
Re: [Samba] samba-tool auth in scripts




On Thu, 10 Jan 2019 11:42:46 +0100
Jakob Lenfers <lenfers@xxxxxxxxxxxxxxxx> wrote:

> On 09.01.19 at 14:01, Rowland Penny via samba wrote:
> 
> > Try reading this:
> > 
> > https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> > 
> > It's for DHCP updating dns records, but it uses a dedicated user and
> > kerberos, so it should help you.
> 
> That's exactly what I wanted, thanks. Just a little problem,
> "samba-tool [...] -k yes" after manual kinit works fine. If I want to
> use a special ticket cache as in your example, I cannot find an
> option in man samba-tool to supply that filename and the following
> command therefore fails (asking for password):
> 
> | # init ticket if necessary
> | klist -c ~/tmp/ticket-cache -s || kinit -F -k -t ~/etc/dehydrated-service.keytab -c ~/tmp/ticket-cache dehydrated-service@MY.DOMAIN
> | # change records
> | samba-tool dns add barva.my.domain my.domain jakob-test TXT "TEEEST" -k yes
> 

You don't ;-)
You do what the script should have done (I feel version 0.8.10 will
soon make an appearance), export the cache to use <export
KRB5CCNAME="/tmp/dhcp-dyndns.cc"> and then use '$KRB5CCNAME' wherever
'/tmp/dhcp-dyndns.cc' appears, except for:

kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc "${SETPRINCIPAL}"

Where all you need is:

kinit -F -k -t /etc/dhcpduser.keytab "${SETPRINCIPAL}"

I have updated my dhcp-dyndns.sh script to match the above and it
appears to be working without errors. If this continues for 24hrs the
wikipage will be updated.

As far as samba-tool is concerned, you will probably have to add
-Udehydrated-service to the command.

Rowland
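
The advice above assembled into one script, as an added example that is not part of the original message or of dhcp-dyndns.sh. The keytab path, cache path, principal and DNS names are the ones Jakob posted; the function names, the `SAMBA_TOOL` variable, the keytab permission check and the umask handling are assumptions added here.

```shell
#!/bin/sh
# Added example: names marked "hypothetical" are not from the thread.
KEYTAB="${KEYTAB:-$HOME/etc/dehydrated-service.keytab}"   # path from the thread
PRINCIPAL="${PRINCIPAL:-dehydrated-service@MY.DOMAIN}"    # principal from the thread
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"                    # hypothetical override hook

# Every Kerberos client started from this shell (klist, kinit, samba-tool)
# reads the cache location from the environment, so no -c option is needed.
KRB5CCNAME="${KRB5CCNAME:-$HOME/tmp/ticket-cache}"
export KRB5CCNAME

# ensure_ticket (hypothetical name): get a TGT from the keytab unless the
# cache already holds a valid one.
ensure_ticket() {
    if [ ! -r "$KEYTAB" ]; then
        echo "keytab $KEYTAB is missing or unreadable" >&2
        return 1
    fi
    # Assumption added here: a keytab is a long-lived secret, so refuse one
    # that group or other can read.
    if [ -n "$(find "$KEYTAB" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "keytab $KEYTAB is readable by group or other" >&2
        return 1
    fi
    # klist -s prints nothing; its exit status says whether the cache named
    # by KRB5CCNAME holds an unexpired ticket.
    if klist -s; then
        return 0
    fi
    old_umask=$(umask)
    umask 077                       # a new cache file is created owner-only
    rc=0
    kinit -F -k -t "$KEYTAB" "$PRINCIPAL" || rc=$?
    umask "$old_umask"
    return "$rc"
}

# add_txt_record (hypothetical name): SERVER ZONE NAME VALUE
add_txt_record() {
    # -U<user> is the addition Rowland suggests; user = principal minus realm.
    "$SAMBA_TOOL" dns add "$1" "$2" "$3" TXT "$4" -k yes -U"${PRINCIPAL%%@*}"
}

# Usage:
#   ensure_ticket && add_txt_record barva.my.domain my.domain jakob-test "TEEEST"
```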

