[Samba] [Solved] Problem with intermediate certificate (tls cafile)

MAS Jean-Louis jean-louis.mas at imag.fr
Mon Aug 10 07:19:08 UTC 2020


On 06/08/2020 at 17:43, Nick Howitt via samba wrote:

> If I were guessing, based on some experience with certificate usage in
> other apps, concatenate your certificate and intermediate certificates
> into a single file which is then your "tls certfile" then point "tls
> cafile" to your issuers proper CA or just to your distro's CA bundle,
> e.g /etc/pki/tls/certs/ca-bundle.crt.

You're right; on Samba it works that way:

# smb.conf extract
tls cafile = /etc/ssl/certs/Comodo_AAA_Services_root.pem
tls certfile = /etc/ssl/certs/ad-rep2.example.com-certonly+intermediate.pem
tls keyfile = /etc/ssl/private/ad-rep2.example.com.key


openssl s_client -showcerts -connect ad-rep2.example.com:636

....
SSL handshake has read 6020 bytes and written 428 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Note: You're quite right, Christopher, about not using localhost. I
retested with the FQDN but without the modifications Nick suggested
above; it doesn't work either.

By the way, should Samba's documentation
(https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC#Using_a_trusted_certificate)
be modified to explain that particular point?

Thanks

-- 
Jean Louis Mas


