[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
L.P.H. van Belle
belle at bazuin.nl
Mon Jan 14 12:03:42 UTC 2019
Hai Rowland,
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Rowland Penny via samba
> Sent: Monday 14 January 2019 12:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] dehydrated hook for LetsEncrypt certs
> and samba dns (was: samba-tool auth in scripts)
>
> On Mon, 14 Jan 2019 12:13:19 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > (@Rowland)
> >
> > > Whilst it is quite correct to say that the REALM isn't the same as a
> > > DNS domain, there is a correlation between them. The REALM must be
> > > the DNS domain in uppercase, so this:
> > >
> > > SAMBA_PRINCIPAL=dehydrated-service@YOUR.DOMAIN
> >
> > No, you can have your.primaryDNSdomain.tld and have REALM =
> > SOMEREALM.TLD. It's not obligatory to have REALM the same as the
> > DnsDomain.
>
> We are talking a Samba AD DC here and this means the realm must be the
> same as the forest dns domain. As Samba AD doesn't (yet) support
> subdomains, the domain will be the same as the forest domain.
> There is a line here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> Under 'Preparing the installation'
>
> Select a DNS domain for your AD forest. The name will also be used as
> the AD Kerberos realm.
Hmm, here I have something for you, I'll PM it to you.
>
> > It's also not obligatory to have the realm uppercased, but
> > in my opinion, that should be obligatory because programs often expect REALM, not realm.
>
> That I totally agree with ;-)
>
> >
> > And be careful with:
> > SAMBA_PRINCIPAL=dehydrated-service@"$(echo "$(hostname -d)" |\
> >   tr '[:lower:]' '[:upper:]')"
> > Some locale character settings have problems with this.
> >
> > For uppercasing:
> > Or echo "${VARIABLE^^}" (bash 4.0 and later)
> > Or use: | awk '{print toupper($0)}'
> > # more on these types of characters (abcåäö), but preventing it works
> > for me.
> >
>
> You know, life would be a lot easier if those funny marks over the
> letters didn't exist. ;-)
> I never think about them, because we English do not use them, so point
> taken.
> However, we are talking about a dns domain, so would you use these
> letters?
No ;-), but Google showed me that echo and awk are the two most universal to use.
>
> > Almost, look at these three.. ( look at the order here also. )
> >
> > # The domain under which the entries will be created, usually $(hostname -d)
> > SAMBA_DNSDOMAIN=your.dnsdomain
> > SAMBA_REALMDOMAIN=${SAMBA_DNSDOMAIN^^}
>
> Wouldn't this have the same problem ?
> Not trying to be argumentative, just trying to understand the problem.
Just avoiding possible problems and keeping it clear that dnsdomain != REALM.
>
> >
> > # your Samba-AD-DNS server, usually $(hostname -f)
> > SAMBA_DNSSERVER=dc.${SAMBA_DNSDOMAIN}
> >
> > # User principal name.
> > SAMBA_PRINCIPAL=dehydrated-service@${SAMBA_REALMDOMAIN}
> >
> >
> >
> > > > And tip,
> > > >
> > > > SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache
> > > > Create that one on ramdisk.
> > >
> > > Why? I delete it directly afterwards, is that a problem?
> > Less IO, and much faster than over a normal disk.
> >
> > And almost any server these days already has a ramdisk available.
> > Check with: mount | grep tmp
> >
>
> Even Devuan has this.
Almost every server these days.
>
> Rowland
>
>
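An added example, not code from this thread or from dehydrated itself: a small POSIX shell script that derives the hook's SAMBA_DNSDOMAIN, SAMBA_REALMDOMAIN, SAMBA_DNSSERVER and SAMBA_PRINCIPAL from a DNS domain, keeping the DNS domain and the REALM as separate variables as the thread recommends. It uppercases with tr and awk pinned to the C locale (instead of the bash-only ${VAR^^}), so the result does not depend on the caller's locale, rejects non-ASCII names like abcåäö.example before they reach a principal, and picks a tmpfs-backed directory for SAMBA_TICKETCACHE by reading `mount` output. The function names, the domain samdom.example.com and the sample mount output are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the list thread or dehydrated itself): derive the
# dehydrated hook's Samba settings from the DNS domain without depending on the
# caller's locale, and choose a tmpfs-backed directory for the ticket cache.
# Function names and sample data below are constructed for this example.

# Uppercase with tr in the C locale. In some locales [:lower:] and [:upper:]
# have different sizes, which makes tr fail or mis-map; LC_ALL=C avoids that.
# DNS names in a Samba realm are ASCII, so the C locale loses nothing.
to_upper_c() {
    printf '%s' "$1" | LC_ALL=C tr '[:lower:]' '[:upper:]'
}

# The awk variant from the thread, pinned to the C locale for the same reason.
to_upper_awk() {
    printf '%s' "$1" | LC_ALL=C awk '{ print toupper($0) }'
}

# Accept only ASCII letters, digits, '-' and '.', so a name like abcåäö.example
# is rejected before it can become part of a principal or a DNS update.
is_ascii_dns_domain() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the hook's settings, one per line. DNS domain and REALM stay separate
# variables: the realm is the uppercased DNS domain, nothing more.
derive_samba_vars() {
    dnsdomain=$1
    is_ascii_dns_domain "$dnsdomain" || {
        printf 'bad DNS domain: %s\n' "$dnsdomain" >&2
        return 1
    }
    realm=$(to_upper_c "$dnsdomain")
    printf 'SAMBA_DNSDOMAIN=%s\n' "$dnsdomain"
    printf 'SAMBA_REALMDOMAIN=%s\n' "$realm"
    printf 'SAMBA_DNSSERVER=dc.%s\n' "$dnsdomain"
    printf 'SAMBA_PRINCIPAL=dehydrated-service@%s\n' "$realm"
}

# Pick the first candidate directory that the given `mount` output shows as
# tmpfs (the "mount | grep tmp" check from the thread); else use the default.
pick_ticket_cache_dir() {
    mounts=$1    # output of `mount`, passed in so this is testable offline
    default=$2
    for candidate in /dev/shm /run /tmp; do
        if printf '%s\n' "$mounts" | grep -q " on $candidate type tmpfs "; then
            printf '%s' "$candidate"
            return 0
        fi
    done
    printf '%s' "$default"
}

# Constructed sample `mount` output: /run and /dev/shm are tmpfs, /tmp is not.
SAMPLE_MOUNTS='/dev/sda1 on / type ext4 (rw,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,mode=755)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev)'

# Demonstration with a constructed domain name.
derive_samba_vars samdom.example.com
cachedir=$(pick_ticket_cache_dir "$SAMPLE_MOUNTS" /home/dehydrated/tmp)
printf 'SAMBA_TICKETCACHE=%s/ticket-cache\n' "$cachedir"
```

In a real hook you would call `derive_samba_vars "$(hostname -d)"` and `pick_ticket_cache_dir "$(mount)" /home/dehydrated/tmp`; the directory chosen for the ticket cache should still be created with restrictive permissions for the dehydrated user, since tmpfs only removes the disk IO, not the need to protect the cache file.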