[Samba] Enabling LDAPS in Samba in a dual-DC setup

L.P.H. van Belle belle at bazuin.nl
Fri Apr 5 11:53:19 UTC 2019

If you don't want to use the self-signed certs.

I can recommend:

Set up your own CA root.
Set up the certificates for the servers and deploy the Root Cert.

Now it's in your hands when things expire.

I've not tested that yet but it's high on my list to test.



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Stephen via samba
> Sent: Friday 5 April 2019 13:14
> To: samba at lists.samba.org
> Subject: [Samba] Enabling LDAPS in Samba in a dual-DC setup
> Hi everyone, I have a basic SAMBA setup with a main AD DC ad1 and a
> backup AD DC ad2, running on Samba 4.5.16-Debian on Raspbian.
> I would now like to enable LDAPS so my users can authenticate in other
> non-Samba services using Active Directory. From reading the
> documentation here:
> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
> I understand that for the most basic LDAPS setup using the pre-existing
> self-signed certificate I need only add the following lines to my
> smb.conf to enable this:
> tls enabled  = yes
> tls keyfile  = tls/key.pem
> tls certfile = tls/cert.pem
> tls cafile   = tls/ca.pem
> My questions related to this are:
> 1) Since I have a dual DC setup do I need to manually enable tls for
> LDAPS separately on the secondary DC, or will this be automatically
> detected from the primary and the settings copied over automatically?
> 2) How do I go about creating a dedicated user account that can be used
> with third-party services (in this case redmine) to access AD via LDAPS
> to retrieve user login credentials securely? For the avoidance of
> confusion here I understand the processes used to create a basic AD
> account. What I am specifically interested in is the particular
> combination of privileges or permissions I would need to set on a basic
> account to allow LDAPS access using this account. I believe I will need
> to create such an account to use with redmine since I have read that
> anonymous LDAPS access is not possible with AD.
> 3) What will happen in 700 days time when the self-certified certificate
> initially created by Samba on its first execution expires? Will
> everything just suddenly stop working and authentication in
> Redmine come grinding to a halt? How should I remedy this?
> Thanks
> Stephen Ellwood
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
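The private-CA route recommended in the reply above, carried through as a worked example. This is an editor's illustration, not code from either message or from the Samba project. It assumes two DCs named ad1.ad.example.com and ad2.ad.example.com, a CA called "Example AD Root CA", and the default Samba layout in which the tls keyfile/certfile/cafile paths in smb.conf are relative to the private directory (/var/lib/samba/private on Debian); it issues one certificate per DC, because the smb.conf tls settings are per server and each certificate must carry that server's own name, and it ends with the expiry check that answers question 3.

```shell
#!/bin/sh
# Editor's example: a minimal private CA for Samba AD DC LDAPS.
# Host names, CA name and paths are assumptions for illustration only.
set -eu

CA_CN="Example AD Root CA"                      # assumed CA name
DCS="ad1.ad.example.com ad2.ad.example.com"     # assumed DC FQDNs

# make_ca DIR: create a self-signed root CA. ca.key stays offline;
# only ca.pem is deployed (to the DCs as tls cafile and to LDAPS clients).
make_ca() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = $CA_CN
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -config "$dir/ca.cnf" 2>/dev/null
}

# issue_dc_cert DIR FQDN: key + CSR + CA-signed server cert whose SAN
# names the DC by FQDN and short name, which is what LDAPS clients verify.
issue_dc_cert() {
    dir=$1; fqdn=$2
    short=${fqdn%%.*}
    cat > "$dir/$fqdn.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_dc
prompt             = no
[dn]
CN = $fqdn
[v3_dc]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$fqdn, DNS:$short
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$dir/$fqdn.key.pem" \
        -out "$dir/$fqdn.csr" -config "$dir/$fqdn.cnf" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$dir/$fqdn.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$fqdn.cnf" -extensions v3_dc -out "$dir/$fqdn.cert.pem" 2>/dev/null
}

# chain_ok DIR CERT: does CERT validate against ca.pem (the check a client performs)?
chain_ok() { openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1; }

# san_contains CERT NAME: is NAME present in the certificate's subjectAltName?
san_contains() { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }

# expires_within CERT DAYS: exit 0 if CERT expires within DAYS, 1 otherwise.
# (openssl -checkend itself exits 0 when the cert will NOT expire in that window.)
expires_within() { ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; }

# Stand-alone run: build the CA, issue one cert per DC, say what goes where.
if [ "${1:-}" = "run" ]; then
    out=$(mktemp -d)
    make_ca "$out"
    for dc in $DCS; do
        issue_dc_cert "$out" "$dc"
        chain_ok "$out" "$out/$dc.cert.pem" && san_contains "$out/$dc.cert.pem" "$dc" &&
            echo "$dc: OK -> private/tls/key.pem=$dc.key.pem cert.pem=$dc.cert.pem ca.pem=ca.pem"
    done
    # Run this from cron on each DC so renewal happens before the cert lapses.
    expires_within "$out/ad1.ad.example.com.cert.pem" 30 && echo "ad1: renew now" ||
        echo "ad1: more than 30 days left"
fi
```

Copy each DC's key and certificate plus ca.pem into that DC's private/tls/ directory under the names used in the smb.conf snippet above and restart Samba; then confirm the chain from a client with `openssl s_client -connect ad1.ad.example.com:636 -CAfile ca.pem`. The Redmine host only ever receives ca.pem, never ca.key. Because the CA and server lifetimes are now chosen by you, the expires_within check scheduled well inside the 825-day window is what prevents the silent outage the original question worries about.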
