Certificate services

Denis CARDON dcardon at tranquil.it
Mon Feb 15 15:49:31 UTC 2021


Hi Thomas,

ADCS is a separate product from ADDC. As stated in my previous mail you 
can install ADCS on a member server which is joined to an existing 
Samba-DC.

If you want to re-implement a certificate service similar to ADCS on 
Linux you'll have to code. There are alternative CAs that you can run on 
Linux, and ADCS is mostly useful if you need auto-enrollment.

Cheers,

Denis

On 15/02/2021 at 16:01, Thomas Epperson via samba-technical wrote:
> Is this something I need to implement with code changes to samba or can I
> implement this using an existing configuration (and another process to
> implement the certificate services)? (Perhaps server services in smb.conf?)
> 
> Thomas
> 
> On Tue, Feb 9, 2021 at 3:46 AM Denis CARDON <dcardon at tranquil.it> wrote:
> 
>> Hi Andrew and Thomas,
>>
>> On 09/02/2021 at 09:26, Andrew Bartlett via samba-technical wrote:
>>> On Fri, 2021-02-05 at 23:03 -0500, Thomas Epperson via samba-technical
>>> wrote:
>>>> Hello,
>>>>
>>>> Have there been any efforts or are there any technical boundaries to
>>>> implementing the certificate services in samba (as would be used with
>>>> active directory) ? I am looking to implement it and thought adding
>>>> it to
>>>> samba would make sense.
>>>
>>> I've not looked into it but are you thinking in terms of what would
>>> allow a member server to self-issue a certificate in its own name etc?
>>
>> I have a client who had to set up an ADCS (AD Certificate Service) for
>> VMware Horizon. It has been set up on a member server joined to a
>> Samba-AD domain and it does work properly (at least for that use case)
>> for auto enrollment.
>>
>> They have a separate CA for the other stuff (user certificates, https
>> server certificates, etc.), so I cannot say for every use case.
>>
>> Cheers,
>>
>> Denis
>>
>>> A CA manager is a complex beast (once CRLs or OCSP etc start happening)
>>> so I wonder if we should bridge any interfaces we need to supply to an
>>> existing project.
>>>
>>> But beyond that have a go I suppose!  I've not heard of any other
>>> efforts that are Samba-integrated.
>>>
>>> Andrew,
>>>
>>
> 
> 
