Rowland Penny
2019-Jan-14 10:29 UTC
[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
On Mon, 14 Jan 2019 10:49:43 +0100 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Hai,
>
> Thank you for sharing this, very appreciated.
>
> If I may, a few small suggestions, to make it a little bit better to
> read/understand.
>
> In this line:
> samba-tool domain exportkeytab --principal=dehydrated-service@YOUR.DOMAIN /home/dehydrated/etc/dehydrated-service.keytab
>
> @YOUR.DOMAIN, could you change this to: @YOUR.REALM
>
> Because of this (for example):
> DNS domain = primary.dnsdomain.tld and for REALM = YOUR.REALM. (Two
> different things here, don't mix them.)
>
> YOUR.REALM is not the same as primary.dnsdomain.tld.

Whilst it is quite correct to say that the REALM isn't the same as a DNS domain, there is a correlation between them. The REALM must be the DNS domain in uppercase, so this:

SAMBA_PRINCIPAL=dehydrated-service@YOUR.DOMAIN

Could also be written as this:

SAMBA_PRINCIPAL=dehydrated-service@"$(echo "$(hostname -d)" | tr '[:lower:]' '[:upper:]')"

> REALM domain = PRIMARY.DNSDOMAIN.TLD, or better translated as:
> YOUR.REALM (to keep some confusion away, and in CAPS)

If you're going to say things, you should use the correct terminology, just as Louis says.

> Even when (dnsdomain) primary.dnsdomain.tld has the same REALM DOMAIN
> PRIMARY.DNSDOMAIN.TLD (== YOUR.REALM), these are not the same
> things.
>
> I suggest:
> SAMBA_PRINCIPAL=dehydrated-service@YOUR.REALM
> SAMBA_DOMAIN=primary.dnsdomain.tld
> SAMBA_DNSSERVER=dc.${SAMBA_DOMAIN}
>
> Since it's running on the DC you're updating,
> you should be able to use:
> SAMBA_DOMAIN=$(hostname -d)
> SAMBA_DNSSERVER=$(hostname -f)
>
> Keep REALM always in CAPS. Show the difference between
> primary.dnsdomain.tld and REALMs. And a tip:
>
> SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache
> Create that one on a ramdisk.

If you do as Louis suggests, you could actually remove samba.sh.conf and move it into the main script.

I take it this is for Windows clients securely updating their records in AD?

Rowland
Jakob Lenfers
2019-Jan-15 10:12 UTC
[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
On 14.01.19 at 11:29, Rowland Penny via samba wrote:

> Whilst it is quite correct to say that the REALM isn't the same as a
> DNS domain, there is a correlation between them. The REALM must be the
> DNS domain in uppercase, so this:
> [...]

I'll let you discuss this with Louis, I'm barely following anymore and will try to add everything when you're done ;)

> If you do as Louis suggests, you could actually remove samba.sh.conf
> and move it into the main script.

At least the username of the service should be configurable. And Samba could be DNS master for additional domains. (So actually I should make it an array. But I don't have time, I'll wait for the first person to need this ;))

I would like to move it to dehydrated.conf as pdns_api does (https://github.com/silkeh/pdns_api.sh/), but I'm honestly unable to find it in the script, even though I use it and it works just fine for me.

> I take it this is for Windows clients securely updating their records
> in AD?

I use it to create letsencrypt-signed certs, so that my services don't complain about the certificate of the LDAP. But if one would use Samba as their master DNS server, I guess it might be useful to create general certificates for services. At least I prefer the DNS-based authentication over HTTP. (Works with internal services as well...)

Best,
Jakob
Kris Lou
2019-Jan-15 18:47 UTC
[Samba] dehydrated hook for LetsEncrypt certs and samba dns (was: samba-tool auth in scripts)
Just to clarify, your hook allows dehydrated to look up DNS on an internal Samba (or Bind_DLZ) server for DNS-01 verification in certificate generation?

Kris Lou
klou at themusiclink.net

On Tue, Jan 15, 2019 at 2:13 AM Jakob Lenfers via samba <samba at lists.samba.org> wrote:

> On 14.01.19 at 11:29, Rowland Penny via samba wrote:
>
> > Whilst it is quite correct to say that the REALM isn't the same as a
> > DNS domain, there is a correlation between them. The REALM must be the
> > DNS domain in uppercase, so this:
> > [...]
>
> I'll let you discuss this with Louis, I'm barely following anymore and
> will try to add everything when you're done ;)
>
> > If you do as Louis suggests, you could actually remove samba.sh.conf
> > and move it into the main script.
>
> At least the username of the service should be configurable. And Samba
> could be DNS master for additional domains. (So actually I should make
> it an array. But I don't have time, I'll wait for the first person to need
> this ;))
>
> I would like to move it to dehydrated.conf as pdns_api does
> (https://github.com/silkeh/pdns_api.sh/), but I'm honestly unable to
> find it in the script, even though I use it and it works just fine for me.
>
> > I take it this is for Windows clients securely updating their records
> > in AD?
>
> I use it to create letsencrypt-signed certs, so that my services don't
> complain about the certificate of the LDAP. But if one would use Samba
> as their master DNS server, I guess it might be useful to create general
> certificates for services. At least I prefer the DNS-based
> authentication over HTTP. (Works with internal services as well...)
>
> Best,
> Jakob
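An added example, not Jakob's hook (which is not reproduced on this page) and not Samba project code: a minimal POSIX sh dehydrated hook that does what the thread describes, answering Kris's question in code. It follows Louis's and Rowland's suggestions above (zone and DNS server taken from the host, realm derived as the zone in upper case, ticket cache on a ramdisk) and answers dehydrated's deploy_challenge / clean_challenge calls by adding and deleting _acme-challenge TXT records with samba-tool, authenticated from a keytab exported as in Louis's quoted command. The account name dehydrated-service, the keytab path under /home/dehydrated, the /dev/shm cache location and the short propagation wait are assumptions; the samba-tool `-k yes` switch is the Samba 4.9-era spelling (newer releases use `--use-kerberos=required`).

```shell
#!/bin/sh
# Added example dehydrated hook for DNS-01 against a Samba AD DNS zone.
# Invoked by dehydrated as:  hook.sh deploy_challenge FQDN TOKEN_FILE TOKEN_VALUE
#                            hook.sh clean_challenge  FQDN TOKEN_FILE TOKEN_VALUE

# Kerberos REALM is the DNS domain in upper case (Rowland's point).
realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# samba-tool dns takes the zone plus a record name relative to it, so
# translate the FQDN dehydrated hands us into that relative name:
#   ldap.primary.dnsdomain.tld  -> _acme-challenge.ldap
#   primary.dnsdomain.tld       -> _acme-challenge
#   *.primary.dnsdomain.tld     -> _acme-challenge   (wildcard cert)
# Fails if the FQDN is not inside the zone this DC serves.
challenge_name() {
    fqdn="${1#\*.}"          # strip a leading "*." from wildcard names
    zone="$2"
    case "$fqdn" in
        "$zone")   printf '_acme-challenge' ;;
        *."$zone") rel="${fqdn%.$zone}"; printf '_acme-challenge.%s' "$rel" ;;
        *)         return 1 ;;
    esac
}

# Defaults per Louis's suggestion: derive everything from the DC itself.
# Evaluated lazily so the pure helpers above work without a domain-joined host.
hook_config() {
    SAMBA_DOMAIN="${SAMBA_DOMAIN:-$(hostname -d)}"        # zone the DC is authoritative for
    SAMBA_DNSSERVER="${SAMBA_DNSSERVER:-$(hostname -f)}"  # the DC we are running on
    SAMBA_USER="${SAMBA_USER:-dehydrated-service}"        # assumed service account name
    SAMBA_KEYTAB="${SAMBA_KEYTAB:-/home/dehydrated/etc/${SAMBA_USER}.keytab}"   # assumed path
    SAMBA_TICKETCACHE="${SAMBA_TICKETCACHE:-/dev/shm/dehydrated-ticket-cache}"  # ramdisk, assumed
    SAMBA_REALM="$(realm_from_domain "$SAMBA_DOMAIN")"
}

# Get a TGT for the service principal from its keytab into a private cache,
# so no password is stored in the hook and samba-tool never prompts.
kinit_service() {
    KRB5CCNAME="FILE:${SAMBA_TICKETCACHE}"
    export KRB5CCNAME
    kinit -k -t "$SAMBA_KEYTAB" "${SAMBA_USER}@${SAMBA_REALM}"
}

# $1 = add|delete, $2 = FQDN from dehydrated, $3 = challenge token value
dns_txt() {
    name="$(challenge_name "$2" "$SAMBA_DOMAIN")" || {
        echo "$2 is not inside zone $SAMBA_DOMAIN" >&2
        return 1
    }
    # -k yes: authenticate with the Kerberos ticket above (Samba 4.9-era syntax)
    samba-tool dns "$1" "$SAMBA_DNSSERVER" "$SAMBA_DOMAIN" "$name" TXT "$3" -k yes
}

deploy_challenge() {
    hook_config && kinit_service && dns_txt add "$1" "$3" || return 1
    sleep 5      # assumed: brief pause before dehydrated asks the CA to validate
}

clean_challenge() {
    hook_config && kinit_service && dns_txt delete "$1" "$3"
}

# dehydrated calls this script with the stage name as the first argument;
# stages this hook does not implement (deploy_cert, exit_hook, ...) are no-ops.
case "$1" in
    deploy_challenge|clean_challenge) "$@" ;;
    *) : ;;
esac
```

The keytab is the thing to protect here: whoever can read it can write any record in the zone, so keep it mode 0600 to the dehydrated user and give the service account write rights only on the records it needs rather than on the whole zone. The _acme-challenge name also has to be answerable by whatever the CA's resolvers reach, so an internal-only DC works only for names whose public delegation points at it.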