Thanks Gabben and Andrew. I've understood, but a new question emerged: each DC server on my domain has a different cert/key pair and a different CA cert after deployment, correct?

If so, is it a best practice to generate a new cert for each DC server and sign them with a unique CA? Note: every DC server belongs to the same domain.

--
Igor Sousa

On Sun, 14 Jun 2020 at 16:46, Andrew Bartlett <abartlet at samba.org> wrote:

> On Sun, 2020-06-14 at 16:24 -0300, Igor Sousa via samba wrote:
> > Hi everyone,
> >
> > I have a question about certificates generated on Samba AD/DC deployment. After all server configuration, I notice that there are ca.pem, cert.pem and key.pem in the /usr/local/samba/private/tls directory. I realize the ca.pem and cert.pem have 2 years validity. Will Samba AD/DC automatically generate new certs before this time is over? Or must I generate them manually?
>
> No, they will not be automatically renewed.
>
> So yes, you need to generate them manually.
>
> The original intention was that the certificates be replaced by the administrator.
>
> However, I think we would accept patches to extend the initial validity on the autogenerated certificates, given that replacement almost never happens. This makes more sense than to renew them, as that would break software which has the current certificate manually accepted, and potentially break a manually installed certificate.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
Hi Igor,

You certainly don't want a different CA for each DC, and you typically do want an individually generated certificate and private key for each server.

PKI is typically a tree hierarchy, which is a critical feature in the trust relationships across any environment. You want one (root) CA, and possibly 1-3 intermediate CAs depending on the complexity of your infrastructure (intermediate CA certificates are capable of signing host-specific certs). Each DC (and each web server or application server you deploy with SSL/TLS-protected services) needs to present its own server certificate (plus the full chain of certs used to sign its server cert) to clients, so that clients can check the validity of the server cert for themselves (based on the trusted certs in the client CA trust store).

Then the root and intermediate certificate authority (CA) certs get pushed into the root trust store on every host OS in your environment, so that they all trust a certificate presented by any server they connect to which has a cert signed by your CA infrastructure.

The level of complexity you need to engage in depends on the size and needs of your environment. If you have simple needs in a smaller environment, take a look at the OpenVPN project's "easy-rsa".

Good luck.

> On Jun 14, 2020, at 1:15 PM, Igor Sousa via samba <samba at lists.samba.org> wrote:

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
That would make a lot of sense.

Andrew Bartlett

On Sun, 2020-06-14 at 17:15 -0300, Igor Sousa wrote:
> Thanks Gabben and Andrew. I've understood but a new question emerged: [...]

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
Hi! Andrew Bartlett via samba wrote:

> That would make a lot of sense.

But this (e.g. certificate management, or non-management ;) is not a problem, right? Currently, on my first DC:

    root at vdcsv1:~# openssl x509 -in /var/lib/samba/private/tls/ca.pem -noout -dates
    notBefore=Sep 20 10:39:47 2017 GMT
    notAfter=Aug 21 10:39:47 2019 GMT
    root at vdcsv1:~# openssl x509 -in /var/lib/samba/private/tls/cert.pem -noout -dates
    notBefore=Sep 20 10:39:47 2017 GMT
    notAfter=Aug 21 10:39:47 2019 GMT

so both the CA and the cert are expired. But my domain works as expected. Probably this is because I've disabled CA verification in libldap (e.g. TLS_REQCERT never in /etc/ldap/ldap.conf), but does that make sense?

To put it differently:

1) what are the advantages and drawbacks of managing certificates in Samba?
2) how does Windows Server behave?

Thanks.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (tax code 00307430132, category ONLUS or HEALTH RESEARCH)
Gabben, I got what you said. Then, could I use a commercial CA to sign my DC certs? Is there any security issue if I do it?

I ask because I've seen that WPA2-Enterprise has a security issue on Android devices, specifically early versions up to Android 7, which do not allow configuring verification of the expected server name in the user interface.

--
Igor Sousa

On Sun, 14 Jun 2020 at 17:28, gabben <gabbenx at gmail.com> wrote:
> Hi Igor,
>
> You certainly don't want a different CA for each DC, and you typically do want an individually generated certificate and private key for each server. [...]
Joachim Lindenberg
2020-Jun-17 06:44 UTC
[Samba] Question about certificates on Samba AD/DC
> "If you have simple needs in a smaller environment, take a look at the OpenVPN project's "easy-rsa""

I'd definitely try letsencrypt.org first - it resolves the headache of establishing trust throughout the environment, and you have to get used to automating it and thus avoid expired certs.

Regards, Joachim

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On behalf of gabben via samba
Sent: Sunday, June 14, 2020 10:28 PM
To: Igor Sousa <igorvolt at gmail.com>
Cc: sambalist <samba at lists.samba.org>; Andrew Bartlett <abartlet at samba.org>
Subject: Re: [Samba] Question about certificates on Samba AD/DC

Hi Igor,

You certainly don't want a different CA for each DC, and you typically do want an individually generated certificate and private key for each server. [...]