On 09.01.19 at 14:01, Rowland Penny via samba wrote:
> Try reading this:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> It's for DHCP updating dns records, but it uses a dedicated user and
> kerberos, so it should help you.

That's exactly what I wanted, thanks. Just a little problem,
"samba-tool [...] -k yes" after manual kinit works fine. If I want to
use a special ticket cache as in your example, I cannot find an
option in man samba-tool to supply that filename and the following
command therefore fails (asking for password):

| # init ticket if necessary
| klist -c ~/tmp/ticket-cache -s || kinit -F -k -t ~/etc/dehydrated-service.keytab -c ~/tmp/ticket-cache dehydrated-service@MY.DOMAIN
| # change records
| samba-tool dns add barva.my.domain my.domain jakob-test TXT "TEEEST" -k yes

Thanks again,
Jakob
On Thu, 10 Jan 2019 11:42:46 +0100
Jakob Lenfers <lenfers at bigsss-bremen.de> wrote:

> On 09.01.19 at 14:01, Rowland Penny via samba wrote:
>
> > Try reading this:
> >
> > https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> >
> > It's for DHCP updating dns records, but it uses a dedicated user and
> > kerberos, so it should help you.
>
> That's exactly what I wanted, thanks. Just a little problem,
> "samba-tool [...] -k yes" after manual kinit works fine. If I want to
> use a special ticket cache as in your example, I cannot find an
> option in man samba-tool to supply that filename and the following
> command therefore fails (asking for password):
>
> | # init ticket if necessary
> | klist -c ~/tmp/ticket-cache -s || kinit -F -k -t
> ~/etc/dehydrated-service.keytab -c ~/tmp/ticket-cache
> dehydrated-service@MY.DOMAIN
> | # change records
> | samba-tool dns add barva.my.domain my.domain jakob-test TXT "TEEEST"
> -k yes
>

You don't ;-)
You do what the script should have done (I feel version 0.8.10 will
soon make an appearance), export the cache to use <export
KRB5CCNAME="/tmp/dhcp-dyndns.cc"> and then use '$KRB5CCNAME' wherever
'/tmp/dhcp-dyndns.cc' appears, except for:

kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc "${SETPRINCIPAL}"

Where all you need is:

kinit -F -k -t /etc/dhcpduser.keytab "${SETPRINCIPAL}"

I have updated my dhcp-dyndns.sh script to match the above and it
appears to be working without errors. If this continues for 24hrs the
wikipage will be updated.

As far as samba-tool is concerned, you will probably have to add
-Udehydrated-service to the command.

Rowland
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Thursday 10 January 2019 14:09
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba-tool auth in scripts
>
> On Thu, 10 Jan 2019 11:42:46 +0100
> Jakob Lenfers <lenfers at bigsss-bremen.de> wrote:
>
> > On 09.01.19 at 14:01, Rowland Penny via samba wrote:
> >
> > > Try reading this:
> > >
> > > https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> > >
> > > It's for DHCP updating dns records, but it uses a dedicated user and
> > > kerberos, so it should help you.
> >
> > That's exactly what I wanted, thanks. Just a little problem,
> > "samba-tool [...] -k yes" after manual kinit works fine. If I want to
> > use a special ticket cache as in your example, I cannot find an
> > option in man samba-tool to supply that filename and the following
> > command therefore fails (asking for password):
> >
> > | # init ticket if necessary
> > | klist -c ~/tmp/ticket-cache -s || kinit -F -k -t
> > ~/etc/dehydrated-service.keytab -c ~/tmp/ticket-cache
> > dehydrated-service@MY.DOMAIN
> > | # change records
> > | samba-tool dns add barva.my.domain my.domain jakob-test TXT "TEEEST"
> > -k yes
> >
>
> You don't ;-)
> You do what the script should have done (I feel version 0.8.10 will
> soon make an appearance), export the cache to use <export
> KRB5CCNAME="/tmp/dhcp-dyndns.cc"> and then use '$KRB5CCNAME' wherever
> '/tmp/dhcp-dyndns.cc' appears, except for:
>
> kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc "${SETPRINCIPAL}"
>
> Where all you need is:
>
> kinit -F -k -t /etc/dhcpduser.keytab "${SETPRINCIPAL}"
>
> I have updated my dhcp-dyndns.sh script to match the above and it
> appears to be working without errors. If this continues for 24hrs the
> wikipage will be updated.
>
> As far as samba-tool is concerned, you will probably have to add
> -Udehydrated-service to the command.

Hmm, that will miss the cache file also, maybe this works after the kinit:

su - dehydrated-service -c "samba-tool dns add barva.my.domain my.domain jakob-test TXT 'TEEEST' -k yes"

And don't forget to add this user to DNSAdmins Also.

Greetz,

Louis
On Thu, 10 Jan 2019 14:38:11 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

>
> > -----Original message-----
> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> > Rowland Penny via samba
> > Sent: Thursday 10 January 2019 14:09
> > To: samba at lists.samba.org
> > Subject: Re: [Samba] samba-tool auth in scripts
> >
> > On Thu, 10 Jan 2019 11:42:46 +0100
> > Jakob Lenfers <lenfers at bigsss-bremen.de> wrote:
> >
> > > On 09.01.19 at 14:01, Rowland Penny via samba wrote:
> > >
> > > > Try reading this:
> > > >
> > > > https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> > > >
> > > > It's for DHCP updating dns records, but it uses a dedicated user and
> > > > kerberos, so it should help you.
> > >
> > > That's exactly what I wanted, thanks. Just a little problem,
> > > "samba-tool [...] -k yes" after manual kinit works fine. If I want to
> > > use a special ticket cache as in your example, I cannot find an
> > > option in man samba-tool to supply that filename and the following
> > > command therefore fails (asking for password):
> > >
> > > | # init ticket if necessary
> > > | klist -c ~/tmp/ticket-cache -s || kinit -F -k -t
> > > ~/etc/dehydrated-service.keytab -c ~/tmp/ticket-cache
> > > dehydrated-service@MY.DOMAIN
> > > | # change records
> > > | samba-tool dns add barva.my.domain my.domain jakob-test TXT "TEEEST"
> > > -k yes
> > >
> >
> > You don't ;-)
> > You do what the script should have done (I feel version 0.8.10 will
> > soon make an appearance), export the cache to use <export
> > KRB5CCNAME="/tmp/dhcp-dyndns.cc"> and then use '$KRB5CCNAME'
> > wherever '/tmp/dhcp-dyndns.cc' appears, except for:
> >
> > kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc "${SETPRINCIPAL}"
> >
> > Where all you need is:
> >
> > kinit -F -k -t /etc/dhcpduser.keytab "${SETPRINCIPAL}"
> >
> > I have updated my dhcp-dyndns.sh script to match the above and it
> > appears to be working without errors. If this continues for 24hrs
> > the wikipage will be updated.
> >
> > As far as samba-tool is concerned, you will probably have to add
> > -Udehydrated-service to the command.
>
> Hmm, that will miss the cache file also, maybe this works after the
> kinit:
>
> su - dehydrated-service -c "samba-tool dns add barva.my.domain
> my.domain jakob-test TXT 'TEEEST' -k yes"
>
> And don't forget to add this user to DNSAdmins Also.
>

If it was run from the command line, yes it wouldn't use the wanted
cache, but in a script you can set the cache to use.

This works for me:

export KRB5CCNAME="/tmp/dhcp-dyndns.cc"; kinit -F -k -t /etc/dhcpduser.keytab dhcpduser@SAMDOM.EXAMPLE.COM; samba-tool dns add dc4.samdom.example.com samdom.example.com devstation TXT 'TEEEST' -k yes

The above is all one line. and results in:

Record added successfully

and this in AD:

dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength  : 0x0007 (7)
    wType        : DNS_TYPE_TXT (16)
    version      : 0x05 (5)
    rank         : DNS_RANK_ZONE (240)
    flags        : 0x0000 (0)
    dwSerial     : 0x000009cc (2508)
    dwTtlSeconds : 0x00000384 (900)
    dwReserved   : 0x00000000 (0)
    dwTimeStamp  : 0x00000000 (0)
    data         : union dnsRecordData(case 16)
        txt      : "TEEEST"

Rowland
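The pattern Rowland describes (pick the ticket cache via KRB5CCNAME, let kinit fill it without `-c`, then call samba-tool with `-k yes`) put into a reusable script, as an added example that is not part of the thread or of the wiki's dhcp-dyndns.sh. The principal, keytab path, cache path, DNS server and zone are placeholders; the external tools can be swapped via variables so the logic can be exercised without a domain.

```shell
#!/bin/sh
# Added example: script-side Kerberos auth for samba-tool DNS updates.
# Placeholders (adjust for your domain): SERVICE_PRINCIPAL, SERVICE_KEYTAB,
# KRB5CCNAME default, and the server/zone passed to add_txt_record.
set -u

# A dedicated cache keeps the script's TGT apart from any user's tickets.
# kinit and samba-tool both honour KRB5CCNAME, so no -c option is needed.
: "${KRB5CCNAME:=/tmp/dns-update.cc}"
export KRB5CCNAME
SERVICE_PRINCIPAL="${SERVICE_PRINCIPAL:-dnsupdate-service@SAMDOM.EXAMPLE.COM}"
SERVICE_KEYTAB="${SERVICE_KEYTAB:-/etc/dnsupdate-service.keytab}"
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"   # overridable for testing

# Get a TGT from the keytab only when the cache has no valid ticket.
# "klist -s" prints nothing and exits non-zero if no usable ticket exists.
ensure_ticket() {
    if klist -s 2>/dev/null; then
        return 0
    fi
    # No -c: kinit writes into $KRB5CCNAME, the cache samba-tool will read.
    kinit -F -k -t "$SERVICE_KEYTAB" "$SERVICE_PRINCIPAL"
}

# Add one TXT record. The service account needs write access to the zone
# (Louis's note: put it in DnsAdmins); -k yes makes samba-tool use the
# ticket instead of prompting for a password.
add_txt_record() {
    server=$1; zone=$2; name=$3; value=$4
    ensure_ticket || return 1
    "$SAMBA_TOOL" dns add "$server" "$zone" "$name" TXT "$value" -k yes
}

# Usage: ./dns-txt-add.sh dc1.samdom.example.com samdom.example.com name value
if [ "$#" -eq 4 ]; then
    add_txt_record "$1" "$2" "$3" "$4"
fi
```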
On 10.01.19 at 14:09, Rowland Penny via samba wrote:
> You don't ;-)
> You do what the script should have done (I feel version 0.8.10 will
> soon make an appearance), export the cache to use <export
> KRB5CCNAME="/tmp/dhcp-dyndns.cc"> and then use '$KRB5CCNAME' wherever
> '/tmp/dhcp-dyndns.cc' appears, except for:
> [...]

Yes, that worked. Thanks both of you!

Best,
Jakob