Hi everyone, I have a basic SAMBA setup with a main AD DC ad1 and a backup AD DC ad2, running on Samba 4.5.16-Debian on Raspbian. I would now like to enable LDAPS so my users can authenticate in other non Samba services using Active Directory. From reading the documentation here: https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC I understand that for the most basic LDAPS setup using the pre-existing self-signed certificate I need only add the following lines to my smb.conf to enable this: tls enabled = yes tls keyfile = tls/key.pem tls certfile = tls/cert.pem tls cafile = tls/ca.pem My questions related to this are: 1) Since I have a dual DC setup do I need to manually enable tls for LDAPS separately on the secondary DC, or will this be automatically detected from the primary and the settings copied over automatically? 2) How do I go about creating a dedicated user account that can be used with third-party services (in this case redmine) to access AD via LDAPS to retrieve user login credentials securely? For the avoidance of confusion here I understand the processes used to create a basic AD account. What I am specifically interested in is the particular combination of privileges or permissions i would need to set on a basic account to allow LDAPS access using this account. I believe I will need to create such an account to use with redmine since I have read that anonymous LDAPS access is not possible with AD. 3) What will happen in 700 days time when the self-certified certificate initially created by Samba on its first execution expires? Will everything just suddenly stop working suddenly and authentication in Redmine come grinding to a halt? How should I remedy this? Thanks Stephen Ellwood
On Fri, 5 Apr 2019 12:13:46 +0100 Stephen via samba <samba at lists.samba.org> wrote:> Hi everyone, I have a basic SAMBA setup with a main AD DC ad1 and a > backup AD DC ad2, running on Samba 4.5.16-Debian on Raspbian. > > I would now like to enable LDAPS so my users can authenticate in > other non Samba services using Active Directory.Have you considered kerberos, this is even more secure than ldaps. Rowland
If you dont want to juse the selfsigned certs. I can recommend: https://hohnstaedt.de/xca/ Setup you own CA root. Setup the certificates for the servers and deploy the Root Cert. Now its in you hand then things expire. Or https://lists.samba.org/archive/samba/2019-January/220463.html I've not tested that yet but its high on my list to test. Greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > Stephen via samba > Verzonden: vrijdag 5 april 2019 13:14 > Aan: samba at lists.samba.org > Onderwerp: [Samba] Enabling LDAPS in Samba in a dual-DC setup > > Hi everyone, I have a basic SAMBA setup with a main AD DC ad1 and a > backup AD DC ad2, running on Samba 4.5.16-Debian on Raspbian. > > I would now like to enable LDAPS so my users can authenticate > in other > non Samba services using Active Directory. From reading the > documentation here: > https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LD > APS)_on_a_Samba_AD_DC > I understand that for the most basic LDAPS setup using the > pre-existing > self-signed certificate I need only add the following lines to my > smb.conf to enable this: > > tls enabled = yes > tls keyfile = tls/key.pem > tls certfile = tls/cert.pem > tls cafile = tls/ca.pem > > My questions related to this are: > > 1) Since I have a dual DC setup do I need to manually enable tls for > LDAPS separately on the secondary DC, or will this be automatically > detected from the primary and the settings copied over automatically? > > 2) How do I go about creating a dedicated user account that > can be used > with third-party services (in this case redmine) to access AD > via LDAPS > to retrieve user login credentials securely? For the avoidance of > confusion here I understand the processes used to create a basic AD > account. What I am specifically interested in is the particular > combination of privileges or permissions i would need to set > on a basic > account to allow LDAPS access using this account. I believe I > will need > to create such an account to use with redmine since I have read that > anonymous LDAPS access is not possible with AD. > > 3) What will happen in 700 days time when the self-certified > certificate > initially created by Samba on its first execution expires? Will > everything just suddenly stop working suddenly and authentication in > Redmine come grinding to a halt? How should I remedy this? > > Thanks > Stephen Ellwood > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
And i just noticed that dehydrated is available in stretch. apt-cache policy dehydrated dehydrated: Installed: (none) Candidate: 0.3.1-3+deb9u2 Version table: 0.3.1-3+deb9u2 500 500 http://ftp.nl.debian.org/debian stretch/main amd64 Packages> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > L.P.H. van Belle via samba > Verzonden: vrijdag 5 april 2019 13:53 > Aan: samba at lists.samba.org > Onderwerp: Re: [Samba] Enabling LDAPS in Samba in a dual-DC setup > > If you dont want to juse the selfsigned certs. > > I can recommend: > https://hohnstaedt.de/xca/ > > Setup you own CA root. > Setup the certificates for the servers and deploy the Root Cert. > > Now its in you hand then things expire. > > Or > https://lists.samba.org/archive/samba/2019-January/220463.html > I've not tested that yet but its high on my list to test. > > > Greetz, > > Louis > > > > -----Oorspronkelijk bericht----- > > Van: samba [mailto:samba-bounces at lists.samba.org] Namens > > Stephen via samba > > Verzonden: vrijdag 5 april 2019 13:14 > > Aan: samba at lists.samba.org > > Onderwerp: [Samba] Enabling LDAPS in Samba in a dual-DC setup > > > > Hi everyone, I have a basic SAMBA setup with a main AD DC ad1 and a > > backup AD DC ad2, running on Samba 4.5.16-Debian on Raspbian. > > > > I would now like to enable LDAPS so my users can authenticate > > in other > > non Samba services using Active Directory. From reading the > > documentation here: > > https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LD > > APS)_on_a_Samba_AD_DC > > I understand that for the most basic LDAPS setup using the > > pre-existing > > self-signed certificate I need only add the following lines to my > > smb.conf to enable this: > > > > tls enabled = yes > > tls keyfile = tls/key.pem > > tls certfile = tls/cert.pem > > tls cafile = tls/ca.pem > > > > My questions related to this are: > > > > 1) Since I have a dual DC setup do I need to manually > enable tls for > > LDAPS separately on the secondary DC, or will this be automatically > > detected from the primary and the settings copied over > automatically? > > > > 2) How do I go about creating a dedicated user account that > > can be used > > with third-party services (in this case redmine) to access AD > > via LDAPS > > to retrieve user login credentials securely? For the avoidance of > > confusion here I understand the processes used to create a basic AD > > account. What I am specifically interested in is the particular > > combination of privileges or permissions i would need to set > > on a basic > > account to allow LDAPS access using this account. I believe I > > will need > > to create such an account to use with redmine since I have > read that > > anonymous LDAPS access is not possible with AD. > > > > 3) What will happen in 700 days time when the self-certified > > certificate > > initially created by Samba on its first execution expires? Will > > everything just suddenly stop working suddenly and > authentication in > > Redmine come grinding to a halt? How should I remedy this? > > > > Thanks > > Stephen Ellwood > > > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba > > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba > >
Hi Rowland. I hear you about the security issues around LDAP. Unfortunately Redmine is stuck with only LDAP and LDAPS support for now - see here. It is an evantual goal for the project to add Kerberos (for ten years now...). Only dubious looking third-party plugins with limited adoption are available at present to enable Kerberos within Redmine and I am loathe to rely upon such implementations. Thanks Stephen
Mandi! Stephen via samba In chel di` si favelave... AFAIK.> 1) Since I have a dual DC setup do I need to manually enable tls for LDAPS > separately on the secondary DC, or will this be automatically detected from > the primary and the settings copied over automatically?Settings are in smb.conf, and i doubt certs config can reside on LDAP because... a cert config would be necessary to access LDAP. Classical bootstrap problem. So, i suppose, for every DC.> 3) What will happen in 700 days time when the self-certified certificate > initially created by Samba on its first execution expires? Will everything > just suddenly stop working suddenly and authentication in Redmine come > grinding to a halt? How should I remedy this?I think all is governed by 'libldap', so probably you can simply put: TLS_REQCERT never in /etc/ldap/ldap.conf (in debian based distro) and simply skip cert verification.> 2) How do I go about creating a dedicated user account that can be used with > third-party services (in this case redmine) to access AD via LDAPS to > retrieve user login credentials securely? For the avoidance of confusion > here I understand the processes used to create a basic AD account. What I am > specifically interested in is the particular combination of privileges or > permissions i would need to set on a basic account to allow LDAPS access > using this account. I believe I will need to create such an account to use > with redmine since I have read that anonymous LDAPS access is not possible > with AD.Good point. I've looked also i for some hint, but lead to nothing. For now, i've created a specific OU for that users, create a group and remove 'Domain Users' group for that users; also, i've no rfc2307 data for that user. -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
> Good point. I've looked also i for some hint, but lead to nothing. > > For now, i've created a specific OU for that users, create a group and > remove 'Domain Users' group for that users; also, i've no rfc2307 data > for that user.Marco, I found the following post that describes how to delegate access to LDAP via ADUC for a new user. Not tried it yet - but it sounds promising. https://social.technet.microsoft.com/Forums/windowsserver/en-US/9c231b65-7b66-4331-baa1-7aa7a9a26050/accessing-ldap-on-active-directory