[Samba] Auto generated certificates?

Rowland Penny rpenny at samba.org
Wed Nov 9 10:17:08 UTC 2022

On 09/11/2022 08:41, Harald Hannelius wrote:
> On Tue, 8 Nov 2022, Rowland Penny via samba wrote:
>> On 08/11/2022 08:47, Harald Hannelius via samba wrote:
>>> I read that Samba creates self-signed certificates for itself when 
>>> started the first time. These have a lifetime of 700 days. Does this 
>>> mean that Samba will stop working 700 days after installing it unless 
>>> I renew these myself manually?
>>> Are there caveats in using our own self-signed certs with longer 
>>> lifetimes or even "real" certificates?
>>> Also, wouldn't it be good if all Samba certificates would have an 
>>> Alternate Name of "DOMAIN" so when e.g. ldap-clients connect to the 
>>> domain-address the certificate would match?
>> The real question is: what are you using the certificates for?
> We would like to create, delete and modify accounts. Lock accounts, and 
> change passwords via a PHP library.
> It would be nice to use the ldaps port, just in case.
>> If it is for ldap searches, then can I suggest you use Kerberos 
>> instead, it is even more secure.
> A little concerned about data on the wire.

If you use Kerberos, I am reliably informed that the data is encrypted 
from end to end. As I said, Kerberos is more secure than using ldaps 
with Samba.

