On 10.01.19 at 14:09, Rowland Penny via samba wrote:
> You don't ;-)
> You do what the script should have done (I feel version 0.8.10 will
> soon make an appearance), export the cache to use <export
> KRB5CCNAME="/tmp/dhcp-dyndns.cc"> and then use '$KRB5CCNAME' wherever
> '/tmp/dhcp-dyndns.cc' appears, except for:
> [...]

Yes, that worked. Thanks both of you!

Best,
Jakob
Jakob Lenfers
2019-Jan-14 08:49 UTC
[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
On 11.01.19 at 11:17, Jakob Lenfers via samba wrote:
> Yes, that worked. Thanks both of you!

If anybody wants to use LetsEncrypt with Samba-DNS and dehydrated, you can check out my hook script:
https://gitlab.bremen-social-sciences.de/it/dehydrated-samba-hook

Best,
Jakob
L.P.H. van Belle
2019-Jan-14 09:49 UTC
[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
Hi,

Thank you for sharing, this is very appreciated.

If I may, a few small suggestions to make it a little bit easier to read/understand.

In this line:
samba-tool domain exportkeytab --principal=dehydrated-service@YOUR.DOMAIN /home/dehydrated/etc/dehydrated-service.keytab

could you change @YOUR.DOMAIN to: @YOUR.REALM

Because of this (for example):
DNS domain = primary.dnsdomain.tld and for REALM = YOUR.REALM. (2 different things here, don't mix them.)

YOUR.REALM is not the same as primary.dnsdomain.tld.
REALM domain = PRIMARY.DNSDOMAIN.TLD, or better translated as: YOUR.REALM (to keep some confusion away, and in CAPS).

Even when (dnsdomain) primary.dnsdomain.tld has the same REALM DOMAIN PRIMARY.DNSDOMAIN.TLD (== YOUR.REALM), these are not the same things.

I suggest:
SAMBA_PRINCIPAL=dehydrated-service@YOUR.REALM
SAMBA_DOMAIN=primary.dnsdomain.tld
SAMBA_DNSSERVER=dc.${SAMBA_DOMAIN}

Since it's running on the DC you're updating, you should be able to use:
SAMBA_DOMAIN=$(hostname -d)
SAMBA_DNSSERVER=$(hostname -f)

Keep REALM always in CAPS. Show the difference between the primary.dnsdomain.tld and REALMs.

And a tip:
SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache
Create that one on a ramdisk.

Greetz,
Louis

> -----Original message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Jakob Lenfers via samba
> Sent: Monday, 14 January 2019 9:49
> To: Rowland Penny; samba@lists.samba.org
> Subject: [Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
>
> On 11.01.19 at 11:17, Jakob Lenfers via samba wrote:
> > Yes, that worked. Thanks both of you!
>
> If anybody wants to use LetsEncrypt with Samba-DNS and dehydrated, you
> can check out my hook script:
> https://gitlab.bremen-social-sciences.de/it/dehydrated-samba-hook
>
> Best,
> Jakob
Rowland Penny
2019-Jan-14 10:29 UTC
[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
On Mon, 14 Jan 2019 10:49:43 +0100 "L.P.H. van Belle via samba" <samba@lists.samba.org> wrote:
> Hi,
>
> Thank you for sharing, this is very appreciated.
>
> If I may, a few small suggestions to make it a little bit easier to
> read/understand.
>
> In this line:
> samba-tool domain exportkeytab --principal=dehydrated-service@YOUR.DOMAIN /home/dehydrated/etc/dehydrated-service.keytab
> could you change @YOUR.DOMAIN to: @YOUR.REALM
>
> Because of this (for example):
> DNS domain = primary.dnsdomain.tld and for REALM = YOUR.REALM. (2
> different things here, don't mix them.)
>
> YOUR.REALM is not the same as primary.dnsdomain.tld.

Whilst it is quite correct to say that the REALM isn't the same as a DNS domain, there is a correlation between them. The REALM must be the DNS domain in uppercase, so this:

SAMBA_PRINCIPAL=dehydrated-service@YOUR.DOMAIN

Could also be written as this:

SAMBA_PRINCIPAL=dehydrated-service@"$(echo "$(hostname -d)" | tr '[:lower:]' '[:upper:]')"

> REALM domain = PRIMARY.DNSDOMAIN.TLD, or better translated as:
> YOUR.REALM (to keep some confusion away, and in CAPS)

If you're going to say things, you should use the correct terminology, just as Louis says.

>
> Even when (dnsdomain) primary.dnsdomain.tld has the same REALM DOMAIN
> PRIMARY.DNSDOMAIN.TLD (== YOUR.REALM), these are not the same
> things.
>
> I suggest:
> SAMBA_PRINCIPAL=dehydrated-service@YOUR.REALM
> SAMBA_DOMAIN=primary.dnsdomain.tld
> SAMBA_DNSSERVER=dc.${SAMBA_DOMAIN}
>
> Since it's running on the DC you're updating,
> you should be able to use:
> SAMBA_DOMAIN=$(hostname -d)
> SAMBA_DNSSERVER=$(hostname -f)
>
>
> Keep REALM always in CAPS. Show the difference between the
> primary.dnsdomain.tld and REALMs. And a tip:
>
> SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache
> Create that one on a ramdisk.

If you do as Louis suggests, you could actually remove samba.sh.conf and move it into the main script.

I take it this is for Windows clients securely updating their records in AD?

Rowland
Jakob Lenfers
2019-Jan-14 10:30 UTC
[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
On 14.01.19 at 10:49, L.P.H. van Belle via samba wrote:
> If I may, a few small suggestions to make it a little bit easier to read/understand.
> [...]

Thanks, I'm still new regarding AD lingo. I hope I understood everything correctly and added it as you suggested.

> And a tip:
>
> SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache
> Create that one on a ramdisk.

Why? I delete it directly afterwards, is that a problem?

Best,
Jakob
L.P.H. van Belle
2019-Jan-14 11:13 UTC
[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
(@Rowland)
> Whilst it is quite correct to say that the REALM isn't the same as a
> DNS domain, there is a correlation between them. The REALM must be the
> DNS domain in uppercase, so this:
>
> SAMBA_PRINCIPAL=dehydrated-service@YOUR.DOMAIN

No, you can have your.primaryDNSdomain.tld and have REALM = SOMEREALM.TLD
It's not obligatory to have REALM the same as the DnsDomain.
It's also not obligatory to have the realm uppercased, but in my opinion that should be obligatory, because programs often expect REALM, not realm.

And be careful with:
SAMBA_PRINCIPAL=dehydrated-service@"$(echo "$(hostname -d)" |\
  tr '[:lower:]' '[:upper:]')"

Some locale character settings have problems with this. For uppercasing.
Or echo "${VARIABLE^^}" (bash 4.0 and later)
Or use: |awk '{print toupper($0)}'
# more with these types of characters (abcåäö), but preventing it works for me.

Almost, look at these three.. (look at the order here also.)

# The domain under which the entries will be created, usually $(hostname -d)
SAMBA_DNSDOMAIN=your.dnsdomain
SAMBA_REALMDOMAIN=${SAMBA_DNSDOMAIN^^}
# your Samba-AD-DNS server, usually $(hostname -f)
SAMBA_DNSSERVER=dc.${SAMBA_DNSDOMAIN}
# User principal name.
SAMBA_PRINCIPAL=dehydrated-service@${SAMBA_REALMDOMAIN}

> > And a tip:
> >
> > SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache
> > Create that one on a ramdisk.
>
> Why? I delete it directly afterwards, is that a problem?

Less IO, and much faster than over a normal disk. And almost any server these days already has a ramdisk available.
Check with: mount | grep tmp

Greetz,
Louis
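An added example, written for this thread and not taken from Jakob's hook script, from Samba or from dehydrated, that puts the thread's advice into one runnable hook: the KRB5CCNAME export from Rowland's first reply, his realm-from-hostname derivation with Louis's override for sites whose realm is not their DNS domain, Louis's dependency-ordered settings, a locale-safe uppercasing (LC_ALL=C instead of the bash-only ${VAR^^}) and the ticket cache on tmpfs. All function names (to_realm, configure, relative_name, is_tmpfs, pick_cache_dir, setup_ticket_cache, cleanup_ticket_cache, dns_txt) are my own, the keytab path and principal are placeholders, and the deploy_challenge/clean_challenge signature is modelled on dehydrated's example hook; the kinit and samba-tool calls are only reached when the script is invoked as a hook.

```shell
#!/bin/sh
# Added example for this thread; it is not Jakob's hook script and not code
# from Samba or dehydrated. Every function name below is hypothetical, the
# keytab path and principal are placeholders, and the handler interface
# (deploy_challenge|clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE) is
# modelled on dehydrated's example hook.
set -u

# Uppercase a DNS domain into a realm. LC_ALL=C pins tr to ASCII case rules,
# sidestepping the locale trouble Louis describes; works in plain sh, unlike
# the bash-only ${VAR^^}.
to_realm() {
    printf '%s' "$1" | LC_ALL=C tr '[:lower:]' '[:upper:]'
}

# Settings in dependency order: zone and DC (default: this host's own names),
# then the realm (default: zone in caps; set SAMBA_REALM when the site's realm
# is not its DNS domain), then the UPN built from the realm. Fails if the
# host cannot tell us its zone or FQDN.
configure() {
    SAMBA_DNSDOMAIN=${SAMBA_DNSDOMAIN:-$(hostname -d 2>/dev/null || true)}
    SAMBA_DNSSERVER=${SAMBA_DNSSERVER:-$(hostname -f 2>/dev/null || true)}
    SAMBA_REALM=${SAMBA_REALM:-$(to_realm "$SAMBA_DNSDOMAIN")}
    SAMBA_PRINCIPAL=${SAMBA_PRINCIPAL:-dehydrated-service@$SAMBA_REALM}
    KEYTAB=${KEYTAB:-/home/dehydrated/etc/dehydrated-service.keytab}  # placeholder
    [ -n "$SAMBA_DNSDOMAIN" ] && [ -n "$SAMBA_DNSSERVER" ]
}

# Strip the zone from an FQDN (case-insensitively) to get the record name
# samba-tool dns expects; "@" for the apex; status 1 if outside the zone.
relative_name() {
    fqdn=$(printf '%s' "$1" | LC_ALL=C tr '[:upper:]' '[:lower:]')
    zone=$(printf '%s' "$2" | LC_ALL=C tr '[:upper:]' '[:lower:]')
    case "$fqdn" in
        "$zone")   printf '@\n' ;;
        *".$zone") printf '%s\n' "${fqdn%".$zone"}" ;;
        *)         printf '%s\n' "$fqdn"; return 1 ;;
    esac
}

# True when $1 is a tmpfs mount point, i.e. one of the lines that
# "mount | grep tmp" would show.
is_tmpfs() {
    [ -r /proc/mounts ] || return 1
    awk -v d="$1" '$2 == d && $3 == "tmpfs" { found = 1 } END { exit !found }' /proc/mounts
}

# RAM-backed, user-writable directory for the throw-away cache (Louis's tip);
# falls back to TMPDIR so the hook still runs on hosts without tmpfs.
pick_cache_dir() {
    for d in "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}" /dev/shm; do
        if [ -d "$d" ] && [ -w "$d" ] && is_tmpfs "$d"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    printf '%s\n' "${TMPDIR:-/tmp}"
}

# Private, per-run credential cache: mktemp gives a 0600 file with an
# unpredictable name (no fixed /tmp path), KRB5CCNAME routes kinit and
# samba-tool to it (Rowland's advice), and the trap wipes it on exit.
setup_ticket_cache() {
    KRB5CCNAME=$(mktemp "$(pick_cache_dir)/dehydrated-cc.XXXXXX") || return 1
    export KRB5CCNAME
    trap cleanup_ticket_cache EXIT
}
cleanup_ticket_cache() {
    if command -v kdestroy >/dev/null 2>&1; then
        kdestroy -c "${KRB5CCNAME:-}" 2>/dev/null || true
    fi
    if [ -n "${KRB5CCNAME:-}" ]; then rm -f "$KRB5CCNAME"; fi
}

# Add or delete the dns-01 TXT record with a ticket from the service keytab.
# "-k yes" is samba-tool's Kerberos switch of the thread's era (newer
# releases spell it --use-kerberos=required).
dns_txt() {  # $1 = add|delete, $2 = DOMAIN, $3 = TOKEN_VALUE
    configure && setup_ticket_cache || return 1
    kinit -k -t "$KEYTAB" "$SAMBA_PRINCIPAL" || return 1
    name=$(relative_name "_acme-challenge.$2" "$SAMBA_DNSDOMAIN") || return 1
    samba-tool dns "$1" "$SAMBA_DNSSERVER" "$SAMBA_DNSDOMAIN" "$name" TXT "$3" -k yes
}
deploy_challenge() { dns_txt add "$1" "$3"; }
clean_challenge()  { dns_txt delete "$1" "$3"; }

# Dispatch the way dehydrated's example hook does; other handlers
# (startup_hook, exit_hook, ...) are ignored on purpose.
case "${1:-}" in
    deploy_challenge|clean_challenge) handler=$1; shift; "$handler" "$@" ;;
esac
```

Run it as dehydrated's HOOK with the keytab exported as in Louis's exportkeytab line; on a DC that is its own DNS server the defaults from hostname -d/-f are enough, and a site with a realm that differs from its DNS domain only needs SAMBA_REALM set in the environment.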