Commit d3710cd6 authored by Jakob Lenfers's avatar Jakob Lenfers

Added suggestions from L.P.H. van Belle <belle@bazuin.nl>

parent cfa8ca5b
......@@ -6,7 +6,7 @@ You'll need to create a user with DNS access and a keytab for that user to creat
```samba-tool user create dehydrated-service --random-password --description="User to add DNS entries for certificate creation with dehydrated"
samba-tool user setexpiry dehydrated-service --noexpiry
samba-tool group addmembers DnsAdmins dehydrated-service
samba-tool domain exportkeytab --principal=dehydrated-service@YOUR.DOMAIN /home/dehydrated/etc/dehydrated-service.keytab
samba-tool domain exportkeytab --principal=dehydrated-service@YOUR.REALM /home/dehydrated/etc/dehydrated-service.keytab
chown dehydrated:root /home/dehydrated/etc/dehydrated-service.keytab
chmod 440 /home/dehydrated/etc/dehydrated-service.keytab
```
......@@ -14,11 +14,11 @@ chmod 440 /home/dehydrated/etc/dehydrated-service.keytab
Set following variable next to the `samba.sh` into `samba.sh.conf`
```# username of the user to change DNS
SAMBA_PRINCIPAL=dehydrated-service@YOUR.DOMAIN
# your Samba-AD-DNS server
SAMBA_DNSSERVER=DC.YOUR.DOMAIN
# the domain under which the entries will be created
SAMBA_DOMAIN=YOUR.DOMAIN
SAMBA_PRINCIPAL=dehydrated-service@YOUR.REALM
# your Samba-AD-DNS server, usually $(hostname -f)
SAMBA_DNSSERVER=DC.YOUR.REALM
# the domain under which the entries will be created, usually $(hostname -d)
SAMBA_DNSDOMAIN=YOUR.DNSDOMAIN
# keytab to create the kerberos tickets
SAMBA_KEYTAB=/home/dehydrated/etc/dehydrated-service.keytab
# ticket cache, will be deleted after the script ran
......
......@@ -18,8 +18,8 @@ SAMBA_CONFIG="$SCRIPT_DIR/samba.sh.conf"
[[ -f "${SAMBA_CONFIG}" ]] && . "${SAMBA_CONFIG}"
[[ -n "${SAMBA_PRINCIPAL:-}" ]] || exit_with_error "Set SAMBA_PRINCIPAL in dehydrated.conf or ${SAMBA_CONFIG}"
[[ -n "${SAMBA_DNSSERVER:-}" ]] || exit_with_error "Set SAMBA_DNSSERVER in dehydrated.conf or ${SAMBA_CONFIG}"
[[ -n "${SAMBA_DOMAIN:-}" ]] || exit_with_error "Set SAMBA_DOMAIN in dehydrated.conf or ${SAMBA_CONFIG}"
[[ -n "${SAMBA_DNSSERVER:-}" ]] || SAMBA_DNSSERVER=$(hostname -f)
[[ -n "${SAMBA_DNSDOMAIN:-}" ]] || SAMBA_DNSDOMAIN=$(hostname -d)
[[ -n "${SAMBA_KEYTAB:-}" ]] || exit_with_error "Set SAMBA_KEYTAB in dehydrated.conf or ${SAMBA_CONFIG}"
[[ -n "${SAMBA_TICKETCACHE:-}" ]] || exit_with_error "Set SAMBA_TICKETCACHE in dehydrated.conf or ${SAMBA_CONFIG}"
[[ -n "${SAMBA_DNSWAIT:-}" ]] || SAMBA_DNSWAIT=180
......@@ -30,12 +30,12 @@ export KRB5CCNAME=${SAMBA_TICKETCACHE}
case "$1" in
"deploy_challenge")
kinit --no-forwardable --use-keytab --keytab=${SAMBA_KEYTAB} ${SAMBA_PRINCIPAL} && \
samba-tool dns add ${SAMBA_DNSSERVER} ${SAMBA_DOMAIN} "_acme-challenge.${2%.${SAMBA_DOMAIN}}" TXT "${4}"
samba-tool dns add ${SAMBA_DNSSERVER} ${SAMBA_DNSDOMAIN} "_acme-challenge.${2%.${SAMBA_DNSDOMAIN}}" TXT "${4}"
sleep ${SAMBA_DNSWAIT}
;;
"clean_challenge")
kinit --no-forwardable --use-keytab --keytab=${SAMBA_KEYTAB} ${SAMBA_PRINCIPAL} && \
samba-tool dns delete ${SAMBA_DNSSERVER} ${SAMBA_DOMAIN} "_acme-challenge.${2%.${SAMBA_DOMAIN}}" TXT "${4}"
samba-tool dns delete ${SAMBA_DNSSERVER} ${SAMBA_DNSDOMAIN} "_acme-challenge.${2%.${SAMBA_DNSDOMAIN}}" TXT "${4}"
;;
"deploy_cert")
# do nothing for now
......
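Review bot: The new defaults `SAMBA_DNSSERVER=$(hostname -f)` and `SAMBA_DNSDOMAIN=$(hostname -d)` can leave either variable empty (`hostname -d` prints nothing on a host without a domain part, and `hostname -f` fails when the name does not resolve), and nothing after them re-validates the values the way the surrounding `exit_with_error` checks do for SAMBA_KEYTAB and SAMBA_TICKETCACHE. Because the expansions in the second hunk are unquoted, `samba-tool dns add ${SAMBA_DNSSERVER} ${SAMBA_DNSDOMAIN} ...` then silently drops the empty word and the remaining arguments shift into the wrong positions, and the suffix strip `${2%.${SAMBA_DNSDOMAIN}}` degenerates to removing only a trailing dot; the same applies to the `dns delete` line in `clean_challenge`. I would add, directly after the two default lines, `[[ -n "${SAMBA_DNSSERVER}" && -n "${SAMBA_DNSDOMAIN}" ]] || exit_with_error "Could not determine SAMBA_DNSSERVER/SAMBA_DNSDOMAIN, set them in dehydrated.conf or ${SAMBA_CONFIG}"`, and quote the arguments on both samba-tool lines, e.g. `samba-tool dns add "${SAMBA_DNSSERVER}" "${SAMBA_DNSDOMAIN}" "_acme-challenge.${2%.${SAMBA_DNSDOMAIN}}" TXT "${4}"`. It is also worth noting that a failed kinit or `dns add` is not reflected in the arm's exit status, so the hook proceeds to `sleep ${SAMBA_DNSWAIT}` and dehydrated only learns of the problem when validation fails; the `case` statement continues outside the hunk, and the first hunk's line counts suggest one of its lines is not shown here.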