On 18.05.21 at 09:40, Stefan G. Weichinger via samba wrote:
> On 12.05.21 at 16:39, Robert Marcano via samba wrote:
>
>> I recommend you manage your own CA and replace those files
>> autogenerated by the Samba DC with your CA and certificates signed by
>> it.
>>
>> Depending on your installation size, you will need automation with
>> tools like dogtag (dogtagpki.org) for example, or use smaller
>> graphical tools like XCA
>
> Thanks for the suggestion.
>
> I assume Samba does its own housekeeping, though? Never had to maintain
> these certs etc myself over the years.

anyone?

I just compared things: I imported /var/lib/samba/private/tls/ca.pem
into pfsense. No certificate cat-ed together with CA or something.

The ca.pem of one DC already has expired:

# openssl x509 -in ca.pem -text
[..]
Validity
Not Before: Feb 1 22:12:06 2019 GMT
Not After : Jan 1 22:12:06 2021 GMT

Is that ... correct?