Score:0

Adding SSL certs to Samba from CA

jp flag

I have a wildcard SSL cert from a CA that I am trying to get to work on my Samba AD DC. Samba fails on restart when smb.conf looks like this:

    tls enabled  = yes
    tls keyfile  = tls/mycert.crt
    tls certfile = tls/thekey.p7b
    tls cafile   = tls/myca.ca-bundle
    # client ldap sasl wrapping = sign and seal
    ldap server require strong auth = allow_sasl_over_tls

It fails with "TLS failed to initialise certfile...and keyfile". Trying to verify the cert also comes back with this error:

error 20 at 0 depth lookup: unable to get local issuer certificate error verification failed

I also converted the files to PEM files and tried that, but switched them back when it wasn't working.

Any help with this would be appreciated thanks!

Score:1
br flag

You seem to have misread the man page for the samba conf file. The following options need adjustment in your config:

tls keyfile (G)

This option can be set to a file (PEM format) containing the RSA private key. This file must be accessible without a pass-phrase, i.e. it must not be encrypted.

This path is relative to private dir if the path does not start with a /.

Default: tls keyfile = tls/key.pem

You have this set to tls/mycert.crt. While a file named mycert which ends in .crt may be a private key, I suspect that it's actually your certificate.

You should replace this with the private key file.

You should have previously created (or potentially received from the CA) the private key file. You can verify that this file is in PEM format using cat my.key (insert correct name) where, if it's in PEM format, it will begin with -----BEGIN PRIVATE KEY----- (or potentially -----BEGIN RSA PRIVATE KEY-----). If it shows up as a mix of text and non-printable characters when you view the file, then the file is in DER format, and you will need the help of a tool such as OpenSSL to convert this file to PEM.


tls certfile (G)

This option can be set to a file (PEM format) containing the RSA certificate.

This path is relative to private dir if the path does not start with a /.

Default: tls certfile = tls/cert.pem

You have this set to tls/thekey.p7b. Again, while a file named thekey with a .p7b extension may be a PEM encoded certificate, I suspect that it is a certificate or certificate bundle in PKCS#7 format.

You should replace this with the certificate file.

I'd suggest this should be tls/mycert.crt, but only if that file is in PEM format. You can verify this with cat mycert.crt where, if it's in PEM format, it will start with -----BEGIN CERTIFICATE-----. As for the private key, OpenSSL can help you convert between formats.


The tls cafile = tls/myca.ca-bundle could potentially be correct if the myca.ca-bundle file is a concatenation of PEM formatted CA certificates. Again, use cat to view the file and it should contain one or more blocks beginning with -----BEGIN CERTIFICATE-----.


If you fix the above, it should get you closer to a working Samba LDAPS. However, note this warning on the Samba wiki.
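As an added check that is not part of the answer or of Samba itself: this Python script reads the tls file options out of smb.conf text, resolves them relative to an assumed private dir, and reports whether each file's content is the PEM block type that option expects (private key for tls keyfile, certificate for tls certfile and tls cafile), flagging DER or PKCS#7 input that needs converting. The smb.conf lines and file bodies at the bottom are constructed samples.

```python
import re

# Which PEM block types each smb.conf tls option accepts, per the man page
# excerpts quoted in the answer (mapping written here, not taken from Samba).
EXPECTED = {
    "tls keyfile": {"PRIVATE KEY", "RSA PRIVATE KEY"},
    "tls certfile": {"CERTIFICATE"},
    "tls cafile": {"CERTIFICATE"},
}
PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")


def tls_files(smb_conf, private_dir="/var/lib/samba/private"):
    """Map each tls file option in smb.conf text to its resolved path.
    private_dir is an assumed default; relative paths resolve against it."""
    found = {}
    for line in smb_conf.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        key, sep, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if sep and key in EXPECTED:
            found[key] = value if value.startswith("/") else f"{private_dir}/{value}"
    return found


def pem_labels(data):
    """Return the set of PEM block labels found in data, e.g. {'CERTIFICATE'}."""
    return {m.decode() for m in PEM_HEADER.findall(data)}


def check_option(option, data):
    """Return a list of problems with the file content for one tls option."""
    labels = pem_labels(data)
    if not labels:
        # DER certificates/keys and binary PKCS#7 start with an ASN.1 SEQUENCE tag.
        if data[:1] == b"\x30":
            return [f"{option}: binary DER/PKCS#7 data, convert to PEM with openssl"]
        return [f"{option}: no PEM block found"]
    problems = []
    if "PKCS7" in labels:
        problems.append(f"{option}: PKCS#7 bundle, extract the certificate with openssl")
    if not labels & EXPECTED[option]:
        problems.append(f"{option}: expected {sorted(EXPECTED[option])}, found {sorted(labels)}")
    if "ENCRYPTED PRIVATE KEY" in labels or b"Proc-Type: 4,ENCRYPTED" in data:
        problems.append(f"{option}: key is encrypted, Samba needs an unencrypted key")
    return problems


# Constructed sample inputs: the question's smb.conf lines and fake file bodies.
SMB_CONF = "tls enabled = yes\ntls keyfile = tls/mycert.crt\ntls certfile = tls/thekey.p7b\n"
CERT_PEM = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
KEY_PEM = b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
PKCS7_DER = b"\x30\x82\x04\x00"                      # leading bytes of a DER blob
```

Running check_option on the question's layout (a certificate under tls keyfile, a .p7b under tls certfile) produces exactly the mismatches the answer describes.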

Chase Stuart
Thanks for fixing the question Gareth. The key and the cert are in the correct spots I just misnamed them when I renamed them for this question. I did have them all converted to a pem file in one instance, but next I will try just converting the key. Thank you so much for your detailed answer!