Talk:Samba AD Smart Card Login
multiple domain controllers
There can (and actually should) be multiple domain controllers. In this case, each DC needs its own private key and certificate, because any of them can participate in the authentication process. So the procedure for creating the DC key and certificate should be repeated for each DC in turn, changing the set_dc_guid= parameter in openssl.cnf for each. Or this can be prompted for by openssl.
The HOWTO suggests setting a 20-year expiration time for the Root CA, but the example requests 10 years (3650 days).
It turned out that users in our domain did not have userPrincipalName attributes to begin with. And in the AD "Users and Computers" console in Windows 10, on the "Attribute Editor" page, there is no way to insert an attribute. I had to add UPNs manually using the samba-tool user edit command.
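As an added example (not from this wiki or the HOWTO): a small Python script that finds user accounts without a userPrincipalName in an ldbsearch LDIF dump and writes an LDIF modify that can be applied with ldbmodify against sam.ldb, instead of editing each user by hand with samba-tool user edit. The realm, the sample LDIF and the list of accounts to skip are constructed assumptions.

```python
"""Find AD users lacking userPrincipalName in an LDIF dump and emit an LDIF
modify that adds <sAMAccountName>@<realm>. Added example; realm, sample LDIF
and skip list are constructed assumptions, not data from the wiki."""
import base64

REALM = "ad.example.com"      # assumption: the Samba AD realm (UPN suffix)
SKIP = {"krbtgt", "guest"}     # assumption: built-in accounts left without a UPN

# Constructed sample resembling output of:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' \
#       sAMAccountName userPrincipalName
SAMPLE_LDIF = """\
dn: CN=Alice Adams,CN=Users,DC=ad,DC=example,DC=com
sAMAccountName: alice
userPrincipalName: alice@ad.example.com

dn: CN=Bob Brown,CN=Users,DC=ad,DC=example,DC=com
sAMAccountName: bob

dn: CN=krbtgt,CN=Users,DC=ad,DC=example,DC=com
sAMAccountName: krbtgt

# returned 3 records
"""

def parse_ldif(text):
    """Split LDIF into dicts (lower-cased attribute -> value); handles folded
    continuation lines, base64 ('::') values and comment lines."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                   # blank line terminates a record
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last:      # folded line continues last value
            current[last] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last = attr.strip().lower()
        if value.startswith(":"):             # base64-encoded attribute value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current[last] = value.strip()
    if current:
        entries.append(current)
    return entries

def missing_upn(entries):
    """Return (dn, sAMAccountName) for user entries that have no UPN,
    skipping computer accounts (trailing '$') and the SKIP list."""
    return [(e["dn"], e["samaccountname"]) for e in entries
            if "samaccountname" in e and "userprincipalname" not in e
            and not e["samaccountname"].endswith("$")
            and e["samaccountname"].lower() not in SKIP]

def upn_ldif(entries, realm=REALM):
    """Build LDIF 'changetype: modify' records for `ldbmodify -H sam.ldb`."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nadd: userPrincipalName\n"
                     f"userPrincipalName: {sam}@{realm}\n-\n"
                     for dn, sam in missing_upn(entries))

if __name__ == "__main__":
    print(upn_ldif(parse_ldif(SAMPLE_LDIF)))
```

Review the generated LDIF before applying it; accounts that intentionally carry no UPN belong in SKIP.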