Possible to not use NDES? #36

Closed
gustavstrandberg opened this issue Dec 21, 2023 · 5 comments

Comments

@gustavstrandberg

gustavstrandberg commented Dec 21, 2023

Hi David!

First thanks for all your work enabling Certificate Auto Enrollment for Linux!

I have been discussing the setup of certmonger/cepces with my customer's PKI team and they had some reservations regarding cepces using NDES. Is it cepces that uses NDES or Samba? I am not sure here :-).

According to my PKI colleague NDES is no longer considered secure and they will not allow me to use it.
They did not give me any specific reason why not to use NDES, but maybe it is the SHA1 issue. That should be possible to mitigate.

NDES is listed as a requirement on the Windows Server side in the ADSys documentation (Canonical) that uses certmonger/cepces in a similar way that samba-gpupdate does.
https://github.com/ubuntu/adsys/wiki/11.-Certificate-autoenrollment .

And watching the presentation "sambaXP 2022: Certificate Auto Enrollment in Samba" you talk about moving away from NDES and using LDAP to fetch the root chain instead (09:48-10:32, 11:50-11:60, 14:06-14:17).
https://www.youtube.com/watch?v=-79I1Sgwxt4

What are the current options of not using NDES?
That would make my customer's PKI team happy and make it much easier for me to implement a more secure solution for my customer.

Thanks,
Gustav

@dmulder
Collaborator

dmulder commented Dec 21, 2023

NDES was just a requirement for Samba. I've since removed that requirement. Canonical probably just copied my docs from the Samba wiki at some point, and didn't even check the requirements themselves. I got lots of pushback from our own customers for using NDES, which is why it was removed.

@dmulder
Collaborator

dmulder commented Dec 21, 2023

I would check with Canonical. It's possible their adsys code still uses NDES (it's a little easier than parsing the certs from the SYSVOL and LDAP).

dmulder closed this as completed Dec 21, 2023
@gustavstrandberg
Author

gustavstrandberg commented Dec 21, 2023

Super, big thanks for such a quick response David!
I will definitely check with Canonical.

Happy Holidays!

Thanks,
Gustav

@dmulder
Collaborator

dmulder commented Dec 21, 2023

Merry Christmas :)

@gustavstrandberg
Author

gustavstrandberg commented Jan 9, 2024

Hi David! @dmulder
Here's the response from the adsys team.

ubuntu/adsys#883 (comment)

Any comment on that?

Thanks,
Gustav
