samba - Nov 2022 - Auto generated certificates?

On 09/11/2022 08:41, Harald Hannelius wrote:
> 
> On Tue, 8 Nov 2022, Rowland Penny via samba wrote:
>> On 08/11/2022 08:47, Harald Hannelius via samba wrote:
>>>
>>> I read that Samba creates self-signed certificates for itself when 
>>> started the first time. These have a lifetime of 700 days. Does
this
>>> mean that Samba will stop working 700 days after installing it
unless
>>> I renew these myself manually?
>>>
>>> Are there caveats in using our own self-signed certs with longer 
>>> lifetimes or even "real" certificates?
>>>
>>> Also, wouldn't it be good if all Samba certificates would have
a
>>> Alternate Name of "DOMAIN" so when e.g. ldap-clients
connect to the
>>> domain-address the certificate would match?
>>>
>> The real question is: what are you using the certificates for ?
> 
> We would like to create, delete and modify accounts. Lock accounts, and 
> change passwords via a PHP library.
> 
> It would be nice to use the ldaps port, just in case.
> 
>> If it is for ldap searches, then can I suggest you use kerberos 
>> instead, it is even more secure.
> 
> A little concerned about data on the wire.
> 
If you use kerberos, I am reliably informed that the data is encrypted 
from end to end, as I said, kerberos is more secure than using ldaps 
with Samba.

Rowland

Op 09-11-2022 om 11:17 schreef Rowland Penny via samba:
>
>
> On 09/11/2022 08:41, Harald Hannelius wrote:
>>
>> On Tue, 8 Nov 2022, Rowland Penny via samba wrote:
>>> On 08/11/2022 08:47, Harald Hannelius via samba wrote:
>>>>
>>>> I read that Samba creates self-signed certificates for itself
when
>>>> started the first time. These have a lifetime of 700 days. Does
>>>> this mean that Samba will stop working 700 days after
installing it
>>>> unless I renew these myself manually?
>>>>
>>>> Are there caveats in using our own self-signed certs with
longer
>>>> lifetimes or even "real" certificates?
>>>>
>>>> Also, wouldn't it be good if all Samba certificates would
have a
>>>> Alternate Name of "DOMAIN" so when e.g. ldap-clients
connect to the
>>>> domain-address the certificate would match?
>>>>
>>> The real question is: what are you using the certificates for ?
>>
>> We would like to create, delete and modify accounts. Lock accounts, 
>> and change passwords via a PHP library.
>>
>> It would be nice to use the ldaps port, just in case.
>>
>>> If it is for ldap searches, then can I suggest you use kerberos 
>>> instead, it is even more secure.
>>
>> A little concerned about data on the wire.
>>
>
> If you use kerberos, I am reliably informed that the data is encrypted 
> from end to end, as I said, kerberos is more secure than using ldaps 
> with Samba.
>
> Rowland
>
You're right about kerberos, it sends encrypted data.
But reading the use-case: create, modify, delete, (etc.) accounts, I 
don't see how that can be done with kerberos alone.

- Kees.