On 04/19/2016 04:31 PM, Ian McMichael ([email protected]) wrote:
As promised, I am reporting back my findings with the Canonical Samba
4.3.8 package now in the Ubuntu 14.04 LTS repository.
I created a key for the domain controller with the following:
openssl genrsa -out /var/lib/samba/private/tls/dc.example.net.key 2048
chown root:root /var/lib/samba/private/tls/dc.example.net.key
chmod 600 /var/lib/samba/private/tls/dc.example.net.key
Not that it matters in practice, but 400 would be recommended. This file
should never change, and it'll give you one more warning when you are
already doing something you probably shouldn't be (until next year).
Then I created a certificate request with the common name equal to the
FQDN of the domain controller (in this example, dc.example.net):
openssl req -new -key /var/lib/samba/private/tls/dc.example.net.key \
  -out /var/lib/samba/private/tls/dc.example.net.csr
I then took the CSR over to https://www.startssl.com/ and got them to
issue a free certificate for the domain controller. I placed the
certificate plus the StartCom Class 1 Intermediate (to form a
certificate chain) in /var/lib/samba/private/tls/dc.example.net.pem.
I tried to put the intermediate as "tls cafile" and it kept throwing
errors. I was reasoning that the StartCom root was already in my
certificate chain. I don't know why, since I had created a SAN (UCC)
cert and had already done this for dovecot and apache with the same
certificate, but concatenating the cert and the intermediate was what I
missed. I read this thread...light bulb! Thank you very much! I was
about ready to pull my hair out. :-) BTW, the free StartCom CA now
offers 5 hosts per cert (SAN/UCC), a pleasant surprise when I visited.
I then added the following lines to /etc/samba/smb.conf:
tls enabled = yes
tls keyfile = tls/dc.example.net.key
tls certfile = tls/dc.example.net.pem
tls cafile = /etc/ssl/certs/StartCom_Certification_Authority.pem
tls priority = SECURE128:-VERS-SSL3.0
Also, the "tls cafile" is probably unnecessary (leave in place, but
blank) as StartCom should already be in the global certificate chain for
most distros. One less thing to mess with when you renew it next year.
Then restarted the Samba DC:
service samba-ad-dc restart
I then edited the line in /etc/sogo/sogo.conf to read:
hostname = ldap://dc.example.net/????!StartTLS;
It is important to use the FQDN in this line and not an IP address.
<Snip>
Hope this helps someone else caught out by the sudden increase in LDAP
security around Samba...
It did, thank you for posting.
--DJ
--
[email protected]
https://inverse.ca/sogo/lists
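As an added example (not code from either poster), the script below builds a throwaway root, intermediate and DC certificate with openssl and checks what a client that trusts only the root can validate: the DC certificate on its own fails, while the concatenated certificate plus intermediate that belongs in "tls certfile" verifies. The CA names, dc.example.net and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> DC
# chain offline and show why "tls certfile" must hold the DC cert AND the intermediate.
# All names (Example Root CA, Example Intermediate CA, dc.example.net) are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Throwaway root and intermediate CA (stand-ins for a public CA's root/intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -out root.pem -days 2 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out inter.pem -days 2 2>/dev/null

# DC key (read-only for its owner, as suggested above) and a CSR with the FQDN as CN.
openssl genrsa -out dc.example.net.key 2048 2>/dev/null
chmod 400 dc.example.net.key
openssl req -new -key dc.example.net.key -out dc.example.net.csr \
    -subj "/CN=dc.example.net" 2>/dev/null
openssl x509 -req -in dc.example.net.csr -CA inter.pem -CAkey inter.key \
    -CAcreateserial -out dc.example.net.crt -days 1 2>/dev/null

# verify_chain FILE: can a client that trusts only the root validate the server using
# nothing but the certificates FILE presents? Exit 0 = yes. This is the LDAP client's view.
verify_chain() {
    openssl verify -CAfile root.pem -no-CApath -untrusted "$1" "$1" >/dev/null 2>&1
}

# key_mode FILE: octal permission bits of FILE, e.g. 400 (GNU stat, BSD stat fallback).
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# 1. DC cert alone: the intermediate is missing, so the path to the root cannot be built.
if verify_chain dc.example.net.crt; then echo "leaf alone: verified (unexpected)"
else echo "leaf alone: incomplete chain, clients will reject it"; fi

# 2. DC cert followed by the intermediate: this is what "tls certfile" should contain.
cat dc.example.net.crt inter.pem > dc.example.net.pem
if verify_chain dc.example.net.pem; then echo "leaf+intermediate: chain verifies"; fi
echo "key mode: $(key_mode dc.example.net.key)"
```

Against a live DC, `openssl s_client -connect dc.example.net:389 -starttls ldap` shows the chain the server actually sends, so a missing intermediate is visible before SOGo or any other client complains.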