Bug 2825 - default value for ldap ssl can make Samba very slow
Summary: default value for ldap ssl can make Samba very slow
Status: RESOLVED WORKSFORME
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 1
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Buchan Milne test 2
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-09-24 13:50 CEST by Anne Nicolas
Modified: 2012-01-20 20:35 CET

See Also:
Source RPM: samba
CVE:
Status comment:


Attachments

Description Anne Nicolas 2011-09-24 13:50:29 CEST
The default smb.conf does not set the ldap ssl value, so the default value is then:
ldap ssl = start tls

For a very basic configuration like a home workgroup, this parameter is just not taken into account, and it causes some big slowdowns when using such shares.

We should either propose a proper TLS configuration by default or set ldap ssl to "off".

WDYT?
Comment 1 Buchan Milne 2011-10-17 14:26:07 CEST
The 'ldap admin dn' used by Samba requires significant privileges in the case of using ldapsam; we really should not be exposing the credentials of this DN by default.

I would much prefer a sane TLS configuration.

With correctly configured TLS, there is little performance difference:

[root@tiger ~]# grep '^ldap ssl' /etc/samba/smb.conf;time  pdbedit -L |wc -l
ldap ssl = no
21

real    0m0.133s
user    0m0.008s
sys     0m0.010s
[root@tiger ~]# grep '^ldap ssl' /etc/samba/smb.conf;time  pdbedit -L |wc -l
ldap ssl = no
21

real    0m0.088s
user    0m0.015s
sys     0m0.011s
[root@tiger ~]# grep '^ldap ssl' /etc/samba/smb.conf;time  pdbedit -L |wc -l
ldap ssl = no
21

real    0m0.030s
user    0m0.006s
sys     0m0.002s
[root@tiger ~]# grep '^ldap ssl' /etc/samba/smb.conf;time  pdbedit -L |wc -l
ldap ssl = no
21

real    0m0.036s
user    0m0.007s
sys     0m0.008s
[root@tiger ~]# grep '^ldap ssl' /etc/samba/smb.conf;time  pdbedit -L |wc -l
ldap ssl = no
21

real    0m0.040s
user    0m0.007s
sys     0m0.012s
VS:
[root@tiger ~]# grep '^ldap ssl' /etc/samba/smb.conf;time  pdbedit -L |wc -l
ldap ssl = start_tls
21

real    0m0.057s
user    0m0.026s
sys     0m0.009s
[root@tiger ~]# grep '^ldap ssl' /etc/samba/smb.conf;time  pdbedit -L |wc -l
ldap ssl = start_tls
21

real    0m0.061s
user    0m0.025s
sys     0m0.009s
[root@tiger ~]# grep '^ldap ssl' /etc/samba/smb.conf;time  pdbedit -L |wc -l
ldap ssl = start_tls
21

real    0m0.059s
user    0m0.026s
sys     0m0.011s
[root@tiger ~]# grep '^ldap ssl' /etc/samba/smb.conf;time  pdbedit -L |wc -l
ldap ssl = start_tls
21

real    0m0.060s
user    0m0.024s
sys     0m0.009s
[root@tiger ~]# grep '^ldap ssl' /etc/samba/smb.conf;time  pdbedit -L |wc -l
ldap ssl = start_tls
21

real    0m0.050s
user    0m0.020s
sys     0m0.006s
So, about 10-20ms overhead.

If we are really concerned about performance with security, we could consider defaulting to ldapi:///:

[root@tiger ~]# grep -E  '^(passdb backend|ldap ssl)' /etc/samba/smb.conf;time  pdbedit -L |wc -l
passdb backend = ldapsam:ldapi:///
ldap ssl = no
21

real    0m0.028s
user    0m0.006s
sys     0m0.005s
[root@tiger ~]# grep -E  '^(passdb backend|ldap ssl)' /etc/samba/smb.conf;time  pdbedit -L |wc -l
passdb backend = ldapsam:ldapi:///
ldap ssl = no
21

real    0m0.036s
user    0m0.006s
sys     0m0.010s
[root@tiger ~]# grep -E  '^(passdb backend|ldap ssl)' /etc/samba/smb.conf;time  pdbedit -L |wc -l
passdb backend = ldapsam:ldapi:///
ldap ssl = no
21

real    0m0.026s
user    0m0.003s
sys     0m0.005s
[root@tiger ~]# grep -E  '^(passdb backend|ldap ssl)' /etc/samba/smb.conf;time  pdbedit -L |wc -l
passdb backend = ldapsam:ldapi:///
ldap ssl = no
21

real    0m0.035s
user    0m0.008s
sys     0m0.008s
[root@tiger ~]# grep -E  '^(passdb backend|ldap ssl)' /etc/samba/smb.conf;time  pdbedit -L |wc -l
passdb backend = ldapsam:ldapi:///
ldap ssl = no
21

real    0m0.027s
user    0m0.003s
sys     0m0.004s
But, I think we should consider a requirement first, and develop all the pieces to fulfil it. For example, we may rather want to focus on delivering an easy-to-administer LDAP+Kerberos environment:

[bgmilne@tiger ~]$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: bgmilne@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com

[root@tiger ~]# ldapwhoami -H ldap://$HOSTNAME -ZZ -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: host/tiger.ranger.dnsalias.com@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn:cn=tiger.ranger.dnsalias.com,ou=hosts,dc=ranger,dc=dnsalias,dc=com


[root@tiger ~]# ldapwhoami -H ldapi:/// -Y EXTERNAL
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:uid=account admin,ou=system accounts,dc=ranger,dc=dnsalias,dc=com


[root@tiger ~]# su - ldap -s /bin/bash -c 'kinit -t /etc/openldap/ldap.keytab ldap/$HOSTNAME'
[root@tiger ~]# su - ldap -s /bin/bash -c 'klist'
Credentials cache: FILE:/tmp/krb5cc_78
        Principal: ldap/tiger.ranger.dnsalias.com@RANGER.DNSALIAS.COM

  Issued                Expires               Principal
Oct 17 14:24:05 2011  Oct 17 21:04:05 2011  krbtgt/RANGER.DNSALIAS.COM@RANGER.DNSALIAS.COM
[root@tiger ~]# su - ldap -s /bin/bash -c 'ldapwhoami -Y GSSAPI'
SASL/GSSAPI authentication started
SASL username: ldap/tiger.ranger.dnsalias.com@RANGER.DNSALIAS.COM
SASL SSF: 56
SASL data security layer installed.
dn:cn=ldap,cn=tiger.ranger.dnsalias.com,ou=hosts,dc=ranger,dc=dnsalias,dc=com


One also wonders if we should make it easier for admins to deploy services which use their selected authentication mechanism by default (e.g. if configured for Kerberos, and the admin installs squid, ask if squid should be configured for Kerberos SSO auth, and try and make it easy to retrieve keytabs etc.).

CC: (none) => bgmilne
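
As an added example (not part of this bug report or of Samba itself), the following POSIX shell audit applies the reasoning of the comment above to an smb.conf: it reads 'passdb backend' and 'ldap ssl' and reports whether the 'ldap admin dn' simple bind would cross the network in cleartext (ldap:// with ldap ssl = no), is protected by STARTTLS (the Samba default when the parameter is unset), uses ldaps://, or stays on a local ldapi:/// socket. The parsing is deliberately minimal (awk, no testparm, includes not followed); the hostname ldap.example.test, the sample configurations, the verdict tokens and the function names are assumptions invented for the illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or Samba): audit an smb.conf for whether
# the 'ldap admin dn' bind would cross the network in cleartext.
#
# Rule, following the discussion above:
#   - ldapsam over ldap://host + 'ldap ssl = no'/'off'   -> CLEARTEXT simple bind
#   - ldapsam over ldap://host + 'ldap ssl = start tls'  -> protected by STARTTLS
#   - ldapsam over ldaps://host                          -> TLS from the first byte
#   - ldapsam over ldapi:///                             -> Unix-domain socket, local only
#   - 'ldap ssl' unset                                   -> Samba's default, 'start tls'
#   - bare 'ldapsam' with no URL                         -> Samba uses ldap://localhost
# Assumption: the file is parsed with awk only (no testparm), so 'key = value' lines
# are taken literally and include/config-backend directives are not followed.

# get_param FILE KEY: print the value of KEY (case-insensitive key, trimmed,
# lowercased), or nothing if the key is absent.
get_param() {
    awk -F= -v key="$2" '
        {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (tolower(k) == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print tolower(v)
                exit
            }
        }' "$1"
}

# ldap_bind_exposure FILE: print one verdict token for the admin-DN bind.
ldap_bind_exposure() {
    backend=$(get_param "$1" "passdb backend")
    ssl=$(get_param "$1" "ldap ssl")
    [ -n "$ssl" ] || ssl="start tls"     # unset in smb.conf: Samba defaults to 'start tls'

    case "$backend" in
        ldapsam*) ;;                     # only ldapsam binds with 'ldap admin dn'
        *) echo "no-ldapsam"; return 0 ;;
    esac

    case "$backend" in
        *ldaps://*) echo "protected-ldaps" ;;   # TLS before any LDAP PDU
        *ldapi:*)   echo "local-socket" ;;      # never leaves the host (paired with 'ldap ssl = no' above)
        *ldap://*|ldapsam)                      # TCP to a host (bare 'ldapsam' means ldap://localhost)
            case "$ssl" in
                "start tls"|start_tls) echo "protected-starttls" ;;
                no|off|false)          echo "CLEARTEXT" ;;
                *)                     echo "unknown-ldap-ssl:$ssl" ;;
            esac ;;
        *) echo "unknown-url:$backend" ;;
    esac
}

# Demo on three constructed configurations (sample data, not taken from any real host).
demo_dir=$(mktemp -d)
printf '[global]\n  workgroup = HOME\n  passdb backend = ldapsam:ldap://ldap.example.test\n  ldap ssl = no\n' \
    > "$demo_dir/cleartext.conf"
printf '[global]\n  passdb backend = ldapsam:ldap://ldap.example.test\n' \
    > "$demo_dir/default.conf"               # 'ldap ssl' left unset, as in the stock smb.conf
printf '[global]\n  passdb backend = ldapsam:ldapi:///\n  ldap ssl = no\n' \
    > "$demo_dir/ldapi.conf"
for f in "$demo_dir"/*.conf; do
    printf '%-16s %s\n' "$(basename "$f")" "$(ldap_bind_exposure "$f")"
done
rm -rf "$demo_dir"
```

Run it against a real host's /etc/samba/smb.conf after the stock file has been edited; a CLEARTEXT verdict means the privileged admin DN password is sent as a plain LDAP simple bind, which is the exposure the comment argues against trading away for 10-20 ms.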

Comment 2 Marja Van Waes 2012-01-20 13:48:23 CET
Pinging, because nothing has happened to this report for more than 3 months, and it still has the status NEW or REOPENED.


@ Buchan
Please set status to ASSIGNED. If for work flow reasons you can't do that, then please put OK on the whiteboard instead.

CC: (none) => marja11

Comment 3 Buchan Milne 2012-01-20 20:35:39 CET
I don't see much impact with start_tls enabled.

Status: NEW => RESOLVED
Resolution: (none) => WORKSFORME

