On 15.04.2016 at 11:02, Björn JACKE wrote:

> On 2016-04-15 at 10:09 +0200 L.P.H. van Belle sent off:
>> Is there any way to override this setting? I do need 0440 here. (or 0400)
>>
>> 0600 is not needed imo.
>
> can you say, why you need 440 here? I can't think of a valid use case for that.
> If another service should use an SSL certificate on that server, you would give
> that service another certificate then and not reuse the AD server SSL cert

wildcard certificates?
On 2016-04-15 at 11:08 +0200 Reindl Harald sent off:

>> can you say, why you need 440 here? I can't think of a valid use case for that.
>> If another service should use an SSL certificate on that server, you would give
>> that service another certificate then and not reuse the AD server SSL cert
>
> wildcard certificates?

Using the same private/public key pair on the DC and other servers might be convenient but is a very bad idea from a security point of view. But if you really want to do anything like that, knowing that this is *bad*, you can just copy the cert to some other place in the filesystem, where you also need it.

Björn
https://www.samba.org/samba/security/CVE-2013-4476.html says: "the private key for SSL/TLS encryption might be world readable". It seems the initial issue was that the key was world-readable, which is not the case for Louis. Why does Samba force that key to be writable when the point is that it must not be world-readable?

2016-04-18 15:53 GMT+02:00 Björn JACKE <bjacke at sernet.de>:

> On 2016-04-15 at 11:08 +0200 Reindl Harald sent off:
>
>>> can you say, why you need 440 here? I can't think of a valid use case for that.
>>> If another service should use an SSL certificate on that server, you would give
>>> that service another certificate then and not reuse the AD server SSL cert
>>
>> wildcard certificates?
>
> using the same private/public key pair on the DC and other servers might be
> convenient but is a very bad idea from a security point of view. But if you
> really want to do anything like that, knowing that this is *bad*, you can
> just copy the cert to some other place in the filesystem, where you also need
> it.
>
> Björn
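As an added defender's check (not code from the thread or from Samba itself): an audit of a TLS private key's file metadata against the owner-only expectation argued above, flagging the world-readable condition CVE-2013-4476 describes and the group-readable 0440 sharing the thread discusses. The allowed-mode set and the placeholder key files are assumptions constructed for the example.

```python
import os
import stat
import tempfile

# Policy modelled on the thread's argument: a DC's TLS private key should be
# readable by its owner only. These values are an assumption for this example,
# not Samba's own defaults.
ALLOWED_MODES = {0o600, 0o400}


def audit_private_key(path, expected_uid=None):
    """Return a list of problems found with a private key file's metadata."""
    problems = []
    st = os.lstat(path)  # lstat: a symlink pointing at a readable copy is itself a finding
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink; audit the target file instead"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        problems.append("world-readable (the condition CVE-2013-4476 describes)")
    if mode & stat.S_IRGRP:
        problems.append("group-readable (0440-style sharing with another service)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    if mode not in ALLOWED_MODES:
        allowed = ", ".join(f"{m:04o}" for m in sorted(ALLOWED_MODES))
        problems.append(f"mode {mode:04o} not in allowed set ({allowed})")
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append(f"owned by uid {st.st_uid}, expected uid {expected_uid}")
    return problems


def demo():
    """Audit three constructed placeholder key files (0644, 0440, 0600)."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for mode in (0o644, 0o440, 0o600):
            p = os.path.join(d, f"key-{mode:04o}.pem")
            with open(p, "w") as f:
                f.write("-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n"
                        "-----END PRIVATE KEY-----\n")
            os.chmod(p, mode)
            results[f"{mode:04o}"] = audit_private_key(p)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else "; ".join(problems))
```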