[Samba] Auto generated certificates?
Kees van Vloten
keesvanvloten at gmail.com
Wed Nov 9 08:50:15 UTC 2022
On 09-11-2022 at 09:41, Harald Hannelius via samba wrote:
>
> On Tue, 8 Nov 2022, Rowland Penny via samba wrote:
>> On 08/11/2022 08:47, Harald Hannelius via samba wrote:
>>>
>>> I read that Samba creates self-signed certificates for itself when
>>> started the first time. These have a lifetime of 700 days. Does this
>>> mean that Samba will stop working 700 days after installing it
>>> unless I renew these myself manually?
>>>
>>> Are there caveats in using our own self-signed certs with longer
>>> lifetimes or even "real" certificates?
>>>
>>> Also, wouldn't it be good if all Samba certificates had an
>>> Alternate Name of "DOMAIN", so that when e.g. ldap-clients connect to the
>>> domain address the certificate would match?
>>>
>> The real question is: what are you using the certificates for ?
>
> We would like to create, delete and modify accounts. Lock accounts,
> and change passwords via a PHP library.
>
> It would be nice to use the ldaps port, just in case.
>
>> If it is for ldap searches, then can I suggest you use kerberos
>> instead, it is even more secure.
>
> A little concerned about data on the wire.
>
It is not difficult to use your own certificates.
I use easyrsa to create and manage them; that works pretty simply. Add
your own CA cert to the system CA certs on every machine to make your
certs trusted everywhere.
Then modify smb.conf with:
tls enabled = yes
tls keyfile = /var/lib/samba/private/tls/hostname.domain.com.key
tls certfile = /etc/ssl/certs/hostname.domain.com.crt
tls cafile = /etc/ssl/certs/ca.pem
(these are the paths on debian and ubuntu)
- Kees
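The same procedure as an added, runnable example (this is not code from the post above or from the Samba project). It uses plain openssl instead of easyrsa so it needs no extra tooling: it builds a private CA, issues a server certificate whose Subject Alternative Name covers both the DC's FQDN and the bare domain name (so a client that connects to the domain address, as asked earlier in the thread, still gets a matching certificate), checks the chain and the remaining lifetime, and prints the smb.conf lines with the Debian/Ubuntu paths from the post. The host name dc1.example.com, the domain example.com, the CA name and the 825-day certificate lifetime are placeholders chosen for the example; the trust-store and s_client commands at the end are shown as comments because they need root and a running DC.

```shell
#!/bin/sh
# Added example: private CA + Samba DC certificate with SANs, using openssl.
# Placeholders: dc1.example.com, example.com, "Example Samba CA", 825 days.
set -eu

# Minimal openssl config so the commands below do not depend on the
# distribution's openssl.cnf (OpenSSL 1.1.1 needs a [dn] section even with -subj).
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca DIR: self-signed CA (ca.key, ca.pem) valid for 10 years.
make_ca() {
  dir=$1
  mkdir -p "$dir"
  write_openssl_cnf "$dir/openssl.cnf"
  openssl req -x509 -new -newkey rsa:3072 -nodes -days 3650 \
    -config "$dir/openssl.cnf" -extensions v3_ca \
    -subj "/CN=Example Samba CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  chmod 600 "$dir/ca.key"
}

# make_server_cert DIR FQDN DOMAIN: key, CSR and CA-signed leaf certificate
# with SAN = DNS:FQDN, DNS:DOMAIN. Lifetime 825 days (an arbitrary choice for
# a private CA; the point is that you pick it, not the 700-day default).
make_server_cert() {
  dir=$1; fqdn=$2; domain=$3
  openssl req -new -newkey rsa:3072 -nodes \
    -config "$dir/openssl.cnf" -subj "/CN=$fqdn" \
    -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null
  # x509 -req does not copy CSR extensions, so the SAN goes in an extfile.
  printf 'subjectAltName=DNS:%s,DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$fqdn" "$domain" > "$dir/$fqdn.ext"
  openssl x509 -req -in "$dir/$fqdn.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -extfile "$dir/$fqdn.ext" \
    -out "$dir/$fqdn.crt" 2>/dev/null
  chmod 600 "$dir/$fqdn.key"
}

# verify_chain CAFILE CERT: succeeds if CERT chains to CAFILE.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_has_san CERT NAME: succeeds if DNS:NAME is one of CERT's SAN entries.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | grep -qx "DNS:$2"
}

# cert_valid_for_days CERT DAYS: succeeds if CERT does not expire within DAYS.
# Run this from cron to get warned before a certificate lapses.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# smbconf_tls FQDN: the smb.conf lines from the post, with Debian/Ubuntu paths.
smbconf_tls() {
  printf 'tls enabled = yes\n'
  printf 'tls keyfile = /var/lib/samba/private/tls/%s.key\n' "$1"
  printf 'tls certfile = /etc/ssl/certs/%s.crt\n' "$1"
  printf 'tls cafile = /etc/ssl/certs/ca.pem\n'
}

# Usage: sh make-samba-certs.sh dc1.example.com example.com
# Then, as root on the DC and on every client (Debian/Ubuntu):
#   cp ca.pem /usr/local/share/ca-certificates/samba-ca.crt && update-ca-certificates
#   cp dc1.example.com.key /var/lib/samba/private/tls/ ; cp dc1.example.com.crt /etc/ssl/certs/
#   smbcontrol all reload-config
# and check from a client:
#   openssl s_client -connect dc1.example.com:636 -CAfile /etc/ssl/certs/ca.pem </dev/null
if [ $# -eq 2 ]; then
  out=$(mktemp -d)
  make_ca "$out"
  make_server_cert "$out" "$1" "$2"
  verify_chain "$out/ca.pem" "$out/$1.crt"
  cert_has_san "$out/$1.crt" "$2"
  echo "certificates written to $out"
  smbconf_tls "$1"
fi
```

The SAN list is the part that answers the "DOMAIN" question: a client that connects to example.com instead of dc1.example.com only accepts the certificate if example.com appears as a DNS SAN, so issue one certificate per DC with both names in it. Keep the CA key off the domain controllers; only ca.pem needs to be distributed.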