Configuring LDAP over SSL (LDAPS) on a Samba AD DC

From SambaWiki

Introduction

Active Directory uses the LDAP (Lightweight Directory Access Protocol) for read and write access. By default LDAP connections are unencrypted. To secure LDAP traffic, you can use SSL/TLS. This document will describe how to enable LDAP over SSL (LDAPS) by installing a certificate in Samba.



General information

  • Supported Samba versions (4.11.0 and later) require GnuTLS, so LDAPS is available by default
  • The private key must be accessible without a passphrase, i.e. it must not be encrypted!
  • The files that Samba uses have to be in PEM format (Base64-encoded DER). The content is enclosed between e.g. -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
  • When intermediate certificates are used they should be appended to the cert.pem file after the server certificate

Important smb.conf parameters for LDAPS

LDAPS is controlled by various smb.conf parameters, which all start with tls. See the manpage for details.

The tls* parameters are set in the [global] section of your smb.conf. After any changes, you will have to restart Samba.

Restricting TLS ciphers

The tls priority smb.conf option allows setting a GnuTLS Cipher priority string and so allows disabling of deprecated ciphers.

GnuTLS controls which ciphers are enabled by default, but SSLv3 is additionally disabled.

Example

This example assumes the library already disables SSLv3, and additionally disables TLS 1.0 and 1.1.

tls priority = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1

SASL over TLS: A bad idea

Samba doesn't implement LDAP channel binding as required by the 2020 LDAP channel binding and LDAP signing requirements for Windows. Instead, in 2016 with CVE-2016-2112 we recognised that, with no cryptographic connection between the NTLM response or Kerberos token and the TLS layer, a relay attack was possible.

Samba has chosen to simply deny such sessions by default.

For compatibility, the option ldap server require strong auth was introduced, with the values allow_sasl_over_tls (or no) to permit this insecure configuration. Do not set these options.

The secure alternative is NTLM or Kerberos encryption of the LDAP layer using SASL encryption. As this is cryptographically tied to the authentication, a MITM relay cannot change the messages.
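
The tls and ldap server require strong auth settings discussed above can be checked mechanically. The following audit script is an added example, not part of Samba or of the original page; the function names and the sample smb.conf are constructed, and the tls priority test is a plain string match against the form used in the example above, not a GnuTLS priority parser.

```python
import re

# Values the page names as permitting SASL over TLS (the insecure configuration).
WEAK_STRONG_AUTH = {"no", "allow_sasl_over_tls"}

def parse_global(conf_text):
    """Return the [global] parameters of an smb.conf as {normalised name: value}."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit_ldaps(conf_text):
    """List findings for the LDAPS settings discussed on this page."""
    p, findings = parse_global(conf_text), []
    if p.get("tlsenabled", "yes").lower() in {"no", "false", "0", "off"}:
        findings.append("tls enabled is off: LDAPS is not served")
    auth = p.get("ldapserverrequirestrongauth", "").lower()
    if auth in WEAK_STRONG_AUTH:
        findings.append(f"ldap server require strong auth = {auth}: SASL over TLS permitted")
    # String match only: a priority string that disables versions another way is still flagged.
    priority = p.get("tlspriority", "").upper()
    for old in ("TLS1.0", "TLS1.1"):
        if f"-VERS-{old}" not in priority:
            findings.append(f"tls priority has no explicit -VERS-{old}")
    return findings

# Constructed sample input, not a real configuration.
SAMPLE = """\
[global]
    tls enabled = yes
    TLS Priority = NORMAL:-VERS-TLS1.0
    ldap server require strong auth = allow_sasl_over_tls
[demo]
    read only = no
"""

if __name__ == "__main__":
    for finding in audit_ldaps(SAMPLE):
        print("FINDING:", finding)
```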

Using the Samba autogenerated self-signed certificate (default)

On its first startup, Samba creates a private key, a self-signed certificate and a CA certificate:

  • /usr/local/samba/private/tls/ca.pem
  • /usr/local/samba/private/tls/cert.pem
  • /usr/local/samba/private/tls/key.pem

The certificates are valid for 700 days after creation (the lifetime used when auto-creating the certificates is hardcoded in source4/lib/tls/tlscert.c).

By default TLS is enabled (tls enabled = yes), the above files are used and correspond to the following smb.conf parameters:

tls enabled  = yes
tls keyfile  = tls/key.pem
tls certfile = tls/cert.pem
tls cafile   = tls/ca.pem




Using a custom self-signed certificate

  • Change into the directory you want to store the key and certificate
# cd /usr/local/samba/private/tls/
  • Create a private key (2048 bit) and a self-signed certificate, valid for 1 year. You'll be asked a couple of questions. When prompted for the Common Name, it is very important that you enter the FQDN of the DC you are generating the certificate for (the output of hostname -f).
# openssl req -newkey rsa:2048 -keyout myKey.pem -nodes -x509 -days 365 -out myCert.pem

Generating a 2048 bit RSA private key
......+++
..................+++
writing new private key to 'myKey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:My State
Locality Name (eg, city) [Default City]:My City
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Department
Common Name (eg, your name or your server's hostname) []:DC1.samdom.example.com
Email Address []:demo@example.com
  • Restrict rights on the private key
# chmod 600 myKey.pem
  • Add the following to your smb.conf
tls enabled  = yes
tls keyfile  = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile   = 
  • Restart Samba.



Using a trusted certificate

  • Change into the directory you want to store the key and certificate
# cd /usr/local/samba/private/tls/
  • Create a 2048-bit server key
# openssl genrsa -out myKey.pem 2048
  • Generate a certificate request (CSR). You'll be asked a couple of questions. When prompted for the Common Name, it is very important that you enter the FQDN of the DC you are generating the certificate for (the output of hostname -f).
# openssl req -new -key myKey.pem -out myCSR.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:My State
Locality Name (eg, city) [Default City]:My City
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Department
Common Name (eg, your name or your server's hostname) []:DC1.samdom.example.com
Email Address []:demo@example.com
  • Use your CSR to obtain a trusted certificate from a CA. Please check the vendor's page for details on the process.
  • Once you have received your trusted certificate, store it in the directory with the server key (name it e.g. myCert.pem).
  • If your CA requires intermediate certificates, also store them in the same directory as the other files (e.g. myIntermediate.pem).
  • Add the following parameters to your smb.conf. If no intermediate certificate is required, leave tls cafile empty.
tls enabled  = yes
tls keyfile  = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile   = tls/myIntermediate.pem
  • Restart Samba.
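
A preflight check for the files named by tls keyfile and tls certfile, covering the requirements from "General information" (PEM format, key without passphrase) and the chmod 600 step. This is an added example, not Samba's own code; the function names are hypothetical and the demo files are constructed placeholders, not real keys.

```python
import os
import re
import stat
import tempfile

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(path):
    """Return [(label, body), ...] for every PEM block in the file."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return PEM_BLOCK.findall(fh.read())

def check_keyfile(path):
    """Findings for the file named by 'tls keyfile'."""
    findings = []
    keys = [(l, b) for l, b in pem_blocks(path) if l.endswith("PRIVATE KEY")]
    if not keys:
        findings.append("no PEM private key found")
    for label, body in keys:
        # PKCS#8 marks encryption in the label, traditional PEM in a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            findings.append("private key is passphrase-protected")
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        findings.append("key readable by group/other, expected mode 600")
    return findings

def check_certfile(path):
    """Findings for the file named by 'tls certfile' (server cert plus intermediates)."""
    labels = [label for label, _ in pem_blocks(path)]
    if not labels:
        return ["no PEM blocks found (DER-encoded file?)"]
    return [f"unexpected PEM block: {l}" for l in labels if l != "CERTIFICATE"]

def demo():
    """Run both checks on constructed files (placeholder bodies, not real keys)."""
    d = tempfile.mkdtemp()
    key, cert = os.path.join(d, "myKey.pem"), os.path.join(d, "myCert.pem")
    with open(key, "w") as fh:
        fh.write("-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n"
                 "-----END ENCRYPTED PRIVATE KEY-----\n")
    os.chmod(key, 0o644)
    with open(cert, "wb") as fh:
        fh.write(b"\x30\x82\x01\x0a")       # DER bytes instead of PEM text
    return check_keyfile(key), check_certfile(cert)

if __name__ == "__main__":
    print(demo())
```

The check inspects PEM labels and file modes only; it does not parse the certificate, so chain order and expiry still need the openssl commands shown on this page.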




View certificate details

# openssl x509 -in /usr/local/samba/private/tls/myCert.pem -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d7:16:0c:a9:2e:ce:6f:a6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=My State, L=My City, O=My Company, OU=My Section, CN=DC1.samdom.example.com/emailAddress=demo@example.com
        Validity
            Not Before: Jun 22 06:44:35 2013 GMT
            Not After : Jun 22 06:44:35 2014 GMT
        Subject: C=DE, ST=My State, L=My City, O=My Company, OU=My Section, CN=DC1.samdom.example.com/emailAddress=demo@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                  .....{removed to keep this example output shorter}.....
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                D3:CC:57:AD:2E:03:AC:EE:F9:1F:88:C7:96:A3:79:23:1E:1A:7E:45
            X509v3 Authority Key Identifier: 
                keyid:D3:CC:57:AD:2E:03:AC:EE:F9:1F:88:C7:96:A3:79:23:1E:1A:7E:45
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        .....{removed to keep this example output shorter}.....



Verifying the certificate

Local

# openssl verify /usr/local/samba/private/tls/myCert.pem
myCert.pem: C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
error 18 at 0 depth lookup:self signed certificate
OK

If you are using a CA file in your smb.conf, use the following command instead:

# openssl verify -CAfile /path/to/ca-file.pem /usr/local/samba/private/tls/myCert.pem


Remote via TCP

# openssl s_client -showcerts -connect dc1.samdom.example.com:636

CONNECTED(00000003)
depth=0 C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
   i:/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
-----BEGIN CERTIFICATE-----
.....{removed to keep this example output shorter}.....
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
issuer=/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
---
No client certificate CA names sent
---
SSL handshake has read 1870 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7B522F38E50A807426CBB438841A40360B8A32C2A6FA74B1705D2978E7100E9A
    Session-ID-ctx: 
    Master-Key: D65E7EC785151B6DDA2CAB40320A16DADB5A24019B23C533738B43EA36DBC4E766BE16C292E35976BB6CD09B1C537D21
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1371887189
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

You can quit s_client by pressing [Ctrl]+[C].

If you are using a CA file in your smb.conf, use the following command instead:

# openssl s_client -showcerts -connect localhost:636 -CAfile /path/to/ca-file.pem