Hi everyone, I have a basic SAMBA setup with a main AD DC ad1 and a backup AD DC ad2, running on Samba 4.5.16-Debian on Raspbian. I would now like to enable LDAPS so my users can authenticate in other non Samba services using Active Directory. From reading the documentation here: https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC I understand that for the most basic LDAPS setup using the pre-existing self-signed certificate I need only add the following lines to my smb.conf to enable this: tls enabled = yes tls keyfile = tls/key.pem tls certfile = tls/cert.pem tls cafile = tls/ca.pem My questions related to this are: 1) Since I have a dual DC setup do I need to manually enable tls for LDAPS separately on the secondary DC, or will this be automatically detected from the primary and the settings copied over automatically? 2) How do I go about creating a dedicated user account that can be used with third-party services (in this case redmine) to access AD via LDAPS to retrieve user login credentials securely? For the avoidance of confusion here I understand the processes used to create a basic AD account. What I am specifically interested in is the particular combination of privileges or permissions i would need to set on a basic account to allow LDAPS access using this account. I believe I will need to create such an account to use with redmine since I have read that anonymous LDAPS access is not possible with AD. 3) What will happen in 700 days time when the self-certified certificate initially created by Samba on its first execution expires? Will everything just suddenly stop working suddenly and authentication in Redmine come grinding to a halt? How should I remedy this? Thanks Stephen Ellwood
On Fri, 5 Apr 2019 12:13:46 +0100 Stephen via samba <samba at lists.samba.org> wrote:> Hi everyone, I have a basic SAMBA setup with a main AD DC ad1 and a > backup AD DC ad2, running on Samba 4.5.16-Debian on Raspbian. > > I would now like to enable LDAPS so my users can authenticate in > other non Samba services using Active Directory.Have you considered kerberos, this is even more secure than ldaps. Rowland
If you dont want to juse the selfsigned certs. I can recommend: https://hohnstaedt.de/xca/ Setup you own CA root. Setup the certificates for the servers and deploy the Root Cert. Now its in you hand then things expire. Or https://lists.samba.org/archive/samba/2019-January/220463.html I've not tested that yet but its high on my list to test. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Stephen via samba > Verzonden: vrijdag 5 april 2019 13:14 > Aan: samba at lists.samba.org > Onderwerp: [Samba] Enabling LDAPS in Samba in a dual-DC setup > > Hi everyone, I have a basic SAMBA setup with a main AD DC ad1 and a > backup AD DC ad2, running on Samba 4.5.16-Debian on Raspbian. > > I would now like to enable LDAPS so my users can authenticate > in other > non Samba services using Active Directory. From reading the > documentation here: > https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LD > APS)_on_a_Samba_AD_DC > I understand that for the most basic LDAPS setup using the > pre-existing > self-signed certificate I need only add the following lines to my > smb.conf to enable this: > > tls enabled = yes > tls keyfile = tls/key.pem > tls certfile = tls/cert.pem > tls cafile = tls/ca.pem > > My questions related to this are: > > 1) Since I have a dual DC setup do I need to manually enable tls for > LDAPS separately on the secondary DC, or will this be automatically > detected from the primary and the settings copied over automatically? > > 2) How do I go about creating a dedicated user account that > can be used > with third-party services (in this case redmine) to access AD > via LDAPS > to retrieve user login credentials securely? For the avoidance of > confusion here I understand the processes used to create a basic AD > account. What I am specifically interested in is the particular > combination of privileges or permissions i would need to set > on a basic > account to allow LDAPS access using this account. I believe I > will need > to create such an account to use with redmine since I have read that > anonymous LDAPS access is not possible with AD. > > 3) What will happen in 700 days time when the self-certified > certificate > initially created by Samba on its first execution expires? Will > everything just suddenly stop working suddenly and authentication in > Redmine come grinding to a halt? How should I remedy this? > > Thanks > Stephen Ellwood > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
And i just noticed that dehydrated is available in stretch.
apt-cache policy dehydrated
dehydrated:
Installed: (none)
Candidate: 0.3.1-3+deb9u2
Version table:
0.3.1-3+deb9u2 500
500 http://ftp.nl.debian.org/debian stretch/main amd64 Packages
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> L.P.H. van Belle via samba
> Verzonden: vrijdag 5 april 2019 13:53
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Enabling LDAPS in Samba in a dual-DC setup
>
> If you dont want to juse the selfsigned certs.
>
> I can recommend:
> https://hohnstaedt.de/xca/
>
> Setup you own CA root.
> Setup the certificates for the servers and deploy the Root Cert.
>
> Now its in you hand then things expire.
>
> Or
> https://lists.samba.org/archive/samba/2019-January/220463.html
> I've not tested that yet but its high on my list to test.
>
>
> Greetz,
>
> Louis
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > Stephen via samba
> > Verzonden: vrijdag 5 april 2019 13:14
> > Aan: samba at lists.samba.org
> > Onderwerp: [Samba] Enabling LDAPS in Samba in a dual-DC setup
> >
> > Hi everyone, I have a basic SAMBA setup with a main AD DC ad1 and a
> > backup AD DC ad2, running on Samba 4.5.16-Debian on Raspbian.
> >
> > I would now like to enable LDAPS so my users can authenticate
> > in other
> > non Samba services using Active Directory. From reading the
> > documentation here:
> > https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LD
> > APS)_on_a_Samba_AD_DC
> > I understand that for the most basic LDAPS setup using the
> > pre-existing
> > self-signed certificate I need only add the following lines to my
> > smb.conf to enable this:
> >
> > tls enabled = yes
> > tls keyfile = tls/key.pem
> > tls certfile = tls/cert.pem
> > tls cafile = tls/ca.pem
> >
> > My questions related to this are:
> >
> > 1) Since I have a dual DC setup do I need to manually
> enable tls for
> > LDAPS separately on the secondary DC, or will this be automatically
> > detected from the primary and the settings copied over
> automatically?
> >
> > 2) How do I go about creating a dedicated user account that
> > can be used
> > with third-party services (in this case redmine) to access AD
> > via LDAPS
> > to retrieve user login credentials securely? For the avoidance of
> > confusion here I understand the processes used to create a basic AD
> > account. What I am specifically interested in is the particular
> > combination of privileges or permissions i would need to set
> > on a basic
> > account to allow LDAPS access using this account. I believe I
> > will need
> > to create such an account to use with redmine since I have
> read that
> > anonymous LDAPS access is not possible with AD.
> >
> > 3) What will happen in 700 days time when the self-certified
> > certificate
> > initially created by Samba on its first execution expires? Will
> > everything just suddenly stop working suddenly and
> authentication in
> > Redmine come grinding to a halt? How should I remedy this?
> >
> > Thanks
> > Stephen Ellwood
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
> >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
>
Hi Rowland. I hear you about the security issues around LDAP. Unfortunately Redmine is stuck with only LDAP and LDAPS support for now - see here. It is an evantual goal for the project to add Kerberos (for ten years now...). Only dubious looking third-party plugins with limited adoption are available at present to enable Kerberos within Redmine and I am loathe to rely upon such implementations. Thanks Stephen
Mandi! Stephen via samba In chel di` si favelave... AFAIK.> 1) Since I have a dual DC setup do I need to manually enable tls for LDAPS > separately on the secondary DC, or will this be automatically detected from > the primary and the settings copied over automatically?Settings are in smb.conf, and i doubt certs config can reside on LDAP because... a cert config would be necessary to access LDAP. Classical bootstrap problem. So, i suppose, for every DC.> 3) What will happen in 700 days time when the self-certified certificate > initially created by Samba on its first execution expires? Will everything > just suddenly stop working suddenly and authentication in Redmine come > grinding to a halt? How should I remedy this?I think all is governed by 'libldap', so probably you can simply put: TLS_REQCERT never in /etc/ldap/ldap.conf (in debian based distro) and simply skip cert verification.> 2) How do I go about creating a dedicated user account that can be used with > third-party services (in this case redmine) to access AD via LDAPS to > retrieve user login credentials securely? For the avoidance of confusion > here I understand the processes used to create a basic AD account. What I am > specifically interested in is the particular combination of privileges or > permissions i would need to set on a basic account to allow LDAPS access > using this account. I believe I will need to create such an account to use > with redmine since I have read that anonymous LDAPS access is not possible > with AD.Good point. I've looked also i for some hint, but lead to nothing. For now, i've created a specific OU for that users, create a group and remove 'Domain Users' group for that users; also, i've no rfc2307 data for that user. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
> Good point. I've looked also i for some hint, but lead to nothing. > > For now, i've created a specific OU for that users, create a group and > remove 'Domain Users' group for that users; also, i've no rfc2307 data > for that user.Marco, I found the following post that describes how to delegate access to LDAP via ADUC for a new user. Not tried it yet - but it sounds promising. https://social.technet.microsoft.com/Forums/windowsserver/en-US/9c231b65-7b66-4331-baa1-7aa7a9a26050/accessing-ldap-on-active-directory
Apparently Analagous Threads
- Questions about time synchronisation in a multi-DC Samba environment
- Problems with Samba 4.5.16 - configuring a second failover AD DC and joining this to an existing domain SAMDOM
- Possible incorrect file permissions in documentation for setting up Samba with LDAP(S)?
- Problem achieving manual synchronisation of idmap.ldb and the associated User and Group ID mappings between two Samba 4 AD DCs
- Disabling password expiry for a AD service account for accessing LDAPS, and security best practices.