[Samba] Enabling LDAPS in Samba in a dual-DC setup
L.P.H. van Belle
belle at bazuin.nl
Fri Apr 5 11:56:16 UTC 2019
And I just noticed that dehydrated is available in stretch.
apt-cache policy dehydrated
500 http://ftp.nl.debian.org/debian stretch/main amd64 Packages
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> L.P.H. van Belle via samba
> Sent: Friday 5 April 2019 13:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] Enabling LDAPS in Samba in a dual-DC setup
> If you don't want to use the self-signed certs,
> I can recommend:
> Set up your own CA root.
> Set up the certificates for the servers and deploy the root cert.
> Now it's in your hands when things expire.
> I've not tested that yet but it's high on my list to test.
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Stephen via samba
> > Sent: Friday 5 April 2019 13:14
> > To: samba at lists.samba.org
> > Subject: [Samba] Enabling LDAPS in Samba in a dual-DC setup
> > Hi everyone, I have a basic SAMBA setup with a main AD DC ad1 and a
> > backup AD DC ad2, running on Samba 4.5.16-Debian on Raspbian.
> > I would now like to enable LDAPS so my users can authenticate in other
> > non-Samba services using Active Directory. From reading the
> > documentation here:
> > https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
> > I understand that for the most basic LDAPS setup using the pre-existing
> > self-signed certificate I need only add the following lines to my
> > smb.conf to enable this:
> > tls enabled = yes
> > tls keyfile = tls/key.pem
> > tls certfile = tls/cert.pem
> > tls cafile = tls/ca.pem
> > My questions related to this are:
> > 1) Since I have a dual DC setup, do I need to manually enable TLS for
> > LDAPS separately on the secondary DC, or will this be automatically
> > detected from the primary and the settings copied over?
> > 2) How do I go about creating a dedicated user account that can be used
> > with third-party services (in this case Redmine) to access AD via LDAPS
> > to retrieve user login credentials securely? For the avoidance of
> > confusion here, I understand the processes used to create a basic AD
> > account. What I am specifically interested in is the particular
> > combination of privileges or permissions I would need to set on a basic
> > account to allow LDAPS access using this account. I believe I will need
> > to create such an account to use with Redmine since I have read that
> > anonymous LDAPS access is not possible with AD.
> > 3) What will happen in 700 days' time when the self-certified certificate
> > initially created by Samba on its first execution expires? Will
> > everything just suddenly stop working and authentication in Redmine
> > come grinding to a halt? How should I remedy this?
> > Thanks
> > Stephen Ellwood
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
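Worked example for the three questions in the quoted post, added here as editor's material and not taken from the thread or from Samba's own tooling: a private root CA of the kind van Belle recommends, a key and certificate for each DC issued from it, the expiry check that turns question 3 from an outage into a planned renewal, and the smb.conf lines each DC needs (smb.conf is a local file on every DC and is not replicated, so the answer to question 1 is that TLS is enabled on each DC separately). The host names ad1 and ad2, the domain samdom.example.com with its base DN, the redmine bind account and the scratch directory are assumptions. It needs only openssl (1.1.0 or newer, with no dependence on the system openssl.cnf) and, for the optional bind check, ldapsearch from ldap-utils.

```shell
#!/bin/sh
# Added example (not from this thread or from Samba): private CA for the
# LDAPS certificates of two Samba AD DCs, plus the expiry check to run
# before the certificate lifetime runs out.  Assumed names: hosts ad1 and
# ad2 in the AD domain samdom.example.com; scratch directory in $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="samdom.example.com"            # assumed AD DNS domain
BASE_DN="DC=samdom,DC=example,DC=com"  # assumed base DN of that domain
DAYS_CA=3650
DAYS_SERVER=730                        # about what Samba gives its self-signed cert

# Self-contained openssl config so nothing depends on the system openssl.cnf.
# [ca_ext] marks the root as a CA; [dn] is a placeholder that -subj overrides.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Root CA.  ca.pem is what goes into "tls cafile" on every DC and into the
# trust store of every LDAPS client (Redmine included); ca.key stays offline.
make_ca() {
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -sha256 -days "$DAYS_CA" \
        -subj "/CN=$DOMAIN Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Per-DC key and certificate.  The SAN carries the host name and the bare
# domain name, because clients that use ldaps://samdom.example.com (DNS
# round robin over the DCs) verify the certificate against that name.
issue_dc_cert() {
    dc="$1"
    fqdn="$dc.$DOMAIN"
    openssl req -new -config "$WORK/openssl.cnf" \
        -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
        -keyout "$WORK/$dc.key" -out "$WORK/$dc.csr" 2>/dev/null
    {
        printf 'basicConstraints = CA:FALSE\n'
        printf 'keyUsage = digitalSignature,keyEncipherment\n'
        printf 'extendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = DNS:%s,DNS:%s\n' "$fqdn" "$DOMAIN"
    } > "$WORK/$dc.ext"
    openssl x509 -req -sha256 -days "$DAYS_SERVER" -in "$WORK/$dc.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$dc.ext" -out "$WORK/$dc.pem" 2>/dev/null
}

# Exit 0 when the DC certificate chains to our root and names the DC.
verify_dc_cert() {
    dc="$1"
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$dc.pem" >/dev/null 2>&1 &&
        openssl x509 -in "$WORK/$dc.pem" -noout -text |
        grep -q "DNS:$dc.$DOMAIN"
}

# Exit 0 when certificate $1 is still valid $2 days from now, 1 otherwise.
# Run it from cron against each DC's certificate (and against Samba's own
# tls/cert.pem while the self-signed one is still in use) so that expiry
# becomes a planned renewal rather than an outage of every LDAPS client.
still_valid_in_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# smb.conf lines for one DC.  smb.conf is local to each DC and is not
# replicated, so ad1 and ad2 each need their own key/cert entries and the
# same CA file.  Paths are relative to Samba's private directory, as in the
# wiki page quoted in the thread.
smb_conf_fragment() {
    printf 'tls enabled = yes\ntls keyfile = tls/%s.key\n' "$1"
    printf 'tls certfile = tls/%s.pem\ntls cafile = tls/ca.pem\n' "$1"
}

# Bind as the dedicated Redmine account over LDAPS, trusting only our root.
# A plain domain user (member of Domain Users, no extra rights) can bind and
# read user attributes; what AD does not allow is an anonymous bind.  Needs
# a reachable DC, so it is defined here but not called.
ldaps_bind_check() {
    LDAPTLS_CACERT="$WORK/ca.pem" ldapsearch -H "ldaps://ad1.$DOMAIN" \
        -D "redmine@$DOMAIN" -W -b "$BASE_DN" -s base '(objectClass=*)' dn
}

make_ca
for dc in ad1 ad2; do
    issue_dc_cert "$dc"
    verify_dc_cert "$dc" && echo "$dc: certificate chains to our CA"
    still_valid_in_days "$WORK/$dc.pem" 30 || echo "$dc: renew now"
    smb_conf_fragment "$dc"
done
```

Deploy each DC's key and certificate into that DC's private/tls directory, put ca.pem on both DCs and into Redmine's trust store, and restart Samba on each DC so it picks up the new files. Run still_valid_in_days from cron with a margin of a few weeks; when it starts failing, reissue with issue_dc_cert and restart Samba again. Rotating a server certificate does not disturb clients as long as the root stays the same, which is the practical advantage of a private CA over the self-signed certificate Samba creates on first start.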