Closed gustavstrandberg closed 10 months ago
NDES was just a requirement for Samba. I've since removed that requirement. Canonical probably just copied my docs from the Samba wiki at some point and didn't even check the requirements themselves. I got lots of pushback from our own customers for using NDES, which is why it was removed.
I would check with Canonical. It's possible their adsys code still uses NDES (it's a little easier than parsing the certs from the SYSVOL and LDAP).
Super, big thanks for such a quick response David! I will definitely check with Canonical.
Happy Holidays!
Thanks, Gustav
Merry Christmas :)
Hi David! @dmulder Here's the response from the adsys team.
https://github.com/ubuntu/adsys/issues/883#issuecomment-1881393763
Any comment on that?
Thanks, Gustav
Hi David!
First thanks for all your work enabling Certificate Auto Enrollment for Linux!
I have been discussing the setup of certmonger/cepces with my customer's PKI team and they had some reservations regarding cepces using NDES. Is it cepces that uses NDES or Samba? I am not sure here :-).
According to my PKI colleague, NDES is no longer considered secure and they will not allow me to use it. They did not give me any specific reason not to use NDES, but maybe it is the SHA1 issue. That should be possible to mitigate.
NDES is listed as a requirement on the Windows Server side in the ADSys documentation (Canonical), which uses certmonger/cepces in a similar way to samba-gpupdate: https://github.com/ubuntu/adsys/wiki/11.-Certificate-autoenrollment
And in the presentation "sambaXP 2022: Certificate Auto Enrollment in Samba" you talk about moving away from NDES and using LDAP to fetch the root chain instead (09:48-10:32, 11:50-11:60, 14:06-14:17): https://www.youtube.com/watch?v=-79I1Sgwxt4
What are the current options for not using NDES? That would make my customer's PKI team happy and make it much easier for me to implement a more secure solution for my customer.
Thanks, Gustav