Using SambaRobert Eckstein, David Collier-Brown, Peter Kelly1st Edition November 1999 1-56592-449-5, Order Number: 4495 416 pages, $34.95 |
A.5 SSL Configuration Options
Table A.1 summarizes the configuration options introduced in the previous section for using SSL. Note that all of these options are global in scope; in other words, they must appear in the
[global]
section of the configuration file.
Table A.1: SSL Configuration Options Option
Parameters
Function
Default
Scope
ssl
boolean
Indicates whether SSL mode is enabled with Samba.
no
Global
ssl hosts
string (list of addresses)
Specifies a list of hosts that must always connect using SSL.
None
Global
ssl hosts resign
string (list of addresses)
Specifies a list of hosts that never connect using SS.
None
Global
ssl CA certDir
string (fully-qualified pathname)
Specifies the directory where the certificates are stored.
None
Global
ssl CA certFile
string (fully-qualified pathname)
Specifies a file that contains all of the certificates for Samba.
None
Global
ssl server cert
string (fully-qualified pathname)
Specifies the location of the server's certificate.
None
Global
ssl server key
string (fully-qualified pathname)
Specifies the location of the server's private key.
None
Global
ssl client cert
string (fully-qualified pathname)
Specifies the location of the client's certificate.
None
Global
ssl client key
string (fully-qualified pathname)
Specifies the location of the client's private key.
None
Global
ssl require clientcert
boolean
Indicates whether Samba should require each client to have a certificate.
no
Global
ssl require servercert
boolean
Indicates whether the server itself should have a certificate.
no
Global
ssl ciphers
String
Specifies the cipher suite to use during protocol negotiation.
None
Global
ssl version
ssl2or3
,ssl3
, ortls1
Specifies the version of SSL to use.
ssl2or3
Global
ssl compatibility
boolean
Indicates whether compatibility with other implementations of SSL should be activated.
no
Global
A.5.1 ssl
This global option configures Samba to use SSL for communication between itself and clients. The default value of this option is
no
. You can reset it as follows:[global] ssl = yesNote that in order to use this option, you must have a proxy for Windows 95/98 clients, such as in the model presented earlier in this chapter.
A.5.2 ssl hosts
This option specifies the hosts that will be forced into using SSL. The syntax for specifying hosts and addresses is the same as the
hosts
allow
and thehosts
deny
configuration options. For example:[global] ssl = yes ssl hosts = 192.168.220.This example specifies that all hosts that fall into the 192.168.220 subnet must use SSL connections with the client. This type of structure is useful if you know that various connections will be made by a subnet that lies across an untrusted network, such as the Internet. If neither this option nor the
ssl
hosts
resign
option has been specified, andssl
is set toyes
, Samba will allow only SSL connections from all clients.A.5.3 ssl hosts resign
This option specifies the hosts that will not be forced into SSL mode. The syntax for specifying hosts and addresses is the same as the
hosts
allow
and thehosts
deny
configuration options. For example:[global] ssl = yes ssl hosts resign = 160.2.310. 160.2.320.This example specifies that all hosts that fall into the 160.2.310 or 160.2.320 subnets will not use SSL connections with the client. If neither this option nor the
ssl
hosts
option has been specified, andssl
is set toyes
, Samba will allow only SSL connections from all clients.A.5.4 ssl CA certDir
This option specifies the directory containing the certificate authority's certificates that Samba will use to authenticate clients. There must be one file in this directory for each certificate authority, named as specified earlier in this chapter. Any other files in this directory are ignored. For example:
[global] ssl = yes ssl hosts = 192.168.220. ssl CA certDir = /usr/local/samba/certThere is no default for this option. You can alternatively use the option
ssl
CA
certFile
if you wish to place all the certificate authority information in the same file.A.5.5 ssl CA certFile
This option specifies a file that contains the certificate authority's certificates that Samba will use to authenticate clients. This option differs from
ssl
CA
certDir
in that there is only one file used for all the certificate authorities. An example of its usage follows:[global] ssl = yes ssl hosts = 192.168.220. ssl CA certFile = /usr/local/samba/cert/certFileThere is no default for this option. You can also use the option
ssl
CA
certDir
if you wish to have a separate file for each certificate authority that Samba trusts.A.5.6 ssl server cert
This option specifies the location of the server's certificate. This option is mandatory; the server must have a certificate in order to use SSL. For example:
[global] ssl = yes ssl hosts = 192.168.220. ssl CA certFile = /usr/local/samba/cert/certFile ssl server cert = /usr/local/samba/private/server.pemThere is no default for this option. Note that the certificate may contain the private key for the server.
A.5.7 ssl server key
This option specifies the location of the server's private key. You should ensure that the location of the file cannot be accessed by anyone other than
root
. For example:[global] ssl = yes ssl hosts = 192.168.220. ssl CA certFile = /usr/local/samba/cert/certFile ssl server key = /usr/local/samba/private/samba.pemThere is no default for this option. Note that the private key may be contained in the certificate for the server.
A.5.8 ssl client cert
This option specifies the location of the client's certificate. The certificate may be requested by the Samba server with the
ssl
require
clientcert
option; the certificate is also used by smbclient. For example:[global] ssl = yes ssl hosts = 192.168.220. ssl CA certFile = /usr/local/samba/cert/certFile ssl server cert = /usr/local/ssl/private/server.pem ssl client cert= /usr/local/ssl/private/clientcert.pemThere is no default for this option.
A.5.9 ssl client key
This option specifies the location of the client's private key. You should ensure that the location of the file cannot be accessed by anyone other than
root
. For example:[global] ssl = yes ssl hosts = 192.168.220. ssl CA certDir = /usr/local/samba/cert/ ssl server key = /usr/local/ssl/private/samba.pem ssl client key = /usr/local/ssl/private/clients.pemThere is no default for this option. This option is only needed if the client has a certificate.
A.5.10 ssl require clientcert
This option specifies whether the client is required to have a certificate. The certificates listed with either the
ssl
CA
certDir
or thessl
CA
certFile
will be searched to confirm that the client has a valid certificate and is authorized to connect to the Samba server. The value of this option is a simple boolean. For example:[global] ssl = yes ssl hosts = 192.168.220. ssl CA certFile = /usr/local/samba/cert/certFile ssl require clientcert = yesWe recommend that you require certificates from all clients that could be connecting to the Samba server. The default value for this option is
no
.A.5.11 ssl require servercert
This option specifies whether the server is required to have a certificate. Again, this will be used by the smbclient program. The value of this option is a simple boolean. For example:
[global] ssl = yes ssl hosts = 192.168.220. ssl CA certFile = /usr/local/samba/cert/certFile ssl require clientcert = yes ssl require servercert = yesAlthough we recommend that you require certificates from all clients that could be connecting to the Samba server, a server certificate is not required. It is, however, recommended. The default value for this option is
no
.A.5.12 ssl ciphers
This option sets the ciphers on which SSL will decide during the negotiation phase of the SSL connection. Samba can use any of the following ciphers:
DEFAULT DES-CFB-M1 NULL-MD5 RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 EXP-RC2-CBC-MD5 IDEA-CBC-MD5 DES-CBC-MD5 DES-CBC-SHA DES-CBC3-MD5 DES-CBC3-SHA RC4-64-MD5 NULLIt is best not to set this option unless you are familiar with the SSL protocol and want to mandate a specific cipher suite.
A.5.13 ssl version
This global option specifies the version of SSL that Samba will use when handling encrypted connections. The default value is
ssl2or3
, which specifies that either version 2 or 3 of the SSL protocol can be used, depending on which version is negotiated in the handshake between the server and the client. However, if you want Samba to use only a specific version of the protocol, you can specify the following:[global] ssl version = ssl3Again, it is best not to set this option unless you are familiar with the SSL protocol and want to mandate a specific version.
A.5.14 ssl compatibility
This global option specifies whether Samba should be configured to use other versions of SSL. However, because no other versions exist at this writing, the issue is moot and the variable should always be left at the default.
Back to: Using Samba
© 2001, O'Reilly & Associates, Inc.