[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)

Mon Jan 14 11:47:54 UTC 2019

On Mon, 14 Jan 2019 12:13:19 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> (@Rowland) 
> 
> > Whilst it is quite correct to say that the REALM isn't the same as a
> > DNS domain, there is a correlation between them. The REALM must be
> > the DNS domain in uppercase, so this:
> > 
> > SAMBA_PRINCIPAL=dehydrated-service at YOUR.DOMAIN
> 
> No, you can have your.primayDNSdomain.tld and have REALM =
> SOMEREALM.TLD Its not obligated to have REALM the same as the
> DnsDomain. 

We are talking a Samba AD DC here and this means the realm must be the
same as the forest dns domain. As Samba AD doesn't (yet) support
subdomains, the domain will be the same as the forest domain.
There is a line here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Under 'Preparing the installation'

Select a DNS domain for your AD forest. The name will also be used as
the AD Kerberos realm.

>Its also not obligated to have the realm uppercased, but
> in my opinion, that should be obligated because programs expect often
> REALM not realm.

That I totally agree with ;-)

> 
> And becarefull with : 
> SAMBA_PRINCIPAL=dehydrated-service@"$(echo "$(hostname -d)" |\ 
> > tr '[:lower:]' '[:upper:]')" 
> Some locales characters setting have problem with this. 
> 
> For uppercasing. 
> Or echo "${VARIABLE^^}   ( bash 4.0 and later) 
> Or use :  |awk '{print toupper($0)}' 
> # more in these type to characters (abcåäö) , but preventing it works
> for me.
>

You know, life would be a lot easier if those funny marks over the
letters didn't exist. ;-)
I never think about them, because we English do not use them, so point
taken.
However, we are talking about a dns domain, so would you use these
letters ?

> Almost, look at these three.. ( look at the order here also. ) 
> 
> # The domain under which the entries will be created, usually
> $(hostname -d) SAMBA_DNSDOMAIN=your.dnsdomain
> SAMBA_REALMDOMAIN=${SAMBA_DNSDOMAIN^^}

Wouldn't this have the same problem ?
Not trying to be argumentative, just trying to understand the problem.

> 
> # your Samba-AD-DNS server, usually $(hostname -f)
> SAMBA_DNSSERVER=dc.${SAMBA_DNSDOMAIN}
> 
> # User principal name.
> SAMBA_PRINCIPAL=dehydrated-service@${SAMBA_REALMDOMAIN}
> 
> 
> 
> > > And tip, 
> > > 
> > > SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache  
> > > Create that one on ramdisk. 
> > 
> > Why? I delete it directly afterwards, is that a problem?
> Less io, and much faster then over normal disk. 
> 
> And almost any server these days already have a ramdisk available. 
> Check with : mount | grep tmp
> 

Even Devuan has this.

Rowland