RPvs> On Tue, 1 Jan 2019 10:35:17 -0800
RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:

>> I'm working to put up a production FreeNAS box tied to Samba/AD for
>> authentication for users connecting to the FreeNAS share(s). In
>> joining FreeNAS to the AD domain, one immediately runs into
>> "problems" with TLS/encryption.

RPvs> I do not know why, by default you will be using NTLM for authentication.

The user and group queries, as best I can tell, from the FreeNAS box are occurring via LDAP. And the Samba default, at least with the package provided with Ubuntu 18.04, requires TLS for LDAP.

I haven't captured the wire yet, but here's how I guess it's happening. [FreeNAS is running Samba itself.] It joins the AD domain. Authentication between the users and FreeNAS is Kerberos. Lookups of users and groups against the DCs are occurring via LDAP.

In any case, I *know* that if I set FreeNAS to not use TLS and also set "ldap server require strong auth = no" in the AD servers' smb.conf's, the FreeNAS box can join the domain and query users/groups from the DCs.

So, I think we can pretty safely conclude that some LDAP communication is occurring and that it's not all via Kerberos, and thus we'll have to set up TLS.

>> Samba, in the defaults, requires TLS.

RPvs> No it doesn't, you can easily connect to shares without it (after you
RPvs> have authenticated via NTLM)

Ok, perhaps I should have been more clear. LDAP communication requires TLS by default. [Certainly it does with my distro's version (Ubuntu 18.04) - but I think this is true of any recent version.]

>> I could disable TLS security in
>> Samba, but that's probably not a great idea. So, I'll need a key/cert
>> for the FreeNAS box to do TLS with the Samba AD... And so I'm getting
>> ready to create the CA/certs/keys I need.

RPvs> If you do use SSL/TLS you will be using ldap, but you can use ldap
RPvs> without SSL/TLS

So, running LDAP without TLS... Sure you can do it.
You can probably configure Samba to accept plain-text passwords, unencrypted, over the wire too. I assume that LDAP requires TLS now, because not using TLS is a pretty severe security problem.

Am I missing something? What kinds of LDAP data are getting sent between a Samba domain member and a Samba DC? I'd assume it's fairly problematic to pass that in the clear - but frankly I don't know.

I have a more urgent question, but I'll put that in its own message, so it doesn't get lost in the clutter.
On Wed, 2 Jan 2019 17:59:21 -0800
Gregory Sloop via samba <samba at lists.samba.org> wrote:

> RPvs> On Tue, 1 Jan 2019 10:35:17 -0800
> RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:
>
> >> I'm working to put up a production FreeNAS box tied to Samba/AD for
> >> authentication for users connecting to the FreeNAS share(s). In
> >> joining FreeNAS to the AD domain, one immediately runs into
> >> "problems" with TLS/encryption.
>
> RPvs> I do not know why, by default you will be using NTLM for
> RPvs> authentication.
>
> The user and group queries, as best I can tell, from the FreeNAS box
> are occurring via LDAP.

No they are not, well not unless FreeNAS is doing something strange.
Try reading this:

https://docs.microsoft.com/en-us/windows/desktop/secauthn/microsoft-ntlm

> And the Samba default, at least with the
> package provided with Ubuntu 18.04, requires TLS for LDAP.

Yes, but LDAP != NTLM

> I haven't captured the wire yet, but here's how I guess it's
> happening. [FreeNAS is running Samba itself.] It joins the AD domain.
>
> Authentication between the users and FreeNAS is Kerberos.
> Lookups of users and groups against the DCs are occurring via LDAP.
>
> In any case, I *know* that if I set FreeNAS to not use TLS and also
> set "ldap server require strong auth = no"
> in the AD servers' smb.conf's - the FreeNAS box can join the domain,
> and query users/groups from the DCs.
>
> So, I think we can pretty safely conclude that some LDAP
> communication is occurring and that it's not all via Kerberos, and
> thus we'll have to set up TLS.

You only need TLS for LDAP, but Kerberos is even more secure.

> >> Samba, in the defaults, requires TLS.
>
> RPvs> No it doesn't, you can easily connect to shares without it
> RPvs> (after you have authenticated via NTLM)
>
> Ok, perhaps I should have been more clear. LDAP communication
> requires TLS by default.
> [Certainly it does with my distro's version
> (Ubuntu 18.04) - but I think this is true of any recent version.]

LDAP defaults to port 389, i.e. it doesn't use a certificate.

> >> I could disable TLS security in
> >> Samba, but that's probably not a great idea. So, I'll need a
> >> key/cert for the FreeNAS box to do TLS with the Samba AD... And so
> >> I'm getting ready to create the CA/certs/keys I need.
>
> RPvs> If you do use SSL/TLS you will be using ldap, but you can use
> RPvs> ldap without SSL/TLS

What, even against a webserver?

> So, running LDAP without TLS...
> Sure you can do it. You can probably configure Samba to accept
> plain-text passwords, unencrypted, over the wire too. I assume that
> LDAP requires TLS now, because not using TLS is a pretty severe
> security problem.

Cannot argue with that, but using TLS is not the default, you have to
configure the DC and clients to use it.

Rowland
On Thu, 3 Jan 2019 07:13:19 -0800
Gregory Sloop <gregs at sloop.net> wrote:

> >> The user and group queries, as best I can tell, from the FreeNAS
> >> box are occurring via LDAP.
>
> RPvs> No they are not, well not unless FreeNAS is doing something
> RPvs> strange.
>
> We can argue about the details, but that's not helpful.
>
> As noted in a separate message:
> --
> So, I've created the certs I need for the DCs and the domain member
> [FreeNAS]. However, I still get errors about needing stronger
> authentication.
>
> But there's nothing in the logs that might tip me to what's wrong.
>
> What do I need to do to turn on TLS logging in Samba?
> [And perhaps authentication logging as well.]
>
> ---
> I've set logging as follows:
> log level = 3 winbind:5 kerberos:5
>
> I don't see any debug/logging channel that handles TLS. And I don't
> see any messages about TLS in the logs.
>
> I believe I need to examine TLS since when I set "ldap server require
> strong auth = allow_sasl_over_tls" or "ldap server require strong
> auth = yes" user and group queries fail.
>
> But trying to get the keys/certs/CA right, while being completely
> blind about what's going on, is impossible.
>
> So, I need to know where I can get the details about TLS negotiation.
> [My experience with troubleshooting TLS isn't good, even with
> messages, but without, you just twiddle knobs and flip switches, just
> *hoping that something* you do makes it "boom, work".]
>
> TIA
> -Greg
>

What I was trying to point out is, Samba does not use LDAP for
authentication; if FreeNAS is using LDAP, then you need to ask them
about it. Find out just where LDAP is being used and how it interacts
with Samba (if indeed it does) and then we may be able to help you.

Rowland
Really Rowland?

As quoted:

>> I believe I need to examine TLS since when I set "ldap server require
>> strong auth = allow_sasl_over_tls" or "ldap server require strong
>> auth = yes" user and group queries fail.

This is OBVIOUSLY using LDAP and TLS. If this was via NTLM/Kerberos, the above setting wouldn't make the slightest difference.

But all that aside - the key question is: [Again, let's quit arguing if this is TLS/LDAP or Kerberos.]

*** How do I get visibility into the TLS negotiation so I can figure out what's wrong with my CA/certs/keys?

-Greg
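The whole thread hinges on one DC-side option: with "ldap server require strong auth = no" the member's user/group queries work over cleartext LDAP, and with "allow_sasl_over_tls" or the default "yes" they fail until the DC's TLS material is trusted by the member. The script below is an added example written for this thread, not code from Samba or from either poster. It parses a Samba smb.conf [global] section and reports the effective strong-auth mode and TLS state, with a constructed "works but weak" configuration beside a constructed hardened one. The option names ("ldap server require strong auth", "tls enabled", "tls keyfile", "tls certfile", "tls cafile") are real smb.conf options, and the two defaults it assumes ("yes" for both "ldap server require strong auth" and "tls enabled") are Samba's documented defaults; the workgroup, realm and file paths are placeholders.

```python
"""Audit the LDAP strong-auth and TLS settings of a Samba AD DC smb.conf.

Added example for the thread above; not code from Samba or the posters.
The two smb.conf fragments are constructed samples with placeholder paths.
"""
from typing import Dict, List

# Constructed: the kind of [global] that "works" with a domain member only
# because strong authentication over LDAP has been switched off.
WEAK_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    ; lets members bind and query over cleartext LDAP on port 389
    ldap server require strong auth = no
    log level = 3 winbind:5 kerberos:5
"""

# Constructed: strong auth left at its default and the DC's TLS material
# configured explicitly, so simple binds only happen inside a TLS session.
HARDENED_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LAN
    server role = active directory domain controller
    ldap server require strong auth = yes
    tls enabled  = yes
    tls keyfile  = tls/dc.key
    tls certfile = tls/dc.pem
    tls cafile   = tls/ca.pem
"""

# Samba's documented defaults for the options checked here (assumption
# stated in the lead-in; both default to "yes" in current Samba).
DEFAULTS = {"ldap server require strong auth": "yes", "tls enabled": "yes"}
TLS_FILE_KEYS = ("tls keyfile", "tls certfile", "tls cafile")


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, 'key = value' lines and
    ';' / '#' comment lines. Keys are lower-cased and whitespace-normalised,
    matching Samba's case- and whitespace-insensitive option names."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def audit_ldap_tls(conf_text: str) -> Dict[str, object]:
    """Return the effective strong-auth mode, TLS state and a list of findings."""
    g = parse_smb_conf(conf_text).get("global", {})
    strong = g.get("ldap server require strong auth",
                   DEFAULTS["ldap server require strong auth"]).lower()
    tls_enabled = g.get("tls enabled", DEFAULTS["tls enabled"]).lower() in ("yes", "true", "1")
    tls_files = {k: g.get(k) for k in TLS_FILE_KEYS}
    findings: List[str] = []

    if strong == "no":
        findings.append("ldap server require strong auth = no: simple binds and unsigned "
                        "SASL binds are accepted over cleartext LDAP (port 389)")
    elif strong == "allow_sasl_over_tls":
        findings.append("allow_sasl_over_tls: unsigned SASL binds are allowed, but only inside "
                        "TLS, so members must trust the DC certificate")
    elif strong != "yes":
        findings.append(f"unrecognised value for ldap server require strong auth: {strong!r}")

    if not tls_enabled:
        findings.append("tls enabled = no: no LDAPS/StartTLS, so simple binds cannot succeed "
                        "once strong auth is required")

    return {"strong_auth": strong, "tls_enabled": tls_enabled, "tls_files": tls_files,
            "findings": findings, "ok": strong == "yes" and tls_enabled}


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        report = audit_ldap_tls(conf)
        print(f"{name}: ok={report['ok']} strong_auth={report['strong_auth']} "
              f"tls_enabled={report['tls_enabled']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run against a DC's real smb.conf, the report tells you which of the three modes the DC is actually in before you start changing certificates: if it says "no", the member is talking cleartext LDAP and no amount of CA work changes that; if it says "yes" or "allow_sasl_over_tls" and queries fail, the problem is on the TLS side, which is the point at which a capture of ports 389/636 on the DC (the "wire" Greg had not yet captured) shows whether the handshake even completes.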