Hello,

I do vulnerability tests on my infrastructure, and I got a report about weak ciphers on samba services. Is it possible to set stronger ciphers for samba?

On old samba3 it was possible to set "ssl ciphers" in smb.conf, but now I don't see any documentation on how to change it.
Is it possible, and if so, how?

-- 
Arkadiusz Karpiński
Efinity Sp. z o.o.
02-672 Warszawa, ul. Domaniewska 42
t: +48 22 380 13 88
m: +48 793 783 343
f: +48 22 380 16 76

Company entered in the register of entrepreneurs kept by the District Court for the Capital City of Warsaw, 13th Commercial Division of the National Court Register, under number KRS 0000073606, NIP 521-31-76-978, share capital: 51,500.00 PLN.

The content of this message is confidential and legally protected. It may be received only by its addressee, with access by third parties excluded. If you are not the addressee of this message, its dissemination, copying, distribution or any other action of a similar nature is prohibited by law and may be punishable. If this message is addressed to Efinity clients, any opinion or advice contained in it is subject to the relevant terms of the agreement on the provision of services to the Client by Efinity.
On 30/09/2019 14:43, Arkadiusz Karpiński via samba wrote:
> Hello,
>
> I do vulnerability tests on my infrastructure, and I got a report about
> weak ciphers on samba services. Is it possible to set stronger ciphers
> for samba?
>
> On old samba3 it was possible to set "ssl ciphers" in smb.conf, but
> now I don't see any documentation on how to change it.
> Is it possible, and if so, how?
>
It might help if you gave us more info, such as how you are using Samba; the easiest way would be to post your smb.conf.

Rowland
On 30/09/2019 18:06, akarpinski wrote:
> Samba version is 4.10.7
>
> smb.conf:
>
> # Global parameters
> [global]
>     netbios name = dc-1
>     realm = REALM
>     server role = active directory domain controller
>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>     workgroup = EFINITY
>     dns forwarder = 192.168.X.X 192.168.X.X
>     tls enabled = yes
>     tls keyfile = /usr/local/samba/private/tls/server.key
>     tls certfile = /usr/local/samba/private/tls/server.crt
>     tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt

I would take this up with whoever supplied your DC certificates; they do not appear to be strong enough.

Also, you appear to be using Bind9 as your dns server, so you don't need the 'dns forwarder' line; these should be in your named.conf file.

Rowland
On 01/10/2019 12:51, Arkadiusz Karpiński wrote:
>
> On 30.09.2019 20:03, Rowland penny via samba wrote:
>> On 30/09/2019 18:06, akarpinski wrote:
>>> Samba version is 4.10.7
>>>
>>> smb.conf:
>>>
>>> # Global parameters
>>> [global]
>>>     netbios name = dc-1
>>>     realm = REALM
>>>     server role = active directory domain controller
>>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>     workgroup = EFINITY
>>>     dns forwarder = 192.168.X.X 192.168.X.X
>>>     tls enabled = yes
>>>     tls keyfile = /usr/local/samba/private/tls/server.key
>>>     tls certfile = /usr/local/samba/private/tls/server.crt
>>>     tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>>
>> I would take this up with whoever supplied your DC certificates; they
>> do not appear to be strong enough.
>>
>> Also, you appear to be using Bind9 as your dns server, so you don't
>> need the 'dns forwarder' line; these should be in your named.conf file.
>>
>> Rowland
>>
> I have an SSO certificate and I can only set RSA or ECDSA authentication
> in the certificate; the rest depends on client/server configuration. So what
> do you mean that the certificates are not strong enough?

You have this in your DC smb.conf:

    tls keyfile = /usr/local/samba/private/tls/server.key
    tls certfile = /usr/local/samba/private/tls/server.crt
    tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt

This means that you have supplied the certificates used by AD, and if you are getting warnings about them, then you need to create certificates that will pass your tests.

>
> Well, at this moment I don't need 'dns forwarder' at all; previously I
> used dc-1/2 as my main dns for AD clients, but now I switched back to my
> main DNS server and there I set a dns forwarder for domain "ad.realm" to
> samba DNS. So I will delete this, thx.
>
I would go back to what you were doing before; your clients should use the DC as their nameserver.

Rowland

> Arek
On 01.10.2019 14:06, Rowland penny via samba wrote:
> On 01/10/2019 12:51, Arkadiusz Karpiński wrote:
>>
>> On 30.09.2019 20:03, Rowland penny via samba wrote:
>>> On 30/09/2019 18:06, akarpinski wrote:
>>>> Samba version is 4.10.7
>>>>
>>>> smb.conf:
>>>>
>>>> # Global parameters
>>>> [global]
>>>>     netbios name = dc-1
>>>>     realm = REALM
>>>>     server role = active directory domain controller
>>>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>     workgroup = EFINITY
>>>>     dns forwarder = 192.168.X.X 192.168.X.X
>>>>     tls enabled = yes
>>>>     tls keyfile = /usr/local/samba/private/tls/server.key
>>>>     tls certfile = /usr/local/samba/private/tls/server.crt
>>>>     tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>>>
>>> I would take this up with whoever supplied your DC certificates;
>>> they do not appear to be strong enough.
>>>
>>> Also, you appear to be using Bind9 as your dns server, so you don't
>>> need the 'dns forwarder' line; these should be in your named.conf file.
>>>
>>> Rowland
>>>
>> I have an SSO certificate and I can only set RSA or ECDSA authentication
>> in the certificate; the rest depends on client/server configuration. So
>> what do you mean that the certificates are not strong enough?
>
> You have this in your DC smb.conf:
>
>     tls keyfile = /usr/local/samba/private/tls/server.key
>     tls certfile = /usr/local/samba/private/tls/server.crt
>     tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>
> This means that you have supplied the certificates used by AD, and if
> you are getting warnings about them, then you need to create
> certificates that will pass your tests.
>
But the certificate has nothing to do with ciphers. I would like to set strong ciphers between client and server, but the server must enforce a strong list of ciphers which will be used to communicate with the client.
On samba3 that was possible in smb.conf, but it's missing in the samba4 configuration.

>>
>> Well, at this moment I don't need 'dns forwarder' at all; previously I
>> used dc-1/2 as my main dns for AD clients, but now I switched back to my
>> main DNS server and there I set a dns forwarder for domain "ad.realm" to
>> samba DNS. So I will delete this, thx.
>>
> I would go back to what you were doing before; your clients should use
> the DC as their nameserver.
>
> Rowland
>
>> Arek

-- 
Arkadiusz Karpiński
Efinity Sp. z o.o.
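On Samba 4 the knob the thread is looking for is the `tls priority` parameter in smb.conf(5), a GnuTLS priority string whose documented default is `NORMAL:-VERS-SSL3.0`; the following script is an added example (not from the thread or from the Samba project) that audits a DC's [global] section for that setting and checks the effective value against a hardened one. The smb.conf excerpt is constructed after the one posted above, the protocol-version logic is a heuristic over priority keywords, and the hardened string is my suggestion.

```python
# Constructed excerpt modelled on the DC smb.conf posted above; it has no
# "tls priority" line, so Samba falls back to the documented default.
SMB_CONF_AS_POSTED = """\
[global]
    server role = active directory domain controller
    tls enabled = yes
    tls keyfile = /usr/local/samba/private/tls/server.key
    tls certfile = /usr/local/samba/private/tls/server.crt
    tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
"""
# Default for "tls priority" per smb.conf(5); it is a GnuTLS priority string.
DEFAULT_TLS_PRIORITY = "NORMAL:-VERS-SSL3.0"
# Hardened value suggested here (my choice, not from the thread): keep NORMAL
# but drop legacy protocol versions and the ciphers scanners usually flag.
HARDENED_TLS_PRIORITY = "NORMAL:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-ARCFOUR-128:-3DES-CBC"
LEGACY_ALGS = ("ARCFOUR-128", "3DES-CBC")

def parse_global(conf):
    # [global] parameters as a dict; Samba matches names case-insensitively
    # and ignores surrounding whitespace, so normalise both.
    params, in_global = {}, False
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
        elif in_global and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def effective_tls_priority(params):
    return params.get("tls priority", DEFAULT_TLS_PRIORITY)

def version_enabled(priority, ver):
    # Heuristic: GnuTLS applies keywords left to right, so a later +VERS-x
    # re-enables a version removed earlier by -VERS-x or -VERS-ALL.
    enabled = True
    for token in priority.split(":"):
        if token in ("-VERS-ALL", f"-VERS-{ver}"):
            enabled = False
        elif token == f"+VERS-{ver}":
            enabled = True
    return enabled

def audit(conf):
    # Report what the effective priority string still allows.
    priority = effective_tls_priority(parse_global(conf))
    findings = [f"{v} enabled" for v in ("SSL3.0", "TLS1.0", "TLS1.1")
                if version_enabled(priority, v)]
    findings += [f"{a} not explicitly removed" for a in LEGACY_ALGS
                 if f"-{a}" not in priority.split(":")]
    return {"tls priority": priority, "findings": findings}
```

Run `audit()` on the real smb.conf text, then add `tls priority = <hardened string>` under [global] and restart samba; the exact keywords GnuTLS accepts depend on the GnuTLS version Samba was built against.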