help with TLS certificates for Samba4 - Samba



Thread: help with TLS certificates for Samba4

  1. help with TLS certificates for Samba4

    I'm hoping someone on the list can help me work out some issues with
    the automated TLS certificate generation in Samba4.

    I have now generalised the tls code in Samba4, so we have a lib/tls/
    subsystem that is used by both our internal LDAP code (both client and
    server) and our internal web server.

    As I have mentioned previously, sites that have real certificates will
    be able to use those, but smbd will auto-generate self-signed
    certificates for sites that don't.

    Most recently I have been trying to test our ldb tools using ldaps
    against a w2k3 server. To do that I need to install a certificate on
    w2k3 for the windows LDAP server to use. If I don't have a certificate
    installed on w2k3 then I get the following in the event log:

    LDAP over Secure Sockets Layer (SSL) will be unavailable at this
    time because the server was unable to obtain a certificate.

    So, I would like to install the certificates that have been auto
    generated by smbd into a w2k3 server. To do that I have run:

    openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca.pem \
    -name "Samba" -out samba.p12

    Then double-clicked on the samba.p12 in windows. That launches the
    certificate install wizard. Unfortunately it gives me an error like
    this:

    An internal error occurred. This can be either the user profile is
    not accessible or the private key that you are importing might
    require a cryptographic service provider that is not installed on
    your system.

    I suspect one of the following possible problems:

    1) w2k3 cannot handle certificates generated by gnutls.

    2) I am not passing some mandatory option to gnutls when generating
    the certificate, and thus end up leaving off some important
    attribute in the generated certificate.

    3) the conversion to a p12 file using openssl is broken.

    I have placed the certificates and generated p12 files in
    http://samba.org/~tridge/tls/ and I would greatly appreciate it if
    someone more knowledgeable about TLS certificates on windows than I am
    could take a look at them and see if they can spot the problem. The
    password on the p12 file is "samba".

    Cheers, Tridge
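    The PKCS#12 export step described above, worked through as an added example that is not part of the thread and is not Samba's own code. It builds a throwaway CA-signed server certificate with the same file names the post uses (ca.pem, key.pem, cert.pem, samba.p12), runs the same openssl pkcs12 -export, and then opens the bundle locally to confirm it holds exactly one private key that matches the leaf certificate and that the leaf carries the serverAuth EKU, which is the quickest way to rule the conversion itself in or out before carrying the file to another machine. The host name, scratch directory and the bundle password are constructed values, and the script assumes an openssl binary (1.1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba code): generate a demo CA and
# server certificate, package them into a PKCS#12 bundle as in the post, and
# verify the bundle contents locally.
set -eu

WORK="${TMPDIR:-/tmp}/p12-demo.$$"   # scratch directory (assumption)
P12_PASS="samba"                      # bundle password quoted in the post
HOST="ldap.example.internal"          # placeholder server name (constructed)

# Create ca.pem, key.pem and cert.pem, the inputs of the post's openssl command.
make_certs() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca-key.pem" -out "$WORK/ca.pem" -subj "/CN=Demo CA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/key.pem" -out "$WORK/req.pem" -subj "/CN=$HOST" 2>/dev/null
    # A TLS server certificate should carry a SAN and the serverAuth EKU.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/ext.cnf"
    openssl x509 -req -days 365 -in "$WORK/req.pem" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/cert.pem" 2>/dev/null
}

# The post's export command, with the password supplied non-interactively.
make_p12() {
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -certfile "$WORK/ca.pem" -name "Samba" \
        -passout "pass:$P12_PASS" -out "$WORK/samba.p12"
}

# Number of private keys inside the bundle; a usable server bundle has exactly one.
p12_key_count() {
    openssl pkcs12 -in "$WORK/samba.p12" -passin "pass:$P12_PASS" \
        -nocerts -nodes 2>/dev/null | grep -c 'BEGIN .*PRIVATE KEY'
}

# Number of certificates (leaf plus CA chain) inside the bundle.
p12_cert_count() {
    openssl pkcs12 -in "$WORK/samba.p12" -passin "pass:$P12_PASS" \
        -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Succeeds only if the bundled key's public half equals the leaf certificate's.
p12_key_matches_cert() {
    key_pub=$(openssl pkcs12 -in "$WORK/samba.p12" -passin "pass:$P12_PASS" \
        -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    cert_pub=$(openssl pkcs12 -in "$WORK/samba.p12" -passin "pass:$P12_PASS" \
        -clcerts -nokeys 2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds only if the leaf certificate in the bundle carries the serverAuth EKU.
p12_leaf_has_server_auth() {
    openssl pkcs12 -in "$WORK/samba.p12" -passin "pass:$P12_PASS" \
        -clcerts -nokeys 2>/dev/null | openssl x509 -noout -text \
        | grep -q 'TLS Web Server Authentication'
}

cleanup() { rm -rf "$WORK"; }

main() {
    make_certs
    make_p12
    echo "keys in bundle:  $(p12_key_count)"
    echo "certs in bundle: $(p12_cert_count)"
    p12_key_matches_cert && echo "bundled key matches the leaf certificate"
    p12_leaf_has_server_auth && echo "leaf certificate has the serverAuth EKU"
    cleanup
}
main
```

    One caveat beyond the thread: with OpenSSL 3 the default bundle encryption is AES with PBKDF2, which older Windows releases cannot import; on that OpenSSL version the export needs the additional -legacy option to produce the older RC2/3DES encoding those systems expect.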

  2. Re: help with TLS certificates for Samba4

    Try this:

    1) In Windows, right-click on the .pfx/.p12 file and run through the
    certificate import wizard.
    2) Import into the personal store for the user you are logged in as.
    3) Open MMC. Add 2 Cert Manager snap-ins. One for the computer
    account, the other for the user account.
    4) Drag the cert you just imported from the personal store in the user
    account and drop it into the personal store for the computer account.

    This was on w2k3 SP1 from console. I stumbled across this by accident
    after running into a similar problem trying to import a cert for IIS
    made the same way using pkcs12. Funny that even after I imported it to
    my own personal store, I couldn't export, then import it to the
    computer personal store without that stupid error. Hooray for drag and
    drop.

    Hopefully this will work for you too!

    - Glen

    Andrew Tridgell wrote:
    > I'm hoping someone on the list can help me work out some issues with
    > the automated TLS certificate generation in Samba4.
    >
    > I have now generalised the tls code in Samba4, so we have a lib/tls/
    > subsystem that is used by both our internal LDAP code (both client and
    > server) and our internal web server.
    >
    > As I have mentioned previously, sites that have real certificates will
    > be able to use those, but smbd will auto-generate self-signed
    > certificates for sites that don't.
    >
    > Most recently I have been trying to test our ldb tools using ldaps
    > against a w2k3 server. To do that I need to install a certificate on
    > w2k3 for the windows LDAP server to use. If I don't have a certificate
    > installed on w2k3 then I get the following in the event log:
    >
    > LDAP over Secure Sockets Layer (SSL) will be unavailable at this
    > time because the server was unable to obtain a certificate.
    >
    > So, I would like to install the certificates that have been auto
    > generated by smbd into a w2k3 server. To do that I have run:
    >
    > openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile ca.pem \
    > -name "Samba" -out samba.p12
    >
    > Then double-clicked on the samba.p12 in windows. That launches the
    > certificate install wizard. Unfortunately it gives me an error like
    > this:
    >
    > An internal error occurred. This can be either the user profile is
    > not accessible or the private key that you are importing might
    > require a cryptographic service provider that is not installed on
    > your system.
    >
    > I suspect one of the following possible problems:
    >
    > 1) w2k3 cannot handle certificates generated by gnutls.
    >
    > 2) I am not passing some mandatory option to gnutls when generating
    > the certificate, and thus end up leaving off some important
    > attribute in the generated certificate.
    >
    > 3) the conversion to a p12 file using openssl is broken.
    >
    > I have placed the certificates and generated p12 files in
    > http://samba.org/~tridge/tls/ and I would greatly appreciate it if
    > someone more knowledgeable about TLS certificates on windows than I am
    > could take a look at them and see if they can spot the problem. The
    > password on the p12 file is "samba".
    >
    > Cheers, Tridge



  3. Re: help with TLS certificates for Samba4

    Well so much for the drag and drop! It appeared to work such that the
    cert was *there*, but it failed to load saying the private key was
    inaccessible. Which sent me down this path...

    %SystemRoot%\Documents and Settings\All Users\Application
    Data\Microsoft\Crypto\RSA\MachineKeys

    "Administrators" and "System" should have full control. Also any
    account that runs the service that will be accessing the key such as
    "Network Service".

    Anyway, once I added these permissions everything worked. I was able
    to import the .pfx file directly into the computer certificate store.

    - Glen

