[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
L.P.H. van Belle
belle at bazuin.nl
Mon Jan 14 09:49:43 UTC 2019
Hai,
Thank you for sharing, this is very appreciated.
If I may, a few small suggestions to make it a little bit better to read/understand.
In this line:
samba-tool domain exportkeytab --principal=dehydrated-service@YOUR.DOMAIN /home/dehydrated/etc/dehydrated-service.keytab
@YOUR.DOMAIN could you change this to : @YOUR.REALM
Because of this (for example):
DNS domain = primary.dnsdomain.tld and REALM = YOUR.REALM. ( 2 different things here, don't mix them. )
YOUR.REALM is not the same as primary.dnsdomain.tld.
REALM domain = PRIMARY.DNSDOMAIN.TLD or better translated as : YOUR.REALM ( to keep some confusion away and in CAPS )
Even when (dnsdomain) primary.dnsdomain.tld has the same REALM DOMAIN PRIMARY.DNSDOMAIN.TLD ( == YOUR.REALM )
These are not the same things.
I suggest :
SAMBA_PRINCIPAL=dehydrated-service@YOUR.REALM
SAMBA_DOMAIN=primary.dnsdomain.tld
SAMBA_DNSSERVER=dc.${SAMBA_DOMAIN}
Since it's running on the DC you're updating.
You should be able to use :
SAMBA_DOMAIN=$(hostname -d)
SAMBA_DNSSERVER=$(hostname -f)
Keep REALM always in CAPS. Show the difference between the primary.dnsdomain.tld and REALMs.
And tip,
SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache
Create that one on ramdisk.
Greetz,
Louis
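The variable layout suggested above, written out as a small hook-configuration fragment. This is an added example, not code from the original post or from the dehydrated-samba-hook project: the realm, domain and hostnames are constructed sample values (on a real DC they would come from `hostname -d` / `hostname -f` and the Samba configuration), and the helper function names are my own.

```shell
#!/bin/sh
# Added example (not from the post or the dehydrated-samba-hook project):
# keep the Kerberos REALM and the DNS domain as two separate settings and
# make sure the principal always carries the realm in CAPS.

# Upper-case a realm name (Kerberos realms are conventionally written in CAPS).
normalize_realm() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Build "<service>@<REALM>" from a service account and a realm.
make_principal() {
    # $1 = service account name, $2 = realm (any case)
    printf '%s@%s' "$1" "$(normalize_realm "$2")"
}

# Return 0 when a principal has exactly one '@' and an all-caps realm part.
check_principal() {
    case "$1" in
        *@*@*|*@|@*) return 1 ;;   # several '@', or empty user/realm part
        *@*) ;;                    # exactly one '@'
        *) return 1 ;;             # no '@' at all
    esac
    cp_realm=${1#*@}
    [ "$cp_realm" = "$(normalize_realm "$cp_realm")" ]
}

# Assumption: the hook runs on the DC being updated, so on a real system
#   SAMBA_DOMAIN=$(hostname -d)
#   SAMBA_DNSSERVER=$(hostname -f)
# Constructed sample values stand in for them here so the script runs offline.
SAMBA_DOMAIN="primary.dnsdomain.tld"
SAMBA_DNSSERVER="dc.${SAMBA_DOMAIN}"

# The realm is its own setting. It is often the upper-cased DNS domain, but it
# does not have to be, so it is configured separately (placeholder value).
SAMBA_REALM=$(normalize_realm "your.realm")

SAMBA_PRINCIPAL=$(make_principal dehydrated-service "$SAMBA_REALM")

# Ticket cache: /home/dehydrated/tmp is expected to be a ramdisk (tmpfs) mount.
SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache

# Refuse to continue with a principal whose realm part is not in CAPS.
check_principal "$SAMBA_PRINCIPAL" || {
    echo "bad principal: $SAMBA_PRINCIPAL (realm must be in CAPS)" >&2
    exit 1
}

echo "principal:   $SAMBA_PRINCIPAL"
echo "dns domain:  $SAMBA_DOMAIN"
echo "dns server:  $SAMBA_DNSSERVER"
echo "ticket cache: $SAMBA_TICKETCACHE"
```

The point of keeping SAMBA_REALM apart from SAMBA_DOMAIN is that the keytab export and kinit need the Kerberos realm, while the DNS update needs the zone name and the DC's host name; the check only catches the common slip of writing the realm in lower case.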
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Jakob Lenfers via samba
> Sent: Monday 14 January 2019 9:49
> To: Rowland Penny; samba at lists.samba.org
> Subject: [Samba] dehydrated hook for LetsEncrypt certs and
> samba dns (was: samba-tool auth in scripts)
>
> On 11.01.19 at 11:17, Jakob Lenfers via samba wrote:
>
> > Yes, that worked. Thanks both of you!
>
> If anybody wants to use LetsEncrypt with Samba-DNS and dehydrated, you
> can check out my hook script:
> https://gitlab.bremen-social-sciences.de/it/dehydrated-samba-hook
>
> Best,
> Jakob
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>