appears to show how to generate your own self-signed cert. Several questions in relation to generating my own, outside the Samba server.

- I assume I can self-sign certs, using my own CA. Correct? i.e. Not using the Samba generated CA/Cert(s)/Key(s). [But I'll have to copy/provide the CA.cert to the Samba server [and any TLS clients for client/server certificate validation purposes.]]

- The Wiki shows 2048 bit keys, and 1 year expiry. I assume this is simply the example, and 4096 bit keys and, say, 10y expiry are accepted. Correct?

Are there any other limits I should be aware of? (Probably limited by the version of OpenSSL the version of Samba was compiled with on the target system? If that's the case, there's probably no hard-and-fast rule about what's acceptable... since it's version/distro/compilation dependent.)

---
I generally hate using the OpenSSL tools to generate CA/certs/keys and use GnuTLS's tools to do it. Has anyone done this for Samba, and if so, are there any gotchas I should watch out for?

Any other general tips I should watch out for?

TIA
-Greg
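An added example (not from the thread or from the Samba project) of doing this with GnuTLS certtool instead of OpenSSL: a 4096-bit private CA, a 10-year (3650-day) DC certificate signed by it, and the smb.conf [global] lines that install the files on the DC. The DC name dc1.ad.example.com and the output directory are assumptions; the template keywords and smb.conf parameters are real.

```shell
#!/bin/sh
# Added example, not code from the thread: private CA + DC certificate with
# GnuTLS certtool (4096-bit RSA, 3650-day expiry) and the matching smb.conf
# lines. Assumed DC FQDN: dc1.ad.example.com; output dir is a parameter.
set -eu
BITS=4096
DAYS=3650

# certtool template for the CA (ca, cert_signing_key, expiration_days are
# certtool template keywords).
ca_template() {
    printf 'cn = "%s"\nca\ncert_signing_key\nexpiration_days = %s\n' \
        "AD private CA (example)" "$DAYS"
}

# Template for the DC server cert. dns_name must be the FQDN clients use,
# or their hostname check on the LDAPS/StartTLS connection fails.
server_template() {
    printf 'cn = "%s"\ndns_name = "%s"\ntls_www_server\nencryption_key\nsigning_key\nexpiration_days = %s\n' \
        "$1" "$1" "$DAYS"
}

# smb.conf [global] lines for the DC pointing at the generated files.
smb_conf_tls() {
    printf 'tls enabled = yes\ntls cafile = %s/ca-cert.pem\ntls certfile = %s/server-cert.pem\ntls keyfile = %s/server-key.pem\n' \
        "$1" "$1" "$1"
}

# Write templates, then (when certtool is installed) keys, CA and DC cert,
# verify the chain as an LDAP client would, and print the smb.conf lines.
generate_all() {
    out=$1; fqdn=$2
    mkdir -p "$out"
    ca_template > "$out/ca.tmpl"
    server_template "$fqdn" > "$out/server.tmpl"
    if command -v certtool >/dev/null 2>&1; then
        certtool --generate-privkey --bits "$BITS" --outfile "$out/ca-key.pem"
        certtool --generate-self-signed --load-privkey "$out/ca-key.pem" \
            --template "$out/ca.tmpl" --outfile "$out/ca-cert.pem"
        certtool --generate-privkey --bits "$BITS" --outfile "$out/server-key.pem"
        certtool --generate-certificate --load-privkey "$out/server-key.pem" \
            --load-ca-certificate "$out/ca-cert.pem" --load-ca-privkey "$out/ca-key.pem" \
            --template "$out/server.tmpl" --outfile "$out/server-cert.pem"
        certtool --verify --load-ca-certificate "$out/ca-cert.pem" --infile "$out/server-cert.pem"
        chmod 600 "$out"/*-key.pem   # private keys readable by root only
    fi
    smb_conf_tls "$out"
}
```

Copy ca-cert.pem (never the CA key) to the domain member so it can validate the DC; run as `generate_all /etc/samba/tls dc1.ad.example.com` on the DC.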
On Tue, 1 Jan 2019 10:35:17 -0800
Gregory Sloop via samba <samba at lists.samba.org> wrote:

> I'm working to put up a production FreeNAS box tied to Samba/AD for
> authentication for users connecting to the FreeNAS share(s). In
> joining FreeNAS to the AD domain, one immediately runs into
> "problems" with TLS/encryption.

I do not know why, by default you will be using NTLM for authentication.

> Samba, in the defaults requires TLS.

No it doesn't, you can easily connect to shares without it (after you
have authenticated via NTLM)

> I could disable TLS security in
> Samba, but that's probably not a great idea. So, I'll need a key/cert
> for the FreeNAS box to do TLS with the Samba AD... And so I'm getting
> ready to create the CA/certs/keys I need.

Yes, but only for things like ldap searches.

> Let's not get lost in examining FreeNAS. I'm configuring FreeNAS using
> the regular control panel, and setting it up just as it would work
> against a "regular" Windows AD. And I know it works from a test-bed
> Samba setup - but not using TLS.

Whatever you are doing against windows, should work against a Samba DC.

> ---
> As an aside - I assume that needing to use TLS means that FreeNAS is
> talking to Samba via LDAP, and not Kerberos?

Unless you are doing ldap searches, you will be using NTLM.

> Because, my limited
> understanding was that Kerberos is secure without wrapping in TLS,

Kerberos is even more secure than SSL.

> but LDAP isn't. So, if we were using Kerberos, there'd be no need of
> TLS. But since we're using TLS, we must be using LDAP, and thus the
> need to secure the LDAP channel with CA/Cert/Key.

If you do use SSL/TLS you will be using ldap, but you can use ldap
without SSL/TLS

> But perhaps I don't grok that properly...
>
> Someone is welcome to put me straight, if I've misunderstood
> something - but let's, also, not get too caught up in that side
> discussion. The real crux of my question follows. [A pointer to a wiki
> article or something might help me educate myself, if I'm
> confused.] :)
> ---
>
> ** These questions and the answers are what I need most. **
>
> So, I understand that Samba creates its own CA/Cert/Key on first
> start up.

Yes

> The Wiki appears to show how to generate your own self-signed cert.
> Several questions in relation to generating my own, outside the Samba
> server.
>
> - I assume I can self-sign certs, using my own CA. Correct? i.e. Not
> using the Samba generated CA/Cert(s)/Key(s). [But I'll have to
> copy/provide the CA.cert to the Samba server [and any TLS clients for
> client/server certificate validation purposes.]]

Yes

> - The Wiki shows 2048 bit keys, and 1 year expiry. I assume this is
> simply the example, and 4096 bit keys and, say, 10y expiry are
> accepted. Correct?

Yes

> Are there any other limits I should be aware of? (Probably limited by
> the version of OpenSSL the version of Samba was compiled with on the
> target system? If that's the case, there's probably no hard-and-fast
> rule about what's acceptable... since it's version/distro/compilation
> dependent.)
>
> ---
> I generally hate using the OpenSSL tools to generate CA/certs/keys
> and use GnuTLS's tools to do it.
> Has anyone done this for Samba,

Probably, try an internet search. Samba is generally compiled against
gnutls.

> and
> if so, are there any gotchas I should watch out for?

I don't know ;-)

> Any other general tips I should watch out for?

You will undoubtedly be better off using kerberos instead of SSL

Rowland
RPvs> On Tue, 1 Jan 2019 10:35:17 -0800
RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:

>> I'm working to put up a production FreeNAS box tied to Samba/AD for
>> authentication for users connecting to the FreeNAS share(s). In
>> joining FreeNAS to the AD domain, one immediately runs into
>> "problems" with TLS/encryption.

RPvs> I do not know why, by default you will be using NTLM for authentication.

The user and group queries, as best I can tell, from the FreeNAS box are occurring via LDAP. And the Samba default, at least with the package provided with Ubuntu 18.04, requires TLS for LDAP.

I haven't captured the wire yet, but here's how I guess it's happening. [FreeNAS is running Samba itself.] It joins the AD domain. Authentication between the users and FreeNAS is Kerberos. Lookups of users and groups against the DCs are occurring via LDAP.

In any case, I *know* that if I set FreeNAS to not use TLS and also set "ldap server require strong auth = no" in the AD servers' smb.conf's - the FreeNAS box can join the domain, and query users/groups from the DCs. So, I think we can pretty safely conclude that some LDAP communication is occurring and that it's not all via Kerberos, and thus we'll have to set up TLS.

>> Samba, in the defaults requires TLS.

RPvs> No it doesn't, you can easily connect to shares without it (after you
RPvs> have authenticated via NTLM)

Ok, perhaps I should have been more clear. LDAP communication requires TLS by default. [Certainly it does with my distro's version (Ubuntu 18.04) - but I think this is true of any recent version.]

>> I could disable TLS security in
>> Samba, but that's probably not a great idea. So, I'll need a key/cert
>> for the FreeNAS box to do TLS with the Samba AD... And so I'm getting
>> ready to create the CA/certs/keys I need.

RPvs> If you do use SSL/TLS you will be using ldap, but you can use ldap
RPvs> without SSL/TLS

So, running LDAP without TLS... Sure you can do it. You can probably configure Samba to accept plain-text passwords, unencrypted, over the wire too. I assume that LDAP requires TLS now, because not using TLS is a pretty severe security problem. Am I missing something? What kinds of LDAP data are getting sent between a Samba domain member and a Samba DC? I'd assume it's fairly problematic to pass that in the clear - but frankly I don't know.

I have a more urgent question, but I'll put that in its own message, so it doesn't get lost in the clutter.
>> ---
>> I generally hate using the OpenSSL tools to generate CA/certs/keys
>> and use GnuTLS's tools to do it.
>> Has anyone done this for Samba,

RPvs> Probably, try an internet search. Samba is generally compiled against
RPvs> gnutls.

>> and
>> if so, are there any gotchas I should watch out for?

RPvs> I don't know ;-)

So, I've created the certs I need for the DCs and the domain member [FreeNAS]. However, I still get errors about needing stronger authentication. But there's nothing in the logs that might tip me to what's wrong. What do I need to do to turn on TLS logging in Samba? [And perhaps authentication logging as well.]

TIA
-Greg