Talk:Samba AD Smart Card Login: Difference between revisions
Latest revision as of 14:28, 17 December 2022
== multiple domain controllers ==
There can (and actually should) be multiple domain controllers. In this case, each DC needs its own private key and certificate, because any of them can participate in the authentication process. So the procedure of creating the DC key and certificate should be repeated for each DC in turn, changing the set_dc_guid= parameter in openssl.cnf for each. Or openssl can prompt for it.
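As an added example (not from the HOWTO or the Samba project), a POSIX shell script that repeats the per-DC step described above: it renders one openssl.cnf per DC with that DC's GUID in the set_dc_guid= line and creates that DC's key and CSR. The template file name, the "NAME GUID" input format and looking the GUID up as the computer account's objectGUID with ldbsearch are assumptions.

```shell
#!/bin/sh
# Added example, not the HOWTO's own code. Assumes the HOWTO's openssl.cnf
# contains a line of the form "set_dc_guid=<guid>" (file name is an assumption).
set -eu

TEMPLATE=${TEMPLATE:-openssl.cnf}

# Print the template with its set_dc_guid= value replaced by $2.
# Usage: render_dc_cnf <template> <guid>
render_dc_cnf() {
    sed "s/^set_dc_guid=.*/set_dc_guid=$2/" "$1"
}

# Look up a DC's GUID (assumed here to be the objectGUID of its computer
# account in sam.ldb); needs to run on a Samba AD DC with access to sam.ldb.
dc_guid() {
    ldbsearch -H /var/lib/samba/private/sam.ldb \
        "(&(objectClass=computer)(cn=$1))" objectGUID \
        | sed -n 's/^objectGUID: //p'
}

# Read "NAME GUID" lines from stdin (GUID optional: looked up if missing) and
# create a per-DC config, private key and CSR for each DC in turn.
make_dc_requests() {
    while read -r name guid; do
        [ -n "$name" ] || continue
        guid=${guid:-$(dc_guid "$name")}
        render_dc_cnf "$TEMPLATE" "$guid" > "openssl-$name.cnf"
        openssl genrsa -out "$name.key.pem" 2048
        openssl req -new -config "openssl-$name.cnf" \
            -key "$name.key.pem" -out "$name.csr.pem"
    done
}
```

Pipe the DC list into make_dc_requests (for example `printf 'dc1\ndc2\n' | make_dc_requests`) and sign the resulting CSRs with the CA exactly as the HOWTO does for a single DC.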
== expiration time ==
The HOWTO suggests setting a 20-year expiration time for the Root CA, while the example requests 10 years (3650 days).
== userPrincipalName ==
It turned out that users in our domain do not have userPrincipalName attributes to begin with. And in the AD "Users and Computers" configuration in Windows 10, on the "Attribute Editor" page, there is no way to insert an attribute. I had to add UPNs manually using the samba-tool user edit command.