Stephen
2019-Apr-09 10:54 UTC
[Samba] Possible incorrect file permissions in documentation for setting up Samba with LDAP(S)?
Hi All,

This Samba release changelog (https://wiki.samba.org/index.php/Updating_Samba#Incorrect_TLS_File_Permissions) specifically mentions a security issue and that the multiple *.pem files needed for LDAP via TLS all need "special permissions" - and mentions deleting old files without the required permissions to force file renewal.

Yet in the official Samba documentation for setting up LDAPS here (https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC) it says only to set these special permissions on ONE of the generated certificate *.pem files - the private key file. Is this definitely correct? Should we not set root owner on the additional cert.pem and ca.pem too?

I ask because I wanted to flag this. It seems like a contradiction and I am concerned this might lead to insecure-by-default setups...

Thanks
Stephen Ellwood
L.P.H. van Belle
2019-Apr-09 12:14 UTC
[Samba] Possible incorrect file permissions in documentation for setting up Samba with LDAP(S)?
Hai,

Please note, this is how I set up, which is not related to the Samba wiki.

This is what I currently see on my DC; these were created in 2015 and I'm NOT using these.

/var/lib/samba/private/tls# ls -al
total 20
drwx------ 2 root root 4096 Apr 28  2015 .
drwxr-xr-x 7 root root 4096 Apr  9 13:06 ..
-rw-r--r-- 1 root root  997 Apr 28  2015 ca.pem
-rw-r--r-- 1 root root  997 Apr 28  2015 cert.pem
-rw------- 1 root root  887 Apr 28  2015 key.pem

In the above setup I would change this to:
-rw-r--r-- 1 root root  997 Apr 28  2015 ca.pem
-rw-r--r-- 1 root root  997 Apr 28  2015 cert.pem
-r--r----- 1 root root  887 Apr 28  2015 key.pem ( or 640 or 400 ).

Now, since I'm not using the above, this assumes you run your own root CA and you are not using automatically generated certs.

Which is, in an AD DC, in my personal opinion, not good; yes, it works fine if you use only 1 DC.
With multiple DCs, you should really think of setting up your own CA.

So here you go, a "possible" setup for your SSL cert if you use your own CA.

A handy tool: https://hohnstaedt.de/xca/ , which I personally use.
Difficult? Naah.. See: https://hohnstaedt.de/xca/index.php/documentation/
Or create the CA yourself with openssl. Or TinyCA, etc.; lots of options here.

My current layout.

ls -al /etc/ssl/
total 84
drwxr-xr-x   9 root root      4096 Mar 14 16:15 .
drwxr-xr-x 112 root root     12288 Apr  9 09:46 ..
drwxr-xr-x   2 root root     28672 Mar 14 16:13 certs
drwxr-x---   2 root root      4096 Mar 14 14:32 csr
-rw-r--r--   1 root root     10771 Jun  5  2017 openssl.cnf
drwx--x---   2 root ssl-cert  4096 Mar 14 16:17 private   << Note the 710 chmod here!

The files in "private" are the key files; these have 640.
The services like samba (user root) or, let's say, apache (user www-data) and squid proxy (user proxy), which are using the key files, are members of the ssl-cert group.

Now adding this in samba.

tls enabled = yes
tls keyfile = /etc/ssl/private/DC1.key.pem
tls certfile = /etc/ssl/certs/DC1.cert.pem
tls cafile = /etc/ssl/certs/ca-certificates.crt
# or define only the CAFILE needed for the DC cert and not the bundle ca-certificates.crt.
# for the bundle file, see :

Adding LDAP (client support) ldap.conf

BASE dc=your,dc=domain,dc=tld
URI ldaps://dc1.your.domain.tld ldaps://dc2.your.domain.tld

# note, I have a separated OU for my service accounts. ( OU=Srv-Acc )
# su-service stands for 'ServiceUser'-'the_service_its_used_for' so it's easy to identify.
BIND_DN = CN=su-ldap,OU=Srv-Acc,DC=your,DC=domain,DC=tld
BIND_PW = yourpass

TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow

And now you can deploy your root CA.
Open the Group Policy Management Console.
1 Select a GPO to edit, or create a new GPO to deploy the certificate.
2 Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies -> Trusted Root Certification Authorities
3 Right-click on Trusted Root Certification Authorities and select Import.
4 Click Next.
5 Select the root certificate and click Next.
6 Verify that the certificate is being placed into the Trusted Root Certification Authorities certificate store and click Next.
7 Review the settings and click Finish.

Now for all of the above, you can change/adjust the paths; you use an extra group to protect your key files.

I hope this helped a bit.

Greetz,

Louis
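As an added example (my own, not from this list post or the Samba wiki): a small POSIX shell audit that checks the ownership and mode of the key file, certificate and CA file a DC loads via "tls keyfile", "tls certfile" and "tls cafile", plus the directory holding the key, against the layout Louis describes (key 640/600/400 and owned by root, 710 on the key directory, certs world-readable but only owner-writable). The file paths are assumed to be given on the command line; the expected owner defaults to root and can be overridden, which is what lets the same functions be exercised on a test directory owned by an ordinary user.

```shell
#!/bin/sh
# tls-perm-audit.sh: constructed example, not from the Samba wiki or the
# list post. Audits the ownership and mode of the TLS files a Samba AD DC
# loads, plus the key directory, following the layout described above:
#   key file        owned by OWNER, no "other" bits, no group write bit (640/600/400)
#   cert / CA file  owned by OWNER, world-readable is fine, not group/other writable
#   key directory   owned by OWNER, no "other" bits (710, 750 or 700)
# Usage: sh tls-perm-audit.sh KEYFILE CERTFILE CAFILE [OWNER]   (OWNER defaults to root)

# Print "mode owner group" for a path; GNU stat first, BSD stat as fallback.
perm_triplet() {
    stat -c '%a %U %G' "$1" 2>/dev/null || stat -f '%Lp %Su %Sg' "$1"
}

# Core check. $1 path, $2 expected owner, $3 allowed group bits, $4 allowed
# other bits (each a mask 0-7: r=4 w=2 x=1). Prints one verdict line and
# returns 0 when the file is acceptable, 1 otherwise.
_check() {
    path=$1; want_owner=$2; grp_mask=$3; oth_mask=$4
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    set -- $(perm_triplet "$path")     # unquoted on purpose: split into mode/owner/group
    mode=$1; owner=$2
    bits=$((0$mode))                   # leading 0: parse the stat output as octal
    grp=$(( (bits >> 3) & 7 ))
    oth=$(( bits & 7 ))
    problems=""
    [ "$owner" = "$want_owner" ] || problems="$problems owner=$owner(want $want_owner)"
    [ $(( grp & ~grp_mask )) -eq 0 ] || problems="$problems group-bits=$grp"
    [ $(( oth & ~oth_mask )) -eq 0 ] || problems="$problems other-bits=$oth"
    if [ -z "$problems" ]; then
        echo "OK       $mode $owner $path"
        return 0
    fi
    echo "PROBLEM  $mode $owner $path:$problems"
    return 1
}

check_key()  { _check "$1" "${2:-root}" 4 0; }   # group may read (e.g. ssl-cert), others nothing
check_cert() { _check "$1" "${2:-root}" 4 4; }   # readable by all, writable by owner only
check_dir()  { _check "$1" "${2:-root}" 5 0; }   # group may traverse/list, others nothing

# Run every check for one DC; returns 0 only if all of them pass.
audit_tls_files() {
    key=$1; cert=$2; ca=$3; owner=${4:-root}
    rc=0
    check_dir  "$(dirname "$key")" "$owner" || rc=1
    check_key  "$key"  "$owner" || rc=1
    check_cert "$cert" "$owner" || rc=1
    check_cert "$ca"   "$owner" || rc=1
    return $rc
}

# Only audit when paths are given, so the functions can also be sourced.
if [ "$#" -ge 3 ]; then
    audit_tls_files "$@"
fi
```

Run it against the wiki's default layout with `sh tls-perm-audit.sh /var/lib/samba/private/tls/key.pem /var/lib/samba/private/tls/cert.pem /var/lib/samba/private/tls/ca.pem`, or against a layout like Louis's by passing the /etc/ssl paths; a non-zero exit means at least one file or directory is more permissive than the policy above, which makes it easy to wire into a periodic check.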
Stephen
2019-Apr-09 13:03 UTC
[Samba] Possible incorrect file permissions in documentation for setting up Samba with LDAP(S)?
Louis, it obviously took you some time to write that and it's extremely helpful.

Thanks Again
Stephen Ellwood