lingpanda101
2018-Apr-16 14:15 UTC
[Samba] tls verify peer with custom self-signed certificate
Hello,

When using a custom self-signed certificate, what is the appropriate value for 'tls verify peer ='? The wiki states to use 'tls cafile =' for a custom self-signed certificate in smb.conf. If no CA exists, does Samba immediately fail the check if using the default 'tls verify peer = as strict as possible'? I've looked through the man page (Samba 4.7.5) but don't see anything mentioning when using a self-signed certificate.

Thanks.

-- 
James
Marco Gaiarin
2018-Apr-17 07:56 UTC
[Samba] tls verify peer with custom self-signed certificate
Hello! lingpanda101 via samba wrote, on that day...

> When using a custom self-signed certificate, what is the appropriate
> value for 'tls verify peer ='?

...AFAIK the same for every certificate; the CA's certificates have to be in the ''central store'', or have to be explicitly set via 'tls cafile ='.

Some distros have a framework to add certificates to the central store, eg the Debian ca-certificates/ssl-cert packages:

https://manpages.debian.org/jessie/ca-certificates/update-ca-certificates.8.en.html

-- 
dott. Marco Gaiarin                                    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)
lingpanda101
2018-Apr-17 15:12 UTC
[Samba] tls verify peer with custom self-signed certificate
On 4/17/2018 3:56 AM, Marco Gaiarin via samba wrote:
> Hello! lingpanda101 via samba wrote, on that day...
>
>> When using a custom self-signed certificate, what is the appropriate
>> value for 'tls verify peer ='?
> ...AFAIK the same for every certificate; the CA's certificates have to
> be in the ''central store'', or have to be explicitly set via 'tls cafile ='.
>
> Some distros have a framework to add certificates to the central store,
> eg the Debian ca-certificates/ssl-cert packages:
>
> https://manpages.debian.org/jessie/ca-certificates/update-ca-certificates.8.en.html
>

Hello Marco,

Thank you for your comment. I tried adding to my central store but I'm not getting the results I expect. Further research shows I may be going about my issue all wrong. I'm attempting to tighten the security settings on my DCs. Specifically, the following commands:

* ldap server require strong auth = no
* tls verify peer = no_check

I have external applications such as Apache, NGINX or IIS that I authenticate with against my DCs. If I enable 'ldap server require strong auth = yes', I break authentication. I thought I needed to configure LDAPS to correct the issue. Reading through the list I see reference to not using LDAPS but Kerberos

-- 
James
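As an added illustration (not part of this thread), an smb.conf [global] fragment that puts the two weakened settings James lists beside their stricter counterparts, with 'tls cafile =' pointing at the self-signed certificate itself as the wiki advises and Marco's reply implies. The certificate and key file paths are assumptions; the option names and values are standard Samba smb.conf options.

```ini
[global]
    # --- weakened settings quoted in the thread ---
    # ldap server require strong auth = no
    #     simple binds are accepted over plain LDAP, so client
    #     passwords can cross the wire unprotected
    # tls verify peer = no_check
    #     Samba, acting as a TLS client (e.g. towards other DCs),
    #     skips certificate validation entirely

    # --- stricter settings ---
    tls enabled = yes
    # server certificate and private key (paths are assumptions;
    # relative names resolve under the private directory)
    tls certfile = tls/dc1.example.com.pem
    tls keyfile  = tls/dc1.example.com.key
    # a self-signed certificate is its own issuer, so the trust anchor
    # is that same certificate (or the private CA that signed it);
    # without a cafile, as_strict_as_possible has nothing to chain to
    # and verification of the peer fails
    tls cafile   = tls/dc1.example.com.pem
    tls verify peer = as_strict_as_possible

    # simple binds only over TLS, SASL binds must sign and seal;
    # clients that bind simply over port 389, like the Apache/NGINX/IIS
    # ones James describes, will fail until moved to LDAPS or Kerberos
    ldap server require strong auth = yes
```

Applying the last setting is what breaks the external applications in the thread, so switch them to LDAPS (or Kerberos) before tightening the DC.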