From 4218137e1eb9e4a5206f7d6c1cc4aca6096516fb Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Tue, 8 Jul 2025 08:39:25 -0500
Subject: [PATCH] r/minio-backups-cert: Fix nsupdate kinit for f42

The version of Samba in Fedora 42 has got some really weird bugs.  In
this case, it seems `net ads kerberos kinit -P` no longer works.  It
prints a vague `NT_STATUS_INTERNAL_ERROR` message, with no other
indication of what went wrong.  Fortunately, it's still possible to get
a ticket-granting ticket for the machine account using the host keytab.
---
 roles/minio-backups-cert/files/nsupdate-auth.sh    | 2 +-
 roles/minio-backups-cert/files/nsupdate-cleanup.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/minio-backups-cert/files/nsupdate-auth.sh b/roles/minio-backups-cert/files/nsupdate-auth.sh
index 720bfa2..57aba52 100755
--- a/roles/minio-backups-cert/files/nsupdate-auth.sh
+++ b/roles/minio-backups-cert/files/nsupdate-auth.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 export KRB5CCNAME=/run/certbot.krb5_ccache
-klist -s || net ads kerberos kinit -P || exit
+klist -s || kinit -kt /etc/krb5.keytab "$(hostname -s | tr a-z A-Z)"'$' || exit
 nsupdate -g <<EOF || exit
 zone $(dnsdomainname)
 update add _acme-challenge.${CERTBOT_DOMAIN} 10 TXT ${CERTBOT_VALIDATION}
diff --git a/roles/minio-backups-cert/files/nsupdate-cleanup.sh b/roles/minio-backups-cert/files/nsupdate-cleanup.sh
index be88f1a..ae8eedc 100755
--- a/roles/minio-backups-cert/files/nsupdate-cleanup.sh
+++ b/roles/minio-backups-cert/files/nsupdate-cleanup.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 export KRB5CCNAME=/run/certbot.krb5_ccache
-klist -s || net ads kerberos kinit -P || exit
+klist -s || kinit -kt /etc/krb5.keytab "$(hostname -s | tr a-z A-Z)"'$' || exit
 
 nsupdate -g <<EOF
 update del _acme-challenge.${CERTBOT_DOMAIN} TXT