This appendix describes how to set up Samba to use secure connections between the Samba server and its clients. The protocol used here is Netscape's Secure Sockets Layer (SSL). For this example, we will establish a secure connection between a Samba server and a Windows NT workstation.
Before we begin, we will assume that you are familiar with the fundamentals of public-key cryptography and X.509 certificates. If not, we highly recommend Bruce Schneier's Applied Cryptography, 2nd Edition (Wiley) as the premiere source for learning the many secret faces of cryptography.
If you would like more information on Samba and SSL, be sure to look at the document SSLeay.txt in the docs/textdocs directory of the Samba distribution, which is the basis for this appendix.
Here are a few quick questions and answers from the SSLeay.txt file in the Samba documentation, regarding the benefits of SSL and certificates. This text was written by Christian Starkjohann for the Samba projects.
A certifcate is issued by an issuer, usually a Certification Authority (CA), who confirms something by issuing the certificate. The subject of this confirmation depends on the CA's policy. CAs for secure web servers (used for shopping malls, etc.) usually attest only that the given public key belongs the given domain name. Company-wide CAs might attest that you are an employee of the company, that you have permissions to use a server, and so on.
Technically, the certificate is a block of data signed by the certificate issuer (the CA). The relevant fields are:
If this certificate is to be verified, the verifier must have a table of the names and public keys of trusted CAs. For simplicity, these tables should list certificates issued by the respective CAs for themselves (self-signed certificates).
Four implications follow: