[Samba] samba certificates ldap problems etc. a tip..

L.P.H. van Belle belle at bazuin.nl
Wed May 11 09:30:20 UTC 2016



Since lots of questions these days are also about certificate i have one to share. 


Here you can get a very simple windows tool to create a CA and client Certs:



I have only one bug found here, when you create a wildcart cert. 

Use the SECOND name for *.domain.tld and the first call it wildcard.domain.tld. 

Certs are saved in : C:\Users\Username\.certmgr-db\somename here.. 


Now setup your created root cert for servers and pc's. 



Add in /etc/ldap/ldap.conf ( minimal )

TLS_CACERT      /etc/ssl/certs/ca-certificates.crt



Setup your own "rootCA" like this.

( if not done, apt-get install ca-certificates )


mkdir -p /usr/local/share/ca-certificates/yourCArootFolder 

copy your root CA cert in /usr/local/share/ca-certificates/yourCArootFolder 

run : update-ca-certificates


! MUST BE /usr/local/share/ca-certificates else its not picked up with the update-ca-certificates command.



you should see:


Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.

Running hooks in /etc/ca-certificates/update.d....done.



Now after done above your CA Cert is hashed in /etc/ssl/certs

And its added in /etc/ssl/certs/ca-certificates.crt


For windows: 

Now setup a GPO to deploy the rootCa to your pc's and your good to go. 

How : 



and an example to add to smb.conf


    tls enabled = yes

    tls keyfile = /etc/ssl/local/private/proxy.key.pem

    tls certfile = /etc/ssl/local/certs/proxy.cert.pem

    tls cafile = /etc/ssl/certs/company-root-ca.pem


this : /etc/ssl/certs/company-root-ca.pem is a symlink created by update-ca-certificates. 


This folder : /etc/ssl/local is adviced for your personal certificates. 

Try to avoid mixing personal/(un)official certificates in /etc/ssl/certs.


So create a folders 



Much easier to maintain this way. 



Few other samples. 


Squid ldap simple auth sample.


auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \

    -b "ou=COMPANY,dc=internal,dc=domain,dc=tld" \

    -D some-user-to-bind2ldap at REALM \

    -W /etc/squid/private/ldap-passwordfile \

    -f sAMAccountName=%s \

    -H ldaps://dc2.internal.domain.tld \

    -H ldaps://dc1.internal.domain.tld


^^ protect the /etc/squid/private/ldap-passwordfile file 

Watch the –H and not –h.  ,,  

-H => URI

-h => hostname



A postfix sample  (/etc/postfix/ads-aliases.cf ) 


server_host = ldaps://dc1.internal.domain.tld ldaps://dc2.internal.domain.tld

search_base = OU=Aliases,dc=internal,dc=domain,dc=tld

version = 3


bind_dn = CN=some-user-to-bind2ldap,OU=srv-accounts,dc=internal,dc=domain,dc=tld

bind_pw = somepassword 


scope = sub

query_filter = (&(objectClass=contact)(displayName=%s))

result_attribute = displayName










More information about the samba mailing list