Re: [Samba] [resend] SAMBA and X509 certs ?
romain BOTTAN wrote:
> thank you for your answer,
> I will discuss with my team of active directory, kerberos and pkinit today.
> I think you understood our problem in the main facts, we have Windows XP
> clients (sp2, all fixes) and Linux clients (Debian, Ubuntu and other
> Debian-like ones).
> The main security problem is linked to the data stored on the file
> server and the crossing of an open network (worldwide intranet) to
> connect our distant agencies.
> I think we're going to put, as you propose, an SSL tunnel controlled by a
> small openvpn server or ssltunel with a good control of certificate
> validity. The advantage of this solution is that we have lots of clients
> that implement certificates much better than the 802.1X API in Windows
> implements it.
> But the problem with this, as you said, is that samba will not deal with it, and
> we're going to ask our customers to remember another login/pass...
> Andrew Bartlett wrote:
>> On Tue, 2006-02-07 at 10:14 +0100, romain BOTTAN wrote:
>>> Hello everybody,
>>> I'll try to find out some info about Samba and a way to put x509
>>> authenticate method but I don't find anything clear about it.
>> There are not many 'good' options to put x509 certificates into the
>> Samba authentication space, and it very much depends on the client and
>> domain environment.
>> Perhaps you are looking for an AD implementation, with PKINIT on
>> kerberos? This is the only real solution for windows clients.
>> If you control the clients (say they run Linux), you could push all CIFS
>> connections via a SSL tunnel, but Samba wouldn't 'know' about this, so
>> would not actually authenticate the users as such.
>> Perhaps you need to explain what you are trying to do a bit more.
>> Andrew Bartlett
what about some vpn tunnels between your local and remote networks?
(perhaps you already have this) if you're considering using samba over
the internet, it seems like site-to-site or vpn would serve you best in
terms of security. that's what i do with my remote offices.
My Website: http://messinet.com