[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)

L.P.H. van Belle belle at bazuin.nl
Mon Jan 14 12:03:42 UTC 2019


Hai Rowland,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Rowland Penny via samba
> Sent: Monday 14 January 2019 12:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] dehydrated hook for LetsEncrypt certs 
> and samba dns (was: samba-tool auth in scripts)
> 
> On Mon, 14 Jan 2019 12:13:19 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> 
> > (@Rowland) 
> > 
> > > Whilst it is quite correct to say that the REALM isn't the same as a
> > > DNS domain, there is a correlation between them. The REALM must be
> > > the DNS domain in uppercase, so this:
> > > 
> > > SAMBA_PRINCIPAL=dehydrated-service at YOUR.DOMAIN
> > 
> > No, you can have your.primaryDNSdomain.tld and have REALM =
> > SOMEREALM.TLD. It's not obligated to have REALM the same as the
> > DnsDomain. 
> 
> We are talking a Samba AD DC here and this means the realm must be the
> same as the forest dns domain. As Samba AD doesn't (yet) support
> subdomains, the domain will be the same as the forest domain.
> There is a line here:
> 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active
> _Directory_Domain_Controller
> 
> Under 'Preparing the installation'
> 
> Select a DNS domain for your AD forest. The name will also be used as
> the AD Kerberos realm.

Hmm, here I have something for you, I'll PM it to you. 

> 
> > It's also not obligated to have the realm uppercased, but
> > in my opinion, that should be obligated because programs often expect REALM, not realm.
> 
> That I totally agree with ;-)
>  
> > 
> > And be careful with: 
> > SAMBA_PRINCIPAL=dehydrated-service@"$(echo "$(hostname -d)" | tr '[:lower:]' '[:upper:]')" 
> > Some locale character settings have problems with this. 
> > 
> > For uppercasing: 
> > Or echo "${VARIABLE^^}"   ( bash 4.0 and later) 
> > Or use :  |awk '{print toupper($0)}' 
> > # more with these types of characters (abcåäö), but preventing it works
> > for me.
> >
> 
> You know, life would be a lot easier if those funny marks over the
> letters didn't exist. ;-)
> I never think about them, because we English do not use them, so point
> taken.
> However, we are talking about a dns domain, so would you use these
> letters ?
No ;-), but Google showed me the echo and awk are the 2 most universal to use.

>  
> > Almost, look at these three.. ( look at the order here also. ) 
> > 
> > # The domain under which the entries will be created, usually $(hostname -d)
> > SAMBA_DNSDOMAIN=your.dnsdomain
> > SAMBA_REALMDOMAIN=${SAMBA_DNSDOMAIN^^}
> 
> Wouldn't this have the same problem ?
> Not trying to be argumentative, just trying to understand the problem.
Just avoiding possible problems and keeping it clear that dnsdomain != REALM. 

> 
> > 
> > # your Samba-AD-DNS server, usually $(hostname -f)
> > SAMBA_DNSSERVER=dc.${SAMBA_DNSDOMAIN}
> > 
> > # User principal name.
> > SAMBA_PRINCIPAL=dehydrated-service@${SAMBA_REALMDOMAIN}
> > 
> > 
> > 
> > > > And tip, 
> > > > 
> > > > SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache  
> > > > Create that one on ramdisk. 
> > > 
> > > Why? I delete it directly afterwards, is that a problem?
> > Less IO, and much faster than over a normal disk. 
> > 
> > And almost any server these days already has a ramdisk available. 
> > Check with : mount | grep tmp
> > 
> 
> Even Devuan has this.
Almost every server these days. 

> 
> Rowland
>  
> 
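The three points traded above (a locale-independent uppercase step, defining the hook's variables in dependency order so the realm is derived from the DNS domain instead of typed twice, and checking that the ticket cache sits on a ramdisk) as one added shell example. This is not code from the thread or from dehydrated: the `awk '{print toupper($0)}'` step is the one named in the discussion, the mounts-table parser is my own addition, the domain names and mounts table are constructed sample input, and the hostname-derived values are passed in as arguments rather than read from `hostname` so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from dehydrated. Written in POSIX sh
# so it does not depend on bash 4's ${VAR^^}.

# Uppercase a DNS domain with awk's toupper(), one of the two portable
# options named in the thread. LC_ALL=C pins the C locale, so the result is
# the same whatever locale the hook is started under: ASCII letters are
# uppercased and any other bytes pass through unchanged (DNS labels are
# ASCII, so nothing is lost).
to_upper() {
    printf '%s' "$1" | LC_ALL=C awk '{ print toupper($0) }'
}

# Build the hook's variables in dependency order: DNS domain first, the
# realm derived from it, then server and principal from those two. The DNS
# domain is an argument here (a real hook would pass "$(hostname -d)") so
# the function can be exercised offline. Prints one value per line.
build_samba_vars() {
    SAMBA_DNSDOMAIN="$1"
    SAMBA_REALMDOMAIN="$(to_upper "$SAMBA_DNSDOMAIN")"
    SAMBA_DNSSERVER="dc.${SAMBA_DNSDOMAIN}"      # usually $(hostname -f)
    SAMBA_PRINCIPAL="dehydrated-service@${SAMBA_REALMDOMAIN}"
    printf '%s\n' "$SAMBA_DNSDOMAIN" "$SAMBA_REALMDOMAIN" \
                  "$SAMBA_DNSSERVER" "$SAMBA_PRINCIPAL"
}

# Filesystem type of the mount that covers a path: longest-prefix match over
# a mounts table in /proc/mounts format ("device mountpoint fstype ...").
# Takes the table as text so it can be tested on constructed input; for a
# live check pass "$(cat /proc/mounts)" as the first argument.
fstype_for_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        {
            mp = $2
            if (mp == "/" || index(p "/", mp "/") == 1) {
                if (length(mp) > best) { best = length(mp); fs = $3 }
            }
        }
        END { print fs }'
}

# Constructed mounts table: root on disk, /tmp and the dehydrated user's
# tmp directory on tmpfs.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
tmpfs /home/dehydrated/tmp tmpfs rw,nosuid,nodev,size=16m 0 0'

# True when the ticket cache path sits on tmpfs, i.e. on a ramdisk.
ticket_cache_on_ramdisk() {
    [ "$(fstype_for_path "$1" "$2")" = tmpfs ]
}

# Stand-alone run on the constructed input.
build_samba_vars your.dnsdomain
SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache
if ticket_cache_on_ramdisk "$SAMPLE_MOUNTS" "$SAMBA_TICKETCACHE"; then
    echo "$SAMBA_TICKETCACHE is on a ramdisk"
else
    echo "$SAMBA_TICKETCACHE is on disk; consider a tmpfs mount"
fi
```

Deriving `SAMBA_REALMDOMAIN` from `SAMBA_DNSDOMAIN` keeps the two values visibly distinct while preventing them from drifting apart when the domain is renamed; the `fstype_for_path` check replaces the eyeball `mount | grep tmp` with something the hook can act on.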