[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)

Rowland Penny rpenny at samba.org
Mon Jan 14 10:29:36 UTC 2019


On Mon, 14 Jan 2019 10:49:43 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai, 
> 
> Thank you for sharing this, very appreciated. 
> 
> If I may, a few small suggestions, to make it a little bit better to
> read/understand. 
> 
> In this line: 
> samba-tool domain exportkeytab
> --principal=dehydrated-service@YOUR.DOMAIN /home/dehydrated/etc/dehydrated-service.keytab
> @YOUR.DOMAIN could you change this to : @YOUR.REALM 
> 
> Because of this. ( per example ) 
> DNS domain = primary.dnsdomain.tld and for REALM = YOUR.REALM. ( 2
> different things here, don't mix them. )
> 
> YOUR.REALM is not the same as primary.dnsdomain.tld. 

Whilst it is quite correct to say that the REALM isn't the same as a
DNS domain, there is a correlation between them. The REALM must be the
DNS domain in uppercase, so this:

SAMBA_PRINCIPAL=dehydrated-service@YOUR.DOMAIN

Could also be written as this:

SAMBA_PRINCIPAL=dehydrated-service@"$(echo "$(hostname -d)" | tr '[:lower:]' '[:upper:]')"

 
> REALM domain = PRIMARY.DNSDOMAIN.TLD  or better translated as :
> YOUR.REALM ( to keep some confusion away and in CAPS )

If you're going to say things, you should use the correct terminology,
just as Louis says.

> 
> Even when (dnsdomain) primary.dnsdomain.tld has the same REALM DOMAIN
> PRIMARY.DNSDOMAIN.TLD ( == YOUR.REALM ) These are not the same
> things. 
> 
> I suggest : 
> SAMBA_PRINCIPAL=dehydrated-service@YOUR.REALM
> SAMBA_DOMAIN=primary.dnsdomain.tld  
> SAMBA_DNSSERVER=dc.${SAMBA_DOMAIN}
> 
> Since it's running on the DC you're updating. 
> You should be able to use : 
> SAMBA_DOMAIN=$(hostname -d)
> SAMBA_DNSSERVER=$(hostname -f)
> 
> 
> Keep REALM always in CAPS. Show the difference between the
> primary.dnsdomain.tld and REALMs. And tip, 
> 
> SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache  
> Create that one on ramdisk. 

If you do as Louis suggests, you could actually remove samba.sh.conf
and move into the main script.

I take it this is for Windows clients securely updating their records
in AD ?

Rowland
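
The suggestions in this message and the quoted one, pulled together as an added example (not code from the thread or from the hook's author): the principal is derived from the DNS domain, and the ticket cache goes in a private directory on a RAM-backed filesystem. The function names, the `/dev/shm` default and the `dehydrated-krb5.XXXXXX` directory template are assumptions.

```shell
#!/bin/sh
# Added example: settings for the dehydrated hook, derived on the DC itself.
# Function names and the /dev/shm location are assumptions, not from the thread.

# Upper-case a DNS domain to get the Kerberos realm.
# Fails on an empty value, which is what `hostname -d` prints when the
# host has no DNS domain configured; that would give a principal of "user@".
realm_from_domain() {
    [ -n "$1" ] || { echo "no DNS domain set for this host" >&2; return 1; }
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# Build account@REALM from an account name ($1) and a DNS domain ($2).
principal_for() {
    realm=$(realm_from_domain "$2") || return 1
    printf '%s@%s\n' "$1" "$realm"
}

# Create a ticket-cache directory readable only by the calling user.
# $1 is the base directory; /dev/shm is assumed to be tmpfs on this host,
# so the ticket never reaches persistent storage.
make_ticket_cache_dir() {
    base=${1:-/dev/shm}
    [ -d "$base" ] && [ -w "$base" ] || { echo "$base not usable" >&2; return 1; }
    ( umask 077; mktemp -d "$base/dehydrated-krb5.XXXXXX" )
}

# Set the variables named in the thread. Call this from the hook script.
load_settings() {
    SAMBA_DOMAIN=$(hostname -d)
    SAMBA_DNSSERVER=$(hostname -f)
    SAMBA_PRINCIPAL=$(principal_for dehydrated-service "$SAMBA_DOMAIN") || return 1
    cache_dir=$(make_ticket_cache_dir /dev/shm) || return 1
    SAMBA_TICKETCACHE=$cache_dir/ticket-cache
}
```

A hook that calls `load_settings` should remove `$cache_dir` when it exits so that tickets do not accumulate in RAM.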