Talk:Samba AD Smart Card Login
From SambaWiki
multiple domain controllers
There can (and actually should) be multiple domain controllers. In this case, the procedure should be repeated for each DC in turn, changing the set_dc_guid= parameter in openssl.cnf for each. Or openssl can ask for this.
expiration time
The HOWTO suggests setting a 20-year expiration time for the Root CA; the example requests 10 years (3650 days).
userPrincipalName
It turned out that users in our domain do not have userPrincipalName attributes to begin with. And in the AD "Users and Computers" configuration in Windows 10, on the "Attribute Editor" page, there's no way to insert an attribute. I had to add UPNs manually using the samba-tool user edit command.