[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)

Jakob Lenfers lenfers at bigsss-bremen.de
Tue Jan 15 10:12:02 UTC 2019


On 14.01.19 at 11:29, Rowland Penny via samba wrote:

> Whilst it is quite correct to say that the REALM isn't the same as a
> DNS domain, there is a correlation between them. The REALM must be the
> DNS domain in uppercase, so this:
> [...]

I'll let you discuss this with Louis; I'm barely following anymore and
will try to add everything when you're done ;)

> If you do as Louis suggests, you could actually remove samba.sh.conf
> and move into the main script.

At least the username of the service should be configurable. And Samba
could be DNS master for additional domains. (So actually I should make
it an array. But I don't have time; I'll wait for the first to need
this ;))

I would like to move it to dehydrated.conf as pdns_api does
(https://github.com/silkeh/pdns_api.sh/), but I'm honestly unable to
find it in the script even though I use it and it works just fine for me.

> I take it this is for Windows clients securely updating their records
> in AD ?

I use it to create letsencrypt signed certs, so that my services don't
complain about the certificate of the LDAP. But if one would use Samba
as their master DNS server, I guess it might be useful to create general
certificates for services. At least I prefer the DNS based
authentication over HTTP. (Works with internal services as well...)

Best,
Jakob


