# dehydrated-samba-hook

Hook to create DNS based LetsEncrypt certificates with [dehydrated](https://github.com/lukas2511/dehydrated) and a Samba AD DNS server.

You'll need to create a user with DNS access and a keytab for that user to create Kerberos tickets. The following worked for me; adapt paths and users as necessary:

```
samba-tool user create dehydrated-service --random-password  --description="User to add DNS entries for certificate creation with dehydrated"
samba-tool user setexpiry dehydrated-service --noexpiry
samba-tool group addmembers DnsAdmins dehydrated-service
samba-tool domain exportkeytab --principal=dehydrated-service@YOUR.DOMAIN /home/dehydrated/etc/dehydrated-service.keytab
chown dehydrated:root /home/dehydrated/etc/dehydrated-service.keytab
chmod 440 /home/dehydrated/etc/dehydrated-service.keytab
```

Set the following variables in a file named `samba.sh.conf` placed next to `samba.sh`:

```
# username of the user to change DNS
SAMBA_PRINCIPAL=dehydrated-service@YOUR.DOMAIN
# your Samba-AD-DNS server
SAMBA_DNSSERVER=DC.YOUR.DOMAIN
# the domain under which the entries will be created
SAMBA_DOMAIN=YOUR.DOMAIN
# keytab to create the kerberos tickets
SAMBA_KEYTAB=/home/dehydrated/etc/dehydrated-service.keytab
# ticket cache, will be deleted after the script ran
SAMBA_TICKETCACHE=/home/dehydrated/tmp/ticket-cache
# wait for x seconds after deploying the challenge to give the DNS time
SAMBA_DNSWAIT=180
```
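To show how the variables above fit together, here is an added example of a dehydrated DNS-01 hook for Samba AD DNS. It is not the project's `samba.sh`; it is illustrative code written for this README. It assumes the `SAMBA_*` variables from `samba.sh.conf`, the dehydrated calling convention `hook.sh deploy_challenge <domain> <token> <keyauth-digest>` (and the same for `clean_challenge`), MIT-style `kinit`/`kdestroy`, and `samba-tool dns add|delete <server> <zone> <name> TXT <data>`. The Kerberos option passed to `samba-tool` (`-k yes`) is an assumption about the Samba version in use; newer releases spell it `--use-kerberos=required`, so it is kept in an overridable variable.

```shell
#!/usr/bin/env bash
# Added example hook (not the project's own samba.sh): obtains a ticket from the
# keytab, writes the _acme-challenge TXT record into the Samba AD zone, and
# removes it again. dehydrated calls:
#   samba.sh deploy_challenge <domain> <token> <keyauth_digest>
#   samba.sh clean_challenge  <domain> <token> <keyauth_digest>
set -eu

# Config file next to the script (assumed location, matching the README).
CONF="${SAMBA_HOOK_CONF:-$(dirname "$0")/samba.sh.conf}"
# Assumption: "-k yes" selects Kerberos in older samba-tool; Samba >= 4.15
# uses "--use-kerberos=required". Override via the environment if needed.
SAMBA_KRB_OPT="${SAMBA_KRB_OPT:--k yes}"

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Relative record name inside the zone: www.example.org in zone example.org
# becomes _acme-challenge.www; the zone apex becomes plain _acme-challenge.
# Refuses domains outside the configured zone, so a wrong SAMBA_DOMAIN can
# never cause a record to be written into an unintended zone.
challenge_name() {
  domain=$(lower "$1"); zone=$(lower "$2")
  if [ "$domain" = "$zone" ]; then
    printf '_acme-challenge\n'
    return 0
  fi
  case "$domain" in
    *".$zone") printf '_acme-challenge.%s\n' "${domain%".$zone"}" ;;
    *) echo "error: $domain is not inside zone $zone" >&2; return 1 ;;
  esac
}

# ACME key-authorization digests are base64url. Anything else is rejected
# before it reaches samba-tool, so the hook cannot write arbitrary TXT data.
valid_token() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

load_conf() {
  # shellcheck disable=SC1090
  . "$CONF"
  : "${SAMBA_PRINCIPAL:?}" "${SAMBA_DNSSERVER:?}" "${SAMBA_DOMAIN:?}" \
    "${SAMBA_KEYTAB:?}" "${SAMBA_TICKETCACHE:?}" "${SAMBA_DNSWAIT:=180}"
}

# Run one samba-tool dns command under a fresh ticket from the keytab, then
# destroy the ticket so no credential cache outlives the hook run.
samba_dns() {
  kinit -k -t "$SAMBA_KEYTAB" -c "$SAMBA_TICKETCACHE" "$SAMBA_PRINCIPAL"
  export KRB5CCNAME="FILE:$SAMBA_TICKETCACHE"
  rc=0
  # shellcheck disable=SC2086  # SAMBA_KRB_OPT is intentionally word-split
  samba-tool dns "$@" $SAMBA_KRB_OPT || rc=$?
  kdestroy -c "$SAMBA_TICKETCACHE" || true
  return "$rc"
}

deploy_challenge() {
  load_conf
  domain=$1; token=$3          # $2 is the ACME token; $3 the TXT value to publish
  valid_token "$token" || { echo "error: unexpected characters in challenge value" >&2; return 1; }
  name=$(challenge_name "$domain" "$SAMBA_DOMAIN")
  samba_dns add "$SAMBA_DNSSERVER" "$SAMBA_DOMAIN" "$name" TXT "$token"
  sleep "$SAMBA_DNSWAIT"       # let the record settle before the CA queries it
}

clean_challenge() {
  load_conf
  domain=$1; token=$3
  valid_token "$token" || return 1
  name=$(challenge_name "$domain" "$SAMBA_DOMAIN")
  samba_dns delete "$SAMBA_DNSSERVER" "$SAMBA_DOMAIN" "$name" TXT "$token"
}

# Dispatch on the hook stage dehydrated passes as the first argument.
case "${1:-}" in
  deploy_challenge|clean_challenge) hook=$1; shift; "$hook" "$@" ;;
  *) : ;;   # no arguments, or a stage (deploy_cert, ...) this hook does not need
esac
```

The record name is derived from `SAMBA_DOMAIN` rather than from the zone reported by the caller, and the TXT value is checked against the base64url alphabet, so the account's `DnsAdmins` rights are only ever used for `_acme-challenge` records inside the configured zone. If you run dehydrated with `HOOK_CHAIN=yes`, several domains arrive in one call as argument triples; this example handles the default one-domain-per-call form.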