NethServer Version: 8
Module: Samba
Good evening.
I’m trying to set up NethServer 8 to act as domain controller and connect my mail server to it, but I’m having trouble with setting up LDAPS certificate.
Samba uses custom auto-generated certificate, is there some way to replace it? I would like to use a cert from my custom CA.
I’ve tried uploading it in TLS certificates, but I suspect these certs are only used by Traefik.
I never tried to do this, but you could follow a path like this:
- put the certificate files in the samba config volume,
- in the config volume also modify include.conf to load the custom certificates,
- restart the samba-dc container.
What would be the path to the config volume from the Samba container’s standpoint? Or is it the same?
config volume is mounted on container’s /etc/samba directory.
I've placed my certificates in /home/samba1/.local/share/containers/storage/volumes/config/_data/ and I've set the permissions similar to the other files in that dir:
ls /home/samba1/.local/share/containers/storage/volumes/config/_data/ -la
total 32
drwxr-xr-x. 3 samba1 samba1 145 Aug 28 10:48 .
drwx------. 3 samba1 samba1 19 Aug 28 09:43 ..
-rw-r--r--. 1 samba1 samba1 1403 Aug 28 09:36 dc1.mydomain.local.crt
-rw-r--r--. 1 samba1 samba1 1704 Aug 28 09:36 dc1.mydomain.local.key
-rw-r--r--. 1 samba1 samba1 8 Aug 7 2023 gdbcommands
-rw-r--r--. 1 samba1 samba1 212 Aug 28 10:45 include.conf
-rw-r--r--. 1 samba1 samba1 1260 Aug 28 10:46 smb.conf
-rw-r--r--. 1 samba1 samba1 8917 Apr 8 2024 smb.conf.distro
I can see the files inside the container, but something is wrong with the permissions:
/usr/local/bin/runagent -m samba1 podman exec samba-dc ls /etc/samba/ -la
ls: cannot access '/etc/samba/dc1.mydomain.local.crt': Permission denied
ls: cannot access '/etc/samba/dc1.mydomain.local.key': Permission denied
total 24
drwxr-xr-x. 3 root root 145 Aug 28 10:48 .
drwxr-xr-x. 1 root root 55 Jul 24 09:04 ..
-??? ? ? ? ? ? dc1.mydomain.local.crt
-??? ? ? ? ? ? dc1.mydomain.local.key
-rw-r--r--. 1 root root 8 Aug 7 2023 gdbcommands
-rw-r--r--. 1 root root 212 Aug 28 10:45 include.conf
-rw-r--r--. 1 root root 1260 Aug 28 10:46 smb.conf
-rw-r--r--. 1 root root 8917 Apr 8 2024 smb.conf.distro
The Samba server cannot read them:
TLS failed to initialise certfile /etc/samba/dc1.mydomain.local.crt and keyfile /etc/samba/dc1.mydomain.local.key - Error while reading file.
Ok, I’ve managed to get help from an LLM.
All you need to do to set permissions correctly is to run these commands:
yum install policycoreutils-python-utils
semanage fcontext -a -t container_file_t "/home/samba1/.local/share/containers/storage/volumes/config/_data/dc1.mydomain.local.*"
restorecon -v "/home/samba1/.local/share/containers/storage/volumes/config/_data/dc1.mydomain.local.*"
ls -Zla
While the permission issue was indeed caused by a bad SELinux label, the LLM advice you followed was misleading: you ended up changing the system’s default SELinux labeling policy, then used it to reset the labels.
That’s not necessary with Podman volumes: labels are managed automatically, unless files are moved into volumes by the host root user.
Suggested actions:
- Check for the presence of a custom policy with semanage fcontext -C -l and remove it.
- Avoid modifying files directly with the host root user; instead, operate from the container shell.
- Use chcon to fix individual files when needed.
Thank you for pointing this out, I’m not very familiar with SELinux.
I think I’ve managed to fix this mistake: sudo semanage fcontext -C -l shows an empty list and Samba starts without problems.
I often see procedures that directly modify volume contents under paths like /home/XXX1/.local/share/containers/storage/volumes/YYY/_data/… When this low-level approach is used, both ownership (chown) and SELinux labeling (chcon) issues must be considered.
That’s why, at least for text/config files, I prefer to enter the container shell and create files with cat, or install vi inside the container and edit them there. In other cases podman cp may be preferable.
I’m glad you managed to install a custom TLS certificate for Samba! If you have some time to donate, please share a short article in the Howto category!
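The procedure sketched earlier in the thread (put the certificate files in the config volume, extend include.conf, restart samba-dc) and the advice just above to go through the container rather than writing into the volume's _data directory as host root can be put together in one script. This is an added example, not code from the thread or from the NethServer project. It takes from the thread the module user samba1, the container name samba-dc, the config volume mounted at /etc/samba inside the container, and include.conf as the file that carries the extra settings. It assumes, and labels in comments, that smb.conf pulls include.conf in from the [global] section (so plain "tls ..." parameters can be appended to it), that runagent passes stdin through to the command it runs, and that the container's systemd user unit is also called samba-dc. The runagent, podman and systemctl calls are only reached when the script is given a certificate and key on the command line.

```shell
#!/bin/sh
# Added example: install a custom TLS certificate into the NS8 samba-dc
# container through podman cp / podman exec, never touching the volume's
# _data directory on the host, so Podman keeps ownership and SELinux labels
# consistent. Not part of the thread or of the NethServer project.
#
# From the thread: module user "samba1", container "samba-dc", config volume
# mounted at /etc/samba in the container, include.conf for extra settings.
# Assumptions: include.conf is included from [global] in smb.conf; runagent
# forwards stdin; the systemd user unit is named after the container.

MODULE_USER="${MODULE_USER:-samba1}"
CONTAINER="${CONTAINER:-samba-dc}"
RUNAGENT=/usr/local/bin/runagent

# Emit the Samba TLS parameters to append to include.conf. Arguments are
# paths as seen from inside the container; the CA file is optional.
render_tls_include() {
    printf '%s\n' "tls enabled = yes" \
                  "tls certfile = $1" \
                  "tls keyfile = $2"
    [ -n "$3" ] && printf '%s\n' "tls cafile = $3"
    return 0
}

# Sanity check before copying anything: the certificate must carry a
# CERTIFICATE block and the key a PRIVATE KEY block (PKCS#1 or PKCS#8).
pem_pair_ok() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$2" || return 1
    return 0
}

# Copy the files in, append the settings, restart. Everything goes through
# runagent, so it happens as the module user, not as host root (no chown,
# no chcon, no semanage needed afterwards).
install_samba_tls() {
    cert="$1"; key="$2"; ca="$3"
    pem_pair_ok "$cert" "$key" || { echo "refusing: not a PEM cert/key pair" >&2; return 1; }
    dst=/etc/samba
    "$RUNAGENT" -m "$MODULE_USER" podman cp "$cert" "$CONTAINER:$dst/$(basename "$cert")"
    "$RUNAGENT" -m "$MODULE_USER" podman cp "$key"  "$CONTAINER:$dst/$(basename "$key")"
    ca_in=""
    if [ -n "$ca" ]; then
        "$RUNAGENT" -m "$MODULE_USER" podman cp "$ca" "$CONTAINER:$dst/$(basename "$ca")"
        ca_in="$dst/$(basename "$ca")"
    fi
    # The private key only needs to be readable by root inside the container.
    "$RUNAGENT" -m "$MODULE_USER" podman exec "$CONTAINER" chmod 600 "$dst/$(basename "$key")"
    # Append from inside the container, the same idea as "cat" in the container shell.
    # Assumes runagent forwards stdin to podman exec -i.
    render_tls_include "$dst/$(basename "$cert")" "$dst/$(basename "$key")" "$ca_in" \
        | "$RUNAGENT" -m "$MODULE_USER" podman exec -i "$CONTAINER" sh -c 'cat >> /etc/samba/include.conf'
    # Assumed unit name (same as the container); see header comment.
    "$RUNAGENT" -m "$MODULE_USER" systemctl --user restart "$CONTAINER"
    # Confirm the files are readable from the container's point of view
    # (the thread's "-??? ? ? ?" listing is what a bad SELinux label looks like).
    "$RUNAGENT" -m "$MODULE_USER" podman exec "$CONTAINER" ls -la /etc/samba
}

# Usage on the NS8 node, as root:
#   sh samba-tls.sh dc1.mydomain.local.crt dc1.mydomain.local.key [ca.crt]
if [ -n "$1" ] && [ -n "$2" ]; then
    install_samba_tls "$1" "$2" "$3"
fi
```

If a custom fcontext rule was added earlier, as in the thread, remove it first (sudo semanage fcontext -C -l should come back empty); otherwise the volume files keep getting relabeled by a policy that Podman does not expect.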
It’s done.