[Samba] Revisiting with IDM/FreeIPA the CA certificates used for samba.
vincent at cojot.name
Fri Jan 22 23:24:53 UTC 2021
Hi everyone,
I've been happily running our SOHO/Family on Samba AD/DC with RHEL for
over 2.5 years. As you can gather from that, you can imagine I've been
bitten by the default certs expiring. :)
I switched to easy-rsa urgently when the certs expired but I have many
questions related to the proper implementation of the lifecycle of those
certs in a Samba context:
- with two DCs (dc00 and dc01), the CN of each cert carries the CN of the
DC (dc00.ad.lasthome.solace.krynn) but should I -also- add a SAN to each
cert so that they report properly to the AD domain name
("ad.lasthome.solace.krynn")?
In short, this would make certs carry information like this:
CN : dc00.... (or dc01)
SAN: ad.lasthome.solace.krynn
Would this also help when 'dc00' is down or unavailable?
- Is there anything special about the certs of the Samba servers if I'm
using Win10 endpoints (mostly 20H2 at the moment) or do Win10 endpoints
accept self-signed certs as long as they are joined into that domain? It
seems like it because I've not deployed my custom easy-rsa CA to the
Windows machines.
So far, Windows 10 seems pretty lenient about this and it was only through
the use of OpenShift that I realized 1) my AD certs had expired and 2)
they didn't carry a SAN of the AD domain itself, only the CN of the DC
machine.
I'm going to try to use RedHat IDM (FreeIPA based) to lifecycle the certs
of my RHEL & Linux systems and see where this takes me.
Any comments? What are others doing?
Vincent S. Cojot
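Added example (not part of Vincent's post or of Samba itself): mint a per-DC certificate whose CN is the DC's own FQDN and whose SAN lists both that FQDN and the AD domain name, then audit it for the two things the post found missing (the domain SAN and an unexpired validity). It assumes openssl 1.1.1 or newer (for -addext and -ext) and uses the host and domain names quoted above; the self-signed CA is a throwaway stand-in for easy-rsa or IDM.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl >= 1.1.1.
set -e

AD_DOMAIN="ad.lasthome.solace.krynn"

# make_dc_cert <dc short name> <out dir>
# CN = <dc>.<domain>; SAN = DNS:<dc>.<domain>, DNS:<domain>; prints the PEM path
make_dc_cert() {
    host="$1.$AD_DOMAIN"
    mkdir -p "$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,DNS:$AD_DOMAIN" \
        -addext "extendedKeyUsage=serverAuth" \
        -keyout "$2/$1.key" -out "$2/$1.pem" 2>/dev/null
    echo "$2/$1.pem"
}

# cert_has_san <pem> <dns name>: succeeds if the SAN lists exactly that DNS name
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# cert_expires_within <pem> <days>: succeeds if the cert expires within N days
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# audit_dc_cert <pem>: one status line per check; returns 1 if any check fails
audit_dc_cert() {
    rc=0
    cn=$(openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//')
    for name in "$cn" "$AD_DOMAIN"; do
        if cert_has_san "$1" "$name"; then
            echo "ok   SAN lists $name"
        else
            echo "FAIL SAN lacks $name"; rc=1
        fi
    done
    if cert_expires_within "$1" 30; then
        echo "FAIL expires within 30 days"; rc=1
    else
        echo "ok   valid for more than 30 days"
    fi
    return $rc
}
```

Running audit_dc_cert against the certs currently deployed on dc00 and dc01 reports, per DC, whether the domain SAN is present and whether renewal is due.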