[Samba] samba certificates ldap problems etc. a tip..

L.P.H. van Belle belle at bazuin.nl
Wed May 11 09:30:20 UTC 2016


Hai,

Since lots of questions these days are also about certificates, I have one tip to share.

Here you can get a very simple Windows tool to create a CA and client certs:

https://realtimelogic.com/blog/2014/05/How-to-act-as-a-Certificate-Authority-the-Easy-Way

I have found only one bug here, when you create a wildcard cert.
Use the SECOND name for *.domain.tld and call the first one wildcard.domain.tld.

Certs are saved in: C:\Users\Username\.certmgr-db\somename here..


Now set up your created root cert for servers and PCs.

Add in /etc/ldap/ldap.conf (minimal):

TLS_CACERT      /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT allow


Set up your own "rootCA" like this.
(if not done: apt-get install ca-certificates)

mkdir -p /usr/local/share/ca-certificates/yourCArootFolder
copy your root CA cert into /usr/local/share/ca-certificates/yourCArootFolder
run: update-ca-certificates

! MUST BE /usr/local/share/ca-certificates, else it's not picked up by the update-ca-certificates command.


You should see:

update-ca-certificates
Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....done.

Now, after the above is done, your CA cert is hashed in /etc/ssl/certs
and it's added to /etc/ssl/certs/ca-certificates.crt.


For Windows:
Now set up a GPO to deploy the rootCA to your PCs and you're good to go.
How:
https://technet.microsoft.com/nl-nl/library/cc770315(v=ws.10).aspx


And an example to add to smb.conf:

    tls enabled = yes
    tls keyfile = /etc/ssl/local/private/proxy.key.pem
    tls certfile = /etc/ssl/local/certs/proxy.cert.pem
    tls cafile = /etc/ssl/certs/company-root-ca.pem

This /etc/ssl/certs/company-root-ca.pem is a symlink created by update-ca-certificates.

This folder, /etc/ssl/local, is advised for your personal certificates.
Try to avoid mixing personal/(un)official certificates in /etc/ssl/certs.

So create the folders
/etc/ssl/local/certs
/etc/ssl/local/private
Much easier to maintain this way.


A few other samples.

Squid LDAP simple auth sample:

auth_param basic program /usr/lib/squid/basic_ldap_auth -R -v 3 \
    -b "ou=COMPANY,dc=internal,dc=domain,dc=tld" \
    -D some-user-to-bind2ldap@REALM \
    -W /etc/squid/private/ldap-passwordfile \
    -f sAMAccountName=%s \
    -H ldaps://dc2.internal.domain.tld \
    -H ldaps://dc1.internal.domain.tld

^^ protect the /etc/squid/private/ldap-passwordfile file
Watch the -H and not -h:
-H => URI
-h => hostname


A Postfix sample (/etc/postfix/ads-aliases.cf):

server_host = ldaps://dc1.internal.domain.tld ldaps://dc2.internal.domain.tld
search_base = OU=Aliases,dc=internal,dc=domain,dc=tld
version = 3

bind_dn = CN=some-user-to-bind2ldap,OU=srv-accounts,dc=internal,dc=domain,dc=tld
bind_pw = somepassword

scope = sub
query_filter = (&(objectClass=contact)(displayName=%s))
result_attribute = displayName


Greetz, 

 

Louis
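The CA-and-install flow from the mail, as an added example that is not part of Louis's post and not code from the Windows tool he links: a POSIX shell script that uses only the openssl CLI (assumed to be installed). It builds a private root CA inside a throwaway $WORK tree that mirrors /usr/local/share/ca-certificates/yourCArootFolder, so it runs without root and without calling update-ca-certificates itself; issues a server cert whose subjectAltName carries both the host name and the *.domain wildcard (the naming point the mail makes about wildcard certs); and then verifies chain and host name the way a client configured with TLS_REQCERT demand would. The host and domain names are the ones from the mail's samples; the CA name, file names and key sizes are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of Louis's mail: build a small private root CA with
# the openssl CLI, issue a server cert whose SAN covers the host name and the
# *.domain wildcard, place the root in a ca-certificates-style directory
# (rooted in $WORK instead of /, so it runs unprivileged) and verify the chain.
set -eu

WORK="${WORK:-$(mktemp -d)}"
# Mirrors /usr/local/share/ca-certificates/yourCArootFolder from the mail.
# update-ca-certificates only picks up files in there that end in .crt.
CA_DIR="$WORK/usr/local/share/ca-certificates/yourCArootFolder"
ROOT_CRT="$CA_DIR/company-root-ca.crt"
ROOT_KEY="$WORK/private/root-ca.key"

# A dedicated config keeps the CA extensions explicit instead of depending on
# whatever the distro's default openssl.cnf does for "req -x509".
write_openssl_cnf() {
  cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Company Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  OPENSSL_CONF="$WORK/openssl.cnf"; export OPENSSL_CONF
}

make_root_ca() {
  mkdir -p "$CA_DIR" "$WORK/private"
  chmod 700 "$WORK/private"          # same idea as /etc/ssl/local/private
  write_openssl_cnf
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/openssl.cnf" -keyout "$ROOT_KEY" -out "$ROOT_CRT" 2>/dev/null
}

# issue_server_cert HOST DOMAIN: key + cert for HOST, SAN = HOST and *.DOMAIN.
issue_server_cert() {
  host="$1"; domain="$2"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -config "$WORK/openssl.cnf" \
    -keyout "$WORK/private/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  # Clients match names against subjectAltName, not CN, so the wildcard
  # belongs in the SAN list next to the plain host name.
  printf 'subjectAltName=DNS:%s,DNS:*.%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" "$domain" > "$WORK/$host.ext"
  openssl x509 -req -in "$WORK/$host.csr" -sha256 -days 825 \
    -CA "$ROOT_CRT" -CAkey "$ROOT_KEY" \
    -CAserial "$WORK/private/root-ca.srl" -CAcreateserial \
    -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# verify_chain HOST: the check an LDAP client performs with TLS_REQCERT demand;
# with TLS_REQCERT allow a failure here is ignored and the session continues.
verify_chain() {
  openssl verify -CAfile "$ROOT_CRT" "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_hostname HOST NAME: chain check plus a SAN match for NAME.
verify_hostname() {
  openssl verify -CAfile "$ROOT_CRT" -verify_hostname "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

# hash_name: the <subject_hash>.0 link name that update-ca-certificates
# (via c_rehash) creates for this root in /etc/ssl/certs.
hash_name() {
  echo "$(openssl x509 -noout -subject_hash -in "$ROOT_CRT").0"
}

make_root_ca
issue_server_cert dc1.internal.domain.tld internal.domain.tld
verify_chain dc1.internal.domain.tld && echo "chain: OK"
verify_hostname dc1.internal.domain.tld proxy.internal.domain.tld && echo "wildcard match: OK"
if verify_hostname dc1.internal.domain.tld dc1.other.tld; then
  echo "unexpected: foreign name accepted"; exit 1
fi
echo "root would be linked as /etc/ssl/certs/$(hash_name)"
```

Two things the script makes visible that the mail's minimal ldap.conf does not: a root dropped into the ca-certificates folder is only imported when its file name ends in .crt, and TLS_REQCERT allow means a chain failure like the one verify_chain reports is tolerated rather than fatal, so after the root is installed and verified this way, TLS_REQCERT demand is the setting that actually enforces it for the Squid and Postfix ldaps:// clients in the samples.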
