And will Samba regenerate its own server certs from that CA, or do I need to externally generate & renew them with openssl?
Does anything else need to be done before or after replacing the certs in Samba? This won't break server/domain trust with domain joined workstations?

Thanks

On Wed, Oct 25, 2023 at 8:08 AM Kees van Vloten via samba <samba at lists.samba.org> wrote:

> On 25-10-2023 at 16:45 Alex via samba wrote:
> > Hi!
> >
> > Is there a recommended way to set all the Samba DC's to use the same TLS
> > Root CA certificate?
> In smb.conf put a line, like this to let it use a specific ca-cert:
>
> tls cafile = /etc/ssl/certs/ca.pem
>
> Now it is just a matter of distributing that to all the DCs
>
> - Kees.
>
> > Thanks,
> >
> > Peter
Kees van Vloten
2023-Oct-25 15:21 UTC
[Samba] Set same TLS Root CA cert on all Samba DC's?
On 25-10-2023 at 17:13 Alex via samba wrote:
> And will Samba regenerate its own server certs from that CA, or do I need
> to externally generate & renew them with openssl?
> Does anything else need to be done before or after replacing the certs in
> Samba? This won't break server/domain trust with domain joined workstations?

Anything on that server that uses TLS will create some certs, or use the distro default snake-oil certs.

However in order to get secure communication, you need to have a common ca-cert on all your machines (servers and clients) and generate a cert and key pair for each server.

Openssl can do it, but I prefer EasyRSA, which uses openssl under the hood.

- Kees.

> Thanks
>
> On Wed, Oct 25, 2023 at 8:08 AM Kees van Vloten via samba <
> samba at lists.samba.org> wrote:
>
>> On 25-10-2023 at 16:45 Alex via samba wrote:
>>> Hi!
>>>
>>> Is there a recommended way to set all the Samba DC's to use the same TLS
>>> Root CA certificate?
>> In smb.conf put a line, like this to let it use a specific ca-cert:
>>
>> tls cafile = /etc/ssl/certs/ca.pem
>>
>> Now it is just a matter of distributing that to all the DCs
>>
>> - Kees.
>>
>>> Thanks,
>>>
>>> Peter
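
The setup described in the reply above (one common CA cert on every machine, one cert and key pair per server), worked through with plain openssl as an added example that is not part of the original thread. Hostnames, paths, key sizes and lifetimes are assumptions; `tls enabled`, `tls certfile` and `tls keyfile` are the smb.conf parameters that accompany the quoted `tls cafile` line.

```shell
#!/bin/sh
# Added example: one shared root CA, one key/cert pair per DC (constructed hostnames).

# make_ca DIR: create the root. Only ca.pem is copied to DCs and clients;
# ca.key stays on the signing host.
make_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:3072 -nodes -days 3650 -sha256 \
        -subj "/CN=Example Samba Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    chmod 600 "$1/ca.key"
}

# issue_dc_cert DIR FQDN: new key and CSR for one DC, signed by the CA in DIR.
issue_dc_cert() {
    dir=$1; fqdn=$2
    openssl req -new -newkey rsa:3072 -nodes -subj "/CN=$fqdn" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" 2>/dev/null &&
    chmod 600 "$dir/$fqdn.key" &&   # keep the private key owner-only
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" \
        > "$dir/$fqdn.ext" &&
    openssl x509 -req -in "$dir/$fqdn.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/$fqdn.ext" \
        -out "$dir/$fqdn.pem" 2>/dev/null
}

# verify_dc_cert CAFILE CERT FQDN: succeeds only if CERT chains to CAFILE
# and its SAN matches FQDN.
verify_dc_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# smbconf_tls DIR FQDN: print the [global] lines for that DC.
smbconf_tls() {
    printf 'tls enabled  = yes\ntls cafile   = %s/ca.pem\n' "$1"
    printf 'tls certfile = %s/%s.pem\ntls keyfile  = %s/%s.key\n' "$1" "$2" "$1" "$2"
}

# Demo in a scratch directory.
d=$(mktemp -d); dc=dc1.samdom.example.com
make_ca "$d" && issue_dc_cert "$d" "$dc" &&
    verify_dc_cert "$d/ca.pem" "$d/$dc.pem" "$dc" && smbconf_tls "$d" "$dc"
```

Running `verify_dc_cert` on each DC after distribution catches a cert that was signed by a different CA or issued for the wrong hostname before clients do.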