[Samba] DCs: TLS question
Stefan G. Weichinger
lists at xunil.at
Tue Jan 7 13:29:04 UTC 2025
On 07.01.25 at 13:19, miguel medalha wrote:
>> In a samba-domain at a customer we use the AD-DCs for authenticating
>> VPN-users.
>
>> I export the ca.pem and cert.pem from /var/lib/samba/private/tls and
>> import them in the pfSense we use as VPN gateway.
>
>> When the certs are close to expiry I rm the files from that directory
>> and let samba recreate all 3 files (CA, key, cert)
>
> I also use OpenVPN with pfSense but I use the opposite method: create the
> CA, key, and certificate in pfSense, export them and use them in Samba, with
> the corresponding lines in the DC's smb.conf. For example:
>
> tls cafile = tls/myca.crt
> tls certfile = tls/mycertificate.crt
> tls keyfile = tls/mykey.key
>
> This way it is possible to have more control over the expiry dates of
> certificates.
Oh, that sounds good to me.
What does the used CA have to look like? One CA enough for all DCs in
the domain?
I assume the cert would simply have to have the correct CN of the DC.
Thanks for that suggestion!
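
A check for the files named in this thread, as an added example that is not part of the original messages: it confirms that cert.pem still chains to ca.pem (the CA imported into the VPN gateway) and flags either file when it expires within a given number of days. The function name, the 30-day default and the exit codes are assumptions of this example; it requires the `openssl` command.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the Samba DC TLS files that
# the thread exports to the VPN gateway. Exit codes are this example's own:
#   0 ok, 1 expiring soon, 2 cert does not chain to CA, 3 file missing.

check_dc_tls() {
    dir=$1
    days=${2:-30}                 # warning window in days (assumed default)
    ca="$dir/ca.pem"
    cert="$dir/cert.pem"
    status=0

    for f in "$ca" "$cert"; do
        [ -r "$f" ] || { echo "MISSING  $f"; return 3; }
    done

    # The gateway trusts ca.pem, so cert.pem must verify against it.
    # -no_check_time keeps this a pure signature/issuer check; expiry is
    # reported separately below.
    if ! openssl verify -no_check_time -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "CHAIN    $cert is not signed by $ca"
        return 2
    fi

    # -checkend N exits non-zero when the certificate expires within N seconds.
    for f in "$ca" "$cert"; do
        if ! openssl x509 -in "$f" -noout -checkend "$((days * 86400))" >/dev/null; then
            echo "EXPIRING $f ($(openssl x509 -in "$f" -noout -enddate))"
            status=1
        fi
    done
    return "$status"
}

# Run only when a directory is given, e.g.:
#   sh check_dc_tls.sh /var/lib/samba/private/tls 30
if [ "$#" -ge 1 ]; then
    check_dc_tls "$1" "${2:-30}"
fi
```

With custom file names such as those in the quoted smb.conf lines, adjust the `ca` and `cert` variables accordingly.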