[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)

L.P.H. van Belle belle at bazuin.nl
Mon Jan 14 09:49:43 UTC 2019


Hi,

Thank you for sharing this, very much appreciated.

If I may, a few small suggestions to make it a little bit easier to read/understand.

In this line:
samba-tool domain exportkeytab --principal=dehydrated-service@YOUR.DOMAIN /home/dehydrated/etc/dehydrated-service.keytab
could you change @YOUR.DOMAIN to @YOUR.REALM?

Because of this (for example):
DNS domain = primary.dnsdomain.tld, and REALM = YOUR.REALM (two different things here, don't mix them).

YOUR.REALM is not the same as primary.dnsdomain.tld.
REALM domain = PRIMARY.DNSDOMAIN.TLD, or better written as YOUR.REALM (to keep some confusion away, and in CAPS).

Even when the DNS domain primary.dnsdomain.tld has the same name as the REALM PRIMARY.DNSDOMAIN.TLD (== YOUR.REALM),
these are not the same things.

I suggest:
SAMBA_PRINCIPAL=dehydrated-service@YOUR.REALM
SAMBA_DOMAIN=primary.dnsdomain.tld
SAMBA_DNSSERVER=dc.${SAMBA_DOMAIN}

Since it's running on the DC you're updating, you should be able to use:
SAMBA_DOMAIN=$(hostname -d)
SAMBA_DNSSERVER=$(hostname -f)


Keep the REALM always in CAPS. Show the difference between primary.dnsdomain.tld and the REALM.
And a tip:

SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache
Create that one on a ramdisk.


Greetz, 

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Jakob Lenfers via samba
> Sent: Monday 14 January 2019 9:49
> To: Rowland Penny; samba at lists.samba.org
> Subject: [Samba] dehydrated hook for LetsEncrypt certs and
> samba dns (was: samba-tool auth in scripts)
> 
> On 11.01.19 at 11:17, Jakob Lenfers via samba wrote:
> 
> > Yes, that worked. Thanks both of you!
> 
> If anybody wants to use LetsEncrypt with Samba-DNS and dehydrated, you
> can check out my hook script:
> https://gitlab.bremen-social-sciences.de/it/dehydrated-samba-hook
> 
> Best,
> Jakob
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
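As an added example (my own sketch, not Jakob's hook script from the link above and not code Louis posted), here is how the separate REALM/DNS-domain variables, the keytab, and a ticket cache on tmpfs fit together in a dehydrated DNS hook that runs on the DC itself. Assumptions, none of which the thread states: the keytab path from the thread, /dev/shm as the ramdisk, dehydrated's deploy_challenge/clean_challenge calling convention (DOMAIN TOKEN_FILENAME TOKEN_VALUE, repeated per name), and a samba-tool that accepts "-k yes" (recent versions use --use-kerberos=required instead). DRY_RUN=1 prints the samba-tool commands instead of running them.

```shell
#!/usr/bin/env bash
# Hypothetical dehydrated hook for Samba AD DNS (added example, not the hook
# from the thread). Assumes it runs on the DC it updates and that the keytab
# was exported with "samba-tool domain exportkeytab".
set -eu

# The Kerberos realm is conventionally the DNS domain in upper case, but it is
# a separate setting, so derive it explicitly and keep it in its own variable.
to_realm() { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }

# Defaults come from the host we run on; every value can be overridden via env.
SAMBA_DOMAIN="${SAMBA_DOMAIN:-$(hostname -d 2>/dev/null || true)}"
SAMBA_DNSSERVER="${SAMBA_DNSSERVER:-$(hostname -f 2>/dev/null || true)}"
SAMBA_REALM="${SAMBA_REALM:-$(to_realm "$SAMBA_DOMAIN")}"
SAMBA_PRINCIPAL="${SAMBA_PRINCIPAL:-dehydrated-service@$SAMBA_REALM}"
SAMBA_KEYTAB="${SAMBA_KEYTAB:-/home/dehydrated/etc/dehydrated-service.keytab}"
# Assumed tmpfs location: the ticket cache then never touches persistent disk.
SAMBA_TICKETCACHE="${SAMBA_TICKETCACHE:-/dev/shm/dehydrated/ticket-cache}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print samba-tool commands instead of running them

# Refuse principals that are not name@REALM with the realm in caps, which is
# the mistake the thread is about (a DNS domain pasted where a realm belongs).
check_principal() {
  local p="$1" realm="${1##*@}"
  case "$p" in *@*) ;; *) return 1 ;; esac
  [ -n "$realm" ] && [ "$realm" = "$(to_realm "$realm")" ]
}

# Name of the challenge record relative to the zone, e.g.
# host.primary.dnsdomain.tld in zone primary.dnsdomain.tld -> _acme-challenge.host
record_name() {
  local fqdn="$1" zone="$2"
  if [ "$fqdn" = "$zone" ]; then
    printf '_acme-challenge\n'
  else
    printf '_acme-challenge.%s\n' "${fqdn%".$zone"}"
  fi
}

# $1 = add|delete, $2 = record name, $3 = TXT value.
# "-k yes" tells samba-tool to use the Kerberos ticket in KRB5CCNAME.
samba_dns() {
  set -- dns "$1" "$SAMBA_DNSSERVER" "$SAMBA_DOMAIN" "$2" TXT "$3" -k yes
  if [ "$DRY_RUN" = 1 ]; then
    printf 'samba-tool %s\n' "$*"
  else
    samba-tool "$@"
  fi
}

# Obtain a ticket from the keytab into a private cache on the ramdisk.
get_ticket() {
  check_principal "$SAMBA_PRINCIPAL" || {
    echo "principal '$SAMBA_PRINCIPAL' must be name@REALM with the realm in caps" >&2
    return 1
  }
  if [ "$DRY_RUN" = 1 ]; then return 0; fi
  mkdir -p -m 0700 "$(dirname "$SAMBA_TICKETCACHE")"
  export KRB5CCNAME="FILE:$SAMBA_TICKETCACHE"   # samba-tool reads the same cache
  kinit -k -t "$SAMBA_KEYTAB" "$SAMBA_PRINCIPAL"
}

# dehydrated passes DOMAIN TOKEN_FILENAME TOKEN_VALUE once per name in the request.
deploy_challenge() {
  while [ $# -ge 3 ]; do
    samba_dns add "$(record_name "$1" "$SAMBA_DOMAIN")" "$3"
    shift 3
  done
}

# Deleting a TXT record in samba-tool needs the exact value that was added.
clean_challenge() {
  while [ $# -ge 3 ]; do
    samba_dns delete "$(record_name "$1" "$SAMBA_DOMAIN")" "$3"
    shift 3
  done
}

case "${1:-}" in
  deploy_challenge) shift; get_ticket; deploy_challenge "$@" ;;
  clean_challenge)  shift; get_ticket; clean_challenge "$@" ;;
  *) : ;;   # other hook events (startup_hook, deploy_cert, ...) are ignored here
esac
```

The ticket cache directory should exist on the tmpfs before the first run (the script creates it mode 0700), and if the service account's keytab is ever rotated with a new exportkeytab, the old cache is simply overwritten by the next kinit.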