<HTML>
<HEAD>
<TITLE>
[Appendix A] Configuring Samba with SSL</title><META NAME="DC.title" CONTENT=""><META NAME="DC.creator" CONTENT=""><META NAME="DC.publisher" CONTENT="O'Reilly &amp; Associates, Inc."><META NAME="DC.date" CONTENT="1999-11-05T21:41:36Z"><META NAME="DC.type" CONTENT="Text.Monograph"><META NAME="DC.format" CONTENT="text/html" SCHEME="MIME"><META NAME="DC.source" CONTENT="" SCHEME="ISBN"><META NAME="DC.language" CONTENT="en-US"><META NAME="generator" CONTENT="Jade 1.1/O'Reilly DocBook 3.0 to HTML 4.0"></head>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" link="#990000" vlink="#0000CC">
<table BORDER="0" CELLPADDING="0" CELLSPACING="0" width="90%">
<tr>
<td width="25%" valign="TOP">
<img hspace=10 vspace=10 src="gifs/samba.s.gif" 
alt="Using Samba" align=left valign=top border=0>
</td>
<td height="105" valign="TOP">
<br>
<H2>Using Samba</H2>
<font size="-1">
Robert Eckstein, David Collier-Brown, Peter Kelly
<br>1st Edition November 1999
<br>1-56592-449-5, Order Number: 4495
<br>416 pages, $34.95
</font>
<p> <a href="http://www.oreilly.com/catalog/samba/">Buy the hardcopy</a>
<p><a href="index.html">Table of Contents</a>
</td>
</tr>
</table>
<hr size=1 noshade>
<!--sample chapter begins -->

<blockquote>
<div class="samplechapter">
<H1 CLASS="appendix">
<A CLASS="title" NAME="appa-73322">
A. Configuring Samba with SSL</a></h1><DIV CLASS="htmltoc">
<P>
<B>
Contents:</b><br>
<A CLASS="sect1" HREF="#appa-pgfId-986440" TITLE="A.1 About Certificates">
About Certificates</a><br>
<A CLASS="sect1" HREF="appa_02.html" TITLE="A.2 Requirements">
Requirements</a><br>
<A CLASS="sect1" HREF="appa_03.html" TITLE="A.3 Installing SSLeay">
Installing SSLeay</a><br>
<A CLASS="sect1" HREF="appa_04.html" TITLE="A.4 Setting Up SSL Proxy">
Setting Up SSL Proxy</a><br>
<A CLASS="sect1" HREF="appa_05.html" TITLE="A.5 SSL Configuration Options">
SSL Configuration Options</a></p><P>
</p></div><P CLASS="para">This appendix describes how to set up Samba to use secure connections between the Samba server and its clients. The protocol used here is Netscape's Secure Sockets Layer (SSL). For this example, we will establish a secure connection between a Samba server and a Windows NT workstation. </p><P CLASS="para">
Before we begin, we will assume that you are familiar with the fundamentals of public-key cryptography and X.509 certificates. If not, we highly recommend Bruce Schneier's <I CLASS="filename">
Applied Cryptography, 2nd Edition</i> (Wiley) as the premier source for learning the many secret faces of cryptography.</p><P CLASS="para">
If you would like more information on Samba and SSL, be sure to look at the document <I CLASS="filename">
SSLeay.txt</i> in the <I CLASS="filename">
docs/textdocs</i> directory of the Samba distribution, which is the basis for this appendix.</p><DIV CLASS="sect1">
<H2 CLASS="sect1">
<A CLASS="title" NAME="appa-pgfId-986440">
A.1 About Certificates</a></h2><P CLASS="para">
Here are a few quick questions and answers from the <I CLASS="filename">
SSLeay.txt</i> file in the Samba documentation, regarding the benefits of SSL and certificates. This text was written by Christian Starkjohann for the Samba project. </p><DIV CLASS="sect2">
<H3 CLASS="sect2">
<A CLASS="title" NAME="appa-pgfId-990471">
A.1.1 What is a Certificate?</a></h3><P CLASS="para">
A certificate is issued by an issuer, usually a <EM CLASS="emphasis">
Certification Authority</em> (CA), who confirms something by issuing the certificate. The subject of this confirmation depends on the CA's policy. CAs for secure web servers (used for shopping malls, etc.) usually attest only that the given public key belongs to the given domain name. Company-wide CAs might attest that you are an employee of the company, that you have permissions to use a server, and so on. </p></div><DIV CLASS="sect2">
<H3 CLASS="sect2">
<A CLASS="title" NAME="appa-pgfId-990473">
A.1.2 What is an X.509 certificate, technically?</a></h3><P CLASS="para">
Technically, the certificate is a block of data signed by the certificate issuer (the CA). The relevant fields are:</p><UL CLASS="itemizedlist">
<LI CLASS="listitem">
<P CLASS="para">
<A CLASS="listitem" NAME="appa-pgfId-990475">
</a>Unique identifier (name) of the certificate issuer</p></li><LI CLASS="listitem">
<P CLASS="para">
<A CLASS="listitem" NAME="appa-pgfId-990476">
</a>Time range during which the certificate is valid</p></li><LI CLASS="listitem">
<P CLASS="para">
<A CLASS="listitem" NAME="appa-pgfId-990477">
</a>Unique identifier (name) of the certified object</p></li><LI CLASS="listitem">
<P CLASS="para">
<A CLASS="listitem" NAME="appa-pgfId-990478">
</a>Public key of the certified object</p></li><LI CLASS="listitem">
<P CLASS="para">
<A CLASS="listitem" NAME="appa-pgfId-990479">
</a>The issuer's signature over all the above</p></li></ul><P CLASS="para">
If this certificate is to be verified, the verifier must have a table of the names and public keys of trusted CAs. For simplicity, these tables should list certificates issued by the respective CAs for themselves (self-signed certificates).</p></div><DIV CLASS="sect2">
<H3 CLASS="sect2">
<A CLASS="title" NAME="appa-pgfId-990481">
A.1.3 What are the implications of this certificate structure?</a></h3><P CLASS="para">
Four implications follow:</p><UL CLASS="itemizedlist">
<LI CLASS="listitem">
<P CLASS="para">
<A CLASS="listitem" NAME="appa-pgfId-990485">
</a>Because the certificate contains the subject's public key, the certificate and the private key together are all that is needed to encrypt and decrypt.</p></li><LI CLASS="listitem">
<P CLASS="para">
<A CLASS="listitem" NAME="appa-pgfId-990489">
</a>To verify certificates, you need the certificates of all CAs you trust. </p></li><LI CLASS="listitem">
<P CLASS="para">
<A CLASS="listitem" NAME="appa-pgfId-990490">
</a>The simplest form of a dummy-certificate is one that is signed by the subject.</p></li><LI CLASS="listitem">
<P CLASS="para">
<A CLASS="listitem" NAME="appa-pgfId-990491">
</a>A CA is needed. The client can't simply issue local certificates for servers it trusts because the server determines which certificate it presents. </p></li></ul></div></div></div></blockquote>
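<P CLASS="para">
The verification rules from A.1.2 and A.1.3, as an added example that is not part of the book or of SSLeay.txt: it uses the <CODE>openssl</CODE> command-line tool to build a throwaway CA, a server certificate and a self-signed dummy certificate, prints the fields listed in A.1.2, and checks each certificate against different tables of trusted CAs. All certificate names (Example Test CA, samba.example.test, dummy.example.test) and file names are constructed placeholders.</p>

```bash
#!/usr/bin/env bash
# Added example: throwaway keys and certificates; every name below is a constructed placeholder.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT      # do not leave the private keys behind

# Self-signed certificate (issuer == subject). Used for the CA and for the dummy certificate.
make_self_signed() {            # $1 = file prefix, $2 = common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/O=Example Org/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Certificate for the server, signed with the CA's private key.
issue_server_cert() {           # $1 = server common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Org/CN=$1" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/srv.pem" 2>/dev/null
}

# Print one distinguished name: $1 = issuer|subject, $2 = certificate file.
name_of() { openssl x509 -in "$2" -noout "-$1" | sed "s/^$1= *//"; }

is_self_signed() { [ "$(name_of issuer "$1")" = "$(name_of subject "$1")" ]; }

# $1 plays the verifier's table of trusted CAs; succeeds only if $2 chains to it.
verify_with() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# The fields listed in A.1.2: issuer, validity, subject, public key, signature.
show_fields() {
  openssl x509 -in "$1" -noout -issuer -dates -subject
  openssl x509 -in "$1" -noout -text | grep -m1 'Public-Key'
  openssl x509 -in "$1" -noout -text | grep -m1 'Signature Algorithm'
}

make_self_signed ca "Example Test CA"
make_self_signed dummy "dummy.example.test"
issue_server_cert "samba.example.test"
show_fields "$WORK/srv.pem"

verify_with "$WORK/ca.pem" "$WORK/srv.pem"      && echo "server cert: accepted, its CA is in the table"
verify_with "$WORK/dummy.pem" "$WORK/srv.pem"   || echo "server cert: rejected, its CA is not in the table"
verify_with "$WORK/dummy.pem" "$WORK/dummy.pem" && echo "dummy cert: accepted only where it is itself listed"
verify_with "$WORK/ca.pem" "$WORK/dummy.pem"    || echo "dummy cert: rejected by a verifier that lists only the CA"
```

<P CLASS="para">
The last two checks show why a self-signed dummy certificate does not scale: every verifier has to list that exact certificate, whereas one CA entry covers every certificate the CA signs.</p>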

<!-- End of sample chapter -->
<CENTER>
<FONT SIZE="1" FACE="Verdana, Arial, Helvetica">
<EM>&copy; 1999, O'Reilly &amp; Associates, Inc.</EM>
</FONT>
</CENTER>
</BODY>
</html>