[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)

Rowland Penny rpenny at samba.org
Mon Jan 14 13:20:53 UTC 2019


On Mon, 14 Jan 2019 13:40:26 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

>  
> 
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> > Rowland Penny via samba
> > Sent: Monday 14 January 2019 13:21
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] dehydrated hook for LetsEncrypt certs 
> > and samba dns (was: samba-tool auth in scripts)
> > 
> > On Mon, 14 Jan 2019 13:03:42 +0100
> > "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > 
> > > Hi Rowland,
> > > > 
> > > > We are talking a Samba AD DC here and this means the realm must
> > > > be the same as the forest dns domain. As Samba AD doesn't 
> > > > (yet) support
> > > > subdomains, the domain will be the same as the forest domain.
> > > > There is a line here:
> > > > 
> > > > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active
> > > > _Directory_Domain_Controller
> > > > 
> > > > Under 'Preparing the installation'
> > > > 
> > > > Select a DNS domain for your AD forest. The name will also be
> > > > used as the AD Kerberos realm.
> > > 
> > > Hmm, here I have something for you, I'll PM it to you. 
> > > 
> > 
> > OK, got it, I will have a look at it.
> > 
> > > > Wouldn't this have the same problem ?
> > > > Not trying to be argumentative, just trying to understand the
> > > > problem.
> > > Just avoiding possible problems and keeping it clear that
> > > dnsdomain != REALM. 
> > > 
> > 
> > Still not really understanding this, I think you are saying that in
> > Windows AD, the REALM does not have to be the same as the dns
> > domain.
> No, the RFC states that. 
> 
> > it could be a dns subdomain like 'subdomain.example.com' with a
> > REALM of 'EXAMPLE.COM' (or vice versa). As I have said, you cannot
> > have a subdomain yet (and Windows is recommending to not use
> > subdomains), so, as far as Samba is concerned, the REALM is the dns
> > domain in uppercase.
> > 
> 
> https://www.ietf.org/rfc/rfc4120.txt 
> If I'm correct, pages 97-98, 
> Chapter 7.2.3.1. 
> 

It says this:

   Kerberos realm names are case sensitive.  Realm names that differ
   only in the case of the characters are not equivalent.

So, from that, the REALM SaMdOm.EXAMPLE.COM would not be the same REALM as the
SAMDOM.EXAMPLE.COM REALM.

It then goes on to say: 

   Domain style realm names MUST look like domain names: they consist of
   components separated by periods (.) and they contain neither colons
   (:) nor slashes (/).  Though domain names themselves are case
   insensitive, in order for realms to match, the case must match as
   well.  When establishing a new realm name based on an internet domain
   name it is recommended by convention that the characters be converted
   to uppercase.

I read this to mean that, whilst you can have a dns domain like 
SaMdOm.example.com, it will be treated as if it was samdom.example.com as far
as DNS is concerned. This is different from the REALM as shown above,
where a case difference matters.

It then seems to go on to say that a new REALM must be based on the dns
domain, but in uppercase.

This means, to me at least, that the REALM is the dns domain in uppercase.

Rowland
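As an added illustration (not part of Rowland's message or of Samba's own code), the two matching rules quoted above from RFC 4120 section 7.2.3.1 side by side, plus the kind of pre-flight check a provisioning or certificate-hook script could run so that a realm which differs from the DNS domain only by case is caught before it causes Kerberos failures. The example names `samdom.example.com` and `SAMDOM.EXAMPLE.COM` are the ones used in the thread; the function names are my own.

```python
import re

# One DNS label: letters, digits, inner hyphens (hypothetical, simplified check).
DOMAIN_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def normalize_dns(name):
    """DNS names are case-insensitive: strip a trailing dot and lowercase."""
    return name.rstrip(".").lower()


def dns_equal(a, b):
    """SaMdOm.example.com and samdom.example.com are the same DNS name."""
    return normalize_dns(a) == normalize_dns(b)


def realm_equal(a, b):
    """Kerberos realm names are case sensitive (RFC 4120 7.2.3.1)."""
    return a == b


def is_domain_style_realm(realm):
    """Domain-style realm: dot-separated components, no ':' and no '/'."""
    if not realm or ":" in realm or "/" in realm:
        return False
    return all(DOMAIN_LABEL.match(label) for label in realm.split("."))


def realm_from_dns_domain(domain):
    """The conventional realm for a DNS domain: the domain in uppercase."""
    return normalize_dns(domain).upper()


def check_realm_matches_domain(realm, domain):
    """Return a list of findings; an empty list means realm and domain agree.

    Assumes the Samba AD DC case from the thread: no subdomains, so the
    realm is expected to be exactly the forest DNS domain in uppercase.
    """
    issues = []
    if not is_domain_style_realm(realm):
        issues.append("realm %r is not a valid domain-style realm name" % realm)
        return issues
    expected = realm_from_dns_domain(domain)
    if not realm_equal(realm, expected):
        if realm.lower() == expected.lower():
            issues.append("realm %r differs from %r only by case" % (realm, expected))
        else:
            issues.append("realm %r is not the DNS domain %r" % (realm, expected))
    return issues
```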