[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)

L.P.H. van Belle belle at bazuin.nl
Mon Jan 14 11:13:19 UTC 2019


(@Rowland) 

> Whilst it is quite correct to say that the REALM isn't the same as a
> DNS domain, there is a correlation between them. The REALM must be the
> DNS domain in uppercase, so this:
> 
> SAMBA_PRINCIPAL=dehydrated-service at YOUR.DOMAIN

No, you can have your.primayDNSdomain.tld and have REALM = SOMEREALM.TLD 
Its not obligated to have REALM the same as the DnsDomain.
Its also not obligated to have the realm uppercased, but in my opinion, that should be obligated because programs expect often REALM not realm. 

And becarefull with : 
SAMBA_PRINCIPAL=dehydrated-service@"$(echo "$(hostname -d)" |\ 
> tr '[:lower:]' '[:upper:]')" 
Some locales characters setting have problem with this. 

For uppercasing. 
Or echo "${VARIABLE^^}   ( bash 4.0 and later) 
Or use :  |awk '{print toupper($0)}' 
# more in these type to characters (abcåäö) , but preventing it works for me.

Almost, look at these three.. ( look at the order here also. ) 

# The domain under which the entries will be created, usually $(hostname -d)
SAMBA_DNSDOMAIN=your.dnsdomain
SAMBA_REALMDOMAIN=${SAMBA_DNSDOMAIN^^}

# your Samba-AD-DNS server, usually $(hostname -f)
SAMBA_DNSSERVER=dc.${SAMBA_DNSDOMAIN}

# User principal name.
SAMBA_PRINCIPAL=dehydrated-service@${SAMBA_REALMDOMAIN}



> > And tip, 
> > 
> > SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache  
> > Create that one on ramdisk. 
> 
> Why? I delete it directly afterwards, is that a problem?
Less io, and much faster then over normal disk. 

And almost any server these days already have a ramdisk available. 
Check with : mount | grep tmp


Greetz, 

Louis




More information about the samba mailing list