[Samba] TLS ca/cert/key creation

Gregory Sloop gregs at sloop.net
Tue Jan 1 18:35:17 UTC 2019

I'm working to put up a production FreeNAS box tied to Samba/AD for authentication for users connecting to the FreeNAS share(s).
In joining FreeNAS to the AD domain, one immediately runs into "problems" with TLS/encryption.

Samba, in the defaults, requires TLS. I could disable TLS security in Samba, but that's probably not a great idea.
So, I'll need a key/cert for the FreeNAS box to do TLS with the Samba AD... And so I'm getting ready to create the CA/certs/keys I need.

Let's not get lost in examining FreeNAS. I'm configuring FreeNAS using the regular control panel, and setting it up just as it would work against a "regular" Windows AD. And I know it works from a test-bed Samba setup - but not using TLS.

As an aside - I assume that needing to use TLS means that FreeNAS is talking to Samba via LDAP, and not Kerberos? Because my limited understanding was that Kerberos is secure without wrapping in TLS, but LDAP isn't. So, if we were using Kerberos, there'd be no need of TLS. But since we're using TLS, we must be using LDAP, and thus the need to secure the LDAP channel with CA/Cert/Key.

But perhaps I don't grok that properly...

Someone is welcome to put me straight, if I've misunderstood something - but let's, also, not get too caught up in that side discussion. The real crux of my question follows. [A pointer to a wiki article or something might help me educate myself, if I'm confused.] :)

** These questions and the answers are what I need most. **

So, I understand that Samba creates its own CA/Cert/Key on first start up.

The Wiki appears to show how to generate your own self-signed cert. Several questions in relation to generating my own, outside the Samba server.

- I assume I can self-sign certs, using my own CA. Correct? i.e. Not using the Samba generated CA/Cert(s)/Key(s).
[But I'll have to copy/provide the CA.cert to the Samba server (and any TLS clients, for client/server certificate validation purposes).]

- The Wiki shows 2048 bit keys, and 1 year expiry. I assume this is simply the example, and 4096 bit keys and, say, 10y expiry are accepted. Correct?

Are there any other limits I should be aware of? (Probably limited by the version of OpenSSL the version of Samba was compiled with on the target system? If that's the case, there's probably no hard-and-fast rule about what's acceptable... since it's version/distro/compilation dependent.)

I generally hate using the OpenSSL tools to generate CA/certs/keys and use GnuTLS's tools to do it. Has anyone done this for Samba, and if so, are there any gotchas I should watch out for?

Any other general tips I should watch out for?


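As an added example (not part of the post above, and not Samba's own tooling), the following shell script does what the post is asking about: it creates a private CA and a server cert/key for a Samba AD DC with 4096-bit RSA keys and a 10-year validity, then verifies the chain and the hostname the way a TLS client such as an LDAPS consumer would. It uses OpenSSL rather than GnuTLS's certtool only because OpenSSL is what most systems have installed; the certificate contents (CA basicConstraints, serverAuth EKU, a SAN carrying the DC's FQDN) are the same whichever tool writes them. The DC name `dc1.ad.example.com`, the CA name, the output directory and the function names are all assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post or from Samba. Assumptions:
# OpenSSL 1.1.0+ is on PATH, $outdir is writable, and the DC's FQDN is
# the name LDAPS/TLS clients will connect to.
set -eu

# Create ca.pem/ca.key (private CA) and cert.pem/key.pem (DC server cert)
# in $outdir, 4096-bit RSA, valid 3650 days (about 10 years).
make_samba_tls() {
    outdir="$1"     # assumed output directory
    dc_fqdn="$2"    # assumed DC hostname, e.g. dc1.ad.example.com
    mkdir -p "$outdir"

    # Minimal req config so openssl does not depend on a system openssl.cnf.
    # The [dn] entry is a placeholder; -subj overrides it below.
    cat > "$outdir/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # 1. Private CA: self-signed, CA:TRUE, keyCertSign only.
    openssl req -x509 -config "$outdir/req.cnf" -extensions v3_ca \
        -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Private CA" \
        -keyout "$outdir/ca.key" -out "$outdir/ca.pem" >/dev/null 2>&1

    # 2. Server key and CSR for the DC.
    openssl req -new -config "$outdir/req.cnf" \
        -newkey rsa:4096 -nodes -sha256 -subj "/CN=$dc_fqdn" \
        -keyout "$outdir/key.pem" -out "$outdir/dc.csr" >/dev/null 2>&1

    # 3. End-entity extensions: not a CA, serverAuth, SAN = DC FQDN.
    #    Clients match the SAN, not just the CN, so the SAN is the part
    #    that must agree with the name FreeNAS is told to connect to.
    cat > "$outdir/dc.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$dc_fqdn
EOF
    openssl x509 -req -in "$outdir/dc.csr" \
        -CA "$outdir/ca.pem" -CAkey "$outdir/ca.key" -CAcreateserial \
        -days 3650 -sha256 -extfile "$outdir/dc.ext" \
        -out "$outdir/cert.pem" >/dev/null 2>&1

    # Private keys are secrets; keep them unreadable to other users.
    chmod 600 "$outdir/ca.key" "$outdir/key.pem"
}

# Verify cert.pem chains to ca.pem AND is valid for the given hostname.
# Returns non-zero on a broken chain or a name mismatch, which is exactly
# what a client would reject.
verify_samba_tls() {
    outdir="$1"
    dc_fqdn="$2"
    openssl verify -CAfile "$outdir/ca.pem" -verify_hostname "$dc_fqdn" \
        "$outdir/cert.pem" >/dev/null 2>&1
}

# Print the RSA modulus size of a private key, to confirm 4096 was honoured.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Usage (assumed names): build into ./samba-tls, then check it.
# make_samba_tls ./samba-tls dc1.ad.example.com
# verify_samba_tls ./samba-tls dc1.ad.example.com && echo "chain and hostname OK"
```

To use the result with Samba, point the DC at the files with `tls enabled = yes`, `tls keyfile`, `tls certfile` and `tls cafile` in smb.conf (by default Samba looks for `tls/key.pem`, `tls/cert.pem` and `tls/ca.pem` under its private directory), and install only `ca.pem` on FreeNAS and any other client that must validate the DC. The second verification run with a different hostname is the check worth keeping: a cert whose SAN does not match the name the client dials fails validation even though the CA is trusted.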