vincent at cojot.name
2021-Jan-22 23:24 UTC
[Samba] Revisiting with IDM/FreeIPA the CA certificates used for samba.
Hi everyone,

I've been happily running our SOHO/Family on Samba AD/DC with RHEL for over 2.5 years. As you can gather from that, you can imagine I've been bitten by the default certs expiring. :)

I switched to easy-rsa urgently when the certs expired but I have many questions related to the proper implementation of the lifecycle of those certs in a Samba context:

- with two DC's (dc00 and dc01), the CN of each cert carries the CN of the DC (dc00.ad.lasthome.solace.krynn) but should I -also- add a SAN to each cert so that they report properly to the AD domain name? ("ad.lasthome.solace.krynn") In short, this would make certs carry information like this:
  CN : dc00.... (or dc01)
  SAN: ad.lasthome.solace.krynn
  Would this also help when 'dc00' is down or unavailable?

- Is there anything special about the certs of the Samba servers if I'm using Win10 endpoints (mostly 20H2 at the moment) or do Win10 endpoints accept self-signed certs as long as they are joined into that domain? It seems like it because I've not deployed my custom easy-rsa CA to the Windows machines.

So far, Windows 10 seems pretty lenient about this and it was only through the use of OpenShift that I realized 1) my AD certs had expired and 2) they didn't carry a SAN of the AD domain itself, only the CN of the DC machine.

I'm going to try to use RedHat IDM (FreeIPA based) to lifecycle the certs of my RHEL & Linux systems and see where this takes me.

Any comments? What are others doing?

Vincent S. Cojot
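The two problems the post ran into (an expired DC cert, and a cert whose only name is the DC's CN with no SAN for the AD domain) are both checkable from the PEM file alone. The script below is an added example, not code from the original post or from Samba; it uses the names from the post (dc00/dc01 under ad.lasthome.solace.krynn) and assumes OpenSSL 1.1.1 or newer for the `-addext` option. It self-signs for brevity, which stands in for the easy-rsa or IDM CA that would sign the CSR in practice; `$WORKDIR` and the file naming are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build a DC certificate that
# names both the DC FQDN and the AD domain in its SAN, then verify the SAN
# and the remaining lifetime so an expiring or SAN-less cert is caught early.
set -e

# Assumed scratch location; in practice keys stay on the DC with 0600 perms.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_dc_cert <dc-fqdn> <ad-domain> [days]
# Self-signed stand-in for a CA-issued cert. CN is the DC itself; the SAN
# carries the DC FQDN and the AD domain, which is what TLS clients match on.
make_dc_cert() {
    fqdn="$1"; domain="$2"; days="${3:-365}"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$WORKDIR/$fqdn.key" -out "$WORKDIR/$fqdn.crt" \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn,DNS:$domain" \
        -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
}

# cert_has_san <crt> <dns-name>: succeed only if the SAN lists dns-name.
# Reads the line following the "Subject Alternative Name" header in -text.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | tr -d ' ' | grep -qx "DNS:$2"
}

# cert_valid_for_days <crt> <days>: succeed only if the cert does NOT expire
# within <days>; -checkend is the portable way to get the comparison done.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_dc_cert <crt> <dc-fqdn> <ad-domain> <min-days>
# One-line report per DC; non-zero when any expectation fails.
check_dc_cert() {
    crt="$1"; fqdn="$2"; domain="$3"; min="$4"; rc=0
    cert_has_san "$crt" "$fqdn"   || { echo "$fqdn: SAN missing DC FQDN"; rc=1; }
    cert_has_san "$crt" "$domain" || { echo "$fqdn: SAN missing AD domain $domain"; rc=1; }
    cert_valid_for_days "$crt" "$min" || { echo "$fqdn: expires within $min days"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$fqdn: OK"
    return "$rc"
}

# Demo run for the two DCs named in the post (365-day lifetime assumed).
DOMAIN=ad.lasthome.solace.krynn
for dc in dc00 dc01; do
    make_dc_cert "$dc.$DOMAIN" "$DOMAIN" 365
    check_dc_cert "$WORKDIR/$dc.$DOMAIN.crt" "$dc.$DOMAIN" "$DOMAIN" 30
done
```

Running `check_dc_cert` against the existing easy-rsa certs (instead of the demo-generated ones) answers both questions from the post for each DC: whether the AD domain is present as a SAN, and how close the cert is to the expiry that took the domain down last time; a cron job with a 30-day threshold turns the second into an early warning rather than an outage.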