I am currently NOT using SSL on my Samba domain.

While reading "Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC" and thinking about implementing, I'm having trouble "getting my head" around what certificates go where.

Simply put, I am not clear as to generating certificates on the clients and then copying which files to the server, or vice versa?

What happens when certificates expire?

Perhaps I could be directed to an article or other information that may help me understand?

Thank you.

Bob Wooden
On 01/09/2019 16:41, Robert Wooden via samba wrote:
> I am currently NOT using SSL on my Samba domain.
>
> While reading "Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC" and
> thinking about implementing, I'm having trouble "getting my head" around
> what certificates go where.
>
> Simply put, I am not clear as to generating certificates on the clients and
> then copying which files to the server, or vice versa?
>
> What happens when certificates expire?
>
> Perhaps I could be directed to an article or other information that may
> help me understand?

Why do you need to use SSL? Kerberos is more secure, so what are you thinking of the certificates for?

Rowland
On 01/09/2019 17:22, Robert Wooden wrote:
> I am attempting to join a FreeNAS member to the domain. It complained
> about kerberos and also mentioned SSL so, I'm digging for answers.
>
> By your question, looks to me like kerberos is my main problem and
> once solved the SSL issue will not matter.
>
> (That's where the FreeNAS documents and troubleshooting keep pushing
> me . . . back to kerberos.)

The problem is (if it is a problem) kerberos == authentication and SSL == encryption, i.e. they are different things.

Can you post the smb.conf from the freenas machine and the version of Samba it uses.

Rowland
On 01/09/2019 17:29, Rowland penny via samba wrote:
> On 01/09/2019 17:22, Robert Wooden wrote:
>> I am attempting to join a FreeNAS member to the domain. It complained
>> about kerberos and also mentioned SSL so, I'm digging for answers.
>>
>> By your question, looks to me like kerberos is my main problem and
>> once solved the SSL issue will not matter.
>>
>> (That's where the FreeNAS documents and troubleshooting keep pushing
>> me . . . back to kerberos.)
>
> The problem is (if it is a problem) kerberos == authentication and SSL
> == encryption, i.e. they are different things.
>
> Can you post the smb.conf from the freenas machine and the version of
> Samba it uses.
>
> Rowland

Answering myself:

It is Samba 4.9.9 and the smb.conf is full of unnecessary parameters. It isn't very intuitive to use and if you do not set up the certificates, you get:

    {'desc': 'Strong(er) authentication required', 'info': 'BindSimple: Transport encryption required.'}

I haven't found realmd installed (this doesn't mean it isn't, I just cannot find it), but sssd is, but isn't in use. Because realmd isn't installed, this must mean that 'net ads join' is being used to join the AD domain, so why not use kerberos to do the join?

A quick read of the Freenas forum finds that they do use 'net ads join' with kerberos, so why do they need the certificates? Do you want to ask them, or shall I?

Rowland
On 01/09/2019 21:37, Robert Wooden wrote:
> No, thanks anyway, Rowland.
>
> There are some FreeNAS posted command line tests that need to work
> (pushing me back to kerberos) that are part of their troubleshooting.
> Once I get that right, if I need to, I'll be back here with questions.

Where can I find the tests?

I get the feeling that I could just alter smb4.conf to what I think it should be, kinit as Administrator and then run 'net ads join -k', but would the freenas web GUI be in sync?

Rowland
On 01/09/2019 21:46, Rowland penny via samba wrote:
> On 01/09/2019 21:37, Robert Wooden wrote:
>> No, thanks anyway, Rowland.
>>
>> There are some FreeNAS posted command line tests that need to work
>> (pushing me back to kerberos) that are part of their troubleshooting.
>> Once I get that right, if I need to, I'll be back here with questions.
>
> Where can I find the tests?
>
> I get the feeling that I could just alter smb4.conf to what I think it
> should be, kinit as Administrator and then run 'net ads join -k', but
> would the freenas web GUI be in sync?
>
> Rowland

OK, I have figured this out and you do not need a certificate ;-)

Log into the Freenas web gui as root. I used the winbind 'ad' backend, but you could probably use the 'rid' backend instead.

Services -> SMB -> Configure
  Workgroup: SAMDOM
  Local Master: NO
  Domain Logons: NO
  Time server For Domain: NO
  UNIX Extensions: YES
  Zeroconf share discovery: YES
  Hostnames Lookups: YES
  Allow Execute Always: YES
  Obey Pam Restrictions: YES
  Range Low: 3000
  Range High: 7999
  NOTE: the above range is for the default (*) domain
Click 'SAVE'

Directory Services -> Active Directory -> ADVANCED MODE
Click 'EDIT IDMAP' and set the DOMAIN range before doing anything else
  Range Low: 10000
  Range High: 999999
  Schema mode: rfc2307
Click 'SAVE'

Active Directory -> ADVANCED MODE
  Domain Name: samdom.example.com
  Domain Account Name: Administrator
  Domain Account Password: xxxxxxxxxx
  Encryption Mode: Off
  Certificate: NONE
  UNIX extensions: YES
  Use Default Domain: YES
  Allow DNS updates: YES   # not sure about this, but set it anyway
  Disable Freenas updates: YES
  Site Name: Default-First-Site-Name
  Kerberos Realm: SAMDOM.EXAMPLE.COM
  Idmap backend: ad
  Winbind NSS info: rfc2307
  Enable
Click 'SAVE' and you should join the domain

Rowland
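The smb.conf lines behind the GUI settings Rowland lists, a sanity check on the two idmap ranges, and the Kerberos join he mentions, as an added example that is not part of the thread, of FreeNAS or of Samba. The workgroup, realm, ranges and the Administrator account are the thread's values; the CONF path and the DO_JOIN switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread, FreeNAS or Samba: the smb.conf behind
# the FreeNAS GUI settings, a check that the idmap ranges do not collide,
# and the Kerberos-based join. CONF and DO_JOIN are assumptions for this example.
set -u

# Print a member-server [global] section.
# Arguments: workgroup realm "default-range" "domain-range"
member_smb_conf() {
    workgroup=$1; realm=$2; star_range=$3; dom_range=$4
    cat <<EOF
[global]
   workgroup = $workgroup
   realm = $realm
   security = ADS
   # The default (*) domain holds BUILTIN and any other non-domain SIDs;
   # its range must not overlap any domain range.
   idmap config * : backend = tdb
   idmap config * : range = $star_range
   # The AD domain: take uidNumber/gidNumber from the directory (RFC2307),
   # which is what "Idmap backend: ad" plus "Schema mode: rfc2307" select.
   idmap config $workgroup : backend = ad
   idmap config $workgroup : schema_mode = rfc2307
   idmap config $workgroup : range = $dom_range
   winbind nss info = rfc2307
   winbind use default domain = yes
   winbind refresh tickets = yes
EOF
}

# Return 0 if both "low-high" ranges are well formed and disjoint.
# Overlapping ranges make SID-to-ID mapping ambiguous, so check before joining.
ranges_ok() {
    a_lo=${1%-*}; a_hi=${1#*-}
    b_lo=${2%-*}; b_hi=${2#*-}
    [ "$a_lo" -lt "$a_hi" ] || return 1
    [ "$b_lo" -lt "$b_hi" ] || return 1
    # Disjoint only if one range ends before the other starts.
    if [ "$a_hi" -lt "$b_lo" ] || [ "$b_hi" -lt "$a_lo" ]; then
        return 0
    fi
    return 1
}

STAR_RANGE=3000-7999
DOM_RANGE=10000-999999
# A real member writes /usr/local/etc/smb4.conf (FreeNAS) or /etc/samba/smb.conf;
# a temp file is used here so the example runs anywhere.
CONF=${CONF:-$(mktemp)}

if ranges_ok "$STAR_RANGE" "$DOM_RANGE"; then
    member_smb_conf SAMDOM SAMDOM.EXAMPLE.COM "$STAR_RANGE" "$DOM_RANGE" > "$CONF"
else
    echo "idmap ranges $STAR_RANGE and $DOM_RANGE overlap or are malformed" >&2
fi

# Syntax-check the result if Samba is installed on this box.
command -v testparm >/dev/null 2>&1 && testparm -s "$CONF" >/dev/null

# The join needs a reachable DC, so it only runs when DO_JOIN=yes:
# get a ticket as a domain admin, join with that ticket (-k), then verify.
if [ "${DO_JOIN:-no}" = yes ]; then
    kinit Administrator
    net -s "$CONF" ads join -k
    net -s "$CONF" ads testjoin
    wbinfo -u      # domain users should now resolve, with IDs taken from DOM_RANGE
fi
```

No certificate appears anywhere in this path: the join and every later authentication ride on the Kerberos ticket, which is the point Rowland makes above. The only things worth getting right before the join are the two ranges and `security = ADS`.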
> A quick read of the Freenas forum finds that they do use 'net ads join'
> with kerberos, so why do they need the certificates? Do you want to ask
> them, or shall I?

Smb.conf: ldap server require strong auth

If you set: allow_sasl_over_tls

You need certs for the TLS. If you want to use the samba AD-DC certs, in a ONE DC setup you most probably have a self-generated certificate. Then you can use the root CA from samba (found in /var/lib/samba/private/tls).

But remember: CVE-2016-2112 (samba)

Behavior changes
===============

Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the default of "client ldap sasl wrapping = sign". Even with "client ldap sasl wrapping = plain" they will automatically upgrade to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP server.

Therefore I say, set up SSL certificates or use the self-generated ones (and be MITM vulnerable).

Therefore I say, always set up your certificates, in the long run it will help you out.

I use XCA: https://hohnstaedt.de/xca/

Greetz,

Louis