romain BOTTAN wrote:
thank you for your answer,
I will discuss with my team of active directory, kerberos and pkinit today.
I think you understood our problem in the main facts, we have windowsXP
clients (sp2, all fixes) and linux clients (debians, ubunto and others
debian like).
The main security problem is linked to the datas stored on the file
server and the crossing of an open network (worldwide intranet) to
connect our distant agencies.
I think we're going to put as you propose a ssl tunnel controlled by a
small openvpn server or ssltunel with a good control of certificates
validity. The advantage of this solution is that we have lots of clients
that implements certificates much better than 802.1X API in windows
implements it.
But the problem with this, as you said, samba will not deal with it, and
we're going to ask for our customers to remember another login/pass...
Andrew Bartlett a écrit :
On Tue, 2006-02-07 at 10:14 +0100, romain BOTTAN wrote:
Hello everybody,
I'll try to find out some info about Samba and a way to put x509
authenticate method but i don't find anything clear about it.
There are not many 'good' options to put x509 certificates into the
Samba authentication space, and if very much depends on the client and
domain environment.
Perhaps you are looking for an AD implementation, with PKINIT on
kerberos? This is the only real solution for windows clients.
If you control the clients (say they run Linux), you could push all CIFS
connections via a SSL tunnel, but Samba wouldn't 'know' about this, so
would not actually authenticate the users as such.
Perhaps you need to explain what you are trying to do a bit more.
Andrew Bartlett
what about some vpn tunnels between you local and remote networks?
(perhaps you already have this) if you're considering using samba over
the internet, it seems like site-to-site or vpn would serve you best in
terms of security. that's what i do with my remote offices.
--
My Website: http://messinet.com
My Online Gallery:
http://messinet.com/modules.php?name=Web_Links&l_op=visit&lid=3
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
