Install SSL in SAMBA 4 AD DC

Published: March 03, 2020 by Galuh D Wijatmiko

• Categories:
• Authentication 12
• SecurityTunningAndHardening 22

• Tags:
• SSL 10
• centos7 15
• installation 12
• samba4 13

General Information

To use TLS, Samba has to be compiled with –enable-gnutls. To verify, use the following command:

  smbd -b | grep "ENABLE_GNUTLS"
  ENABLE_GNUTLS

1. The private key must be accessible without a passphrase, i.e. it must not be encrypted!
2. The files that samba uses have to be in PEM format (Base64-encoded DER). The content is enclosed between e. g.

   -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----

3. When intermediate certificates are used they should be appended to the cert.pem file after the server certificate e. g.

   roomit-int.tech.cert + roomit.tech.cert

Enable SSL SAMBA AD DC

in /etc/samba/smb.conf add under [global] option

        tls enabled  = yes
        tls keyfile  = /etc/samba/private/tls/roomitKey.pem
        tls certfile = /etc/samba/private/tls/roomitCert.pem
        tls cafile   = /etc/samba/private/tls/roomitIntermediate.pem

Change key certificate to 600 mode

  chmod 600 /etc/samba/private/tls/roomitKey.pem

Enable port 389 Accessible

in /etc/samba/smb.conf add under [global] option

        client ldap sasl wrapping = sign
        ldap server require strong auth = no

Restart SAMBA AD DC

 systemctl restart samba

Check Certificate

 echo | openssl s_client -servername addc1.roomit.tech -connect addc1.roomit.tech:636 2>/dev/null