[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
L.P.H. van Belle
belle at bazuin.nl
Mon Jan 14 12:40:26 UTC 2019
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Monday 14 January 2019 13:21
> To: samba at lists.samba.org
> Subject: Re: [Samba] dehydrated hook for LetsEncrypt certs
> and samba dns (was: samba-tool auth in scripts)
>
> On Mon, 14 Jan 2019 13:03:42 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai Rowland,
> > >
> > > We are talking a Samba AD DC here and this means the realm must be
> > > the same as the forest dns domain. As Samba AD doesn't (yet) support
> > > subdomains, the domain will be the same as the forest domain.
> > > There is a line here:
> > >
> > > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> > >
> > > Under 'Preparing the installation'
> > >
> > > Select a DNS domain for your AD forest. The name will also be used
> > > as the AD Kerberos realm.
> >
> > Hmm, here I have something for you, I'll PM it to you.
> >
>
> OK, got it, I will have a look at it.
>
> > > Wouldn't this have the same problem ?
> > > Not trying to be argumentative, just trying to understand the
> > > problem.
> > Just avoiding possible problems and keeping it clear that dnsdomain !=
> > REALM.
> >
>
> Still not really understanding this, I think you are saying that in Windows AD, the REALM does not have to be the same as the dns domain.
No, RFC states that.
> it could be a dns subdomain like 'subdomain.example.com' with a REALM
> of 'EXAMPLE.COM' (or vice versa). As I have said, you cannot have a
> subdomain yet (and Windows is recommending to not use subdomains), so,
> as far as Samba is concerned, the REALM is the dns domain in
> uppercase.
>
> Again, just trying to understand.
Here, this is a bit what Stefan Kania was doing with the subdomains.
https://tools.ietf.org/html/rfc6806.html
https://www.ietf.org/rfc/rfc4120.txt
If I'm correct, page 97-98
Chap : 7.2.3.1.
( quick search for you )
Greetz,
Louis