Samba LDAP certificate expired

NethServer Version: 8
Module: samba

When trying to authenticate an external service against the AD LDAP service, I noticed that the presented certificate has been expired for a long time.

# openssl s_client -showcerts -connect x.x.x.x:636

Connecting to y.y.y.y
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 O=Samba Administration, OU=Samba - temporary autogenerated HOST certificate, CN=NSDC-HOMESB8496.xx.xx.xx
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O=Samba Administration, OU=Samba - temporary autogenerated HOST certificate, CN=NSDC-HOMESB8496.xx.xx.xx
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 O=Samba Administration, OU=Samba - temporary autogenerated HOST certificate, CN=NSDC-HOMESB8496.xx.xx.xx
verify error:num=10:certificate has expired
notAfter=Nov  6 08:43:11 2021 GMT
verify return:1
depth=0 O=Samba Administration, OU=Samba - temporary autogenerated HOST certificate, CN=NSDC-HOMESB8496.xx.xx.xx
notAfter=Nov  6 08:43:11 2021 GMT
verify return:1
---
Certificate chain
 0 s:O=Samba Administration, OU=Samba - temporary autogenerated HOST certificate, CN=NSDC-HOMESB8496.xx.xx.xx
   i:O=Samba Administration, OU=Samba - temporary autogenerated CA certificate, CN=NSDC-HOMESB8496.xx.xx.xx
   a:PKEY: RSA, 4096 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Dec  7 08:43:11 2019 GMT; NotAfter: Nov  6 08:43:11 2021 GMT
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=O=Samba Administration, OU=Samba - temporary autogenerated HOST certificate, CN=NSDC-HOMESB8496.xx.xx.xx
issuer=O=Samba Administration, OU=Samba - temporary autogenerated CA certificate, CN=NSDC-HOMESB8496.xx.xx.xx
---
Acceptable client certificate CA names
O=Samba Administration, OU=Samba - temporary autogenerated CA certificate, CN=NSDC-HOMESB8496.xx.xx.xx
Requested Signature Algorithms: RSA+SHA256:rsa_pss_pss_sha256:RSA-PSS+SHA256:ECDSA+SHA256:ed25519:RSA+SHA384:rsa_pss_pss_sha384:RSA-PSS+SHA384:ECDSA+SHA384:ed448:RSA+SHA512:rsa_pss_pss_sha512:RSA-PSS+SHA512:ECDSA+SHA512:UNDEF:UNDEF
Shared Requested Signature Algorithms: RSA+SHA256:rsa_pss_pss_sha256:RSA-PSS+SHA256:ECDSA+SHA256:ed25519:RSA+SHA384:rsa_pss_pss_sha384:RSA-PSS+SHA384:ECDSA+SHA384:ed448:RSA+SHA512:rsa_pss_pss_sha512:RSA-PSS+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: rsa_pss_rsae_sha256
Peer Temp Key: X25519, 253 bits
---
SSL handshake has read 2496 bytes and written 415 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 4096 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
closed

(It is a server instance migrated from NS7; probably the autogenerated certificate is still a certificate from NS7? Not sure.)

In addition there are a lot of decryption errors in /var/log/messages

Feb 13 19:43:38 ns8-host samba-dc[2720]: Auth: [LDAP,simple bind/TLS] user [HOME]\[ldapservice@xx.xx.xx] at [Fri, 13 Feb 2026 19:43:38.405649 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-HOMESB8496] remote host [ipv4:y.y.y.y:42712] became [HOME]\[ldapservice] [S-1-5-21-1960968967-3681124264-3238789705-1103]. local host [ipv4:y.y.y.y:636]
Feb 13 19:43:38 ns8-host ldapproxy[2522]: 2026/02/13 19:43:38 [info] 26#26: *4870561 client disconnected, bytes from/to client:159/278, bytes from/to upstream:278/159
Feb 13 19:43:38 ns8-host ldapproxy[2522]: 2026/02/13 19:43:38 [info] 26#26: *4870563 client 127.0.0.1:51246 connected to 127.0.0.1:20001
Feb 13 19:43:38 ns8-host ldapproxy[2522]: 2026/02/13 19:43:38 [info] 26#26: *4870563 proxy y.y.y.y:42714 connected to y.y.y.y:636
Feb 13 19:43:38 ns8-host samba-dc[2720]: Auth: [LDAP,simple bind/TLS] user [HOME]\[ldapservice@xx.xx.xx] at [Fri, 13 Feb 2026 19:43:38.466259 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-HOMESB8496] remote host [ipv4:y.y.y.y:42714] became [HOME]\[ldapservice] [S-1-5-21-1960968967-3681124264-3238789705-1103]. local host [ipv4:y.y.y.y:636]
Feb 13 19:43:38 ns8-host ldapproxy[2522]: 2026/02/13 19:43:38 [info] 26#26: *4870563 client disconnected, bytes from/to client:239/402, bytes from/to upstream:402/239
Feb 13 19:43:38 ns8-host samba-dc[2720]: Auth: [LDAP,simple bind/TLS] user [(null)]\[cn=ldapservice,dc=directory,dc=nh] at [Fri, 13 Feb 2026 19:43:38.754695 UTC] with [Plaintext] status [NT_STATUS_NO_SUCH_USER] workstation [NSDC-HOMESB8496] remote host [ipv4:10.0.1.12:53326] mapped to [(null)]\[(null)]. local host [ipv4:y.y.y.y:389]
Feb 13 19:43:38 ns8-host samba-dc[2720]: Auth: [LDAP,simple bind/TLS] user [HOME]\[ldapservice@xx.xx.xx] at [Fri, 13 Feb 2026 19:43:38.861785 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-HOMESB8496] remote host [ipv4:y.y.y.y:56468] became [HOME]\[ldapservice] [S-1-5-21-1960968967-3681124264-3238789705-1103]. local host [ipv4:y.y.y.y:636]
Feb 13 19:43:38 ns8-host samba-dc[2720]: TLS source4/lib/tls/tls_tstream.c:1449 - Decryption has failed.
Feb 13 19:43:38 ns8-host samba-dc[2720]: TLS source4/lib/tls/tls_tstream.c:1449 - Decryption has failed.
Feb 13 19:43:39 ns8-host samba-dc[2720]: TLS source4/lib/tls/tls_tstream.c:1449 - Decryption has failed.
Feb 13 19:43:39 ns8-host samba-dc[2720]: Auth: [LDAP,simple bind/TLS] user [HOME]\[CN=USER1,CN=Users,DC=ad,DC=home,DC=lan] at [Fri, 13 Feb 2026 19:43:39.033551 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-HOMESB8496] remote host [ipv4:y.y.y.y:56468] became [HOME]\[USER1] [S-1-5-21-1960968967-3681124264-3238789705-1107]. local host [ipv4:y.y.y.y:636]
Feb 13 19:43:39 ns8-host samba-dc[2720]: TLS source4/lib/tls/tls_tstream.c:1449 - Decryption has failed.
Feb 13 19:43:39 ns8-host samba-dc[2720]: TLS source4/lib/tls/tls_tstream.c:1449 - Decryption has failed.
Feb 13 19:43:39 ns8-host samba-dc[2720]: TLS source4/lib/tls/tls_tstream.c:1449 - Decryption has failed.
Feb 13 19:43:39 ns8-host ldapproxy[2522]: 2026/02/13 19:43:39 [info] 26#26: *4870565 client 127.0.0.1:51254 connected to 127.0.0.1:20001
Feb 13 19:43:39 ns8-host ldapproxy[2522]: 2026/02/13 19:43:39 [info] 26#26: *4870565 proxy y.y.y.y:42722 connected to y.y.y.y:636
Feb 13 19:43:39 ns8-host samba-dc[2720]: Auth: [LDAP,simple bind/TLS] user [HOME]\[ldapservice@xx.xx.xx] at [Fri, 13 Feb 2026 19:43:39.249473 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-HOMESB8496] remote host [ipv4:y.y.y.y:42722] became [HOME]\[ldapservice] [S-1-5-21-1960968967-3681124264-3238789705-1103]. local host [ipv4:y.y.y.y:636]
Feb 13 19:43:39 ns8-host ldapproxy[2522]: 2026/02/13 19:43:39 [info] 26#26: *4870565 client disconnected, bytes from/to client:158/277, bytes from/to upstream:277/158
Feb 13 19:43:39 ns8-host ldapproxy[2522]: 2026/02/13 19:43:39 [info] 26#26: *4870567 client 127.0.0.1:51264 connected to 127.0.0.1:20001
Feb 13 19:43:39 ns8-host ldapproxy[2522]: 2026/02/13 19:43:39 [info] 26#26: *4870567 proxy y.y.y.y:42724 connected to y.y.y.y:636
Feb 13 19:43:39 ns8-host samba-dc[2720]: Auth: [LDAP,simple bind/TLS] user [HOME]\[ldapservice@xx.xx.xx] at [Fri, 13 Feb 2026 19:43:39.293483 UTC] with [Plaintext] status [NT_STATUS_OK] workstation [NSDC-HOMESB8496] remote host [ipv4:y.y.y.y:42724] became [HOME]\[ldapservice] [S-1-5-21-1960968967-3681124264-3238789705-1103]. local host [ipv4:y.y.y.y:636]
Feb 13 19:43:39 ns8-host ldapproxy[2522]: 2026/02/13 19:43:39 [info] 26#26: *4870567 client disconnected, bytes from/to client:238/414, bytes from/to upstream:414/238

It seems this is related to the expired certificate, but I'm not sure?

I saw the HowTo on installation of a custom certificate; however, I'm uncertain:

  • Do I really need to install a custom certificate to get a new, currently valid certificate for AD LDAP access? Is this the right procedure for this issue?
  • Or is there a way to generate a new "auto-generated" certificate for Samba for LDAP access?
  • Is there, or will there be, any mechanism foreseen in NS8 to update this certificate automatically?

Thanks for any hint.

Which samba core app version is installed? You can check it in Software Center/Core applications.

With the upgrade to Samba 3.4.2 the certificate should be renewed automatically. Before that, the certificate was created on the first start of Samba and never renewed.
I couldn't reproduce it; even on a system migrated from NS7 the certificate was renewed.

Does it help to restart Samba?

runagent -m samba1 systemctl --user restart samba-dc

This error can be ignored; it also occurs when the certificate is not expired.

I had still Samba 3.4.1, now upgraded to v3.4.2, and the certificate renewed automatically.

Thanks a lot for that!

Regarding the certificate, just a question: why is the certificate issued for .ns8.test?

---
Certificate chain
 0 s:CN=host-22982.ns8.test
   i:CN=host-22982.ns8.test
   a:PKEY: RSA, 4096 (bit); sigalg: sha256WithRSAEncryption
   v:NotBefore: Apr 27 15:22:36 2025 GMT; NotAfter: Apr 25 15:22:36 2035 GMT
.....
---
Server certificate
subject=CN=host-22982.ns8.test
issuer=CN=host-22982.ns8.test

and why is it valid for a few (internal) IP addresses, which I'm not sure where they are coming from?

When attempting LDAP access from another traefik proxy with the auth_ldap module, the following error is logged (where xx.xx.xx.xx is the actual NS8 server IP, xx.xx.xx.IP1 is a dynamic IP and xx.xx.xx.IP2 are IPs from mobile hosts used for mail access, not all of which are currently active).

Attempt 1/1: LDAP Result Code 200 “Network Error”: tls: failed to verify certificate: x509: certificate
is valid for 127.0.0.1, ::1, <xx.xx.xx.IP1>, <IPv6_IP1>, <IPv6_IP2>, <xx.xx.xx.IP2>, <IPv6_IP>, <IPv6_IP>, not <xx.xx.xx.xx>

Does this mean that when I want to connect to AD via LDAP I would still need a custom certificate installed in the Samba module?

I would only need LDAP authentication from a different traefik proxy (reusing the user database from NS8 and using the auth_ldap module from traefik). Even nicer would be if the internal NS8 traefik proxy could be configured to authenticate against the NS8 internal AD for specific HTTP/HTTPS routes configured in NS8 traefik.

Thanks.

Maybe this thread helps?

1 Like

As Samba isn't a service that's used publicly, in most cases a self-signed certificate is used and the clients are set up to ignore that if necessary.
For traefik that would mean setting the insecureSkipVerify option; see Traefik HTTP Documentation - Traefik or LDAP Authentication | Traefik Hub Documentation.

If you really need a valid certificate, you can either upload one or use a Let's Encrypt certificate by requesting it on the TLS certificates page for the Samba DC hostname, which is shown on the file server page.

To get the samba DC hostname on CLI:

runagent -m samba1 podman exec samba-dc hostname

This is the default traefik self-signed cert and it includes the IPs of localhost and the host itself.

This sounds like a feature request.
So there should be, for example, an HTTP authentication for a specific HTTP route that allows the connection for Samba users only?

1 Like
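The three failure modes discussed in this thread (the expired NS7-era certificate in the first post, the "certificate is valid for 127.0.0.1, ::1, ... not xx.xx.xx.xx" error from the traefik auth_ldap module, and the insecureSkipVerify workaround suggested above) are all decisions made by the client's X.509 verifier, and traefik and go-ldap use Go's. The program below is an added example written for this page; it is not code from the thread, from NethServer, Samba or Traefik. It constructs two in-memory self-signed certificates (the validity window of the first one is copied from the openssl output above; the hostname nsdc.example.lan, the address 192.0.2.10 and the loopback-only IP SANs are assumptions) and runs them through the same checks a Go LDAPS client performs, so you can see which error each situation produces at the client before touching the DC. The last function shows the alternative to insecureSkipVerify: keep verification on and pin the DC's own self-signed certificate, fetched once with `openssl s_client -showcerts` and inspected, as the only trust anchor.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewSelfSignedHostCert builds a constructed, in-memory self-signed certificate with
// the given CN and IP SANs so the checks below run offline (no DC is contacted).
func NewSelfSignedHostCert(cn string, ips []net.IP, notBefore, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		IPAddresses:           ips,
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-issued, like the host-22982.ns8.test cert in the thread
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// LoopbackIPs mirrors the IP SANs of the default self-signed cert: localhost only (assumed).
func LoopbackIPs() []net.IP { return []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")} }

// PoolOf returns a trust store containing exactly the given certificates.
func PoolOf(certs ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return pool
}

// CertCheck is what an LDAPS client needs to know before it binds.
type CertCheck struct {
	DaysLeft     int    // negative once NotAfter has passed
	Expired      bool
	NameMismatch bool   // Go's "certificate is valid for X, not Y" error class
	Err          string // empty when the certificate verifies for target
}

// CheckServerCert verifies cert exactly as a Go client (traefik, go-ldap) connecting
// to target (DNS name or IP literal) would, trusting only roots, evaluated at now.
func CheckServerCert(cert *x509.Certificate, target string, roots *x509.CertPool, now time.Time) CertCheck {
	res := CertCheck{
		DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24),
		Expired:  now.After(cert.NotAfter),
	}
	_, err := cert.Verify(x509.VerifyOptions{DNSName: target, Roots: roots, CurrentTime: now})
	if err != nil {
		res.Err = err.Error()
		var he x509.HostnameError
		res.NameMismatch = errors.As(err, &he)
	}
	return res
}

// PinnedTLSConfig is the alternative to InsecureSkipVerify: trust only the DC's own
// certificate, fetched and inspected out of band, with hostname checks left on.
func PinnedTLSConfig(dcCert *x509.Certificate, serverName string) *tls.Config {
	return &tls.Config{RootCAs: PoolOf(dcCert), ServerName: serverName, MinVersion: tls.VersionTLS12}
}

func main() {
	now := time.Date(2026, 2, 13, 19, 43, 38, 0, time.UTC) // timestamp of the log in the thread
	// 1. Certificate carried over from NS7: validity window copied from the first post.
	old := NewSelfSignedHostCert("nsdc.example.lan", LoopbackIPs(),
		time.Date(2019, 12, 7, 8, 43, 11, 0, time.UTC), time.Date(2021, 11, 6, 8, 43, 11, 0, time.UTC))
	fmt.Printf("expired:  %+v\n", CheckServerCert(old, "127.0.0.1", PoolOf(old), now))
	// 2. Renewed cert, valid for loopback only, reached via an assumed LAN address.
	fresh := NewSelfSignedHostCert("host-22982.ns8.test", LoopbackIPs(), now.AddDate(0, 0, -1), now.AddDate(10, 0, 0))
	fmt.Printf("mismatch: %+v\n", CheckServerCert(fresh, "192.0.2.10", PoolOf(fresh), now))
	fmt.Printf("pinned:   %+v\n", CheckServerCert(fresh, "host-22982.ns8.test", PoolOf(fresh), now))
}
```

The order of the checks matters when reading client logs: Go rejects an expired certificate before it looks at names, so an expired DC certificate never produces the "valid for ..., not ..." message, and a freshly renewed loopback-only certificate produces it for every client that is not on the DC host itself. A pinned trust store avoids both the blanket insecureSkipVerify and the need for a publicly trusted certificate, but it has to be refreshed whenever the DC certificate is renewed, which is exactly what the Samba 3.4.2 module now does automatically.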

Many thanks, I managed to get it to work with the insecureSkipVerify option.

Regarding the feature request:

Yes, this would be the idea, for web applications which do not support authentication, or to base the authentication for external applications on the NS8 user base.

2 Likes