On Tue, 8 Nov 2022, Rowland Penny via samba wrote:

> On 08/11/2022 08:47, Harald Hannelius via samba wrote:
>>
>> I read that Samba creates self-signed certificates for itself when started
>> the first time. These have a lifetime of 700 days. Does this mean that
>> Samba will stop working 700 days after installing it unless I renew these
>> myself manually?
>>
>> Are there caveats in using our own self-signed certs with longer lifetimes
>> or even "real" certificates?
>>
>> Also, wouldn't it be good if all Samba certificates would have an Alternate
>> Name of "DOMAIN" so when e.g. ldap-clients connect to the domain-address
>> the certificate would match?
>>
> The real question is: what are you using the certificates for?

We would like to create, delete and modify accounts. Lock accounts, and
change passwords via a PHP library.

It would be nice to use the ldaps port, just in case.

> If it is for ldap searches, then can I suggest you use kerberos instead, it
> is even more secure.

A little concerned about data on the wire.

--
Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020