L.P.H. van Belle
2019-Jan-14 11:13 UTC
[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
(@Rowland)
> Whilst it is quite correct to say that the REALM isn't the same as a
> DNS domain, there is a correlation between them. The REALM must be the
> DNS domain in uppercase, so this:
>
> SAMBA_PRINCIPAL=dehydrated-service@YOUR.DOMAIN

No, you can have your.primayDNSdomain.tld and have REALM = SOMEREALM.TLD
It's not obligated to have REALM the same as the DnsDomain.
It's also not obligated to have the realm uppercased, but in my opinion, that should be obligated because programs often expect REALM, not realm.

And be careful with :
SAMBA_PRINCIPAL=dehydrated-service@"$(echo "$(hostname -d)" |\
 tr '[:lower:]' '[:upper:]')"
Some locale character settings have problems with this.

For uppercasing.
Or echo "${VARIABLE^^}" ( bash 4.0 and later)
Or use : |awk '{print toupper($0)}'
# more in these types of characters (abcåäö) , but preventing it works for me.

Almost, look at these three.. ( look at the order here also. )

# The domain under which the entries will be created, usually $(hostname -d)
SAMBA_DNSDOMAIN=your.dnsdomain
SAMBA_REALMDOMAIN=${SAMBA_DNSDOMAIN^^}

# your Samba-AD-DNS server, usually $(hostname -f)
SAMBA_DNSSERVER=dc.${SAMBA_DNSDOMAIN}

# User principal name.
SAMBA_PRINCIPAL=dehydrated-service@${SAMBA_REALMDOMAIN}

> > And tip,
> >
> > SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache
> > Create that one on ramdisk.
>
> Why? I delete it directly afterwards, is that a problem?

Less IO, and much faster than over a normal disk.
And almost any server these days already has a ramdisk available.
Check with : mount | grep tmp

Greetz,

Louis
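A locale-safe way to derive the realm and the principal that the hook exports, as an added example that is not code from the thread or from dehydrated: it pins the locale for the uppercasing, refuses non-ASCII names, and takes an explicit realm for the case Louis describes where REALM is not just the DNS domain in uppercase. The domain names and the dehydrated-service account are constructed, and realm_for/principal_for are hypothetical helper names.

```shell
# Added example, not code from the thread or from dehydrated: derive the realm
# and the hook's principal from the DNS domain under a fixed locale, validate
# the input, and allow an explicit realm for the case where REALM is not simply
# the DNS domain in uppercase. Domain names and "dehydrated-service" are
# constructed; realm_for/principal_for are hypothetical helper names.

# Uppercase under the C locale so tr's [:lower:]/[:upper:] classes cover ASCII
# only, whatever LANG/LC_ALL the hook inherits from cron or systemd.
to_upper() {
    printf '%s\n' "$1" | LC_ALL=C tr '[:lower:]' '[:upper:]'
}

# Accept only ASCII host names (letters, digits, dots, hyphens); labels such as
# abcåäö would be uppercased differently per locale, so they are refused.
is_ascii_dns_name() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[A-Za-z0-9.-]+$'
}

# realm_for DNSDOMAIN [REALM]: print the realm to use. With a second argument
# that explicit realm is validated and uppercased, otherwise the DNS domain is.
realm_for() {
    is_ascii_dns_name "$1" || { echo "refusing DNS domain '$1'" >&2; return 1; }
    if [ -n "${2:-}" ]; then
        is_ascii_dns_name "$2" || { echo "refusing realm '$2'" >&2; return 1; }
        to_upper "$2"
    else
        to_upper "$1"
    fi
}

# principal_for DNSDOMAIN [REALM]: the UPN the hook authenticates as.
principal_for() {
    realm=$(realm_for "$1" "${2:-}") || return 1
    printf 'dehydrated-service@%s\n' "$realm"
}

# Stand-alone run with constructed values, in the order the thread shows.
SAMBA_DNSDOMAIN=samdom.example.com
SAMBA_REALMDOMAIN=$(realm_for "$SAMBA_DNSDOMAIN")
SAMBA_DNSSERVER=dc.${SAMBA_DNSDOMAIN}
SAMBA_PRINCIPAL=$(principal_for "$SAMBA_DNSDOMAIN")
echo "realm=$SAMBA_REALMDOMAIN dns=$SAMBA_DNSSERVER principal=$SAMBA_PRINCIPAL"
```

Because the realm is validated before the kinit step, a wrong locale or an IDN label fails the hook early instead of producing a principal that Samba will silently reject.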
Rowland Penny
2019-Jan-14 11:47 UTC
[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
On Mon, 14 Jan 2019 12:13:19 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> (@Rowland)
> > Whilst it is quite correct to say that the REALM isn't the same as a
> > DNS domain, there is a correlation between them. The REALM must be
> > the DNS domain in uppercase, so this:
> >
> > SAMBA_PRINCIPAL=dehydrated-service@YOUR.DOMAIN
>
> No, you can have your.primayDNSdomain.tld and have REALM
> SOMEREALM.TLD It's not obligated to have REALM the same as the
> DnsDomain.

We are talking a Samba AD DC here and this means the realm must be the same as the forest dns domain. As Samba AD doesn't (yet) support subdomains, the domain will be the same as the forest domain.
There is a line here:

https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller

Under 'Preparing the installation'

Select a DNS domain for your AD forest. The name will also be used as the AD Kerberos realm.

> It's also not obligated to have the realm uppercased, but
> in my opinion, that should be obligated because programs often expect
> REALM, not realm.

That I totally agree with ;-)

> And be careful with :
> SAMBA_PRINCIPAL=dehydrated-service@"$(echo "$(hostname -d)" |\
> tr '[:lower:]' '[:upper:]')"
> Some locale character settings have problems with this.
>
> For uppercasing.
> Or echo "${VARIABLE^^}" ( bash 4.0 and later)
> Or use : |awk '{print toupper($0)}'
> # more in these types of characters (abcåäö) , but preventing it works
> for me.

You know, life would be a lot easier if those funny marks over the letters didn't exist. ;-)
I never think about them, because we English do not use them, so point taken.
However, we are talking about a dns domain, so would you use these letters ?

> Almost, look at these three.. ( look at the order here also. )
>
> # The domain under which the entries will be created, usually
> $(hostname -d) SAMBA_DNSDOMAIN=your.dnsdomain
> SAMBA_REALMDOMAIN=${SAMBA_DNSDOMAIN^^}

Wouldn't this have the same problem ?
Not trying to be argumentative, just trying to understand the problem.

> # your Samba-AD-DNS server, usually $(hostname -f)
> SAMBA_DNSSERVER=dc.${SAMBA_DNSDOMAIN}
>
> # User principal name.
> SAMBA_PRINCIPAL=dehydrated-service@${SAMBA_REALMDOMAIN}
>
> > > And tip,
> > >
> > > SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache
> > > Create that one on ramdisk.
> >
> > Why? I delete it directly afterwards, is that a problem?
>
> Less IO, and much faster than over a normal disk.
>
> And almost any server these days already has a ramdisk available.
> Check with : mount | grep tmp

Even Devuan has this.

Rowland
L.P.H. van Belle
2019-Jan-14 12:03 UTC
[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
Hai Rowland,

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Monday 14 January 2019 12:48
> To: samba at lists.samba.org
> Subject: Re: [Samba] dehydrated hook for LetsEncrypt certs
> and samba dns (was: samba-tool auth in scripts)
>
> On Mon, 14 Jan 2019 12:13:19 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > (@Rowland)
> > > Whilst it is quite correct to say that the REALM isn't the same as a
> > > DNS domain, there is a correlation between them. The REALM must be
> > > the DNS domain in uppercase, so this:
> > >
> > > SAMBA_PRINCIPAL=dehydrated-service@YOUR.DOMAIN
> >
> > No, you can have your.primayDNSdomain.tld and have REALM
> > SOMEREALM.TLD It's not obligated to have REALM the same as the
> > DnsDomain.
>
> We are talking a Samba AD DC here and this means the realm must be the
> same as the forest dns domain. As Samba AD doesn't (yet) support
> subdomains, the domain will be the same as the forest domain.
> There is a line here:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
>
> Under 'Preparing the installation'
>
> Select a DNS domain for your AD forest. The name will also be used as
> the AD Kerberos realm.

Hmm, here I have something for you, I'll PM it to you.

> > It's also not obligated to have the realm uppercased, but
> > in my opinion, that should be obligated because programs often expect REALM, not realm.
>
> That I totally agree with ;-)
>
> > And be careful with :
> > SAMBA_PRINCIPAL=dehydrated-service@"$(echo "$(hostname -d)" |\
> > tr '[:lower:]' '[:upper:]')"
> > Some locale character settings have problems with this.
> >
> > For uppercasing.
> > Or echo "${VARIABLE^^}" ( bash 4.0 and later)
> > Or use : |awk '{print toupper($0)}'
> > # more in these types of characters (abcåäö) , but preventing it works
> > for me.
>
> You know, life would be a lot easier if those funny marks over the
> letters didn't exist. ;-)
> I never think about them, because we English do not use them, so point
> taken.
> However, we are talking about a dns domain, so would you use these
> letters ?

No ;-), but Google showed me the echo and awk are the 2 most universal to use.

> > Almost, look at these three.. ( look at the order here also. )
> >
> > # The domain under which the entries will be created, usually
> > $(hostname -d) SAMBA_DNSDOMAIN=your.dnsdomain
> > SAMBA_REALMDOMAIN=${SAMBA_DNSDOMAIN^^}
>
> Wouldn't this have the same problem ?
> Not trying to be argumentative, just trying to understand the problem.

Just avoiding possible problems and keeping it clear that dnsdomain != REALM.

> > # your Samba-AD-DNS server, usually $(hostname -f)
> > SAMBA_DNSSERVER=dc.${SAMBA_DNSDOMAIN}
> >
> > # User principal name.
> > SAMBA_PRINCIPAL=dehydrated-service@${SAMBA_REALMDOMAIN}
> >
> > > > And tip,
> > > >
> > > > SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache
> > > > Create that one on ramdisk.
> > >
> > > Why? I delete it directly afterwards, is that a problem?
> > Less IO, and much faster than over a normal disk.
> >
> > And almost any server these days already has a ramdisk available.
> > Check with : mount | grep tmp
>
> Even Devuan has this.

Almost every server these days.

> Rowland
Rowland Penny
2019-Jan-14 12:21 UTC
[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
On Mon, 14 Jan 2019 13:03:42 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai Rowland,
>
> > We are talking a Samba AD DC here and this means the realm must be
> > the same as the forest dns domain. As Samba AD doesn't (yet) support
> > subdomains, the domain will be the same as the forest domain.
> > There is a line here:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> >
> > Under 'Preparing the installation'
> >
> > Select a DNS domain for your AD forest. The name will also be used
> > as the AD Kerberos realm.
>
> Hmm, here I have something for you, I'll PM it to you.

OK, got it, I will have a look at it.

> > Wouldn't this have the same problem ?
> > Not trying to be argumentative, just trying to understand the
> > problem.
> Just avoiding possible problems and keeping it clear that dnsdomain !=
> REALM.

Still not really understanding this, I think you are saying that in Windows AD, the REALM does not have to be the same as the dns domain, it could be a dns subdomain like 'subdomain.example.com' with a REALM of 'EXAMPLE.COM' (or vice versa). As I have said, you cannot have a subdomain yet (and Windows is recommending to not use subdomains), so, as far as Samba is concerned, the REALM is the dns domain in uppercase.

Again, just trying to understand.

Rowland
L.P.H. van Belle
2019-Jan-14 12:40 UTC
[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Monday 14 January 2019 13:21
> To: samba at lists.samba.org
> Subject: Re: [Samba] dehydrated hook for LetsEncrypt certs
> and samba dns (was: samba-tool auth in scripts)
>
> On Mon, 14 Jan 2019 13:03:42 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
> > Hai Rowland,
> >
> > > We are talking a Samba AD DC here and this means the realm must be
> > > the same as the forest dns domain. As Samba AD doesn't (yet) support
> > > subdomains, the domain will be the same as the forest domain.
> > > There is a line here:
> > >
> > > https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
> > >
> > > Under 'Preparing the installation'
> > >
> > > Select a DNS domain for your AD forest. The name will also be used
> > > as the AD Kerberos realm.
> >
> > Hmm, here I have something for you, I'll PM it to you.
>
> OK, got it, I will have a look at it.
>
> > > Wouldn't this have the same problem ?
> > > Not trying to be argumentative, just trying to understand the
> > > problem.
> > Just avoiding possible problems and keeping it clear that dnsdomain !=
> > REALM.
>
> Still not really understanding this, I think you are saying that in
> Windows AD, the REALM does not have to be the same as the dns domain.

No, RFC states that.

> it could be a dns subdomain like 'subdomain.example.com' with a REALM
> of 'EXAMPLE.COM' (or vice versa). As I have said, you cannot have a
> subdomain yet (and Windows is recommending to not use subdomains), so,
> as far as Samba is concerned, the REALM is the dns domain in
> uppercase.
>
> Again, just trying to understand.

Here, this is a bit of what Stefan Kania was doing with the subdomains.

https://tools.ietf.org/html/rfc6806.html
https://www.ietf.org/rfc/rfc4120.txt
If I'm correct, pages 97-98, Chap. 7.2.3.1. ( quick search for you )

Greetz,

Louis