Configuring LDAP over SSL (LDAPS) on a Samba AD DC
Introduction
Active Directory uses the LDAP (Lightweight Directory Access Protocol) for read and write access. By default LDAP connections are unencrypted. To secure LDAP traffic, you can use SSL/TLS. This document will describe how to enable LDAP over SSL (LDAPS) by installing a certificate in Samba.
General information
- Supported Samba versions (4.11.0 and later) require GnuTLS so LDAP is available by default
- The private key must be accessible without a passphrase, i.e. it must not be encrypted!
- The files that samba uses have to be in PEM format (Base64-encoded DER). The content is enclosed between e. g.
-----BEGIN CERTIFICATE-----
and-----END CERTIFICATE-----
.
- When intermediate certificates are used they should be appended to the cert.pem file after the server certificate
Important smb.conf parameters for LDAPS
LDAPS is controlled by various smb.conf parameters, which all start with tls
. See the manpage for details.
The tls*
parameters are set in the [global]
section of your smb.conf. After any changes, you will have to restart Samba.
Restricting TLS ciphers
The tls priority
smb.conf option allows setting a GnuTLS Cipher priority string and so allows disabling of deprecated ciphers.
GnuTLS controls what ciphers are enabled default but SSLv3
is additionally disabled.
Example
This example assumes the library already disables SSLv3, and additionally disables TLS 1.0 and 1.1.
tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1
SASL over TLS: A bad idea
Samba doesn't implement LDAP Channel binding as required by the 2020 LDAP channel binding and LDAP signing requirements for Windows. Instead, in 2016 with CVE-2016-2112 we recognised the with no cryptographic connection between the NTLM response or Kerberos token and the TLS layer, that a relay attack was possible.
Samba has chosen to simply deny such sessions by default.
For compatibility, the option ldap server require strong auth
was introduced, with allow_sasl_over_tls
(or no
to permit this insecure configuration). Do not set these options.
The secure alternative is NTLM or Kerberos encryption of the LDAP layer using SASL encryption, as this is cryptographically tied the authentication, a MITM relay cannot change the messages.
Using the Samba autogenerated self-signed certificate (default)
On its first startup, Samba creates a private key, a self signed certificate and a CA certificate:
- /usr/local/samba/private/tls/ca.pem
- /usr/local/samba/private/tls/cert.pem
- /usr/local/samba/private/tls/key.pem
The certificates are valid for 700 days after creation (the lifetime used when auto-creating the certificates is hardcoded in source4/lib/tls/tlscert.c
).
By default TLS is enabled (tls enabled = yes
), the above files are used and correspond to the following smb.conf parameters:
tls enabled = yes tls keyfile = tls/key.pem tls certfile = tls/cert.pem tls cafile = tls/ca.pem
Using a custom self-signed certificate
- Change into the directory you want to store the key and certificate
# cd /usr/local/samba/private/tls/
- Create a private key (2048 bit) and a self-signed certificate, valid for 1 year. You'll be asked a couple of questions. It is very important that you enter the FQDN of the DC you are generating the certificate for, when prompted for the
Common Name
$(hostname -f).
# openssl req -newkey rsa:2048 -keyout myKey.pem -nodes -x509 -days 365 -out myCert.pem Generating a 2048 bit RSA private key ......+++ ..................+++ writing new private key to 'myKey.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:DE State or Province Name (full name) []:My State Locality Name (eg, city) [Default City]:My City Organization Name (eg, company) [Default Company Ltd]:My Company Organizational Unit Name (eg, section) []:My Department Common Name (eg, your name or your server's hostname) []:DC1.samdom.example.com Email Address []:demo@example.com
- Restrict rights on the private key
# chmod 600 myKey.pem
- Add the following to your smb.conf
tls enabled = yes tls keyfile = tls/myKey.pem tls certfile = tls/myCert.pem tls cafile =
- Restart Samba.
Using a trusted certificate
- Change into the directory you want to store the key and certificate
# cd /usr/local/samba/private/tls/
- Create a 2048 server key
# openssl genrsa -out myKey.pem 2048
- Generate a certificate request (CSR). You'll be asked a couple of questions. It is very important that you enter the FQDN of the DC you are generating the certificate for, when prompted for the
Common Name
$(hostname -f).
# openssl req -new -key myKey.pem -out myCSR.pem You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:DE State or Province Name (full name) []:My State Locality Name (eg, city) [Default City]:My City Organization Name (eg, company) [Default Company Ltd]:My Company Organizational Unit Name (eg, section) []:My Department Common Name (eg, your name or your server's hostname) []:DC1.samdom.example.com Email Address []:demo@example.com
- Use your CSR to obtain a trusted certificate from a CA. Please check the vendors page for details on the process.
- If you received your trusted certificate, store it in the directory with the server key (name it e. g. myCert.pem).
- If your CA requires intermediate certificates also store it in same directory as the other files (e. g. myIntermediate.pem).
- Add the following parameters to your smb.conf
tls enabled = yes tls keyfile = tls/myKey.pem tls certfile = tls/myCert.pem tls cafile = tls/myIntermediate .pem # if not required, set empty
- Restart Samba.
View certificate details
# openssl x509 -in /usr/local/samba/private/tls/myCert.pem -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: d7:16:0c:a9:2e:ce:6f:a6 Signature Algorithm: sha1WithRSAEncryption Issuer: C=DE, ST=My State, L=My City, O=My Company, OU=My Section, CN=DC1.samdom.example.com/emailAddress=demo@example.com Validity Not Before: Jun 22 06:44:35 2013 GMT Not After : Jun 22 06:44:35 2014 GMT Subject: C=DE, ST=My State, L=My City, O=My Company, OU=My Section, CN=DC1.samdom.example.com/emailAddress=demo@example.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: .....{removed to keep this example output shorter}..... Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: D3:CC:57:AD:2E:03:AC:EE:F9:1F:88:C7:96:A3:79:23:1E:1A:7E:45 X509v3 Authority Key Identifier: keyid:D3:CC:57:AD:2E:03:AC:EE:F9:1F:88:C7:96:A3:79:23:1E:1A:7E:45 X509v3 Basic Constraints: CA:TRUE Signature Algorithm: sha1WithRSAEncryption .....{removed to keep this example output shorter}.....
Verifying the certificate
Local
# openssl verify /usr/local/samba/private/tls/myCert.pem myCert.pem: C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com error 18 at 0 depth lookup:self signed certificate OK
If you are using a CA file in your smb.conf, use the following command instead:
# openssl verify /usr/local/samba/private/tls/myCert.pem -CAfile /path/to/ca-file.pem
Remote via TCP
# openssl s_client -showcerts -connect dc1.samdom.example.com:636 CONNECTED(00000003) depth=0 C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com verify error:num=18:self signed certificate verify return:1 depth=0 C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com verify return:1 --- Certificate chain 0 s:/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com i:/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com -----BEGIN CERTIFICATE----- .....{removed to keep this example output shorter}..... -----END CERTIFICATE----- --- Server certificate subject=/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com issuer=/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com --- No client certificate CA names sent --- SSL handshake has read 1870 bytes and written 322 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 7B522F38E50A807426CBB438841A40360B8A32C2A6FA74B1705D2978E7100E9A Session-ID-ctx: Master-Key: D65E7EC785151B6DDA2CAB40320A16DADB5A24019B23C533738B43EA36DBC4E766BE16C292E35976BB6CD09B1C537D21 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1371887189 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) ---
You can quit s_client by pressing [Ctrl]+[C].
If you are using a CA file in your smb.conf, use the following command instead:
# openssl s_client -showcerts -connect localhost:636 -CAfile /path/to/ca-file.pem