Tried anybody set letsencrypt certificate for Samba (Active Directory mode)


#1

Hi, is here anybody, who tried to set letsencrypt certificate to Samba as Domain Controller (AD)?

Anybody helps?


#2

It seems as though in principle this could work.

A Domain Controller’s certificate needs the id_kp_serverAuth EKU, which is the same EKU issued for web servers (or IRC servers, or any other kind of server) and thus is included in a Let’s Encrypt certificate.

It also needs the certificate’s common name or a DNS SAN to exactly match the FQDN that the Active Directory DC is claiming to be. SO if your DC claims to be dc.mycorp.example then the Let’s Encrypt certificate needs to be issued for that name, not for www.mycorp.example or mycorp.example or anything else. The periodic renewal needs to happen for that name too, which could be awkward for most DCs which aren’t externally facing.

The certificate needs to be issued by a CA trusted by the Controller (easy enough to arrange) and by all its clients. You could use Group Policy to add the relevant CA certificate to all clients if they don’t trust the CA you want to use.

It’s not clear that this has any benefit over using self-signed certificates, or in a bigger organisation using certificates from an in-house CA. AD clients are almost by definition not random members of the public, so they don’t need a publicly trusted certificate, just one their own organisation trusts.


#3

benefit for doing this is that domain certificate is valid (auto installed only for domain hosts)

but when you connect to domain (ldap) external application, so valid certificated is required, but this host is not in domain, and will be occured error at validating self-signed certificate