[Samba] file rights tls key files.

Rowland penny rpenny at samba.org
Fri Apr 15 09:24:01 UTC 2016

On 15/04/16 10:12, L.P.H. van Belle wrote:
> Yes, i can understand what your saying.
> But i have a "server" certificate, which i use for multple services.
> And since some of these services "run as" other user/group i have a special group for that. So logical i set 0440 on my key file and 444 on my cert files.
> And why does the key file ( any certficicate file  ) a 6, 4 is sufficient.
> Its just not logical make copies of the certificates thats not why i have a "server" certificate...
> Im just not happy with samba "enforcing" my security settings..
> So anyway to overrule this?
> Greetz,
> Louis
>> -----Oorspronkelijk bericht-----
>> Van: bj at SerNet.DE [mailto:bjacke at sernet.de] Namens Björn JACKE
>> Verzonden: vrijdag 15 april 2016 10:55
>> Aan: L.P.H. van Belle
>> CC: samba at lists.samba.org
>> Onderwerp: Re: [Samba] file rights tls key files.
>> On 2016-04-15 at 10:09 +0200 L.P.H. van Belle sent off:
>>> It there anyway to override this setting?  I do need 0440 here.  ( or
>> 0400 )
>>> 0600 is not needed imo.
>> can you say, why you need 440 here? I can't think of a valid use case for
>> that.
>> If another service should use a SSL certificate on that server, you would
>> give
>> that service another certificate then and not reuse the AD server SSL
>> cert.
>> Björn

I get the distinct feeling that the only way to 'override' this would be 
to modify the Samba code that enforces this and then recompile, do you 
really want to go down that path ?

couldn't you just store the certificate in two places, point Samba at 
one with the '0600' rights and everything else at the other with '0440' 
rights ?


More information about the samba mailing list