[Samba] Set same TLS Root CA cert on all Samba DC's?

Kees van Vloten keesvanvloten at gmail.com
Wed Oct 25 15:21:13 UTC 2023

Op 25-10-2023 om 17:13 schreef Alex via samba:
> And will Samba regenerate it's own server certs from that CA, or do I need
> to externally generate & renew them with openssl?
> Does anything else need to be done before or after replacing the certs in
> Samba? This won't break server/domain trust with domain joined workstations?

Anything that server that uses TLS will create some certs, or use the 
distro default snake-oil certs.

However in order to get secure communication, you need to have a common 
ca-cert on all your machines (servers and clients) and generate a cert 
and key pair for each server.

Openssl can do it, but I prefer EasyRSA, which uses openssl under the hood.

- Kees.

> Thanks
> On Wed, Oct 25, 2023 at 8:08 AM Kees van Vloten via samba <
> samba at lists.samba.org> wrote:
>> Op 25-10-2023 om 16:45 schreef Alex via samba:
>>> Hi!
>>> Is there a recommended way to set all the Samba DC's to use the same TLS
>>> Root CA certificate?
>> In smb.conf put a line, like this to let it use a specific ca-cert:
>> tls cafile = /etc/ssl/certs/ca.pem
>> Now it is just a matter of distributing that to all the DCs
>> - Kees.
>>> Thanks,
>>> Peter
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list