Hi folks,

Does anybody have experience using ADCS in conjunction with Samba? I would like to create certificates using ADCS as a CA to create certificates to be deployed to servers running web applications. It would be very convenient to have joined Windows computers automatically trust certificates issued by my own CA instead of having to import certificates manually on every browser on every computer.

Is that scenario possible running only Samba? I can't find much in the way of documentation.

Am I correct in understanding that the certificates and keys in private/tls/ are only meant to enable StartTLS/LDAPS connections?

Pietro

Hai Pietro,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Pietro Stäheli via samba
> Sent: Friday 15 February 2019 10:48
> To: samba at lists.samba.org
> Subject: [Samba] Samba and AD Certificate Services
>
> Hi folks,
>
> Does anybody have experience using ADCS in conjunction with Samba? I
> would like to create certificates using ADCS as a CA to create
> certificates to be deployed to servers running web applications. It
> would be very convenient to have joined Windows computers automatically
> trust certificates issued by my own CA instead of having to import
> certificates manually on every browser on every computer.

You're looking for this:
https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Configure_Windows_to_Accept_Your_CA

Don't look at the "Smart Card Login" part, but the pics here show perfectly how to do this.

> Is that scenario possible running only Samba? I can't find much in the
> way of documentation.

Hmm, there was more on the wiki.. I'll do an extra search..

> Am I correct in understanding that the certificates and keys in
> private/tls/ are only meant to enable StartTLS/LDAPS connections?

For Samba yes, but if you add the RootCA to your computers then you can do with it what you want.

Small tip if you want your own certs:
https://hohnstaedt.de/xca/ but you can use anything you like to generate certs.
If you search well in the list, you will find some users that make Let's Encrypt work also with dehydrated.

> Pietro

Greetz,
Louis

On 15.02.2019 11:11, L.P.H. van Belle via samba wrote:
> [...]
> Small tip if you want your own certs.
> https://hohnstaedt.de/xca/ but you can use anything you like to generate certs.

Thanks for sharing this, Louis, looks like a neat little tool.

Viktor

>> Does anybody have experience using ADCS in conjunction with Samba? I
>> would like to create certificates using ADCS as a CA to create
>> certificates to be deployed to servers running web applications. It
>> would be very convenient to have joined Windows computers automatically
>> trust certificates issued by my own CA instead of having to import
>> certificates manually on every browser on every computer.
>
> You're looking for this:
> https://wiki.samba.org/index.php/Samba_AD_Smart_Card_Login#Configure_Windows_to_Accept_Your_CA
>
> Don't look at the "Smart Card Login" part, but the pics here show perfectly how to do this.

Oh, cool, thanks Louis! I completely ignored that because I wasn't interested in smart cards :)

When I've got time I will run some tests to see if things work the way I want them to once I rip out the Windows DC.