[Samba] DCs: TLS question

Stefan G. Weichinger lists at xunil.at
Tue Jan 7 13:29:04 UTC 2025


Am 07.01.25 um 13:19 schrieb miguel medalha:
>> In a samba-domain at a customer we use the AD-DCs for authenticating
>> VPN-users.
> 
>> I export the ca.pem and cert.pem from /var/lib/samba/private/tls and
>> import them in the pfSense we use as VPN gateway.
> 
>> When the certs are close to expiry I rm the files from that directory
>> and let samba recreate all 3 files (CA, key, cert)
> 
> I also use OpenVPN with pfSense but I use the opposite method: create the
> CA, key, and certificate in pfSense, export them and use them in Samba, with
> the corresponding lines in the DC's smb.conf. For example:
> 
> tls cafile = tls/myca.crt
> tls certfile = tls/mycertificate.crt
> tls keyfile = tls/mykey.key
> 
> This way it is possible to have more control over the expiry dates of
> certificates.

Oh, that sounds good to me.

What does the used CA have to look like? Is one CA enough for all DCs in
the domain?

I assume the cert would simply have to have the correct CN of the DC.

thanks for that suggestion!
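Added example (not code from either poster, nor from the Samba or pfSense projects): the workflow miguel describes, built with openssl in a throwaway lab, followed by the pre-flight checks worth running before pointing the three smb.conf lines at the files. It assumes a constructed DC name dc1.example.lan, the file names from the quoted smb.conf, and OpenSSL 1.1.1 or newer (for the `-ext` option); all paths are under a temporary directory rather than /var/lib/samba/private. The check answers the question asked above about the CN: the DC FQDN must appear in the SAN (or at least the CN), the certfile must chain to the cafile you hand to clients, and the keyfile must match the certfile.

```shell
#!/bin/sh
# Lab demo: one external CA for the domain, one per-DC certificate,
# then the checks a practitioner runs before changing smb.conf.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DC_FQDN="dc1.example.lan"   # constructed lab hostname, not from the thread

make_lab_pki() {
  # Domain CA (in the thread this lives in pfSense; here openssl stands in for it)
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Lab CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1825 -config "$WORK/ca.cnf" \
    -keyout "$WORK/myca.key" -out "$WORK/myca.crt" 2>/dev/null

  # Per-DC certificate: CN and SAN carry the FQDN LDAP/Kerberos clients connect to
  cat > "$WORK/dc.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $DC_FQDN
[dc_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$DC_FQDN
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/dc.cnf" \
    -keyout "$WORK/mykey.key" -out "$WORK/dc.csr" 2>/dev/null
  openssl x509 -req -days 397 -in "$WORK/dc.csr" \
    -CA "$WORK/myca.crt" -CAkey "$WORK/myca.key" -CAcreateserial \
    -extfile "$WORK/dc.cnf" -extensions dc_ext \
    -out "$WORK/mycertificate.crt" 2>/dev/null
}

# check_dc_tls CAFILE CERTFILE KEYFILE FQDN [MIN_DAYS]
# Returns 0 only if all four conditions hold; prints the first failure otherwise.
check_dc_tls() {
  ca="$1"; cert="$2"; key="$3"; fqdn="$4"; min_days="${5:-30}"
  # 1. certfile must chain to the cafile that VPN gateways/clients will trust
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert is not signed by $ca"; return 1; }
  # 2. keyfile must belong to certfile (compare public-key digests)
  k1=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  k2=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$k1" = "$k2" ] || { echo "FAIL: keyfile does not match certfile"; return 1; }
  # 3. the DC's FQDN must be in the SAN (modern clients ignore CN alone)
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$fqdn" \
    || openssl x509 -in "$cert" -noout -subject | grep -q "CN *= *$fqdn" \
    || { echo "FAIL: $fqdn not present in SAN/CN"; return 1; }
  # 4. enough lifetime left to schedule the next rotation calmly
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "FAIL: $cert expires within $min_days days"; return 1; }
  echo "OK: $cert is usable for $fqdn"
}

# smb.conf lines as in the thread; relative paths resolve under the DC's private dir
smb_conf_fragment() {
  printf '%s\n' "tls cafile = tls/myca.crt" \
                "tls certfile = tls/mycertificate.crt" \
                "tls keyfile = tls/mykey.key"
}

make_lab_pki
check_dc_tls "$WORK/myca.crt" "$WORK/mycertificate.crt" "$WORK/mykey.key" "$DC_FQDN"
smb_conf_fragment
```

Because the one CA signs every DC's certificate, a single cafile serves the whole domain; each DC still needs its own certfile/keyfile pair with its own FQDN in the SAN, and the check above is what to repeat per DC after every rotation.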