Hi,

I created a script to add DNS entries with samba-tool (for LetsEncrypt, as a dehydrated hook). Works fine, but I have the password for the dedicated user to do that in the script in the clear. I think I read somewhere something about doing it with kerberos, but I never used kerberos and don't know where to start. Is there any good way to be doing this?

Thanks,
Jakob

What you can do..

Create base 64 encrypted password.

    echo "YourS3CreTPassW0rd!"|base64
    WW91clMzQ3JlVFBhc3NXMHJkIQo=

Save this encrypted password in a password file.
And use it in any script where you need this password.

/path_to/password_file.txt ( contains )

    PASSWORD="WW91clMzQ3JlVFBhc3NXMHJkIQo="

To be added in your script:

    source /path_to/password_file.txt
    DB_PASSWORD="$(echo "$PASSWORD"|base64 -d)"

chmod 700 on the script, 400 on the password file.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Jakob Lenfers via samba
> Sent: Wednesday 9 January 2019 10:57
> To: samba at lists.samba.org
> Subject: [Samba] samba-tool auth in scripts
>
> Hi,
>
> I created a script to add DNS entries with samba-tool (for
> LetsEncrypt,
> as a dehydrated hook.) Works fine, but I have the password for the
> dedicated user to do that in the script in the clear. I think I read
> somewhere something about doing it with kerberos, but I never used
> kerberos and don't know where to start. Is there any good way to be
> doing this?
>
> Thanks,
> Jakob

On Wed, 9 Jan 2019 10:56:56 +0100 Jakob Lenfers via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I created a script to add DNS entries with samba-tool (for
> LetsEncrypt, as a dehydrated hook.) Works fine, but I have the
> password for the dedicated user to do that in the script in the
> clear. I think I read somewhere something about doing it with
> kerberos, but I never used kerberos and don't know where to start. Is
> there any good way to be doing this?
>
> Thanks,
> Jakob

Try reading this:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

It's for DHCP updating dns records, but it uses a dedicated user and kerberos, so it should help you.

Rowland

On 09.01.19 at 14:01, Rowland Penny via samba wrote:

> Try reading this:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> It's for DHCP updating dns records, but it uses a dedicated user and
> kerberos, so it should help you.

That's exactly what I wanted, thanks. Just a little problem, "samba-tool [...] -k yes" after manual kinit works fine. If I want to use a special ticket cache as in your example, I cannot find an option in man samba-tool to supply that filename and the following command therefore fails (asking for password):

| # init ticket if necessary
| klist -c ~/tmp/ticket-cache -s || kinit -F -k -t ~/etc/dehydrated-service.keytab -c ~/tmp/ticket-cache dehydrated-service@MY.DOMAIN
| # change records
| samba-tool dns add barva.my.domain my.domain jakob-test TXT "TEEEST" -k yes

Thanks again,
Jakob
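
Added example, not part of the thread and not Samba project code: Kerberos libraries read the credential cache location from the KRB5CCNAME environment variable, so exporting it lets kinit, klist and "samba-tool -k yes" share the dedicated cache. The keytab path, principal and record values come from the last message; the function names, the DRY_RUN switch and the keytab permission check are assumptions of this example.

```sh
#!/bin/sh
# Added example: keytab-based Kerberos auth for samba-tool in a hook script.
set -e

# Paths and principal as in the thread; override through the environment.
KEYTAB="${KEYTAB:-$HOME/etc/dehydrated-service.keytab}"
PRINCIPAL="${PRINCIPAL:-dehydrated-service@MY.DOMAIN}"
CCACHE="${CCACHE:-$HOME/tmp/ticket-cache}"
DRY_RUN="${DRY_RUN:-1}"    # assumption: 1 prints commands, 0 executes them

# Kerberos libraries take the cache location from KRB5CCNAME, so kinit, klist
# and "samba-tool -k yes" all use the same file without a per-command option.
export KRB5CCNAME="FILE:${CCACHE}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A keytab is a password equivalent: accept it only if owner-only (GNU stat).
keytab_mode_ok() {
    case "$(stat -c '%a' "$1" 2>/dev/null)" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Get a ticket from the keytab unless the cache already holds a valid one.
ensure_ticket() {
    if [ "$DRY_RUN" != "1" ]; then
        klist -s && return 0
        keytab_mode_ok "$KEYTAB" || { echo "refusing $KEYTAB: missing or not owner-only" >&2; return 1; }
    fi
    run kinit -F -k -t "$KEYTAB" "$PRINCIPAL"
}

# usage: add_txt_record <dc> <zone> <name> <value>
add_txt_record() {
    run samba-tool dns add "$1" "$2" "$3" TXT "$4" -k yes
}

# Called with four arguments, the script renews the ticket and adds the record.
if [ "$#" -eq 4 ]; then
    ensure_ticket
    add_txt_record "$@"
fi
```

With DRY_RUN=0 the script needs no password anywhere: the only secret is the keytab, which should stay readable by the hook's user alone.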