Michael Tokarev
2023-Dec-17 16:54 UTC
[Samba] AD-level Certificate Authorities with samba?
Hi!

What's the way to have a domain-based certificate authority so that various TLS services can be enabled within a domain, including LDAPS and other similar services?

The whole CA thing is already complex enough, Microsoft has tools to do all this on their domain management collection (Active Directory Certificate Services). What's the way to do all this in/with samba-based AD?

Thanks,

/mjt
Andrew Bartlett
2023-Dec-18 00:37 UTC
[Samba] AD-level Certificate Authorities with samba?
On Sun, 2023-12-17 at 19:54 +0300, Michael Tokarev via samba wrote:
> Hi!
> What's the way to have a domain-based certificate authority so that
> various TLS services can be enabled within a domain, including
> LDAPS and other similar services?
> The whole CA thing is already complex enough, Microsoft has tools to
> do all this on their domain management collection (Active Directory
> Certificate Services). What's the way to do all this in/with
> samba-based AD?

You run it the same as any other CA, outside Samba, and just replace Samba's auto-generated certs. Modern Samba versions even have a smbcontrol signal to allow reload without a restart.

What we don't have is the certificate auto-enrolment stuff.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
Kees van Vloten
2023-Dec-18 13:54 UTC
[Samba] AD-level Certificate Authorities with samba?
On 17-12-2023 at 17:54, Michael Tokarev via samba wrote:
> Hi!
>
> What's the way to have a domain-based certificate authority so that
> various TLS services can be enabled within a domain, including
> LDAPS and other similar services?
>
> The whole CA thing is already complex enough, Microsoft has tools to
> do all this on their domain management collection (Active Directory
> Certificate Services). What's the way to do all this in/with
> samba-based AD?

I am using easyrsa to manage certificates, it does what it says, it is easy :-)

Copy the certs and keys to the right location and update smb.conf accordingly: scp and some scripting will do the trick.

- Kees.

>
> Thanks,
>
> /mjt
>
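The "replace Samba's certs, point smb.conf at them, reload" flow from Andrew's and Kees's replies, as an added example that is not code from the thread or from the Samba project. The install directory, file names and DC FQDN are assumptions; the `smbcontrol ldap_server reload-certs` message is the in-place reload Andrew refers to and needs a recent Samba.

```shell
#!/bin/sh
# Added example: install CA-issued TLS material on a Samba AD DC and reload the
# LDAP server in place. TLS_DIR (Samba's default tls location) and the FQDN are assumptions.
set -eu

TLS_DIR="${TLS_DIR:-/var/lib/samba/private/tls}"

# Print the [global] lines to put in smb.conf so Samba uses the installed files.
tls_global_stanza() {
  dir="$1"
  printf '%s\n' \
    '    tls enabled  = yes' \
    "    tls keyfile  = $dir/key.pem" \
    "    tls certfile = $dir/cert.pem" \
    "    tls cafile   = $dir/ca.pem"
}

# Copy key, cert and CA chain into place; the private key must not be group/world readable.
install_tls_files() {
  src_key="$1"; src_cert="$2"; src_ca="$3"; dir="$4"
  mkdir -p "$dir"
  install -m 0600 "$src_key"  "$dir/key.pem"
  install -m 0644 "$src_cert" "$dir/cert.pem"
  install -m 0644 "$src_ca"   "$dir/ca.pem"
}

# Permission string of a file (e.g. -rw-------), without relying on GNU stat.
file_mode() { ls -ld "$1" | cut -c1-10; }

# Pre-reload checks with openssl: key mode, key matches cert, cert chains to the CA,
# and the SAN carries the DC's FQDN (what LDAPS clients will verify against).
verify_tls_files() {
  dir="$1"; fqdn="$2"
  [ "$(file_mode "$dir/key.pem")" = "-rw-------" ] || { echo "key.pem is too open" >&2; return 1; }
  k=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$dir/cert.pem" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ] || { echo "key.pem does not match cert.pem" >&2; return 1; }
  openssl verify -CAfile "$dir/ca.pem" "$dir/cert.pem" >/dev/null || return 1
  openssl x509 -in "$dir/cert.pem" -noout -ext subjectAltName | grep -q "DNS:$fqdn" \
    || { echo "cert.pem SAN lacks DNS:$fqdn" >&2; return 1; }
}

# Ask the running LDAP server to pick up the new files (no restart), then test LDAPS
# against the CA file the way a domain client would.
reload_and_check() {
  fqdn="$1"
  smbcontrol ldap_server reload-certs || return 1
  printf 'Q\n' | openssl s_client -connect "$fqdn:636" -servername "$fqdn" \
    -CAfile "$TLS_DIR/ca.pem" -verify_return_error >/dev/null
}
```

Typical order on a DC: `install_tls_files`, append `tls_global_stanza "$TLS_DIR"` to the `[global]` section, `verify_tls_files "$TLS_DIR" dc1.example.internal`, then `reload_and_check dc1.example.internal`.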
Hi Michael,

> What's the way to have a domain-based certificate authority so that
> various TLS services can be enabled within a domain, including
> LDAPS and other similar services?
>
> The whole CA thing is already complex enough, Microsoft has tools to
> do all this on their domain management collection (Active Directory
> Certificate Services). What's the way to do all this in/with
> samba-based AD?

We use SmallStep [1] internally. It is not a drop-in replacement for ADCS but you can get something quite similar.

And by the way, I'm personally happy not to have to deal with ADCS, I had a few problems with it in the past and there have been a few nasty security issues due to that piece of software in the last few years.

Cheers,
Denis

[1] https://smallstep.com/

>
> Thanks,
>
> /mjt
>