Hello all,
as I am still struggling with my replicating Samba setup (haven't yet tried
Andrew's last suggestion - thanks for your support anyway), I am wondering
whether I can put a DC on a virtual private server I run anyway. I think the
obvious approach would be to run a VPN and configure Samba to listen on the tun
interface, but unfortunately my routers don't run standard VPN protocols. Thus I
am wondering what the risk is of exposing a Samba DC directly to the internet. Are
all connections of a Samba DC encrypted and authenticated? I expect the DNS
queries/answers served by bind to be the exception, but are there others? In fact I
would expect encryption and authentication also for corporate networks not
exposed to the internet.
root@dc1:/home/joachim# netstat -a -p -Ainet --numeric-ports | grep samba
tcp 0 0 0.0.0.0:135 0.0.0.0:* LISTEN 1170/samba
tcp 0 0 0.0.0.0:464 0.0.0.0:* LISTEN 1175/samba
tcp 0 0 0.0.0.0:88 0.0.0.0:* LISTEN 1175/samba
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1173/samba
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN 1170/samba
tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN 1173/samba
tcp 0 0 0.0.0.0:3269 0.0.0.0:* LISTEN 1173/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1173/samba
tcp 0 0 192.168.177.21:1024 192.168.15.22:56668 VERBUNDEN 1170/samba
udp 0 0 192.168.177.21:389 0.0.0.0:* 1174/samba
udp 0 0 0.0.0.0:389 0.0.0.0:* 1174/samba
udp 0 0 192.168.177.21:464 0.0.0.0:* 1175/samba
udp 0 0 0.0.0.0:464 0.0.0.0:* 1175/samba
udp 0 0 192.168.177.21:88 0.0.0.0:* 1175/samba
udp 0 0 0.0.0.0:88 0.0.0.0:* 1175/samba
udp 0 0 192.168.177.21:137 0.0.0.0:* 1171/samba
udp 0 0 192.168.177.255:137 0.0.0.0:* 1171/samba
udp 0 0 0.0.0.0:137 0.0.0.0:* 1171/samba
udp 0 0 192.168.177.21:138 0.0.0.0:* 1171/samba
udp 0 0 192.168.177.255:138 0.0.0.0:* 1171/samba
udp 0 0 0.0.0.0:138 0.0.0.0:* 1171/samba
389 is standard LDAP, i.e. not encrypted, 636 is the port using TLS. How can I
close port 389 so that no client can unintentionally communicate insecurely?
Are there other pairs?
Anyone done this?
Thanks & Best regards, Joachim
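As an added illustration (not part of Joachim's post and not Samba's own tooling), a small Python script that re-joins the wrapped netstat output above, lists the ports bound to 0.0.0.0 (i.e. reachable on every interface of the host) and reports the cleartext/TLS port pairs an AD DC serves. The sample is a constructed subset of the post's output, and the TLS_PAIRS table is an assumption based on the standard AD port assignments, not something the post states.

```python
# Constructed subset of the post's netstat output. The mail client wrapped
# the PID/program column onto its own line; unwrap() repairs that.
NETSTAT = """\
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
1173/samba
tcp 0 0 0.0.0.0:3268 0.0.0.0:* LISTEN
1173/samba
tcp 0 0 0.0.0.0:3269 0.0.0.0:* LISTEN
1173/samba
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
1173/samba
tcp 0 0 192.168.177.21:1024 192.168.15.22:56668 VERBUNDEN
1170/samba
udp 0 0 0.0.0.0:88 0.0.0.0:*
1175/samba
udp 0 0 192.168.177.21:137 0.0.0.0:*
1171/samba
"""
# Assumed: cleartext port -> TLS-wrapped counterpart served by the same Samba service.
TLS_PAIRS = {389: 636, 3268: 3269}

def unwrap(text):
    """Re-join a wrapped 'PID/program' line with the socket line above it."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if "/" in line and line.split("/", 1)[0].isdigit() and out:
            out[-1] += " " + line
        elif line:
            out.append(line)
    return out

def parse_sockets(text):
    """Yield (proto, local_addr, local_port, remote) for every socket line."""
    for line in unwrap(text):
        proto, _, _, local, remote = line.split()[:5]
        addr, port = local.rsplit(":", 1)
        yield proto, addr, int(port), remote

def wildcard_listeners(text):
    """Ports bound to 0.0.0.0: open on every interface, so internet-facing on a VPS."""
    return sorted({port for _, addr, port, remote in parse_sockets(text)
                   if addr == "0.0.0.0" and remote == "0.0.0.0:*"})

def open_tls_pairs(text):
    """(cleartext, TLS) pairs where both ports are open; 389/636 is not the only one."""
    open_ports = {port for _, _, port, remote in parse_sockets(text) if remote == "0.0.0.0:*"}
    return [(c, t) for c, t in TLS_PAIRS.items() if c in open_ports and t in open_ports]
```

Whatever wildcard_listeners() returns is what would face the internet on a host with a public address unless a host firewall or Samba's interface binding restricts it; the established 192.168.177.21:1024 connection is correctly left out.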