[Samba] DCs: TLS question

Stefan G. Weichinger lists at xunil.at
Tue Jan 7 18:03:37 UTC 2025


On 07.01.25 at 15:29, miguel medalha wrote:

> Yes, one CA. CA stands for Certificate Authority. You generate this one
> first and then you generate the server certificates against this one.

sure

I already have a CA for the OpenVPN-server, so I could use that for 
generating the DC-certs also.

>> I assume the cert would simply have to have the correct CN of the DC.
> 
> Yes, each server certificate contains the fully qualified domain name of the
> Samba DC:
> 
> server.example.com
> 
> In pfSense:
> --------------
> System / Certificate Manager / CAs:
> Add: Create a CA certificate with Key Type RSA and at least 2028 bits
> length, digest algorithm at least sha256. Fill the data of your
> organization. Save.
> Export your CA Certificate.
> 
> System / Certificate Manager / Certificates:
> Add/Sign a New Certificate having your newly created CA as Certificate
> authority. Under "Certificate Type" choose "Server Certificate". Fill the
> other details. Save.
> Export your Server Certificate and Key.
> 
> Copy both certificates and key to the private/tls directory under your Samba
> installation. Give the server private key the permission 600 to protect it.
> Write the following lines in smb.conf (adapting the names to your case, of
> course). For example:
> 
> tls cafile = tls/CAcertificate.crt
> tls certfile = tls/server.domain.com.crt
> tls keyfile = tls/server.domain.com.key
> 
> System / User Manager / Authentication Servers / Edit:
> Point your "Peer Certificate Authority" to the newly created CA.
> Do the same for the other DCs you authenticate against.
> 
> You also use this CA to create user certificates for OpenVPN authentication.
> 
> Beware that in some versions of pfSense there's a bug that prevents the
> configuration of the AD Authentication servers from becoming effective until
> you go to the pfSense main text interface and restart both the Web
> Configurator and PHP. Some years ago, trying to solve this mystery caused me
> a lot of headaches until I discovered the cause.
> 
> After that, you can go to Diagnostics / Authentication and test if
> authentication is working against the intended DCs.

Thanks a lot for your detailed explanation/howto!

I know that pfSense behavior, I hit this myself back then when setting 
that up for the first time ;-)

I'll try your method on a new DC for a test and also let the 
pfSense LDAP authentication use that.

thanks