On 09-11-2022 at 09:41, Harald Hannelius via samba wrote:
>
> On Tue, 8 Nov 2022, Rowland Penny via samba wrote:
>> On 08/11/2022 08:47, Harald Hannelius via samba wrote:
>>>
>>> I read that Samba creates self-signed certificates for itself when
>>> started the first time. These have a lifetime of 700 days. Does this
>>> mean that Samba will stop working 700 days after installing it
>>> unless I renew these myself manually?
>>>
>>> Are there caveats in using our own self-signed certs with longer
>>> lifetimes or even "real" certificates?
>>>
>>> Also, wouldn't it be good if all Samba certificates would have an
>>> Alternate Name of "DOMAIN" so when e.g. ldap-clients connect to the
>>> domain-address the certificate would match?
>>>
>> The real question is: what are you using the certificates for?
>
> We would like to create, delete and modify accounts. Lock accounts,
> and change passwords via a PHP library.
>
> It would be nice to use the ldaps port, just in case.
>
>> If it is for ldap searches, then can I suggest you use kerberos
>> instead, it is even more secure.
>
> A little concerned about data on the wire.
>

It is not difficult to use your own certificates. I use easyrsa to create and manage them, that works pretty simply. Add your own ca-cert to the system ca-certs on every machine to make your certs trusted everywhere. Then modify smb.conf with:

        tls enabled = yes
        tls keyfile = /var/lib/samba/private/tls/hostname.domain.com.key
        tls certfile = /etc/ssl/certs/hostname.domain.com.crt
        tls cafile = /etc/ssl/certs/ca.pem

(these are the paths on debian and ubuntu)

- Kees
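As an added example (not part of the thread, and not Samba's or easyrsa's own tooling), the script below builds the kind of private CA and DC certificate Kees describes using the plain openssl CLI instead of easyrsa, puts both the host FQDN and the bare domain name in the Subject Alternative Name so that clients connecting to the domain address match (Harald's third question), and then runs the checks an admin would want before pointing `tls certfile`, `tls keyfile` and `tls cafile` at the files: that the leaf chains to the CA, that the SAN holds the expected names, that the key belongs to the certificate, and how much lifetime is left (the 700-day figure from the thread is used as the issued lifetime). The host and domain names, the working directory and the CA name are placeholders.

```shell
#!/bin/sh
# Added example: private CA + DC certificate with SAN, plus the pre-deployment
# checks for Samba's tls settings. Uses plain openssl; names are placeholders.
set -eu

WORK="${TMPDIR:-/tmp}/samba-tls-example"   # scratch dir for the generated PKI
DC_FQDN="dc1.example.internal"              # placeholder DC host name
DOMAIN="example.internal"                   # placeholder AD domain name
CERT_DAYS=700                               # lifetime the thread quotes for Samba's own certs

make_test_pki() {
    rm -rf "$WORK" && mkdir -p "$WORK"
    # Private CA: this is the file that goes into "tls cafile" and into the
    # system CA store on every machine that must trust the DC.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    # DC private key and CSR ("tls keyfile" is the .key).
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$DC_FQDN" \
        -keyout "$WORK/$DC_FQDN.key" -out "$WORK/$DC_FQDN.csr" >/dev/null 2>&1
    # SAN with both the FQDN and the bare domain, so ldaps://example.internal
    # and ldaps://dc1.example.internal both validate against this cert.
    printf 'subjectAltName=DNS:%s,DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$DC_FQDN" "$DOMAIN" > "$WORK/san.cnf"
    # Sign the CSR with the CA ("tls certfile" is the resulting .crt).
    openssl x509 -req -days "$CERT_DAYS" -CAcreateserial \
        -in "$WORK/$DC_FQDN.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -extfile "$WORK/san.cnf" -out "$WORK/$DC_FQDN.crt" >/dev/null 2>&1
}

# Check 1: the leaf certificate chains to the CA we intend to distribute.
chain_ok() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$DC_FQDN.crt" >/dev/null 2>&1
}

# Check 2: the SAN contains the given DNS name ($1).
san_has() {
    openssl x509 -in "$WORK/$DC_FQDN.crt" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | grep -q "DNS:$1\$"
}

# Check 3: the certificate stays valid for at least $1 more days
# (the same test an expiry monitor would run against the 700-day certs).
valid_for_days() {
    openssl x509 -in "$WORK/$DC_FQDN.crt" -noout \
        -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# Check 4: the private key in "tls keyfile" really belongs to "tls certfile".
key_matches_cert() {
    crt_mod=$(openssl x509 -in "$WORK/$DC_FQDN.crt" -noout -modulus)
    key_mod=$(openssl rsa -in "$WORK/$DC_FQDN.key" -noout -modulus 2>/dev/null)
    [ "$crt_mod" = "$key_mod" ]
}

# Stand-alone run: build the PKI and print a short report.
report() {
    make_test_pki
    chain_ok            && echo "chain to CA:          ok" || echo "chain to CA:          FAIL"
    san_has "$DC_FQDN"  && echo "SAN has $DC_FQDN: ok" || echo "SAN has $DC_FQDN: FAIL"
    san_has "$DOMAIN"   && echo "SAN has $DOMAIN:  ok" || echo "SAN has $DOMAIN:  FAIL"
    key_matches_cert    && echo "key matches cert:     ok" || echo "key matches cert:     FAIL"
    valid_for_days 30   && echo "valid for 30+ days:   ok" || echo "valid for 30+ days:   FAIL"
    echo "files: $WORK/ca.pem $WORK/$DC_FQDN.crt $WORK/$DC_FQDN.key"
}

report
```

The `valid_for_days` check is the piece worth scheduling: run it against the deployed `tls certfile` with a threshold such as 30 days, and a DC whose 700-day certificate is about to lapse gets noticed before LDAPS clients start failing.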