[Samba] DCs: TLS question
miguel medalha
medalist at sapo.pt
Tue Jan 7 14:29:28 UTC 2025
>> I also use OpenVPN with pfSense but I use the opposite method: create the
>> CA, key, and certificate in pfSense, export them and use them in Samba, with
>> the corresponding lines in the DC's smb.conf. For example:
>>
>> tls cafile = tls/myca.crt
>> tls certfile = tls/mycertificate.crt
>> tls keyfile = tls/mykey.key
>>
>> This way it is possible to have more control over the expiry dates of
>> certificates.
> What does the used CA have to look like? One CA enough for all DCs in
> the domain?
Yes, one CA. CA stands for Certificate Authority. You generate this one
first and then you generate the server certificates against this one.
> I assume the cert would simply have to have the correct CN of the DC.
Yes, each server certificate contains the fully qualified domain name of the
Samba DC:
server.example.com
In pfSense:
--------------
System / Certificate Manager / CAs:
Add: Create a CA certificate with Key Type RSA and at least 2048 bits
length, digest algorithm at least sha256. Fill in the data of your
organization. Save.
Export your CA Certificate.
System / Certificate Manager / Certificates:
Add/Sign a New Certificate having your newly created CA as Certificate
Authority. Under "Certificate Type" choose "Server Certificate". Fill in the
other details. Save.
Export your Server Certificate and Key.
Copy both certificates and key to the private/tls directory under your Samba
installation. Give the server private key the permission 600 to protect it.
Write the following lines in smb.conf (adapting the names to your case, of
course). For example:
tls cafile = tls/CAcertificate.crt
tls certfile = tls/server.domain.com.crt
tls keyfile = tls/server.domain.com.key
System / User Manager / Authentication Servers / Edit:
Point your "Peer Certificate Authority" to the newly created CA.
Do the same for the other DCs you authenticate against.
You also use this CA to create user certificates for OpenVPN authentication.
Beware that in some versions of pfSense there's a bug that prevents the
configuration of the AD Authentication servers from becoming effective until
you go to the pfSense main text interface and restart both the Web
Configurator and PHP. Some years ago, trying to solve this mystery caused me
a lot of headaches until I discovered the cause.
After that, you can go to Diagnostics / Authentication and test if
authentication is working against the intended DCs.
I hope this helps somewhat.
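Added example, not code from the post above and not from pfSense or Samba: the same layout the pfSense steps produce (one CA, one server certificate per DC carrying the DC's FQDN, key at mode 600, the three tls lines for smb.conf) built with plain openssl so it can be reproduced and checked offline, plus the checks worth running before restarting samba. The DC name dc1.example.com, the organization "Example Org", the validity periods and the scratch directory standing in for the Samba private directory are assumptions; the certificate also carries the FQDN in a subjectAltName because current TLS clients match the hostname there rather than in the CN.

```shell
#!/bin/sh
# Added example, not code from the original post or from pfSense/Samba.
# It builds the artefacts the pfSense steps export (one CA, one server
# certificate per DC carrying the DC's FQDN) with plain openssl, installs
# them under Samba's private/tls with a 0600 key, prints the smb.conf lines,
# and checks the result. Assumed (hypothetical) names: dc1.example.com,
# "Example Org", and a scratch directory standing in for the Samba private dir.
set -eu

# make_dc_tls FQDN OUTDIR
# Creates OUTDIR/ca.crt, OUTDIR/ca.key, OUTDIR/FQDN.crt, OUTDIR/FQDN.key.
make_dc_tls() {
    fqdn=$1; out=$2
    mkdir -p "$out"
    # CA: RSA 4096, SHA-256. Its private key never goes onto a DC.
    openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 3650 \
        -subj "/O=Example Org/CN=Example Org Internal CA" \
        -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null
    # Server CSR with the DC's FQDN as CN, as the post describes.
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -subj "/O=Example Org/CN=$fqdn" \
        -keyout "$out/$fqdn.key" -out "$out/$fqdn.csr" 2>/dev/null
    # Extensions for the signed cert: current TLS clients match the hostname
    # against subjectAltName, not CN, so put the FQDN there as well.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$fqdn" > "$out/$fqdn.ext"
    openssl x509 -req -sha256 -days 825 -in "$out/$fqdn.csr" \
        -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
        -extfile "$out/$fqdn.ext" -out "$out/$fqdn.crt" 2>/dev/null
    chmod 600 "$out/ca.key" "$out/$fqdn.key"
    rm -f "$out/$fqdn.csr" "$out/$fqdn.ext"
}

# install_dc_tls FQDN SRCDIR PRIVATEDIR
# Copies CA cert, server cert and key into PRIVATEDIR/tls (the Samba
# private directory, e.g. /var/lib/samba/private) and prints the smb.conf
# lines; paths in smb.conf are relative to the private directory.
install_dc_tls() {
    fqdn=$1; src=$2; private=$3
    install -d -m 700 "$private/tls"
    install -m 644 "$src/ca.crt"    "$private/tls/ca.crt"
    install -m 644 "$src/$fqdn.crt" "$private/tls/$fqdn.crt"
    install -m 600 "$src/$fqdn.key" "$private/tls/$fqdn.key"
    printf 'tls cafile = tls/ca.crt\ntls certfile = tls/%s.crt\ntls keyfile = tls/%s.key\n' \
        "$fqdn" "$fqdn"
}

# check_dc_tls FQDN PRIVATEDIR
# Returns 0 only if the cert chains to the CA, names the DC in its SAN,
# matches the private key, and the key is mode 0600.
check_dc_tls() {
    fqdn=$1; private=$2
    crt="$private/tls/$fqdn.crt"; key="$private/tls/$fqdn.key"
    [ -f "$crt" ] && [ -f "$key" ] || return 1
    openssl verify -CAfile "$private/tls/ca.crt" "$crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$fqdn" || return 1
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$crt_pub" = "$key_pub" ] || return 1
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = "600" ] || return 1
}

# Stand-alone run: everything lands in a scratch directory, nothing is
# written to a real Samba installation. After copying into the real private
# dir and restarting samba, the live check from the pfSense box is:
#   openssl s_client -connect dc1.example.com:636 -CAfile ca.crt < /dev/null
DC_FQDN=${DC_FQDN:-dc1.example.com}
WORK=$(mktemp -d)
make_dc_tls "$DC_FQDN" "$WORK/pki"
install_dc_tls "$DC_FQDN" "$WORK/pki" "$WORK/private"
check_dc_tls "$DC_FQDN" "$WORK/private" && echo "TLS material for $DC_FQDN checks out in $WORK/private/tls"
```

Run it once per DC with DC_FQDN set to that DC's name, reusing the same ca.crt/ca.key for every DC so pfSense only needs the one Peer Certificate Authority. The check function is the useful part when something does not authenticate: a cert that does not chain to the CA, a SAN that does not match the name pfSense connects to, or a key file readable by other users are the three things it refuses.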