Certificate Auto Enrollment

From SambaWiki

Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy using Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.

Configuring Certificate Auto Enrollment on the Server

The Windows server roles Certification Authority, Certificate Enrollment Policy Web Service, Certificate Enrollment Web Service, Certification Authority Web Enrollment, and Network Device Enrollment Service all must be installed and configured.

Configure Group Policy auto enrollment as described in the documentation here.

Enable Certificate Auto Enrollment on the Client

To setup Certificate Auto Enrollment:

  1. Install certmonger, cepces, and sscep. Samba uses sscep to download the CA root chain, then uses certmonger paired with cepces to monitor the host certificate templates.
  2. Join to an Active Directory domain (one where the CA has been previously configured as explained above).
  1. Enable group policy apply:
    • For a Winbind joined machine by setting the smb.conf global parameter 'apply group policies = yes'.
    • For a SSSD joined machine by installing the oddjob-gpupdate package.
  2. To verify Certificate Auto Enrollment is correctly configured, issue the command `/usr/sbin/samba-gpupdate --rsop`
Resultant Set of Policy
Computer Policy

 GPO: Default Domain Policy
CSE: gp_cert_auto_enroll_ext
Policy Type: Auto Enrollment Policy
[ CA Certificate ] =
[ Auto Enrollment Server ] = <REDACTED DNS NAME>
[ Templates ] =
[ Machine ]

Issuing the `getcert list` command will display the installed certificates:

Number of certificates and requests being tracked: 1.
Request ID 'Machine':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
        certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
        CA: <My CA>
        issuer: CN=<My CA>
        subject: CN=<my hostname>
        expires: 2017-08-15 17:37:02 UTC
        dns: <my hostname>
        key usage: digitalSignature,keyEncipherment
        eku: id-kp-clientAuth,id-kp-serverAuth
        certificate template/profile: Machine
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes


Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.