[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
Rowland Penny
rpenny at samba.org
Mon Jan 14 10:29:36 UTC 2019
On Mon, 14 Jan 2019 10:49:43 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai,
>
> Thank you for sharing this, very appreciated.
>
> If I may, a few small suggestions, to make it a little bit better to
> read/understand.
>
> In this line:
> samba-tool domain exportkeytab
> --principal=dehydrated-service@YOUR.DOMAIN /home/dehydrated/etc/dehydrated-service.keytab
> @YOUR.DOMAIN could you change this to : @YOUR.REALM
>
> Because of this. ( per example )
> DNS domain = primary.dnsdomain.tld and for REALM = YOUR.REALM. ( 2
> different things here, don't mix them. )
>
> YOUR.REALM is not the same as primary.dnsdomain.tld.
Whilst it is quite correct to say that the REALM isn't the same as a
DNS domain, there is a correlation between them. The REALM must be the
DNS domain in uppercase, so this:
SAMBA_PRINCIPAL=dehydrated-service@YOUR.DOMAIN
Could also be written as this:
SAMBA_PRINCIPAL=dehydrated-service@"$(echo "$(hostname -d)" | tr '[:lower:]' '[:upper:]')"
> REALM domain = PRIMARY.DNSDOMAIN.TLD or better translated as :
> YOUR.REALM ( to keep some confusion away and in CAPS )
If you're going to say things, you should use the correct terminology,
just as Louis says.
>
> Even when (dnsdomain) primary.dnsdomain.tld has the same REALM DOMAIN
> PRIMARY.DNSDOMAIN.TLD ( == YOUR.REALM ) These are not the same
> things.
>
> I suggest :
> SAMBA_PRINCIPAL=dehydrated-service@YOUR.REALM
> SAMBA_DOMAIN=primary.dnsdomain.tld
> SAMBA_DNSSERVER=dc.${SAMBA_DOMAIN}
>
> Since it's running on the DC you're updating.
> You should be able to use :
> SAMBA_DOMAIN=$(hostname -d)
> SAMBA_DNSSERVER=$(hostname -f)
>
>
> Keep REALM always in CAPS. Show the difference between the
> primary.dnsdomain.tld and REALMs. And tip,
>
> SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache
> Create that one on ramdisk.
If you do as Louis suggests, you could actually remove samba.sh.conf
and move into the main script.
I take it this is for Windows clients securely updating their records
in AD ?
Rowland
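An added example (not from this thread or the dehydrated project) that puts the above into shell: it derives the hook's settings from the DC's own hostname, keeps the lowercase DNS domain and the uppercase REALM as two distinct values, and checks that the DNS server FQDN actually lies inside that domain. The function names, the SAMBA_REALM variable and the /dev/shm ramdisk path are assumptions.

```shell
# Added example: derive the dehydrated hook's Samba settings on the DC itself.
# Assumes the hook runs on the DC (so hostname -d / hostname -f are usable)
# and that /dev/shm is a RAM-backed tmpfs mount.

# The Kerberos REALM is the AD DNS domain in upper case.
realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Build account@REALM from a service account name and a DNS domain.
principal_for() {
    printf '%s@%s' "$1" "$(realm_from_domain "$2")"
}

# Sanity check: the DNS server FQDN ($1) must lie inside the DNS domain ($2).
# Returns 0 when consistent, 1 otherwise.
check_dnsserver_in_domain() {
    case "$1" in
        *."$2") return 0 ;;
        *)      return 1 ;;
    esac
}

# Emit the variables the hook uses as KEY=VALUE lines.
# $1 = DNS domain, $2 = DC FQDN, $3 = service account name.
samba_hook_settings() {
    check_dnsserver_in_domain "$2" "$1" || return 1
    printf 'SAMBA_DOMAIN=%s\n' "$1"
    printf 'SAMBA_DNSSERVER=%s\n' "$2"
    printf 'SAMBA_REALM=%s\n' "$(realm_from_domain "$1")"
    printf 'SAMBA_PRINCIPAL=%s\n' "$(principal_for "$3" "$1")"
    # Ticket cache on the ramdisk, as suggested in the thread.
    printf 'SAMBA_TICKETCACHE=%s\n' "/dev/shm/dehydrated/ticket-cache"
}

# Stand-alone run on the DC: take domain and FQDN from the host itself.
if [ "${1:-}" = "--from-host" ]; then
    samba_hook_settings "$(hostname -d)" "$(hostname -f)" dehydrated-service
fi
```

Run it with `--from-host` on the DC to print the settings; the output can be sourced in place of samba.sh.conf.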