Web lists-archives.com

Re: [Samba] samba-tool auth in scripts




On Thu, 10 Jan 2019 14:38:11 +0100
"L.P.H. van Belle via samba" <samba@xxxxxxxxxxxxxxx> wrote:

>  
> 
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces@xxxxxxxxxxxxxxx] Namens 
> > Rowland Penny via samba
> > Verzonden: donderdag 10 januari 2019 14:09
> > Aan: samba@xxxxxxxxxxxxxxx
> > Onderwerp: Re: [Samba] samba-tool auth in scripts
> > 
> > On Thu, 10 Jan 2019 11:42:46 +0100
> > Jakob Lenfers <lenfers@xxxxxxxxxxxxxxxx> wrote:
> > 
> > > Am 09.01.19 um 14:01 schrieb Rowland Penny via samba:
> > > 
> > > > Try reading this:
> > > > 
> > > > 
> > https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_
> > records_with_BIND9
> > > > 
> > > > It's for DHCP updating dns records, but it uses a 
> > dedicated user and
> > > > kerberos, so it should help you.
> > > 
> > > Thats exactly what I wanted, thanks. Just a little problem,
> > > "samba-tool [...] -k yes" after manual kinit works fine. If 
> > I want to
> > > use a special ticket cache as in your example, I cannot find an
> > > option in man samba-tool to supply that filename and the following
> > > command therefore fails (asking for password):
> > > 
> > > | # init ticket if necessary
> > > | klist -c ~/tmp/ticket-cache -s || kinit -F -k -t
> > > ~/etc/dehydrated-service.keytab -c ~/tmp/ticket-cache
> > > dehydrated-service@MY.DOMAIN
> > > | # change records
> > > | samba-tool dns add barva.my.domain my.domain jakob-test 
> > TXT "TEEEST"
> > > -k yes
> > > 
> > 
> > You don't ;-)
> > You do what the script should have done (I feel version 0.8.10 will
> > soon make an appearance), export the cache to use <export
> > KRB5CCNAME="/tmp/dhcp-dyndns.cc"> and then use '$KRB5CCNAME'
> > wherever '/tmp/dhcp-dyndns.cc' appears, except for:
> > 
> > kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc
> > "${SETPRINCIPAL}"
> > 
> > Where all you need is:
> > 
> > kinit -F -k -t /etc/dhcpduser.keytab "${SETPRINCIPAL}"
> > 
> > I have updated my dhcp-dyndns.sh script to match the above and it
> > appears to be working without errors. If this continues for 24hrs
> > the wikipage will be updated.
> > 
> > As far as samba-tool is concerned, you will probably have to add
> > -Udehydrated-service to the command.
> 
> 
> Hmm, that will miss the cache file also, maybe this works after the
> kinit:
> 
> su - dehydrated-service -c "samba-tool dns add barva.my.domain
> my.domain jakob-test TXT 'TEEEST' -k yes"
> 
> And dont forget to add this user to DNSAdmins Also. 
> 

If it was run from the command line, yes it wouldn't use the wanted
cache, but in a script you can set the cache to use.

This works for me:

export KRB5CCNAME="/tmp/dhcp-dyndns.cc"; kinit -F -k
-t /etc/dhcpduser.keytab dhcpduser@xxxxxxxxxxxxxxxxxx; samba-tool dns
add dc4.samdom.example.com samdom.example.com devstation TXT 'TEEEST'
-k yes

The above is all one line.

and results in:
Record added successfully

and this in AD:

dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        wDataLength              : 0x0007 (7)
        wType                    : DNS_TYPE_TXT (16)
        version                  : 0x05 (5)
        rank                     : DNS_RANK_ZONE (240)
        flags                    : 0x0000 (0)
        dwSerial                 : 0x000009cc (2508)
        dwTtlSeconds             : 0x00000384 (900)
        dwReserved               : 0x00000000 (0)
        dwTimeStamp              : 0x00000000 (0)
        data                     : union dnsRecordData(case 16)
        txt                      : "TEEEST"

Rowland



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba