From ad9fb6798e309f1da7b71a505ce789d965ea1275 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 10 May 2023 08:25:45 -0500
Subject: [PATCH] samba-dc: Omit tls cafile setting

The `tls cafile` setting in `smb.conf` is not necessary. It is used for verifying peer certificates for mutual TLS authentication, not to specify the intermediate certificate authority chain like I thought. The setting cannot simply be left out, though. If it is not specified, Samba will attempt to load a file from a built-in default path, which will fail, causing the server to crash. This is avoided by setting the value to the empty string.

---
 group_vars/samba-dc.yml | 1 -
 roles/samba-dc/templates/smb.conf.j2 | 4 +---
 2 files changed, 1 insertion(+), 4 deletions(-)

diff --git a/group_vars/samba-dc.yml b/group_vars/samba-dc.yml
index 906ebc4..6a61a0d 100644
--- a/group_vars/samba-dc.yml
+++ b/group_vars/samba-dc.yml
@@ -16,7 +16,6 @@ samba_shares:
 samba_tls_enabled: true
 samba_tls_keyfile: /etc/pki/tls/private/samba.key
 samba_tls_certfile: /etc/pki/tls/certs/samba.cer
-samba_tls_cafile: /etc/pki/tls/certs/samba-ca.crt

 collectd_processes:
 - name: samba
diff --git a/roles/samba-dc/templates/smb.conf.j2 b/roles/samba-dc/templates/smb.conf.j2
index b998db7..d915378 100644
--- a/roles/samba-dc/templates/smb.conf.j2
+++ b/roles/samba-dc/templates/smb.conf.j2
@@ -20,9 +20,7 @@
 tls enabled = yes
 tls keyfile = {{ samba_tls_keyfile }}
 tls certfile = {{ samba_tls_certfile }}
-{% if samba_tls_cafile is defined %}
- tls cafile = {{ samba_tls_cafile }}
-{% endif %}
+ tls cafile = {{ samba_tls_cafile|d('') }}
 {% endif %}

 [netlogon]
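Review bot: The reason `tls cafile` must be emitted as an empty string lives only in the commit message; in the template the new `tls cafile = {{ samba_tls_cafile|d('') }}` line reads like a leftover that a later cleanup would remove, which per the description makes Samba fail at startup. A Jinja comment above the line would keep that reasoning in the file: `{# tls cafile must be present but empty: if omitted, Samba tries a built-in default path that does not exist on these hosts #}`. With an empty CA file any peer-certificate verification Samba performs (the `tls verify peer` option is not in this hunk) has no trust anchors, and since the description says the intermediate chain does not belong here but the hunk does not show where it is delivered now, it is worth confirming that the file behind `tls certfile` carries the full chain. The enclosing `{% if %}` block opens before this hunk, and the first hunk only drops the `samba_tls_cafile` variable, so it needs no separate note.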