Joachim Lindenberg
2023-Dec-18 15:02 UTC
[Samba] AD-level Certificate Authorities with samba?
I am using Letsencrypt certificates everywhere, including all samba domain members and internal services. Of course that requires internal names to have at least wildcard DNS-resolution for letsencrypt, and proxying port 80 to the relevant letsencrypt service. But it saves me from configuring trust anchors manually across all clients.

Joachim

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Kees van Vloten via samba
Sent: Monday, 18 December 2023 14:54
To: samba at lists.samba.org
Subject: Re: [Samba] AD-level Certificate Authorities with samba?

On 17-12-2023 at 17:54, Michael Tokarev via samba wrote:
> Hi!
>
> What's the way to have a domain-based certificate authority so that
> various TLS services can be enabled within a domain, including LDAPS
> and other similar services?
>
> The whole CA thing is already complex enough; Microsoft has tools to
> do all this on their domain management collection (Active Directory
> Certificate Services). What's the way to do all this in/with samba-based AD?

I am using easyrsa to manage certificates, it does what it says, it is easy :-)
Copy the certs and keys to the right location and update smb.conf accordingly: scp and some scripting will do the trick.

- Kees.

> Thanks,
>
> /mjt
Hi,

On 18-12-2023 at 16:02, Joachim Lindenberg via samba wrote:
> I am using Letsencrypt certificates everywhere, including all samba
> domain members and internal services. Of course that requires
> internal names to have at least wildcard DNS-resolution for
> letsencrypt, and proxying port 80 to the relevant letsencrypt
> service. But it saves me from configuring trust anchors manually
> across all clients. Joachim

We're also doing LetsEncrypt, only we switched to dns-based validation using acme-dns (https://github.com/joohoi/acme-dns). That way you avoid the port 80 issue.

MJ
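Kees' "scp and some scripting" step and Joachim's Let's Encrypt setup, written out as an added example (not code from either poster): a POSIX sh deploy hook that checks the renewed key and certificate belong together, installs them for Samba with the key readable only by its owner, and prints the smb.conf TLS settings. The directory `/var/lib/samba/private/tls`, the `SAMBA_TLS_DIR` variable and the `samba-ad-dc` unit name are assumptions; `RENEWED_LINEAGE` is the variable certbot sets when it runs a deploy hook.

```shell
#!/bin/sh
# Added example, not code from either poster: a certbot-style deploy hook that
# installs a renewed Let's Encrypt certificate for a Samba AD DC and prints the
# matching smb.conf lines. Directory names and the service name are assumptions.
set -eu

# $1 = source dir with fullchain.pem, privkey.pem, chain.pem (certbot layout)
# $2 = destination dir that Samba reads; the key ends up mode 0600
install_tls_files() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    chmod 0750 "$dest"
    # Copy under a tight umask so the key is never world-readable, even briefly.
    ( umask 077
      cp "$src/fullchain.pem" "$dest/cert.pem"
      cp "$src/privkey.pem"   "$dest/key.pem"
      cp "$src/chain.pem"     "$dest/ca.pem" )
    chmod 0644 "$dest/cert.pem" "$dest/ca.pem"
    chmod 0600 "$dest/key.pem"
}

# Succeeds only if the key's public half equals the certificate's public key,
# which catches a renewed cert deployed next to a stale key. Needs openssl.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Emits the [global] settings Samba needs to serve LDAPS from the deployed files.
render_smb_tls_config() {
    printf '%s\n' "[global]" \
        "    tls enabled = yes" \
        "    tls keyfile = $1/key.pem" \
        "    tls certfile = $1/cert.pem" \
        "    tls cafile = $1/ca.pem"
}

# Hook entry point: certbot exports RENEWED_LINEAGE when it runs a deploy hook.
main() {
    src="$RENEWED_LINEAGE"
    dest="${SAMBA_TLS_DIR:-/var/lib/samba/private/tls}"
    key_matches_cert "$src/privkey.pem" "$src/fullchain.pem" ||
        { echo "key/cert mismatch in $src, not deploying" >&2; exit 1; }
    install_tls_files "$src" "$dest"
    render_smb_tls_config "$dest"
    # Then merge these lines into smb.conf and restart the DC (e.g.
    # systemctl restart samba-ad-dc; the unit name varies by distribution).
}
# Only act as a hook when certbot (or the operator) has set RENEWED_LINEAGE.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```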