Displaying 20 results from an estimated 40000 matches similar to: "Set same TLS Root CA cert on all Samba DC's?"
2023 Oct 25
1
Set same TLS Root CA cert on all Samba DC's?
And will Samba regenerate its own server certs from that CA, or do I need
to externally generate & renew them with openssl?
Does anything else need to be done before or after replacing the certs in
Samba? This won't break server/domain trust with domain joined workstations?
Thanks
On Wed, Oct 25, 2023 at 8:08 AM Kees van Vloten via samba <
samba at lists.samba.org> wrote:
2023 Oct 25
1
Set same TLS Root CA cert on all Samba DC's?
On 25-10-2023 at 17:13, Alex via samba wrote:
> And will Samba regenerate its own server certs from that CA, or do I need
> to externally generate & renew them with openssl?
> Does anything else need to be done before or after replacing the certs in
> Samba? This won't break server/domain trust with domain joined workstations?
Anything that server that uses TLS will
2023 Oct 25
1
Set same TLS Root CA cert on all Samba DC's?
On 25-10-2023 at 16:45, Alex via samba wrote:
> Hi!
>
> Is there a recommended way to set all the Samba DC's to use the same TLS
> Root CA certificate?
In smb.conf put a line, like this to let it use a specific ca-cert:
tls cafile = /etc/ssl/certs/ca.pem
Now it is just a matter of distributing that to all the DCs
- Kees.
>
> Thanks,
>
> Peter
2019 Jan 03
3
TLS ca/cert/key creation
RPvs> On Tue, 1 Jan 2019 10:35:17 -0800
RPvs> Gregory Sloop via samba <samba at lists.samba.org> wrote:
>> I'm working to put up a production FreeNAS box tied to Samba/AD for
>> authentication for users connecting to the FreeNAS share(s). In
>> joining FreeNAS to the AD domain, one immediately runs into
>> "problems" with TLS/encryption.
RPvs>
2020 Aug 06
4
Problem with intermediate certificate (tls cafile)
If I were guessing, based on some experience with certificate usage in
other apps, concatenate your certificate and intermediate certificates
into a single file which is then your "tls certfile" then point "tls
cafile" to your issuers proper CA or just to your distro's CA bundle,
e.g. /etc/pki/tls/certs/ca-bundle.crt.
Nick
On 06/08/2020 16:36, MAS Jean-Louis via samba
2016 Jun 17
3
tlsv1 alert unknown ca: SSL alert number 48
I have tried all the suggestions up till now but the error message is still
there.
I have tried this configuration for roundcube:
$config['imap_conn_options'] = array(
'ssl' => array(
'peer_name' => '<FQDN_OF_DOVECOT_CERTIFICATE>',
'verify_peer' => true,
'verify_depth' => 3,
// 'cafile' =>
2019 Jan 01
3
TLS ca/cert/key creation
I'm working to put up a production FreeNAS box tied to Samba/AD for authentication for users connecting to the FreeNAS share(s).
In joining FreeNAS to the AD domain, one immediately runs into "problems" with TLS/encryption.
Samba, in the defaults requires TLS. I could disable TLS security in Samba, but that's probably not a great idea.
So, I'll need a key/cert for the
2019 Apr 09
2
Possible incorrect file permissions in documentation for setting up Samba with LDAP(S)?
Hi All,
This Samba release changelog
(https://wiki.samba.org/index.php/Updating_Samba#Incorrect_TLS_File_Permissions)
specifically mentions a security issue and that the multiple *.pem
files needed for LDAP via TLS all need "special permissions" - and
mentions to delete old files without the required permissions to force
file renewal.
Yet in the official Samba documentation
2020 Aug 04
2
Problem with intermediate certificate (tls cafile)
I have several samba servers on Debian 10 all using :
samba 2:4.9.5+dfsg-5+deb10u1 amd64
I use tls cafile, tls certfile and tls keyfile with certificates from
Sectigo (https://cert-manager.com)
And when checking my connexion from the samba server, or from outside,
I've got "unable to verify the first certificate" even if tls_cafile is
provided in smb.conf.
What is wrong
2019 Jul 05
2
unsolved: Re: solved: how to create a working certificate for using TLS?
On 7/5/19 9:32 PM, John Runyon wrote:
> On Fri, 5 Jul 2019 at 14:28, hw <hw at gc-24.de> wrote:
>
> I thought about that and checked the configuration I've been using to
> create the certificate, and I can't see anywhere that it would expire
> earlier than after 3650 days. Is there another way to check this?
>
>
2019 Jan 03
3
TLS ca/cert/key creation
Really Rowland?
As quoted:
>> I believe I need to examine TLS since when I set "ldap server require
>> strong auth = allow_sasl_over_tls" or "ldap server require strong
>> auth = yes" user and group queries fail.
This is OBVIOUSLY using LDAP and TLS.
If this was via NTLM/Kerberos, the above setting wouldn't make the slightest difference.
But all that
2018 May 11
1
wbinfo -r 'username' displays inconsistent results across DC's
Hello,
Looking up a user's group membership I'm showing different results
on each DC. UID and GID mapping appears consistent but not all group
membership is displayed. I've verified idmap.ldb is backed up and copied
over to the other DC's. I do notice when taking a hot backup of
idmap.ldb, the file size is dramatically smaller than the original.
Using Microsoft RSAT to view
2016 Jun 16
4
tlsv1 alert unknown ca: SSL alert number 48
I think that you are right when you say that the problem may be the
certificate recognition.
As for Roundcube, I've inserted the uncommented php code that you provided
in /usr/share/roundcube/main.inc.php.dist, which is the Raspbian file for
/config/defaults.inc.php. Unfortunately Roundcube doesn't login and replies
with the message "connection to storage server failed". And
2018 Jul 20
4
autogenerated self-signed certificate problem
Hi people,
I have a problem with trying ldaps
I use an autogenerated self-signed certificate, and I wrote this in smb:
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
without cafile
When I try to verify with:
openssl verify /usr/local/samba/private/tls/myCert.pem
it tells me unable to verify the first certificate
and if I add -CApath it works!
and finally when I try from another
2014 Apr 22
2
Re: TLS and intermediate CA
Thanks for the response.
My current chain is as follows:
caroot -> child-ca1 -> server cert
My cacert.pem file has both the caroot and the child-ca1 certs. I have
recompiled libvirt on my machine with some extra debug statements and
verified that both the caroot cert and the child-ca1 certs are being
loaded. But when I try to connect the caroot and child-ca1 certs only
appear under the
2014 Jun 30
1
Testing TLS
Hi,
for an application (egroupware) I tried to switch on TLS:
tls enabled = Yes
tls keyfile = /etc/ssl/private/edad001.pem
tls certfile = /etc/ssl/certs/edad001.crt
tls cafile = /etc/ssl/certs/RootCA_.crt
But egroupware still told me tls is needed.
With which test could I test whether TLS is working or not?
Bye
Gregor
--
2018 Apr 16
2
tls verify peer with custom self-signed certificate
Hello,
When using a custom self-signed certificate, what is the
appropriate value for 'tls verify peer ='?
The wiki states to use 'tls cafile =' for a custom self-signed
certificate in smb.conf. If no ca exist, does Samba immediately fail the
check if using the default 'tls verify peer = as strict as possible'?
I've looked through the man page (Samba 4.7.5)
2018 Jul 24
1
Tracing the consequences of overlapped id mappings
Hi,
I'm trying to find out consequences of overlapped idmap settings that
used with 4.3.11 DC's. I'm about to upgrade these DC's to 4.8 version.
Before deploying new DCs, I want to make sure that any side effects
regarding id map settings will be left behind.
# ldbsearch -H /var/lib/samba/private/idmap.ldb | grep xidNumber \
| cut -d' ' -f2 | sort
0
100
3000000
2014 Apr 21
2
TLS and intermediate CA
I have been trying to get set of libvirtd system up and running. My PKI
infrastructure involves a root CA and several intermediate CAs. I am trying
to get the machines to trust each other across the different intermediate
CAs.
This is what I have so far:
Libvirtd is starting and listening on tls port 16514 I have configured
client/server certs/keys and it seems to be using all of these
2017 Jul 07
5
STARTTLS issue with sieve
Hi all,
I am currently struggling with an odd sieve/Pigeonhole issue. Some weeks
ago I had to replace our dovecot certificate due to expiration. In the
past I did use a self-signed certificate, but because we now have a
little openssl based CA I have decided to create signed certificate for
imaps. Dovecot is happily accepting the new certificate which has
integrated the whole cert-chain.