This is a cryptographically signed message in MIME format.

--===============0331604504==
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg=sha1; boundary="------------ms020402060802090007030404"

This is a cryptographically signed message in MIME format.

--------------ms020402060802090007030404
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit

thank you for your answer,
I will discuss with my team of active directory, kerberos and pkinit today.

I think you understood our problem in the main facts, we have windowsXP
clients (sp2, all fixes) and linux clients (debians, ubunto and others
debian like).

The main security problem is linked to the datas stored on the file
server and the crossing of an open network (worldwide intranet) to
connect our distant agencies.

I think we're going to put as you propose a ssl tunnel controlled by a
small openvpn server or ssltunel with a good control of certificates
validity. The advantage of this solution is that we have lots of clients
that implements certificates much better than 802.1X API in windows
implements it.


But the problem with this, as you said, samba will not deal with it, and
we're going to ask for our customers to remember another login/pass...




Andrew Bartlett a écrit :

>On Tue, 2006-02-07 at 10:14 +0100, romain BOTTAN wrote:
>
>
>>Hello everybody,
>>
>>I'll try to find out some info about Samba and a way to put x509
>>authenticate method but i don't find anything clear about it.
>>
>>

>
>There are not many 'good' options to put x509 certificates into the
>Samba authentication space, and if very much depends on the client and
>domain environment.
>
>Perhaps you are looking for an AD implementation, with PKINIT on
>kerberos? This is the only real solution for windows clients.
>
>If you control the clients (say they run Linux), you could push all CIFS
>connections via a SSL tunnel, but Samba wouldn't 'know' about this, so
>would not actually authenticate the users as such.
>
>Perhaps you need to explain what you are trying to do a bit more.
>
>Andrew Bartlett
>
>
>


--
=============
Romain BOTTAN
ALCATEL CIT - Service Sécurité
26 Av. JF Champollion - BP 1076
31035 TOULOUSE cedex 1
Tél: +33(0)5 34 35 33 74
Port: +33(0)6 15 41 44 50
Fax: +33(0)5 34 35 33 99


--------------ms020402060802090007030404--

--===============0331604504==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
--===============0331604504==--