> what about some vpn tunnels between your local and remote networks?
> (perhaps you already have this) if you're considering using samba over
> the internet, it seems like site-to-site or vpn would serve you best in
> terms of security. that's what i do with my remote offices.

It's what we have for now: a vpn that allows distant users to have a
subnetwork address and access an http server with teamwork on it.
For now the file server is located on a wired, isolated lan (we use an
RJ45 switch) to be sure nobody can get in.
Now we want distant users to log into the file server, with security as
strong as switching manually onto this physical subnet; that's where ssl
encryption comes into play, with certificates and rsa keys. It's a proof of
security for us.

Anthony Messina wrote:

> romain BOTTAN wrote:
>
>> thank you for your answer,
>> I will discuss active directory, kerberos and pkinit with my team
>> today.
>>
>> I think you understood our problem in the main facts, we have
>> windowsXP clients (sp2, all fixes) and linux clients (debian, ubuntu
>> and other debian-like ones).
>>
>> The main security problem is linked to the data stored on the file
>> server and the crossing of an open network (worldwide intranet) to
>> connect our distant agencies.
>>
>> I think we're going to put in place, as you propose, an ssl tunnel
>> controlled by a small openvpn server or ssltunel with good control of
>> certificate validity. The advantage of this solution is that we have
>> lots of clients that implement certificates much better than the 802.1X
>> API in windows implements it.
>>
>> But the problem with this, as you said, is that samba will not deal
>> with it, and we're going to ask our customers to remember another
>> login/pass...
>>
>> Andrew Bartlett wrote:
>>
>>> On Tue, 2006-02-07 at 10:14 +0100, romain BOTTAN wrote:
>>>
>>>
>>>> Hello everybody,
>>>>
>>>> I'm trying to find out some info about Samba and a way to put in place
>>>> an x509 authentication method, but I can't find anything clear about it.
>>>>
>>>
>>> There are not many 'good' options to put x509 certificates into the
>>> Samba authentication space, and it very much depends on the client and
>>> domain environment.
>>>
>>> Perhaps you are looking for an AD implementation, with PKINIT on
>>> kerberos? This is the only real solution for windows clients.
>>>
>>> If you control the clients (say they run Linux), you could push all
>>> CIFS connections via a SSL tunnel, but Samba wouldn't 'know' about
>>> this, so would not actually authenticate the users as such.
>>>
>>> Perhaps you need to explain what you are trying to do a bit more.
>>>
>>> Andrew Bartlett
>>>

>
> what about some vpn tunnels between your local and remote networks?
> (perhaps you already have this) if you're considering using samba
> over the internet, it seems like site-to-site or vpn would serve you
> best in terms of security. that's what i do with my remote offices.
>

