Possible to not use NDES? #36
Comments
|
NDES was just a requirement for Samba. I've since removed that requirement. Canonical probably just copied my docs from the Samba wiki at some point, and didn't even check the requirements themselves. I got lots of push back from our own customers for using NDES, which is why it was removed. |
|
I would check with Canonical. It's possible their adsys code still uses NDES (it's a little easier than parsing the certs from the SYSVOL and LDAP). |
|
Super, big thanks for such a quick response David! Happy Holidays! Thanks, |
|
Merry Christmas :) |
|
Hi David! @dmulder Any comment on that? Thanks, |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi David!
First thanks for all your work enabling Certificate Auto Enrollment for Linux!
I have been discussing the setup of certmonger/cepces with my customer's PKI team and they had some reservations regarding cepces using NDES. Is it cepces that uses NDES or Samba? I am not sure here :-).
According to my PKI colleague NDES is no longer considered secure and they will not allow me to use it.
They did not give me any specific reason why not to use NDES, but maybe it is the SHA1 issue. That should be possible to mitigate.
NDES is listed as a requirement on the Windows Server side in the ADSys documentation (Canonical) that uses certmonger/cepces in a similar way that samba-gpupdate does.
https://github.com/ubuntu/adsys/wiki/11.-Certificate-autoenrollment .
And watching the presentation "sambaXP 2022: Certificate Auto Enrollment in Samba" you talk about moving away from NDES and using LDAP to fetch the root chain instead. 09:48-10:32, 11:50-11.60, 14.06-14.17.
https://www.youtube.com/watch?v=-79I1Sgwxt4
What are the current options of not using NDES?
That would make my customer's PKI team happy and much easier for me to implement a more secure solution for my customer.
Thanks,
Gustav
The text was updated successfully, but these errors were encountered: