Installing custom LDAPS certificate for Samba

Hello all.
Today I would like to share how you can configure Samba to use your custom certificate for LDAPS.
First, we must place the .crt and .key files into the container.
Use the following command to enter the container environment (adjust it if your Samba instance number is different):
sudo /usr/local/bin/runagent -m samba1 podman exec -it samba-dc /bin/bash

Check that your shell prompt has changed to root@dc1.
Then you can use cat to write each cert's contents into a file:

  1. Type cat > /etc/samba/cert.key << EOF and press Enter
  2. Paste the contents of your key file and press Enter to add another new line
  3. Type EOF and press Enter

A new /etc/samba/cert.key file should be created.

Repeat this operation for the .crt file.
Now we must set permissions for the .key file, otherwise Samba will refuse to use it.

chmod 0600 /etc/samba/cert.key

You can check the permissions and whether your files have the correct SELinux settings:

ls -laZ /etc/samba/

total 32
drwxr-xr-x. 3 root root system_u:object_r:container_file_t:s0           145 Aug 28 12:37 .
drwxr-xr-x. 1 root root system_u:object_r:container_file_t:s0:c26,c233   55 Jul 24 09:04 ..
-rw-r--r--. 1 root root unconfined_u:object_r:container_file_t:s0      1403 Aug 28 09:36 cert.local.crt
-rw-------. 1 root root unconfined_u:object_r:container_file_t:s0      1704 Aug 28 09:36 cert.key
-rw-r--r--. 1 root root unconfined_u:object_r:container_file_t:s0         8 Aug  7  2023 gdbcommands
-rw-r--r--. 1 root root unconfined_u:object_r:container_file_t:s0       201 Aug 28 12:37 include.conf
-rw-r--r--. 1 root root system_u:object_r:container_file_t:s0          1260 Aug 28 15:33 smb.conf
-rw-r--r--. 1 root root unconfined_u:object_r:container_file_t:s0      8917 Apr  8  2024 smb.conf.distro

From the container's point of view the files are owned by root, but in a system-wide context the owner will be your container user. The SELinux setting should be like this: unconfined_u:object_r:container_file_t:s0

If it's not, exit the container, then use sudo chcon -R -t container_file_t /home/samba1/.local/share/containers/storage/volumes/config/_data/

Now that the files are in place, we can edit the include.conf file. It is easier to do this from outside the container, so exit it.

sudo nano /home/samba1/.local/share/containers/storage/volumes/config/_data/include.conf

Add the following lines:
tls enabled = yes
tls keyfile = /etc/samba/cert.key
tls certfile = /etc/samba/cert.crt

Restart your Samba container:

sudo /usr/local/bin/runagent -m samba1 podman restart samba-dc

You can check whether the SSL cert is being used by running this command:
openssl s_client -showcerts -connect dc.mydomain.local:636

3 Likes
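The procedure above, automated as a host-side helper script. This is an added example, not code from the original post or from the Samba or NethServer projects. It assumes the layout the post shows: the container's /etc/samba is the podman volume under /home/<instance>/.local/share/containers/storage/volumes/config/_data, the container is managed through /usr/local/bin/runagent -m <instance>, and the host user that owns the rootless container is named after the instance (samba1). It installs the files as cert.crt and cert.key, the names the include.conf lines reference, and adds three checks the post leaves to the reader: that the certificate and key actually belong together, that the TLS lines are not appended twice, and that the certificate served on port 636 after the restart is the one you installed.

```shell
#!/bin/sh
# Added example (not from the original post): host-side helper for installing a
# custom LDAPS certificate into a Samba DC container and verifying the result.
# Assumptions: the config volume path and runagent invocation from the post, and
# a host user named like the instance (e.g. samba1) that owns the rootless container.
set -eu

# Return 0 if the PEM certificate and private key carry the same public key.
cert_matches_key() {
    crt="$1"; key="$2"
    a=$(openssl x509 -noout -pubkey -in "$crt") || return 1
    b=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$a" = "$b" ]
}

# Samba refuses a readable-by-others key: force 0600 and print the resulting mode string.
ensure_key_mode() {
    chmod 0600 "$1"
    ls -ld "$1" | cut -c1-10      # prints -rw-------
}

# The three lines the post adds to include.conf, for the given container-side paths.
tls_include_fragment() {
    printf 'tls enabled = yes\ntls keyfile = %s\ntls certfile = %s\n' "$1" "$2"
}

# Append the TLS settings only if include.conf does not already have them (idempotent).
append_tls_config() {
    conf="$1"; key="$2"; crt="$3"
    if grep -q '^tls enabled' "$conf" 2>/dev/null; then
        return 0
    fi
    tls_include_fragment "$key" "$crt" >> "$conf"
}

# Compare the SHA-256 fingerprint served on port 636 with the file we installed,
# instead of eyeballing the s_client output.
served_cert_matches() {
    host="$1"; crt="$2"
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$crt")
    got=$(openssl s_client -connect "$host:636" -showcerts </dev/null 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256)
    [ "$want" = "$got" ]
}

main() {
    instance="$1"; crt="$2"; key="$3"; host="$4"
    vol="/home/$instance/.local/share/containers/storage/volumes/config/_data"
    cert_matches_key "$crt" "$key" || { echo "certificate and key do not match" >&2; exit 1; }
    # Own the files as the container user: inside the rootless container that uid is root,
    # whereas a host-root-owned 0600 key would be unreadable for the DC (assumption: user = instance).
    install -m 0644 -o "$instance" "$crt" "$vol/cert.crt"
    install -m 0600 -o "$instance" "$key" "$vol/cert.key"
    ensure_key_mode "$vol/cert.key" >/dev/null
    if command -v chcon >/dev/null 2>&1; then   # SELinux hosts only; Debian usually skips this
        chcon -t container_file_t "$vol/cert.crt" "$vol/cert.key"
    fi
    append_tls_config "$vol/include.conf" /etc/samba/cert.key /etc/samba/cert.crt
    /usr/local/bin/runagent -m "$instance" podman restart samba-dc
    sleep 5   # give the DC a moment to come back before probing port 636
    served_cert_matches "$host" "$crt" && echo "LDAPS on $host now serves $crt"
}

# Run the installation only when called with arguments; sourcing the file just defines the helpers.
if [ $# -ge 4 ]; then
    main "$@"
fi
```

Run it on the host as root, for example: sudo sh install-samba-tls.sh samba1 /root/cert.crt /root/cert.key dc.mydomain.local. The fingerprint comparison at the end is the check that matters: if the container restarted but the old self-signed certificate is still served, the TLS lines did not land in the configuration Samba reads, or the key file was unreadable for the DC.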

Thank you for this great how-to, RTechSn!

I just noticed this:

This package isn't required for chcon to run, because it's a command already provided by the coreutils RPM, so it should always be installed on Rocky Linux.

Debian users usually do not have SELinux enabled, and they can skip that part.

1 Like

That's strange. I'm running Rocky Linux 9.5 and this command was not present until I installed policycoreutils.
Another thing I've noticed: I have to call runagent by its full path: /usr/local/bin/runagent.
I suspect something’s wrong with my $PATH when I’m running sudo. I didn’t do anything unusual during install.

[admin@neth1 ~]$ echo $PATH
/home/admin/.local/bin:/home/admin/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
[admin@neth1 ~]$ sudo echo $PATH
/home/admin/.local/bin:/home/admin/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin
[admin@neth1 ~]$ sudo runagent
sudo: runagent: command not found

Seems ok..

Enter a root login shell to ensure PATH is properly set:

sudo su -
1 Like