On 01.10.2019 14:06, Rowland penny via samba wrote:
> On 01/10/2019 12:51, Arkadiusz Karpiński wrote:
>>
>> On 30.09.2019 20:03, Rowland penny via samba wrote:
>>> On 30/09/2019 18:06, akarpinski wrote:
>>>> Samba version is 4.10.7
>>>>
>>>> smb.conf:
>>>>
>>>> # Global parameters
>>>> [global]
>>>>     netbios name = dc-1
>>>>     realm = REALM
>>>>     server role = active directory domain controller
>>>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>     workgroup = EFINITY
>>>>     dns forwarder = 192.168.X.X 192.168.X.X
>>>>     tls enabled = yes
>>>>     tls keyfile = /usr/local/samba/private/tls/server.key
>>>>     tls certfile = /usr/local/samba/private/tls/server.crt
>>>>     tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>>>
>>> I would take this up with whoever supplied your DC certificates,
>>> they do not appear to be strong enough.
>>>
>>> Also, you appear to be using Bind9 as your dns server, so you don't
>>> need the 'dns forwarder' line, these should be in your named.conf file.
>>>
>>> Rowland
>>>
>> I have an SSO certificate and I can only set RSA or ECDSA authentication
>> in the certificate; the rest depends on the client/server configuration. So
>> what do you mean that the certificates are not strong enough?
>
> You have this in your DC smb.conf:
>
>     tls keyfile = /usr/local/samba/private/tls/server.key
>     tls certfile = /usr/local/samba/private/tls/server.crt
>     tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>
> This means that you have supplied the certificates used by AD and if
> you are getting warnings about them, then you need to create
> certificates that will pass your tests.
>
But the certificate has nothing to do with ciphers. I would like to set strong ciphers between client and server, but the server must be forced to send a strong list of ciphers which will be used to communicate with the client. On samba3 that was possible in smb.conf, but it's missing in the samba4 configuration.

>> Well, at this moment I don't need 'dns forwarder' at all. Previously I
>> used dc-1/2 as my main DNS for AD clients, but now I switched back to my
>> main DNS server and there I set a dns forwarder for the domain "ad.realm" to
>> the samba DNS. So I will delete this, thx.
>>
> I would go back to what you were doing before, your clients should use
> the DC as their nameserver.
>
> Rowland
>
>> Arek

-- 
Arkadiusz Karpiński
Efinity Sp. z o.o.
02-672 Warszawa, ul. Domaniewska 42
t: +48 22 380 13 88
m: +48 793 783 343
f: +48 22 380 16 76

Company entered in the register of entrepreneurs kept by the District Court for the Capital City of Warsaw, 13th Commercial Division of the National Court Register, under KRS number 0000073606, NIP 521-31-76-978, share capital: 51 500,00 PLN.

The content of this message is confidential and legally protected. Only its addressee may receive it, to the exclusion of third parties. If you are not the addressee of this message, disseminating, copying, distributing it or any similar action is legally prohibited and may be punishable. If this message is addressed to Efinity's clients, any opinion or advice contained in it is subject to the relevant terms of the service agreement between Efinity and the client.
On 01/10/2019 13:52, Arkadiusz Karpiński via samba wrote:
> On 01.10.2019 14:06, Rowland penny via samba wrote:
>> You have this in your DC smb.conf:
>>
>>     tls keyfile = /usr/local/samba/private/tls/server.key
>>     tls certfile = /usr/local/samba/private/tls/server.crt
>>     tls cafile = /etc/pki/ca-trust/source/anchors/efinity-CA.crt
>>
>> This means that you have supplied the certificates used by AD and if
>> you are getting warnings about them, then you need to create
>> certificates that will pass your tests.
>>
> But the certificate has nothing to do with ciphers. I would like to set
> strong ciphers between client and server, but the server must be forced to send
> a strong list of ciphers which will be used to communicate with the client. On
> samba3 that was possible in smb.conf, but it's missing in the samba4
> configuration.

Samba3 != Samba4 running as a DC. If you want stronger ciphers between your clients and the DC, then the certificate that you are supplying to your clients from the DC must be as strong as you require.

Rowland
On 10/1/19 8:52 AM, Arkadiusz Karpiński via samba wrote:
> But the certificate has nothing to do with ciphers. I would like to set
> strong ciphers between client and server, but the server must be forced to send
> a strong list of ciphers which will be used to communicate with the client. On
> samba3 that was possible in smb.conf, but it's missing in the samba4
> configuration.

Look at the "tls priority" Samba setting; it points to GnuTLS priority strings, which have options to specify the ciphers.

https://gnutls.org/manual/html_node/Priority-Strings.html
You're looking for something like this, I think?

Enable TLS1.2 (and, if supported, TLS1.3) and allow AES128 and AES256.

tls priority = SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:-VERS-DTLS1.1

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Robert Marcano via samba
> Sent: Tuesday, 1 October 2019 17:28
> To: samba at lists.samba.org
> Subject: Re: [Samba] Change ciphers on samba
>
> On 10/1/19 8:52 AM, Arkadiusz Karpiński via samba wrote:
> > But the certificate has nothing to do with ciphers. I would like to set
> > strong ciphers between client and server, but the server must be forced
> > to send a strong list of ciphers which will be used to communicate with
> > the client. On samba3 that was possible in smb.conf, but it's missing in
> > the samba4 configuration.
>
> Look at the "tls priority" Samba setting; it points to GnuTLS priority
> strings, which have options to specify the ciphers.
>
> https://gnutls.org/manual/html_node/Priority-Strings.html
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Perfect! Robert, Louis, thank you.

BTW, DTLS1.1 doesn't exist, so with a small fix it should be:

tls priority = SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0

Arek

On 01.10.2019 17:45, L.P.H. van Belle via samba wrote:
> You're looking for something like this, I think?
>
> Enable TLS1.2 (and, if supported, TLS1.3) and allow AES128 and AES256.
> tls priority = SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-DTLS1.0:-VERS-DTLS1.1
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Robert Marcano via samba
>> Sent: Tuesday, 1 October 2019 17:28
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Change ciphers on samba
>>
>> Look at the "tls priority" Samba setting; it points to GnuTLS priority
>> strings, which have options to specify the ciphers.
>>
>> https://gnutls.org/manual/html_node/Priority-Strings.html
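The thread ends with two candidate `tls priority` strings, one of which contains a keyword GnuTLS does not define (`VERS-DTLS1.1`). Below is a small offline checker for such strings, added here as an example; it is not Samba or GnuTLS code and was not posted by anyone in the thread. It splits the string the way GnuTLS reads it, validates every `VERS-*` keyword against the protocol versions GnuTLS actually defines, applies the `+`/`-`/`!` modifiers, and reports which versions remain enabled, so the typo is caught before the DC is restarted with a string GnuTLS will reject. The baseline version set assumed for `NORMAL`/`SECURE*` (`BASELINE`), the contents of the `VERS-*-ALL` groups, and the strict rule that every keyword after the first needs a modifier are assumptions about current GnuTLS releases; cipher, MAC and key-exchange keywords are passed through unmodelled.

```python
"""Offline sanity check for a GnuTLS priority string, as used by Samba's
`tls priority` smb.conf parameter.

Added example for this thread; it is not Samba or GnuTLS code. It models only
the protocol-version keywords (VERS-*): which ones GnuTLS defines, how the
'+', '-' and '!' modifiers apply, and which versions are left enabled. The
set of versions enabled by NORMAL/SECURE*/etc. (BASELINE) is an assumption
about current GnuTLS releases; cipher, MAC and key-exchange keywords are
passed through unmodelled.
"""
from dataclasses import dataclass, field

# Protocol-version keywords GnuTLS defines. There is no VERS-DTLS1.1, which
# is the typo caught in the thread.
KNOWN_VERSIONS = {
    "VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1", "VERS-TLS1.2", "VERS-TLS1.3",
    "VERS-DTLS0.9", "VERS-DTLS1.0", "VERS-DTLS1.2",
}
# Group keywords; the exact membership is an approximation of GnuTLS's own.
VERSION_GROUPS = {
    "VERS-ALL": set(KNOWN_VERSIONS),
    "VERS-TLS-ALL": {v for v in KNOWN_VERSIONS if v.startswith("VERS-TLS")},
    "VERS-DTLS-ALL": {v for v in KNOWN_VERSIONS if v.startswith("VERS-DTLS")},
}
# Keywords a priority string may start with.
INITIAL_KEYWORDS = {"NORMAL", "SECURE128", "SECURE192", "SECURE256", "PERFORMANCE",
                    "PFS", "LEGACY", "SUITEB128", "SUITEB192", "NONE"}
# Assumed: versions a modern GnuTLS enables for any initial keyword other than
# NONE (SSL 3.0 is off by default and would have to be added explicitly).
BASELINE = {"VERS-TLS1.0", "VERS-TLS1.1", "VERS-TLS1.2", "VERS-TLS1.3",
            "VERS-DTLS1.0", "VERS-DTLS1.2"}
# Versions a DC should no longer offer to LDAPS clients.
LEGACY_VERSIONS = {"VERS-SSL3.0", "VERS-TLS1.0", "VERS-TLS1.1"}

# The two strings posted in the thread: Louis's original and Arek's fix.
THREAD_PRIORITY_WITH_TYPO = ("SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:"
                             "-VERS-TLS1.1:-VERS-DTLS1.0:-VERS-DTLS1.1")
THREAD_PRIORITY_FIXED = ("SECURE256:+SECURE128:-VERS-SSL3.0:-VERS-TLS1.0:"
                         "-VERS-TLS1.1:-VERS-DTLS1.0")


@dataclass
class PriorityReport:
    enabled_versions: set
    unknown_keywords: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        """GnuTLS rejects the whole string on an unknown keyword, so that is a
        hard failure; warnings are advisory."""
        return not self.unknown_keywords


def evaluate_priority(priority: str) -> PriorityReport:
    tokens = [t for t in priority.strip().split(":") if t]
    if not tokens or tokens[0] not in INITIAL_KEYWORDS:
        raise ValueError("priority string must start with an initial keyword "
                         f"such as NORMAL or SECURE256, got {tokens[:1]!r}")
    enabled = set() if tokens[0] == "NONE" else set(BASELINE)
    report = PriorityReport(enabled_versions=enabled)

    for tok in tokens[1:]:
        if tok.startswith("%"):            # option flags such as %SERVER_PRECEDENCE
            continue
        if tok[0] not in "+-!":            # assumed: a modifier is required here
            report.unknown_keywords.append(tok)
            continue
        add, name = tok[0] == "+", tok[1:]
        if name in INITIAL_KEYWORDS:       # e.g. "+SECURE128" layered on SECURE256
            if add and name != "NONE":
                enabled |= BASELINE
            continue
        if not name.startswith("VERS-"):   # cipher/MAC/KX/SIGN keywords: not modelled
            continue
        versions = VERSION_GROUPS.get(name)
        if versions is None:
            if name not in KNOWN_VERSIONS:
                report.unknown_keywords.append(tok)
                continue
            versions = {name}
        if add:
            enabled |= versions
        else:
            enabled -= versions

    for v in sorted(enabled & LEGACY_VERSIONS):
        report.warnings.append(f"{v} is still enabled")
    if not enabled:
        report.warnings.append("no protocol version enabled; every handshake would fail")
    return report


if __name__ == "__main__":
    for label, s in (("posted", THREAD_PRIORITY_WITH_TYPO), ("fixed", THREAD_PRIORITY_FIXED)):
        r = evaluate_priority(s)
        print(f"{label}: ok={r.ok} unknown={r.unknown_keywords} "
              f"enabled={sorted(r.enabled_versions)} warnings={r.warnings}")
```

Run against the posted string the report flags `-VERS-DTLS1.1` as unknown; against Arek's fixed string it reports TLS 1.2, TLS 1.3 and DTLS 1.2 as the remaining versions with no warnings, which is the outcome the thread was after. The checker also shows the allow-list style (`NORMAL:-VERS-ALL:+VERS-TLS1.2:+VERS-TLS1.3`) reaching the same TLS-only result with fewer keywords. The authoritative check remains `gnutls-cli --list --priority '<string>'` on the DC itself, which prints exactly the protocols and ciphersuites the string resolves to in the installed GnuTLS version; since LDAPS for every client depends on the string being accepted, run that before restarting the DC.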