creating certificates for dc, user etc for samba tests

L. van Belle belle at samba.org
Fri Dec 6 09:26:33 UTC 2019


As far as I can tell, the solution is to make 2 configs for openssl.

https://github.com/PADL/heimdal/commit/d26daefd4ae35ef7448f8b3e7fba895b0f901bd7

shows
data/openssl.cnf.1.0 \
data/openssl.cnf.1.1 \ 
> workaround until openssl -objects lands < 

And 
https://github.com/PADL/heimdal/commit/d26daefd4ae35ef7448f8b3e7fba895b0f901bd7#diff-71fc8c9f169ce490db429f9031aee4fa

Shows the example openssl1.1.cnf
You could compare this one with the one you're using atm.

What is the OS you're using and openssl version?


Greetz,

Louis



> -----Original message-----
> From: npower [mailto:npower at samba.org]
> Sent: Friday 6 December 2019 10:21
> To: belle at samba.org; samba-team at lists.samba.org
> Subject: Re: creating certificates for dc, user etc for samba tests
> 
> hmm, I thought I sent this to samba-technical... damn 
> autocompletion :-)
> 
> On 06/12/2019 08:47, L. van Belle via samba-team wrote:
> > Which openssl version? 
> 1.1.0
> >
> > You might be hitting these bugs. 
> > https://github.com/openssl/openssl/issues/6696 
> > https://github.com/heimdal/heimdal/issues/392 
> 
> yes, I had seen those and while they describe somewhat the situation I
> don't see a solution, I tried commenting out those entries and get
> similar results as described in  
> https://github.com/openssl/openssl/issues/6696
> 
> if there is a solution in the report there I didn't see it, my plan B
> was to dig out an old system with older openssl. Be good though if
> someone who knows about this can either fix the config files or update
> the instructions or... :-)
> 
> Anyway thanks
> 
> Noel
> 
> >
> >
> > Greetz, 
> >
> > Louis
> >
> >
> >> -----Original message-----
> >> From: samba-technical
> >> [mailto:samba-technical-bounces at lists.samba.org] On behalf of Noel
> >> Power via samba-technical
> >> Sent: Friday 6 December 2019 9:15
> >> To: samba-technical
> >> Subject: creating certificates for dc, user etc for samba tests
> >>
> >> Help!!
> >>
> >> Does anyone know anything about openssl & generating certs ?
> >>
> >> I tried to follow the instructions at
> >> selftest/manage-ca/manage-CA-samba.example.com.sh
> >>
> >> e.g.
> >>
> >>   ./manage-ca.sh manage-CA-samba.example.com.cnf create_dc
> >> testdc.samba.example.com 0123456789ABCDEF
> >>
> >>   problem creating object scardLogin=1.3.6.1.4.1.311.20.2.2
> >>
> >>   140087403947840:error:08064066:object identifier
> >> routines:OBJ_create:oid exists:crypto/objects/obj_dat.c:708:
> >>
> >> some google results seemed to indicate this error results from changes
> >> in openssl where some attributes are now included by default (iiuc) so I
> >> commented out that attribute in
> >> manage-ca.templates.d/openssl-BASE-template.cnf
> >>
> >> then the same error for msUPN & msKDC (so I did the same)
> >>
> >> the process gets further but error out with
> >>
> >> Using configuration from
> >> CA-samba.example.com/DCs/testdc.samba.example.com/DC-testdc.sa
> >> mba.example.com-S06-openssl.cnf
> >> Enter pass phrase for
> >> CA-samba.example.com/Private/CA-samba.example.com-private-key.pem:
> >> Error Loading extension section template_x509_extensions
> >> 140189838030656:error:0E06D06C:configuration file
> >> routines:NCONF_get_string:no
> >> value:crypto/conf/conf_lib.c:275:group=CA_default name=email_in_dn
> >> 140189838030656:error:0D06407A:asn1 encoding
> >> routines:a2d_ASN1_OBJECT:first num too 
> >> large:crypto/asn1/a_object.c:72:
> >> 140189838030656:error:2206706E:X509 V3
> >> routines:v2i_EXTENDED_KEY_USAGE:invalid object
> >> identifier:crypto/x509v3/v3_extku.c:93:section:,name:msKDC,value:
> >> 140189838030656:error:22098080:X509 V3
> >> routines:X509V3_EXT_nconf:error
> >> in extension:crypto/x509v3/v3_conf.c:47:name=extendedKeyUsage,
> >> value=clientAuth,serverAuth,msKDC
> >>
> >> so I am stumped as I am totally clueless about these files and their
> >> content, there seems plenty of google hits about similar errors but I
> >> don't know enough to interpret them, can anyone help ??
> >>
> >> Noel
> >>
> >>
> >>
> >
> 
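
Added example, not part of the mail thread and not Samba or Heimdal code: the first error quoted above is OpenSSL refusing to create an OID it reports as already existing, and the second appears once the name is commented out but extendedKeyUsage still refers to msKDC. As an alternative to keeping two config files, this sketch inlines the dotted OIDs wherever the custom names are used and drops the OID section. The function name `inline_custom_oids` and the sample config are hypothetical, and the msUPN and msKDC OID values are assumptions.

```python
import re

# Constructed sample modelled on the names in the thread; it is NOT the real
# manage-ca.templates.d/openssl-BASE-template.cnf. The scardLogin OID is the
# one in the error message; the msUPN and msKDC OIDs and the UPN value are
# assumptions made for this example.
SAMPLE_CNF = """\
oid_section = new_oids

[ new_oids ]
scardLogin = 1.3.6.1.4.1.311.20.2.2
msUPN = 1.3.6.1.4.1.311.20.2.3
msKDC = 1.3.6.1.5.2.3.5

[ template_x509_extensions ]
extendedKeyUsage = clientAuth,serverAuth,msKDC
subjectAltName = otherName:msUPN;UTF8:user@samba.example.com
"""

SECTION = re.compile(r"^\s*\[\s*([^\]\s]+)\s*\]\s*$")
ASSIGN = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*)$")  # skips '#' comments


def inline_custom_oids(cnf_text):
    """Return (new_text, mapping) with custom OID names replaced by dotted OIDs."""
    lines = cnf_text.splitlines()
    oid_sec = next((m.group(2).strip() for m in map(ASSIGN.match, lines)
                    if m and m.group(1) == "oid_section"), None)
    mapping, section = {}, None
    for line in lines:  # pass 1: collect name -> dotted OID from the OID section
        sec, kv = SECTION.match(line), ASSIGN.match(line)
        if sec:
            section = sec.group(1)
        elif kv and oid_sec is not None and section == oid_sec:
            mapping[kv.group(1)] = kv.group(2).strip()
    if not mapping:
        return cnf_text, {}
    names = re.compile(r"\b(" + "|".join(map(re.escape, mapping)) + r")\b")
    out, section = [], None
    for line in lines:  # pass 2: drop the OID section, rewrite every other value
        sec, kv = SECTION.match(line), ASSIGN.match(line)
        if sec:
            section = sec.group(1)
        if section == oid_sec or (kv and kv.group(1) == "oid_section"):
            continue
        if kv:
            value = names.sub(lambda m: mapping[m.group(1)], kv.group(2))
            line = f"{kv.group(1)} = {value}"
        out.append(line)
    return "\n".join(out) + "\n", mapping
```

Run it on a copy of the generated config and diff the result before using it with the CA scripts.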



