[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)

Kris Lou klou at themusiclink.net
Tue Jan 15 18:47:53 UTC 2019


Just to clarify, your hook allows dehydrated to look up DNS to an internal
Samba (or Bind_DLZ) server for DNS-01 verification in certificate
generation?

Kris Lou
klou at themusiclink.net


On Tue, Jan 15, 2019 at 2:13 AM Jakob Lenfers via samba <samba at lists.samba.org> wrote:

> On 14.01.19 at 11:29, Rowland Penny via samba wrote:
>
> > Whilst it is quite correct to say that the REALM isn't the same as a
> > DNS domain, there is a correlation between them. The REALM must be the
> > DNS domain in uppercase, so this:
> > [...]
>
> I'll let you discuss this with Louis, I'm barely following anymore and
> will try to add everything when you're done ;)
>
> > If you do as Louis suggests, you could actually remove samba.sh.conf
> > and move into the main script.
>
> At least the username of the service should be configurable. And Samba
> could be DNS Master for additional domains. (So actually I should make
> it in an array. But I don't have time, I'll wait for the first to need
> this ;))
>
> I would like to move it to dehydrated.conf as pdns_api does
> (https://github.com/silkeh/pdns_api.sh/), but I'm honestly unable to
> find it in the script even though I use it and it works just fine for me.
>
> > I take it this is for Windows clients securely updating their records
> > in AD ?
>
> I use it to create letsencrypt signed certs, so that my services don't
> complain about the certificate of the LDAP. But if one would use Samba
> as their master DNS server, I guess it might be useful to create general
> certificates for services. At least I prefer the DNS based
> authentication over HTTP. (Works with internal services as well...)
>
> Best,
> Jakob

