Difference between revisions of "Configuring LDAP over SSL (LDAPS) on a Samba AD DC"

From: 雑廉堂Wiki
(Using the Samba autogenerated self-signed certificate (default))
(Using a custom self-signed certificate)
Revision as of 09:39, 26 September 2018 (Wed)

Introduction

Active Directory uses LDAP (Lightweight Directory Access Protocol) for read and write access. By default, LDAP connections are not encrypted. To protect LDAP traffic you can use SSL/TLS. This document describes how to enable LDAP over SSL (LDAPS) by installing a certificate in Samba.

General information

  • To use TLS, Samba must be compiled with „--enable-gnutls“. To check, use the following command:
# smbd -b | grep "ENABLE_GNUTLS"
   ENABLE_GNUTLS
  • The private key must be accessible without a passphrase, i.e. do not encrypt it!
  • The files used by Samba must be in PEM format (Base64-encoded DER). The content is enclosed in "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
  • If you use intermediate certificates, they have to be appended to the cert.pem file after the server certificate.

Important smb.conf parameters for LDAPS

LDAPS is controlled by various smb.conf parameters, all of which begin with "tls". See the manual page for details.

The "tls *" parameters are set in the "[global]" section of smb.conf. After changing them, Samba must be restarted.

Using the Samba autogenerated self-signed certificate (default)

On first start, Samba creates a private key, a self-signed certificate and a CA certificate:

  • /usr/local/samba/private/tls/ca.pem
  • /usr/local/samba/private/tls/cert.pem
  • /usr/local/samba/private/tls/key.pem

The certificate is valid for 700 days from creation (the validity period used when the certificates are created automatically is hard-coded in "source4/lib/tls/tlscert.c").

By default, if TLS is enabled ("tls enabled = yes"), the files above are used, which corresponds to the following smb.conf parameters:

tls enabled  = yes
tls keyfile  = tls/key.pem
tls certfile = tls/cert.pem
tls cafile   = tls/ca.pem

Using a custom self-signed certificate

  • Change into the directory you want to store the key and certificate
# cd /usr/local/samba/private/tls/
  • Create a private key (2048 bit) and a self-signed certificate, valid for 1 year. You'll be asked a couple of questions. It is very important that you fill "Common Name" with the FQDN of the DC you are generating the certificate for ("hostname -f")!
# openssl req -newkey rsa:2048 -keyout myKey.pem -nodes -x509 -days 365 -out myCert.pem

Generating a 2048 bit RSA private key
......+++
..................+++
writing new private key to 'myKey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:My State
Locality Name (eg, city) [Default City]:My City
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Department
Common Name (eg, your name or your server's hostname) []:DC1.samdom.example.com
Email Address []:demo@example.com
  • Restrict rights on the private key
# chmod 600 myKey.pem
  • Add the following to your smb.conf
tls enabled  = yes
tls keyfile  = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile   = 
  • Restart Samba.

Using a trusted certificate

  • Change into the directory you want to store the key and certificate
# cd /usr/local/samba/private/tls/
  • Create a 2048 server key
# openssl genrsa -out myKey.pem 2048
  • Generate a certificate request (CSR). You'll be asked a couple of questions. The most important is, that you fill „Common Name“ with the FQDN of the DC you are generating the certificate for („hostname -f“)!
# openssl req -new -key myKey.pem -out myCSR.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:My State
Locality Name (eg, city) [Default City]:My City
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Department
Common Name (eg, your name or your server's hostname) []:DC1.samdom.example.com
Email Address []:demo@example.com
  • Use your CSR to obtain a trusted certificate from a CA. Please check the vendors page for details on the process.
  • If you received your trusted certificate, store it in the directory with the server key (name it e. g. myCert.pem).
  • If your CA requires intermediate certificates also store it in same directory as the other files (e. g. myIntermediate.pem).
  • Add the following parameters to your smb.conf
tls enabled  = yes
tls keyfile  = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile   = tls/myIntermediate.pem
  (If no intermediate certificate is required, leave the value empty: "tls cafile =". smb.conf does not support comments after a value on the same line, so put any remark on its own line starting with # or ;.)
  • Restart Samba.
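Both procedures above (the custom self-signed certificate and the CSR for a trusted CA) put the DC's FQDN only in the Common Name. Host-name matching against the CN is deprecated (RFC 6125) and some clients no longer fall back to it when the certificate has no subjectAltName, so the FQDN should appear there as well. The script below is an added example, not part of the Samba documentation this page translates: it generates the key and either a self-signed certificate or a CSR with the FQDN in both CN and subjectAltName, signs with SHA-256 rather than the SHA-1 shown in the certificate dump further down, and creates the key with mode 0600 from the start instead of chmod'ing it afterwards. The file names myKey.pem, myCert.pem and myCSR.pem and the "hostname -f" default follow the page; the function names, the ldaps.cnf request config and the selfsigned/csr mode argument are this example's own. It assumes OpenSSL is installed.

```sh
#!/bin/sh
# Added example (not Samba project code): create an LDAPS key pair for a
# Samba AD DC with the FQDN in both CN and subjectAltName.
# Assumes OpenSSL is installed. File names follow the wiki page; the
# function names and ldaps.cnf are this example's own.
set -eu

# write_san_config DIR FQDN
# Writes an OpenSSL request config. A config file (rather than -addext)
# also works on OpenSSL releases older than 1.1.1. Only subjectAltName is
# added here; key usage and CA flags are left to the issuing CA.
write_san_config() {
    cat > "$1/ldaps.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = san
x509_extensions    = san

[ dn ]
CN = $2

[ san ]
subjectAltName = DNS:$2
EOF
}

# make_ldaps_cert MODE DIR [FQDN]
#   selfsigned: DIR/myKey.pem + DIR/myCert.pem (365 days, SHA-256)
#   csr:        DIR/myKey.pem + DIR/myCSR.pem  (hand the CSR to the CA)
# FQDN defaults to `hostname -f`, as the page requires for the CN.
make_ldaps_cert() {
    mode=$1 dir=$2 fqdn=${3:-$(hostname -f)}
    mkdir -p "$dir"
    write_san_config "$dir" "$fqdn"
    # umask 077 makes the key file 0600 at creation; no separate chmod.
    (umask 077 && openssl genrsa -out "$dir/myKey.pem" 2048 2>/dev/null)
    case $mode in
    selfsigned)
        openssl req -new -x509 -sha256 -days 365 -key "$dir/myKey.pem" \
            -config "$dir/ldaps.cnf" -out "$dir/myCert.pem" ;;
    csr)
        openssl req -new -sha256 -key "$dir/myKey.pem" \
            -config "$dir/ldaps.cnf" -out "$dir/myCSR.pem" ;;
    *)
        echo "usage: make_ldaps_cert selfsigned|csr DIR [FQDN]" >&2
        return 2 ;;
    esac
}

# san_names KIND FILE
# Prints the DNS names in the subjectAltName of a certificate (KIND=x509)
# or a request (KIND=req), one per line. Empty output means no SAN.
san_names() {
    openssl "$1" -in "$2" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# smb_conf_fragment MODE
# Prints the [global] lines for smb.conf. smb.conf has no inline
# comments, so "tls cafile" is either a path or empty, nothing else.
smb_conf_fragment() {
    echo 'tls enabled  = yes'
    echo 'tls keyfile  = tls/myKey.pem'
    echo 'tls certfile = tls/myCert.pem'
    if [ "$1" = csr ]; then
        echo 'tls cafile   = tls/myIntermediate.pem'
    else
        echo 'tls cafile   ='
    fi
}

# Run directly: ./ldaps-cert.sh selfsigned|csr DIR [FQDN]
if [ $# -gt 0 ]; then
    make_ldaps_cert "$@"
    smb_conf_fragment "$1"
fi
```

Run it from /usr/local/samba/private/tls/ with `selfsigned` to replace the page's interactive `openssl req` step, or with `csr` to produce the request for the trusted-certificate procedure; `san_names x509 myCert.pem` (or `san_names req myCSR.pem`) confirms that the FQDN made it into the subjectAltName before you restart Samba.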




View certificate details

# openssl x509 -in /usr/local/samba/private/tls/myCert.pem -noout -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d7:16:0c:a9:2e:ce:6f:a6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=My State, L=My City, O=My Company, OU=My Section, CN=DC1.samdom.example.com/emailAddress=demo@example.com
        Validity
            Not Before: Jun 22 06:44:35 2013 GMT
            Not After : Jun 22 06:44:35 2014 GMT
        Subject: C=DE, ST=My State, L=My City, O=My Company, OU=My Section, CN=DC1.samdom.example.com/emailAddress=demo@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                  .....{removed to keep this example output shorter}.....
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                D3:CC:57:AD:2E:03:AC:EE:F9:1F:88:C7:96:A3:79:23:1E:1A:7E:45
            X509v3 Authority Key Identifier: 
                keyid:D3:CC:57:AD:2E:03:AC:EE:F9:1F:88:C7:96:A3:79:23:1E:1A:7E:45
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        .....{removed to keep this example output shorter}.....



Verifying the certificate

Local

# openssl verify /usr/local/samba/private/tls/myCert.pem
myCert.pem: C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
error 18 at 0 depth lookup:self signed certificate
OK

If you are using a CA file in your smb.conf, verify against that file instead. Use -CAfile for a PEM file (-CApath expects a directory of hashed certificates), and put the options before the certificate argument:

# openssl verify -CAfile /path/to/ca-file.pem /usr/local/samba/private/tls/myCert.pem


Remote via TCP

# openssl s_client -showcerts -connect dc1.samdom.example.com:636

CONNECTED(00000003)
depth=0 C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
   i:/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
-----BEGIN CERTIFICATE-----
.....{removed to keep this example output shorter}.....
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
issuer=/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
---
No client certificate CA names sent
---
SSL handshake has read 1870 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7B522F38E50A807426CBB438841A40360B8A32C2A6FA74B1705D2978E7100E9A
    Session-ID-ctx: 
    Master-Key: D65E7EC785151B6DDA2CAB40320A16DADB5A24019B23C533738B43EA36DBC4E766BE16C292E35976BB6CD09B1C537D21
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1371887189
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

You can quit s_client by pressing [Ctrl]+[C].

If you are using a CA file in your smb.conf, pass it with -CAfile (a PEM file; -CApath expects a directory of hashed certificates). On its own, s_client only verifies the chain, not that the name clients use matches the certificate; add -verify_hostname with the DC's FQDN (OpenSSL 1.0.2 and later) to check that too:

# openssl s_client -showcerts -connect localhost:636 -CAfile /path/to/ca-file.pem -verify_hostname dc1.samdom.example.com
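The local and remote checks above are the ones worth scripting before and after a certificate is deployed. The functions below are an added example, not part of the original page: they wrap `openssl verify` and `openssl s_client` and add three checks the page does not show, namely that the key in "tls keyfile" really belongs to the certificate in "tls certfile", that the FQDN is present as a DNS subjectAltName, and that the certificate is not about to expire (the autogenerated one, for instance, lapses after 700 days). The function names and the 30-day default expiry window are this example's own; it assumes OpenSSL is installed and, for the remote check, that port 636 on the DC is reachable.

```sh
#!/bin/sh
# Added example (not Samba project code): verification helpers for the
# key, certificate and LDAPS endpoint of a Samba AD DC. Assumes OpenSSL.
# Every function returns 0 on success and non-zero on failure, so they
# can be chained from a deployment script or a monitoring check.

# chain_ok CERT CAFILE
# Same as "openssl verify -CAfile CAFILE CERT". For a self-signed
# certificate, pass the certificate itself as CAFILE.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_matches CERT KEY
# The public key embedded in CERT must equal the one derived from KEY;
# a mismatch means "tls keyfile" and "tls certfile" do not belong together.
key_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# has_san CERT FQDN
# FQDN must appear as a DNS subjectAltName; a CN-only certificate fails.
has_san() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | grep -qx " *DNS:$2"
}

# not_expiring CERT DAYS
# Fails if the certificate expires within DAYS days.
not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# ldaps_endpoint_ok HOST CAFILE
# Remote check: connects to HOST:636, verifies the chain against CAFILE
# and, unlike a plain "s_client -connect", also checks that the
# certificate is issued for HOST (-verify_hostname, OpenSSL 1.0.2+).
ldaps_endpoint_ok() {
    printf '' | openssl s_client -connect "$1:636" -CAfile "$2" \
        -verify_hostname "$1" 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# check_ldaps_files CERT KEY CAFILE FQDN [DAYS]
# Runs all local checks, prints one line per check, returns non-zero if
# any of them failed. DAYS defaults to 30.
check_ldaps_files() {
    cert=$1 key=$2 ca=$3 fqdn=$4 days=${5:-30} rc=0
    chain_ok     "$cert" "$ca"   && echo "chain:  ok" || { echo "chain:  FAIL"; rc=1; }
    key_matches  "$cert" "$key"  && echo "key:    ok" || { echo "key:    FAIL"; rc=1; }
    has_san      "$cert" "$fqdn" && echo "san:    ok" || { echo "san:    FAIL (no DNS:$fqdn)"; rc=1; }
    not_expiring "$cert" "$days" && echo "expiry: ok" || { echo "expiry: FAIL (<$days days left)"; rc=1; }
    return $rc
}

# Example with the custom self-signed certificate from this page:
# check_ldaps_files /usr/local/samba/private/tls/myCert.pem \
#     /usr/local/samba/private/tls/myKey.pem \
#     /usr/local/samba/private/tls/myCert.pem dc1.samdom.example.com
# and, after restarting Samba:
# ldaps_endpoint_ok dc1.samdom.example.com /usr/local/samba/private/tls/myCert.pem
```

For a CA-issued certificate, pass the CA (or intermediate) bundle from "tls cafile" as CAFILE instead of the certificate itself. `not_expiring` is the piece worth putting in a cron job or monitoring check: the page's certificates are valid for 365 or 700 days, and an expired DC certificate is noticed only when LDAPS clients start failing.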