[Samba] samba-tool auth in scripts
Rowland Penny
rpenny at samba.org
Thu Jan 10 14:18:00 UTC 2019
On Thu, 10 Jan 2019 14:38:11 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland Penny via samba
> > Sent: Thursday 10 January 2019 14:09
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] samba-tool auth in scripts
> >
> > On Thu, 10 Jan 2019 11:42:46 +0100
> > Jakob Lenfers <lenfers at bigsss-bremen.de> wrote:
> >
> > > On 09.01.19 at 14:01, Rowland Penny via samba wrote:
> > >
> > > > Try reading this:
> > > >
> > > > https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> > > >
> > > > It's for DHCP updating dns records, but it uses a dedicated user and
> > > > kerberos, so it should help you.
> > >
> > > That's exactly what I wanted, thanks. Just a little problem,
> > > "samba-tool [...] -k yes" after manual kinit works fine. If I want to
> > > use a special ticket cache as in your example, I cannot find an
> > > option in man samba-tool to supply that filename and the following
> > > command therefore fails (asking for password):
> > >
> > > | # init ticket if necessary
> > > | klist -c ~/tmp/ticket-cache -s || kinit -F -k -t ~/etc/dehydrated-service.keytab -c ~/tmp/ticket-cache dehydrated-service at MY.DOMAIN
> > > | # change records
> > > | samba-tool dns add barva.my.domain my.domain jakob-test TXT "TEEEST" -k yes
> > >
> >
> > You don't ;-)
> > You do what the script should have done (I feel version 0.8.10 will
> > soon make an appearance), export the cache to use <export
> > KRB5CCNAME="/tmp/dhcp-dyndns.cc"> and then use '$KRB5CCNAME'
> > wherever '/tmp/dhcp-dyndns.cc' appears, except for:
> >
> > kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc
> > "${SETPRINCIPAL}"
> >
> > Where all you need is:
> >
> > kinit -F -k -t /etc/dhcpduser.keytab "${SETPRINCIPAL}"
> >
> > I have updated my dhcp-dyndns.sh script to match the above and it
> > appears to be working without errors. If this continues for 24hrs
> > the wikipage will be updated.
> >
> > As far as samba-tool is concerned, you will probably have to add
> > -Udehydrated-service to the command.
>
>
> Hmm, that will miss the cache file also, maybe this works after the
> kinit:
>
> su - dehydrated-service -c "samba-tool dns add barva.my.domain
> my.domain jakob-test TXT 'TEEEST' -k yes"
>
> And don't forget to add this user to DNSAdmins Also.
>
If it was run from the command line, yes it wouldn't use the wanted
cache, but in a script you can set the cache to use.
This works for me:
export KRB5CCNAME="/tmp/dhcp-dyndns.cc"; kinit -F -k -t /etc/dhcpduser.keytab dhcpduser at SAMDOM.EXAMPLE.COM; samba-tool dns add dc4.samdom.example.com samdom.example.com devstation TXT 'TEEEST' -k yes
The above is all one line.
and results in:
Record added successfully
and this in AD:
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
wDataLength : 0x0007 (7)
wType : DNS_TYPE_TXT (16)
version : 0x05 (5)
rank : DNS_RANK_ZONE (240)
flags : 0x0000 (0)
dwSerial : 0x000009cc (2508)
dwTtlSeconds : 0x00000384 (900)
dwReserved : 0x00000000 (0)
dwTimeStamp : 0x00000000 (0)
data : union dnsRecordData(case 16)
txt : "TEEEST"
Rowland
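A script-friendly version of what the thread arrives at, added here as an example and not taken from the thread or from the Samba wiki's dhcp-dyndns.sh: the cache is selected by exporting KRB5CCNAME, the ticket is refreshed from the keytab only when klist -s reports it has lapsed, and the keytab's permissions are checked before anything else. Server, zone, keytab path and the dehydrated-service principal reuse the thread's placeholders; the KLIST/KINIT/SAMBA_TOOL variables and the `dns query` read-back are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: run samba-tool dns non-interactively
# with a dedicated service keytab and a private ticket cache, as the thread
# works out. Paths, server, zone and principal are placeholders.
set -eu

KEYTAB="${KEYTAB:-/etc/dehydrated-service.keytab}"       # placeholder path
PRINCIPAL="${PRINCIPAL:-dehydrated-service@MY.DOMAIN}"   # placeholder principal
DNS_SERVER="${DNS_SERVER:-barva.my.domain}"              # DC running the DNS server
ZONE="${ZONE:-my.domain}"

# External commands as variables so the script can be exercised with stubs.
KLIST="${KLIST:-klist}"
KINIT="${KINIT:-kinit}"
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# samba-tool has no option for a cache file; '-k yes' reads KRB5CCNAME, so the
# cache is selected by exporting it, not by passing 'kinit -c' alone.
export KRB5CCNAME="${KRB5CCNAME:-FILE:/tmp/dehydrated-dyndns.cc}"

# A keytab is equivalent to the service account's password: refuse to run if
# group or others can read it (POSIX 'ls -l' columns 5-10 are the g/o bits).
check_keytab() {
    [ -r "$1" ] || { echo "keytab $1 not readable" >&2; return 1; }
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "keytab $1 is group/world readable" >&2; return 1; }
}

# Reuse a still-valid ticket (klist -s: silent, exit 0 if the cache is valid),
# otherwise obtain one from the keytab. -F: non-forwardable, -k -t: use keytab.
ensure_ticket() {
    "$KLIST" -s 2>/dev/null && return 0
    "$KINIT" -F -k -t "$KEYTAB" "$PRINCIPAL"
}

# Add a TXT record, then read it back so a silent failure does not go unnoticed.
add_txt() {  # usage: add_txt NAME VALUE
    "$SAMBA_TOOL" dns add "$DNS_SERVER" "$ZONE" "$1" TXT "$2" -k yes
    "$SAMBA_TOOL" dns query "$DNS_SERVER" "$ZONE" "$1" TXT -k yes | grep -F -- "$2"
}

main() {
    check_keytab "$KEYTAB"
    ensure_ticket
    add_txt "$1" "$2"
}

if [ $# -ge 2 ]; then main "$@"; fi
```

Run as the service user from cron with `script.sh jakob-test TEEEST`; because the cache lives under the exported KRB5CCNAME, the `su -` detour from the thread is not needed.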