Web lists-archives.com

Re: [Samba] samba-tool auth in scripts




 

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> Rowland Penny via samba
> Verzonden: donderdag 10 januari 2019 14:09
> Aan: samba@xxxxxxxxxxxxxxx
> Onderwerp: Re: [Samba] samba-tool auth in scripts
> 
> On Thu, 10 Jan 2019 11:42:46 +0100
> Jakob Lenfers <lenfers@xxxxxxxxxxxxxxxx> wrote:
> 
> > Am 09.01.19 um 14:01 schrieb Rowland Penny via samba:
> > 
> > > Try reading this:
> > > 
> > > 
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_
> records_with_BIND9
> > > 
> > > It's for DHCP updating dns records, but it uses a 
> dedicated user and
> > > kerberos, so it should help you.
> > 
> > Thats exactly what I wanted, thanks. Just a little problem,
> > "samba-tool [...] -k yes" after manual kinit works fine. If 
> I want to
> > use a special ticket cache as in your example, I cannot find an
> > option in man samba-tool to supply that filename and the following
> > command therefore fails (asking for password):
> > 
> > | # init ticket if necessary
> > | klist -c ~/tmp/ticket-cache -s || kinit -F -k -t
> > ~/etc/dehydrated-service.keytab -c ~/tmp/ticket-cache
> > dehydrated-service@MY.DOMAIN
> > | # change records
> > | samba-tool dns add barva.my.domain my.domain jakob-test 
> TXT "TEEEST"
> > -k yes
> > 
> 
> You don't ;-)
> You do what the script should have done (I feel version 0.8.10 will
> soon make an appearance), export the cache to use <export
> KRB5CCNAME="/tmp/dhcp-dyndns.cc"> and then use '$KRB5CCNAME' wherever
> '/tmp/dhcp-dyndns.cc' appears, except for:
> 
> kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc
> "${SETPRINCIPAL}"
> 
> Where all you need is:
> 
> kinit -F -k -t /etc/dhcpduser.keytab "${SETPRINCIPAL}"
> 
> I have updated my dhcp-dyndns.sh script to match the above and it
> appears to be working without errors. If this continues for 24hrs the
> wikipage will be updated.
> 
> As far as samba-tool is concerned, you will probably have to add
> -Udehydrated-service to the command.


Hmm, that will miss the cache file also, maybe this works after the kinit:

su - dehydrated-service -c "samba-tool dns add barva.my.domain my.domain jakob-test TXT 'TEEEST' -k yes"

And dont forget to add this user to DNSAdmins Also. 

Greetz, 

Louis


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba