[Samba] samba-tool auth in scripts

Rowland Penny rpenny at samba.org
Thu Jan 10 13:09:01 UTC 2019

On Thu, 10 Jan 2019 11:42:46 +0100
Jakob Lenfers <lenfers at bigsss-bremen.de> wrote:

> On 09.01.19 at 14:01, Rowland Penny via samba wrote:
> > Try reading this:
> > 
> > https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> > 
> > It's for DHCP updating dns records, but it uses a dedicated user and
> > kerberos, so it should help you.
> That's exactly what I wanted, thanks. Just a little problem,
> "samba-tool [...] -k yes" after manual kinit works fine. If I want to
> use a special ticket cache as in your example, I cannot find an
> option in man samba-tool to supply that filename and the following
> command therefore fails (asking for password):
> | # init ticket if necessary
> | klist -c ~/tmp/ticket-cache -s || kinit -F -k -t ~/etc/dehydrated-service.keytab -c ~/tmp/ticket-cache dehydrated-service@MY.DOMAIN
> | # change records
> | samba-tool dns add barva.my.domain my.domain jakob-test TXT "TEEEST" -k yes

You don't ;-)
You do what the script should have done (I feel version 0.8.10 will
soon make an appearance), export the cache to use
<export KRB5CCNAME="/tmp/dhcp-dyndns.cc"> and then use '$KRB5CCNAME'
wherever '/tmp/dhcp-dyndns.cc' appears, except for:

kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc

Where all you need is:

kinit -F -k -t /etc/dhcpduser.keytab "${SETPRINCIPAL}"

I have updated my dhcp-dyndns.sh script to match the above and it
appears to be working without errors. If this continues for 24hrs the
wikipage will be updated.

As far as samba-tool is concerned, you will probably have to add
-Udehydrated-service to the command.
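
The approach described in this message, written out as an added example (it is not code from this thread or from the wiki's dhcp-dyndns.sh): export KRB5CCNAME once so that klist, kinit and samba-tool all use the same private cache, and refuse a keytab that other users can read. The function names, the permission checks and the default paths are assumptions made for illustration; the principal, host and zone reuse the placeholders from the question.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; paths and principal are
# the placeholders used in the thread and can be overridden from the environment.
KEYTAB="${KEYTAB:-$HOME/etc/dehydrated-service.keytab}"
PRINCIPAL="${PRINCIPAL:-dehydrated-service@MY.DOMAIN}"
CACHE_DIR="${CACHE_DIR:-$HOME/tmp}"

# A keytab is a long-term credential: reject it if group or other has any access.
keytab_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ldn -- "$1" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ]
}

# Export one cache location for every Kerberos-aware child process,
# inside a directory that only this user can enter.
use_private_ccache() {
    umask 077
    mkdir -p "$CACHE_DIR" && chmod 700 "$CACHE_DIR" || return 1
    KRB5CCNAME="$CACHE_DIR/ticket-cache"
    export KRB5CCNAME
}

# Request a ticket from the keytab only when the cache holds no valid one.
# No -c option is passed: klist and kinit both follow KRB5CCNAME.
ensure_ticket() {
    use_private_ccache || return 1
    klist -s && return 0
    keytab_is_private "$KEYTAB" || {
        echo "keytab missing or readable by others: $KEYTAB" >&2
        return 1
    }
    kinit -F -k -t "$KEYTAB" "$PRINCIPAL"
}

# Add a TXT record with the cached ticket. Arguments: server zone name text
add_txt_record() {
    ensure_ticket || return 1
    samba-tool dns add "$1" "$2" "$3" TXT "$4" -k yes
}

# Usage, with the names from the question:
#   add_txt_record barva.my.domain my.domain jakob-test "TEEEST"
```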

