Hi,
Thank you for your feedback, Andrew. Since Samba is not the only application
making use of the TLS_CIPHER_SUITE negotiation rules in ldap.conf, I would like
to ensure that all of them still use the highest encryption possible. Currently
I had to remove "TLS_CIPHER_SUITE" as a workaround in order to let
Samba work with LDAP in TLS mode. Does anyone have a suggestion how I can apply
TLS_CIPHER_SUITE in such a way that Samba LDAP connection doesn't break?
I think this is a major configuration issue and should be mentioned in the
official Samba Wiki. Samba <-> LDAP isn't working unless the variable
"TLS_CIPHER_SUITE" is deactivated or set properly. What do you think?
Best regards
Leander Schäfer
>> On 14.03.2016 at 11:03, Andrew Bartlett <abartlet at samba.org> wrote:
>>
>> On Mon, 2016-03-14 at 01:55 +0100, Leander Schäfer wrote:
>> What would be a working TLS_CIPHER_SUITE in ldap.conf for Samba 4?
>> I'm asking, cause I had to remove
>>
>> TLS_CIPHER_SUITE TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!MD5:!3DES:@STRENGTH
>>
>> from my ldap.conf for samba to work. This wasn't documented anywhere.
>> I think this should be mentioned in the wiki as well as in the man
>> smb.conf under tls.
>
> Aside from banning SSLv3, we just use whatever GnuTLS gives us on your
> platform, by default. Modern Samba versions even let you control that
> with an smb.conf option.
>
> I hope this helps,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba