OK - solved
Changed the content of:
/var/lib/samba/private/tls/cert.pem to contain the content of the *-cert.crt file in the key-certificate package form the zentyal CA
/var/lib/samba/private/tls/key.pem to contain the content of the *-private-key.pem file in the key-certificatepackage form the zentyal CA
/var/lib/samba/private/tls/ca.pem to empty (no content). The file somehow needs to exist otherwise the start of the zentyal samba service fails.
Edited
/usr/share/zentyal/stubs/samba/smb.conf.mas to include at the end:
tls enabled = yes
tls keyfile = tls/key.pem
tls certfile = tls/cert.pem
tls cafile =
Restart the zentyal samba service:
sudo zs samba stop
sudo zs samba stop
NOTE: Despite the empty setting for
tls cafile in
smb.config.mas, the start of the zentyal samba service fails if no
tls/ca.pem file exists. Having an empty
tls/ca.pem resolved this for me.