[Samba] Set same TLS Root CA cert on all Samba DC's?

Norbert Hanke norbert.hanke at gmx.ch
Wed Oct 25 15:53:19 UTC 2023


The clean way is to have your own CA issue those certificates, and to
have that CA added to the trust stores of all systems.

The certificate for a DC will typically have a CN with the fully
qualified domain name of that particular DC, and two Subject Alternative
Names: one with the FQDN of the DC and one with the FQDN of the AD domain.

That way you can use it for both ldaps to the DC and ldaps to the domain
(the latter will DNS-resolve to one of the DCs).

regards,
Norbert

On 25.10.2023 17:21, Kees van Vloten via samba wrote:
>
> Op 25-10-2023 om 17:13 schreef Alex via samba:
>> And will Samba regenerate its own server certs from that CA, or do I
>> need
>> to externally generate & renew them with openssl?
>> Does anything else need to be done before or after replacing the
>> certs in
>> Samba? This won't break server/domain trust with domain joined
>> workstations?
>
> Any server that uses TLS will create some certs, or use the
> distro default snake-oil certs.
>
> However in order to get secure communication, you need to have a
> common ca-cert on all your machines (servers and clients) and generate
> a cert and key pair for each server.
>
> OpenSSL can do it, but I prefer EasyRSA, which uses OpenSSL under the
> hood.
>
> - Kees.
>
>>
>> Thanks
>>
>> On Wed, Oct 25, 2023 at 8:08 AM Kees van Vloten via samba <
>> samba at lists.samba.org> wrote:
>>
>>> Op 25-10-2023 om 16:45 schreef Alex via samba:
>>>> Hi!
>>>>
>>>> Is there a recommended way to set all the Samba DC's to use the
>>>> same TLS
>>>> Root CA certificate?
>>> In smb.conf put a line like this to make it use a specific CA cert:
>>>
>>> tls cafile = /etc/ssl/certs/ca.pem
>>>
>>> Now it is just a matter of distributing that to all the DCs.
>>>
>>> - Kees.
>>>
>>>> Thanks,
>>>>
>>>> Peter
>>>
>
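As an added example that is not from the thread and not Samba project code: the shell script below builds a private CA with OpenSSL, issues one certificate per DC whose CN is the DC's FQDN and whose SANs are the DC FQDN and the AD domain FQDN (so ldaps to either name matches), checks the result the way an LDAPS client would (chain to the CA plus hostname match), and prints the smb.conf `tls keyfile` / `tls certfile` / `tls cafile` lines for that DC. The realm ad.example.com, the host names dc1/dc2, the CA name, the validity periods and the file paths are all assumptions.

```shell
#!/bin/sh
# Added example (not from the samba list thread). Builds a private CA and
# per-DC server certificates with SANs for the DC FQDN and the AD domain
# FQDN. All names and paths below are assumptions for illustration.
set -eu

REALM="ad.example.com"                  # assumed AD DNS domain
WORKDIR="${WORKDIR:-$(mktemp -d)}"      # scratch dir; real keys belong on the DC only

# make_ca DIR: private CA key + self-signed root. The root is explicitly
# marked CA:TRUE with keyCertSign/cRLSign only, so the key cannot double as
# a server key if it leaks.
make_ca() {
    dir="$1"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Example AD Root CA
[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
}

# issue_dc_cert DIR FQDN: key + CSR for one DC, signed by the CA. The SAN
# carries both the DC FQDN and the domain FQDN, because ldaps://$REALM
# resolves to whichever DC DNS hands out; CA:FALSE and serverAuth keep the
# leaf from being reused as a CA or for anything but a TLS server.
issue_dc_cert() {
    dir="$1"; fqdn="$2"
    cat > "$dir/$fqdn.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $fqdn
[dc_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn,DNS:$REALM
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/$fqdn.cnf" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
    openssl x509 -req -days 825 -sha256 -in "$dir/$fqdn.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$fqdn.cnf" -extensions dc_ext \
        -out "$dir/$fqdn.pem" 2>/dev/null
}

# verify_for_host DIR CERTNAME HOST: exit 0 only if DIR/CERTNAME.pem chains to
# DIR/ca.pem AND its SAN matches HOST, i.e. what an LDAPS client checks.
verify_for_host() {
    openssl verify -CAfile "$1/ca.pem" -verify_hostname "$3" "$1/$2.pem" >/dev/null 2>&1
}

# smb_conf_snippet FQDN: the [global] lines for that DC's smb.conf. The
# /var/lib/samba/private/tls path is an assumption; use your private dir.
smb_conf_snippet() {
    fqdn="$1"
    cat <<EOF
# [global] on $fqdn (assumed paths)
tls enabled  = yes
tls keyfile  = /var/lib/samba/private/tls/$fqdn.key
tls certfile = /var/lib/samba/private/tls/$fqdn.pem
tls cafile   = /var/lib/samba/private/tls/ca.pem
EOF
}

# Demo: one CA, two DCs, then the checks a client would make.
make_ca "$WORKDIR"
for dc in "dc1.$REALM" "dc2.$REALM"; do
    issue_dc_cert "$WORKDIR" "$dc"
done
verify_for_host "$WORKDIR" "dc1.$REALM" "dc1.$REALM" && echo "dc1 cert valid for dc1.$REALM"
verify_for_host "$WORKDIR" "dc1.$REALM" "$REALM"     && echo "dc1 cert valid for $REALM"
verify_for_host "$WORKDIR" "dc1.$REALM" "dc2.$REALM" || echo "dc1 cert rejected for dc2.$REALM (as it should be)"
openssl x509 -in "$WORKDIR/dc1.$REALM.pem" -noout -text | grep -A1 'Subject Alternative Name'
smb_conf_snippet "dc1.$REALM"
```

Copy ca.pem plus that DC's own .pem and .key into the DC's private tls directory, point the three `tls *` options at them, and restart samba; ca.pem also goes into the trust store of every client that will talk LDAPS. A quick live check from a client is `openssl s_client -connect dc1.ad.example.com:636 -CAfile ca.pem -verify_hostname ad.example.com`. Swapping these certificates changes only the LDAPS/StartTLS server identity; domain membership of joined workstations rests on their machine account and Kerberos, not on this certificate.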


