samba + start tls

hi people, I have problems with the samba option "ldap ssl = start tls".
Where does samba look for the public key server certificate? Because when I try
this option, I can't connect to samba shares, and I think it is because
samba can't find the public key certificate to use.
Salu2
No.1
Wed, Sep 13, 2006 at 11:09:17AM -0300, aza zel wrote:
> hi people, i have problems with samba option "ldap ssl= start tls".
> where samba looks public key server certificate?, because when i try with
> this option, i cant connect to samba shares, and i think is because the
> samba cant found the public key certificate to use.
IMHO, see ldap.conf(5) for the default functions of openldap.
/swp
No.2
09/13/2006 11:09 AM, aza zel wrote:
> hi people, i have problems with samba option "ldap ssl= start tls".
> where samba looks public key server certificate?, because when i try with
> this option, i cant connect to samba shares, and i think is because the
> samba cant found the public key certificate to use.
The correct option is "start_tls", but it is the default
option, you don't need to set this up. And the key server is not
related to Samba; this option just tells samba to use SSL when
talking with the LDAP server.
Salu2
Kind regards,
- --
Felipe Augusto van de Wiel <felipe (AT) paranacidade (DOT) org.br>
Coordenadoria de Tecnologia da Io (CTI) - SEDU/PARANACIDADE
Phone: (+55 41 3350 3300)
No.3
Fri, Sep 15, 2006 at 11:34:04AM -0300, Felipe Augusto van de Wiel wrote:
> The correct option is "start_tls", but it is the default
> option, you don't need to setup this. And the key server is not
> related with Samba, this option just tells samba to use SSL when
> talking with the LDAP server.
I have winbind working nicely with AD here. It took a while to figure out
but now AD user accounts can ssh into my Linux boxen reliably, which is really all
I needed; just ssh access. But I want to make sure all the LDAP traffic is
secured via TLS/SSL.
On my network, if I run nmap on the Win2K AD server I see that port 636 is open.
So I generated a cert file on the Win2K server and converted it to a PEM
file (using openssl on Linux) and placed it in /etc/openldap/cacerts and made sure
it was world readable. My ldap.conf file looks like this:
#
BASE dc=cinteractive, dc=com
URI
debug 256
logdir /var/log/ldap.errors
host BATTU
base BINTERACTIVE.CM
ssl yes
TLS_CACERT /etc/openldap/cacerts/battu.pem
pam_password md5
#
The ldap log file I set up is empty. Nothing ever gets written to it.
Every time I su to root on the Linux servers I see:
TLS certificate verification: Error, unable to get local issuer certificate
TLS: can't connect.
I'm not looking to run slapd on this server. LDAP and winbind are used only
to allow users to login via ssh with their AD credentials.
No.4
09/15/2006 12:24 PM, Matt Herzog wrote:
Fri, Sep 15, 2006 at 11:34:04AM -0300, Felipe Augusto van de Wiel wrote:
>>The correct option is "start_tls", but it is the default
>>option, you don't need to setup this. And the key server is not
>>related with Samba, this option just tells samba to use SSL when
>>talking with the LDAP server.
> I have winbind working nicely with AD here. It took a while to
> figure out but now AD user accounts can ssh into my Linux boxen
> reliably, which is really all I needed; just ssh access. But I
> want to make sure all the LDAP traffic is secured via TLS/SSL.
, but this is not Samba's part of the job. :)
If Samba is not talking with your LDAP server, then this
parameter has no effect. You should do the TLS/SSL configurations
on your LDAP server. And you should use kerberos to have real
security in your smb network.
> my network if I run nmap on the Win2K AD server I see that
> port 636 is open. So I generated a cert file on the Win2K
> server and converted it to a PEM file (using openssl on Linux)
> and placed it in /etc/openldap/cacerts and made sure
> it was world readable. My ldap.conf file looks like this:
If it is a PEM with a private certificate, it shouldn't be
world readable.
> #
> BASE dc=cinteractive, dc=com
> URI
> debug 256
> logdir /var/log/ldap.errors
> host BATTU
> base BINTERACTIVE.CM
> ssl yes
> TLS_CACERT /etc/openldap/cacerts/battu.pem
> pam_password md5
> #
> The ldap log file I set up is empty. Nothing ever gets written to it.
Increase the log level on slapd.conf.
> Every time I su to root on the Linux servers I see:
> TLS certificate verification: Error, unable to get local issuer certificate
> TLS: can't connect.
> I'm not looking to run slapd on this server. LDAP and winbind are used only
> to allow users to login via ssh with their AD credentials.
, it is a configuration of libldap and other software
that will use resources to query LDAP server. But AIUI you are
not using Samba to query LDAP, you are using winbind to do that,
and then, your question is a little bit off-topic here. ;)
Kind regards,
- --
Felipe Augusto van de Wiel <felipe (AT) paranacidade (DOT) org.br>
Coordenadoria de Tecnologia da Io (CTI) - SEDU/PARANACIDADE
Phone: (+55 41 3350 3300)
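The "unable to get local issuer certificate" error quoted above means libldap could not find, in the TLS_CACERT file, the certificate of the CA that issued the AD server's certificate (converting the server's own leaf certificate is not enough unless it is self-signed). The script below is an added example, not code from the thread: it reads an ldap.conf-style file, checks that the TLS_CACERT file exists and holds a PEM certificate, and flags the permission problem raised above, a file that also carries a private key while being readable by others. All paths and file contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the TLS_CACERT named in an
# ldap.conf-style file. Constructed paths and contents; no real certificate.
set -u
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed ldap.conf modelled on the one posted above.
cat > "$WORK/ldap.conf" <<EOF
BASE dc=example,dc=com
URI ldap://battu.example.com
TLS_CACERT $WORK/battu.pem
TLS_REQCERT demand
EOF
# Constructed stand-in for the PEM CA bundle (not a parsable certificate).
printf -- '-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n' \
    > "$WORK/battu.pem"
chmod 0644 "$WORK/battu.pem"   # a CA certificate is public; 0644 is fine

# check_cacert CONF
#   0: ok   1: no TLS_CACERT or file unreadable   2: no PEM certificate in it
#   3: file also holds a private key and is readable by "other"
check_cacert() {
    conf=$1
    pem=$(awk 'toupper($1)=="TLS_CACERT" {print $2; exit}' "$conf")
    [ -n "$pem" ] && [ -r "$pem" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || return 2
    if grep -q -- 'PRIVATE KEY-----' "$pem"; then
        other=$(ls -ld "$pem" | cut -c8-10)   # rwx bits for "other"
        [ "$other" = "---" ] || return 3
    fi
    return 0
}

# The real test of the CA file is against the server's certificate, e.g.
#   openssl verify -CAfile /etc/openldap/cacerts/battu.pem server.pem
# which reports the same "unable to get local issuer certificate" when the
# issuing CA is missing from the file.
check_cacert "$WORK/ldap.conf" && echo "TLS_CACERT check passed"
```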
No.5
Fri, Sep 15, 2006 at 04:32:13PM -0300, Felipe Augusto van de Wiel wrote:
>> I have winbind working nicely with AD here. It took a while to
>> figure out but now AD user accounts can ssh into my Linux boxen
>> reliably, which is really all I needed; just ssh access. But I
>> want to make sure all the LDAP traffic is secured via TLS/SSL.
> , but this is not Samba part of the job. :)
> If Samba is not talking with your LDAP server, then this
> parameter has no effect. You should do the TLS/SSL configurations
> on your LDAP server. And you should use kerberos to have real
> security in your smb network.
There is no pure LDAP server. There is only the Win2K server that does
Microsoft's AD which (unless I am mistaken) is part LDAP, part Kerberos and part SMB.
The Kerberos part works fine. The ssh logins through AD work fine. The
problem is that I'm connected on port
[root@province ~]# net ads info
LDAP server: 198.78.123.2
LDAP server name: battu
Realm: BINTERACTIVE.CM
Bind Path: dc=BINTERACTIVE,dc=CM
LDAP port: 389
Server time: Fri, 15 Sep 2006 15:53:49 GMT
KDC server: 198.78.123.2
Server time offset: 97
> If it is a PEM with private certificate, shouldn't be
> world readable.
K, so what should the perms be? 0400?
> , it is a configuration of libldap and other software
> that will use resources to query LDAP server. But AIUI you are
> not using Samba to query LDAP, you are using winbind to do that,
> and then, your question is a little bit off-topic here. ;)
Yes. I suppose you are right. I need to subscribe to an LDAP list as well.
No.6
Hello again.
I'm hoping there is some way I can restrict ssh login through the AD to my
Linux servers. I only have one group of users on the domain that needs ssh access.
So far I see lots of ways to add or map or join Linux to Windows groups but
I would rather be able to say:
"no" to all AD users and groups
and
"yes" to all users in the specific AD group named "developers"
Is there some way to specify just one AD valid group for ssh access?
Thanks.
-- Matt
No.7
Yes,
as AD groups are mapped into your Linux box and you can list this
group with getent passwd, you can define AllowGroups in your
sshd_conf, specifying your developers group.
9/15/06, Matt Herzog <msh (AT) blisses (DOT) org> wrote:
> Hello again.
> I'm hoping there is some way I can restrict ssh login through the AD to my
> Linux servers. I only have one group of users on the domain that needs ssh access.
> So far I see lots of ways to add or map or join Linux to Windows groups but
> I would rather be able to say:
> "no" to all AD users and groups
> and
> "yes" to all users in the specific AD group named "developers"
> Is there some way to specify just one AD valid group for ssh access?
> Thanks.
> -- Matt
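sshd's AllowGroups matches each listed name against the user's primary group and supplementary groups, so with winbind the AD group has to be visible through getent group under exactly the name written in sshd_config. The script below is an added example, not from the thread, that replays that decision over constructed passwd and group data standing in for winbind's output; it assumes "winbind use default domain = yes" in smb.conf, so the group shows up as plain "developers" rather than "DOMAIN\developers".

```shell
#!/bin/sh
# Added example, not from the thread: replay sshd's AllowGroups decision over
# constructed passwd/group data that stands in for what winbind serves via
# getent. Assumes "winbind use default domain = yes" (no DOMAIN\ prefix).
set -u
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Constructed sshd_config fragment: only the AD group "developers" may log in.
printf 'AllowGroups developers\n' > "$WORK/sshd_config"
# Constructed getent-style data: "domain users" is every AD user's primary group.
cat > "$WORK/passwd" <<'EOF'
alice:x:10001:10000:alice:/home/alice:/bin/bash
bob:x:10002:10000:bob:/home/bob:/bin/bash
EOF
cat > "$WORK/group" <<'EOF'
domain users:x:10000:alice,bob
developers:x:10005:alice
EOF

# groups_of USER: the user's primary group name, then supplementary groups
groups_of() {
    gid=$(awk -F: -v u="$1" '$1==u {print $4; exit}' "$WORK/passwd")
    awk -F: -v u="$1" -v g="$gid" '
        $3==g {print $1; next}
        { n=split($4, m, ","); for (i=1;i<=n;i++) if (m[i]==u) print $1 }' \
        "$WORK/group"
}

# ssh_allowed USER: 0 if no AllowGroups is set or one of the user's groups is
# listed. Exact names only; real sshd also accepts * and ? wildcards.
ssh_allowed() {
    awk '$1=="AllowGroups" {for (i=2;i<=NF;i++) print $i}' \
        "$WORK/sshd_config" > "$WORK/allowed"
    [ -s "$WORK/allowed" ] || return 0
    groups_of "$1" | grep -qxF -f "$WORK/allowed"
}

for u in alice bob; do
    if ssh_allowed "$u"; then echo "$u: allowed"; else echo "$u: denied"; fi
done
```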
No.8
09/15/2006 05:09 PM, Matt Herzog wrote:
Fri, Sep 15, 2006 at 04:32:13PM -0300, Felipe Augusto van de Wiel wrote:
>>> I have winbind working nicely with AD here. It took a while to
>>> figure out but now AD user accounts can ssh into my Linux boxen
>>> reliably, which is really all I needed; just ssh access. But I
>>> want to make sure all the LDAP traffic is secured via TLS/SSL.
>>
>>, but this is not Samba part of the job. :)
>>
>>If Samba is not talking with your LDAP server, then this
>>parameter has no effect. You should do the TLS/SSL configurations
>>on your LDAP server. And you should use kerberos to have real
>>security in your smb network.
> There is no pure LDAP server. There is only the Win2K server that does
> Microsoft's AD which (unless I am mistaken) is part LDAP, part Kerberos
> and part SMB. The Kerberos part works fine. The ssh logins through AD
> work fine. The problem is that I'm connected on port
Ahhhh got it. So, you are using AD as a LDAP Server.
Sorry, I can't help you further, I never did that setup. :-(
But 'ldap ssl' is the way to go. Perhaps you should change the
ldap port to force it to use another port. Maybe you should check
your ldap.conf.
[]
>>If it is a PEM with private certificate, shouldn't be
>>world readable.
> K, so what should the perms be? 0400?
0400 is the best. But maybe you need a group with
read access, so 0440 will do the trick. Just take care of
the user:group configuration.
>>, it is a configuration of libldap and other software
>>that will use resources to query LDAP server. But AIUI you are
>>not using Samba to query LDAP, you are using winbind to do that,
>>and then, your question is a little bit off-topic here. ;)
> Yes. I suppose you are right. I need to subscribe to an LDAP
> list as well.
:-)
Kind regards,
- --
Felipe Augusto van de Wiel <felipe (AT) paranacidade (DOT) org.br>
Coordenadoria de Tecnologia da Io (CTI) - SEDU/PARANACIDADE
Phone: (+55 41 3350 3300)