Configuring LDAP over SSL (LDAPS) on a Samba AD DC
Introduction
Active Directory uses LDAP (Lightweight Directory Access Protocol) for read and write access. By default, LDAP connections are not encrypted. To protect LDAP traffic, SSL/TLS can be used. This document describes how to enable LDAP over SSL (LDAPS) by installing a certificate in Samba.
General information
- To use TLS, Samba has to be compiled with „--enable-gnutls“. To verify, use the following command:
# smbd -b | grep "ENABLE_GNUTLS"
ENABLE_GNUTLS
- The private key must be accessible without a passphrase, i.e. it must not be encrypted!
- The files that samba uses have to be in PEM format (Base64-encoded DER). The content is enclosed between e. g. "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
- When intermediate certificates are used, they should be appended to the cert.pem file after the server certificate.
Important smb.conf parameters for LDAPS
LDAPS is controlled by various smb.conf parameters, which all start with „tls“. See the manpage for details.
The „tls*“ parameters are set in the „[global]“ section of your smb.conf. After any changes, you will have to restart Samba.
Using the Samba autogenerated self-signed certificate (default)
On its first startup, Samba creates a private key, a self-signed certificate and a CA certificate:
- /usr/local/samba/private/tls/ca.pem
- /usr/local/samba/private/tls/cert.pem
- /usr/local/samba/private/tls/key.pem
The certificates are valid for 700 days after creation (the lifetime used when auto-creating the certificates is hardcoded in „source4/lib/tls/tlscert.c“).
By default TLS is enabled („tls enabled = yes“) and the above files are used; this corresponds to the following smb.conf parameters:
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile = tls/ca.pem
Using a custom self-signed certificate
- Change into the directory you want to store the key and certificate
# cd /usr/local/samba/private/tls/
- Create a private key (2048 bit) and a self-signed certificate, valid for 1 year. You'll be asked a couple of questions. It is very important that you fill „Common Name“ with the FQDN of the DC you are generating the certificate for („hostname -f“)!
# openssl req -newkey rsa:2048 -keyout myKey.pem -nodes -x509 -days 365 -out myCert.pem
Generating a 2048 bit RSA private key
......+++
..................+++
writing new private key to 'myKey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:My State
Locality Name (eg, city) [Default City]:My City
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Department
Common Name (eg, your name or your server's hostname) []:DC1.samdom.example.com
Email Address []:demo@example.com
- Restrict rights on the private key
# chmod 600 myKey.pem
- Add the following to your smb.conf
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile =
- Restart Samba.
Using a trusted certificate
- Change into the directory you want to store the key and certificate
# cd /usr/local/samba/private/tls/
- Create a 2048 bit server key
# openssl genrsa -out myKey.pem 2048
- Generate a certificate signing request (CSR). You'll be asked a couple of questions. The most important one is „Common Name“: fill it with the FQDN of the DC you are generating the certificate for („hostname -f“)!
# openssl req -new -key myKey.pem -out myCSR.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:DE
State or Province Name (full name) []:My State
Locality Name (eg, city) [Default City]:My City
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Department
Common Name (eg, your name or your server's hostname) []:DC1.samdom.example.com
Email Address []:demo@example.com
- Use your CSR to obtain a trusted certificate from a CA. Please check the vendor's page for details on the process.
- Once you have received your trusted certificate, store it in the directory with the server key (name it e. g. myCert.pem).
- If your CA requires intermediate certificates, store them in the same directory as the other files (e. g. myIntermediate.pem).
- Add the following parameters to your smb.conf
tls enabled = yes
tls keyfile = tls/myKey.pem
tls certfile = tls/myCert.pem
tls cafile = tls/myIntermediate.pem
If your CA does not require an intermediate certificate, leave „tls cafile“ empty.
- Restart Samba.
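The requirements from the „General information“ section and the smb.conf parameters of the three procedures above can be checked before restarting Samba. The following is an added example in Python, not code from the original page or from Samba: it parses the tls* settings of [global] (applying the defaults named above), resolves the relative tls/ paths against the private directory, and flags a passphrase-protected key, a key readable by others, a non-PEM file, or a missing file. The private directory is an assumption, and file contents are passed in as a dictionary so the check can also run against constructed data.

```python
import stat

PRIVATE_DIR = "/usr/local/samba/private"  # assumed; see "smbd -b | grep PRIVATE_DIR"
# Defaults this page gives for a Samba AD DC (relative paths live in PRIVATE_DIR).
DEFAULTS = {"tls enabled": "yes", "tls keyfile": "tls/key.pem",
            "tls certfile": "tls/cert.pem", "tls cafile": "tls/ca.pem"}


def parse_global_tls(smbconf_text):
    """tls* parameters of [global] with Samba's defaults applied. smb.conf only
    has whole-line '#'/';' comments: a trailing '# note' becomes part of the value."""
    params, section = dict(DEFAULTS), None
    for raw in smbconf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower().startswith("tls"):
                params[key.lower()] = value
    return params


def check_tls_files(params, files):
    """Return the problems found. `files` maps absolute path -> (content bytes,
    st_mode) so the check runs offline; fill it from open()/os.stat() on a real DC."""
    if params["tls enabled"].lower() not in ("yes", "true", "1"):
        return ["tls enabled is off: the DC will not offer LDAPS on port 636"]
    problems = []
    for name in ("tls keyfile", "tls certfile", "tls cafile"):
        value = params[name]
        if name == "tls cafile" and not value:
            continue  # an empty tls cafile is valid when no CA/intermediate is needed
        path = value if value.startswith("/") else f"{PRIVATE_DIR}/{value}"
        entry = files.get(path)
        if entry is None:
            problems.append(f"{name} {path} is missing")
            continue
        data, mode = entry
        if b"-----BEGIN" not in data:
            problems.append(f"{name} is not PEM (base64 DER between BEGIN/END lines)")
        if name != "tls keyfile":
            continue
        if b"ENCRYPTED" in data:  # PKCS#8 or legacy "Proc-Type: 4,ENCRYPTED" header
            problems.append("tls keyfile needs a passphrase; Samba cannot load it")
        if stat.S_IMODE(mode) & 0o077:
            problems.append("tls keyfile is readable by others; chmod 600 it")
    return problems
```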
View certificate details
# openssl x509 -in /usr/local/samba/private/tls/myCert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d7:16:0c:a9:2e:ce:6f:a6
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=My State, L=My City, O=My Company, OU=My Section, CN=DC1.samdom.example.com/emailAddress=demo@example.com
        Validity
            Not Before: Jun 22 06:44:35 2013 GMT
            Not After : Jun 22 06:44:35 2014 GMT
        Subject: C=DE, ST=My State, L=My City, O=My Company, OU=My Section, CN=DC1.samdom.example.com/emailAddress=demo@example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    .....{removed to keep this example output shorter}.....
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D3:CC:57:AD:2E:03:AC:EE:F9:1F:88:C7:96:A3:79:23:1E:1A:7E:45
            X509v3 Authority Key Identifier:
                keyid:D3:CC:57:AD:2E:03:AC:EE:F9:1F:88:C7:96:A3:79:23:1E:1A:7E:45
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        .....{removed to keep this example output shorter}.....
Verifying the certificate
Local
# openssl verify /usr/local/samba/private/tls/myCert.pem
myCert.pem: C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
error 18 at 0 depth lookup:self signed certificate
OK
If you are using a CA file in your smb.conf, use the following command instead:
# openssl verify -CAfile /path/to/ca-file.pem /usr/local/samba/private/tls/myCert.pem
Remote via TCP
# openssl s_client -showcerts -connect dc1.samdom.example.com:636
CONNECTED(00000003)
depth=0 C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = DE, ST = My State, L = My City, O = My Company, OU = My Section, CN = DC1.samdom.example.com, emailAddress = demo@example.com
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
   i:/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
-----BEGIN CERTIFICATE-----
.....{removed to keep this example output shorter}.....
-----END CERTIFICATE-----
---
Server certificate
subject=/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
issuer=/C=DE/ST=My State/L=My City/O=My Company/OU=My Section/CN=DC1.samdom.example.com/emailAddress=demo@example.com
---
No client certificate CA names sent
---
SSL handshake has read 1870 bytes and written 322 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 7B522F38E50A807426CBB438841A40360B8A32C2A6FA74B1705D2978E7100E9A
    Session-ID-ctx:
    Master-Key: D65E7EC785151B6DDA2CAB40320A16DADB5A24019B23C533738B43EA36DBC4E766BE16C292E35976BB6CD09B1C537D21
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1371887189
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
You can quit s_client by pressing [Ctrl]+[C].
If you are using a CA file in your smb.conf, use the following command instead:
# openssl s_client -showcerts -connect localhost:636 -CAfile /path/to/ca-file.pem
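The remote check can also be scripted with Python's standard library. The following is an added example, not code from the original page or from Samba: it connects to port 636 the way „openssl s_client -CAfile“ does, but fails outright instead of only reporting „verify error“, and it reports the negotiated protocol and cipher, the names in the certificate, and the days left until „Not After“. The DC name and the CA file path are assumptions; for a custom self-signed certificate, the certificate file itself serves as the CA file. The helpers are kept separate so they can be run on a certificate dictionary without a network connection.

```python
import socket
import ssl
import time

DC_FQDN = "dc1.samdom.example.com"               # the DC's "hostname -f" (assumed)
CA_FILE = "/usr/local/samba/private/tls/ca.pem"  # CA that signed the DC cert (assumed)
LDAPS_PORT = 636


def names_in_cert(cert):
    """DNS names a client may match the DC against, lower-cased: SAN dNSName
    entries first, then the subject CN (the field this page says must be the FQDN).
    Many current clients ignore the CN once a SAN is present, so request a SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [value for key, value in rdn if key == "commonName"]
    return [n.lower() for n in names]


def not_after_epoch(cert):
    """'Not After' of a getpeercert() dict ('Jun 22 06:44:35 2014 GMT') as epoch seconds."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def days_until_expiry(cert, now=None):
    """Days left before the certificate expires (negative once it has expired)."""
    now = time.time() if now is None else now
    return (not_after_epoch(cert) - now) / 86400


def probe_ldaps(host=DC_FQDN, port=LDAPS_PORT, cafile=CA_FILE):
    """Strict equivalent of `openssl s_client -connect host:636 -CAfile cafile`:
    the chain must verify against cafile and the name must match the host,
    otherwise ssl.SSLCertVerificationError is raised instead of 'verify error:num=18'."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "names": names_in_cert(cert),
                    "days_left": round(days_until_expiry(cert), 1)}


if __name__ == "__main__":
    print(probe_ldaps())
```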