First version

rohhie 2022-10-08 13:34:28 +09:00
parent 631e5da180
commit 70277cd596
16 changed files with 1149 additions and 1 deletions

3
.env Normal file
View File

@ -0,0 +1,3 @@
PRIMARYIP=192.168.110.4
SECONDARYIP=192.168.110.34
RESTOREDIP=192.168.110.10

3
.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
backup*.gz
*.bz2
samba/docker-compose.yml
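Review bot: the `samba/docker-compose.yml` pattern only matches when the checkout directory is literally named `samba`, but a `git clone` of this repository lands in `Samba-ad-dc-with-docker/` and the compose files in this commit sit at the repository root, so the per-site copy made with `cp docker-compose.yml.primary docker-compose.yml` is not ignored; use a root-relative `/docker-compose.yml`. Note also that `.env` is not ignored, so the site's host IPs are committed; that is fine for a lab, but if credentials are ever moved into it (see the compose files) it needs adding here too.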

8
Dockerfile Normal file
View File

@ -0,0 +1,8 @@
FROM custom/samba:0.0.1
USER root
ENV LANG=en_US.UTF-8 \
LANGUAGE=en_US:en \
LC_ALL=en_US.UTF-8
ADD entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
COPY ./packages /root/packages
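Review bot: `COPY ./packages /root/packages` bakes the TLS private key (`packages/cert/server.key`, per the README), any backup archives left in `packages/`, and the phpLDAPadmin tarball into an image layer, where they remain in the image history even if deleted later; bind-mount `packages/cert` (and a backup directory) as volumes and copy only the scripts, backed by a `.dockerignore` for `backup*.gz` and `*.bz2`. Prefer `COPY entrypoint.sh /` over `ADD` for a local file, since `ADD` additionally unpacks archives and fetches URLs.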

View File

@ -1,6 +1,6 @@
MIT License
Copyright (c) <year> <copyright holders>
Copyright (c) 2022 rohhie@rohhie.net
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

172
README.md
View File

@ -1,2 +1,174 @@
# Samba-ad-dc-with-docker
## 概要
Samba ad dcをDockerで気軽に利用する。
## 構築方法
### ダウンロード
このリポジトリからソースをダウンロードする。
```
git clone https://gitea.rohhie.net/rohhie/Samba-ad-dc-with-docker.git
```
phpLDAPadminを使用する場合は、バージョン1.2.3をダウンロードする。
```
wget https://github.com/leenooks/phpLDAPadmin/archive/refs/tags/1.2.3.tar.gz -O packages/phpLDAPadmin-1.2.3.tar.gz
```
### ベースとなるイメージを作成する
Samba ad dcイメージのベースとなるイメージを作成する。
スクリプトの修正等でコンテナを作り直す際に、最低限のダウンロードで済ませるため。
```
cd samba
./mkbaseimage
```
### 目的のdocker-compose.ymlを作成する
プライマリーDC、セカンダリーDC、リストアドDCの3種類を用意しているので、いずれかをコピーする。
ここではプライマリーDCについて説明する。
```
cp docker-compose.yml.primary docker-compose.yml
```
### ホストのIPアドレスを設定する
.envにプライマリーDC、セカンダリーDC、リストアドDCのコンテナを動作させるホストのIPアドレスを設定する。
ホームラボのホストが指定してあるので、適宜変更する。
セカンダリーDC、リストアドDCを使わない場合は、未設定で問題はない。
### 動作条件を設定する
docker-compose.ymlで動作条件を設定する。
#### environment:
| 変数名 | 設定内容 |
|---------------|-------------------------------------------------------------|
| SMB_REALM | 管理するレルムの名前 |
| SMB_DOMAIN | レルムのドメイン名 |
| SMB_ADMINPASS | administratorのパスワード |
| SMB_HOSTIP | コンテナを動作させるホストのIPアドレス |
| SMB_RPC_PORTS | RPCで使用するポート範囲 |
| SMB_PURPOSE | "primary"として、プライマリーDCとする |
| SMB_USEBIND9 | DNSの選択 "false":内蔵 "true":BIND9 |
| RSY_SECONDARY | セカンダリーのIPアドレス<br>SMB_PURPOSEが"true"の場合に有効 |
| RSY_PASS | セカンダリーからrsyncする際のパスワード |
※SMB_PURPOSEは、"secondary"と"restore"を指定可能だが、それぞれ別にymlを用意してあるので、それを使うこと。
#### ports:
IPアドレスを指定してポートをマッピングしている。
ここには、コンテナを動作させるホストのIPアドレスを設定する。
#### dns:
Samba ad dcが名前解決でフォワードするDNSのIPアドレスを設定する。
ホームラボのDNSを指定してあるので、適宜変更する。
### 証明書類を準備する
ドメインで使用する証明書類をsamba/packages/cert に配置する。
証明書の名前は以下の通り固定。変更する場合は、config-primary.shを変更すること。
| ファイル |内容 |
|------------|-----------------------------------------------------------|
| ca.crt |認証局の証明書。 |
| server.crt |Samba ad dcの証明書。ca.crtの認証局が署名したものを想定。 |
| server.key |Samba ad dcの秘密鍵。パスワードは外しておく。 |
| ca.crl |ca.crtの認証局が発行するcertificate revocation list(CRL)。 |
※ca.crlの設置は必須ではない。
これらのファイルを設置すれば、LDAPとLDAPSが使えるようになる。
なければ、LDAPが使える。
### ファイアウォールの設定
コンテナからホストへのアクセスを許可する。
コンテナのIPアドレスはdocker-compose.ymlで指定したもの。
変更した場合には、fromのIPアドレスを書き換えること。
また、toはコンテナを動作させるホストのIPアドレスを指定する。
```
sudo ufw allow from 172.26.0.101 to 192.168.110.4 comment "From container"
```
### コンテナを起動
コンテナを構築して起動する。
```
sudo docker compose up -d --build
```
### Apacheの設定(必須ではない)
phpLDAPadminとLDAP Account Managerのポート8081にリバースプロキシ設定する設定の例。
コンテナを動かすホストにApacheをインストールしている。
証明書と秘密鍵は、環境にあったものを準備して設定。
/etc/apache2/sites-available/myservice.conf
```
<VirtualHost *:443>
ServerAdmin webmaster@hogeserver.hogeddns.jp
ServerName addc.hogeserver.hogeddns.jp
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ProxyPreserveHost On
ProxyPass /phpldapadmin http://localhost:8081/phpldapadmin
ProxyPassReverse /phpldapadmin http://localhost:8081/phpldapadmin
ProxyPass /lam http://localhost:8081/lam
ProxyPassReverse /lam http://localhost:8081/lam
# SSL
SSLEngine on
SSLCertificateFile /etc/ssl/private/wild.hoge.crt
SSLCertificateKeyFile /etc/ssl/private/wild.hoge.key
</VirtualHost>
```
この設定を反映する。
```
sudo a2ensite myservice
sudo a2enmod proxy_http ssl
sudo systemctl restart apache2
```
なお、リバースプロキシ設定せずに、8081ポートに直接アクセスすることもできる。
## 使用方法
コンテナの中で自由にコマンドが実行できる。
```
sudo docker exec -it samba bash --login
```
phpLDAPadminにはブラウザでアクセスできる。ドメイン部分は環境に合わせる。
https://addc.hogeserver.hogeddns.jp/phpldapadmin
LDAP Account Managerも同様。
https://addc.hogeserver.hogeddns.jp/lam
## その他
細かな設定手順や使い方、セカンダリーDCやリストアドDCを動作させる手順は、メインサイト参照。
https://rohhie.net/samba-ad-dc-with-docker/
## ライセンス
MIT
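Review bot: the build steps do not match the files in this commit: the README says `cd samba` and `./mkbaseimage`, but the script is `mkbaseimage.sh` at the repository root (a clone lands in `Samba-ad-dc-with-docker/`), and the certificate path `samba/packages/cert` likewise should be `packages/cert`. In the environment table, the `RSY_SECONDARY` row says the value is used when `SMB_PURPOSE` is `"true"`; it should read `"primary"`. The closing remark that port 8081 can be used directly without the reverse proxy should say that this path is plain HTTP, so the administrator credentials typed into phpLDAPadmin or LAM cross the LAN unencrypted; the TLS-terminating proxy is the reason the port should not be reachable from other hosts at all.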

33
baseimage/Dockerfile Normal file
View File

@ -0,0 +1,33 @@
FROM ubuntu:jammy
USER root
ENV DEBIAN_FRONTEND=noninteractive
RUN apt update && \
apt upgrade -y && \
apt install -y \
apache2 \
bind9 \
dnsutils \
iproute2 \
iputils-ping \
krb5-user \
ldap-account-manager \
ldap-utils \
ldb-tools \
libnss-winbind \
libpam-winbind \
locales \
phpldapadmin \
rsync \
samba \
smbclient \
tzdata \
vim \
winbind && \
echo "deb https://ppa.launchpadcontent.net/ondrej/php/ubuntu/ jammy main" > /etc/apt/sources.list.d/ondrej-ubuntu-php-jammy.list && \
echo "# deb-src https://ppa.launchpadcontent.net/ondrej/php/ubuntu/ jammy main" >> /etc/apt/sources.list.d/ondrej-ubuntu-php-jammy.list && \
gpg --keyserver hkps://keyserver.ubuntu.com --recv-key 4F4EA0AAE5267A6C && \
gpg -a --export 4F4EA0AAE5267A6C | gpg --dearmour -o /etc/apt/trusted.gpg.d/ondrej.gpg && \
apt update && \
apt install -y \
php7.3 php7.3-ldap php7.3-xml php7.3-imagick php7.3-mbstring php7.3-gmp php7.3-zip && \
locale-gen en_US.UTF-8
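Review bot: the second `apt install` pulls PHP 7.3 from the ondrej PPA, a release that reached end of life in December 2021 and receives no security fixes, to serve phpLDAPadmin 1.2.3 on the published port 8081; if the line-patched phpLDAPadmin really needs 7.3, say so in the README and keep the UI off the LAN. The PPA key is fetched from a keyserver at build time and `apt upgrade` is unpinned, so the base image is not reproducible; consider committing the key with its fingerprint checked, and add `rm -rf /var/lib/apt/lists/*` after the final install to keep the layer small.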

View File

@ -0,0 +1,73 @@
version: "3.9"
services:
samba:
build: ./
image: custom/samba:1.0.0
container_name: samba
restart: unless-stopped
environment:
TZ: Asia/Tokyo
SMB_REALM: HOGESERVER.HOGEDDNS.JP
SMB_DOMAIN: HOGEDOMAIN
SMB_ADMINPASS: p@ssword123
SMB_HOSTIP: ${PRIMARYIP}
SMB_RPC_PORTS: 49152-49200
SMB_PURPOSE: "primary"
SMB_USEBIND9: "false"
#RSY_SECONDARY: ${SECONDARYIP}
#RSY_PASS: p@ssword234
volumes:
- samba_etc:/etc/samba
- samba_lib:/var/lib/samba
- bind_etc:/etc/bind
- bind_lib:/var/lib/bind
- lam:/var/lib/ldap-account-manager
networks:
samba:
ipv4_address: 172.26.0.101
ports:
- ${PRIMARYIP}:53:53 #DNS
- ${PRIMARYIP}:53:53/udp #DNS
- ${PRIMARYIP}:135:135 #End Point Mapper(WINS)
- ${PRIMARYIP}:137:137/udp #NetBIOS Name Service
- ${PRIMARYIP}:138:138/udp #NetBIOS Datagram
- ${PRIMARYIP}:139:139 #NetBIOS Session
- ${PRIMARYIP}:445:445 #SMB over TCP
- ${PRIMARYIP}:389:389 #LDAP
- ${PRIMARYIP}:389:389/udp #LDAP
- ${PRIMARYIP}:636:636 #LDAPS
- ${PRIMARYIP}:88:88 #Kerberos
- ${PRIMARYIP}:88:88/udp #Kerberos
- ${PRIMARYIP}:464:464 #Kerberos kpasswd
- ${PRIMARYIP}:464:464/udp #Kerberos kpasswd
- ${PRIMARYIP}:3268:3268 #Global Catalog
- ${PRIMARYIP}:3269:3269 #Global Catalog SSL
#RPC The same value as SMB_RPC_PORTS.
- ${PRIMARYIP}:49152-49200:49152-49200
- 873:873 #rsync
- 8081:80 #phpLDAPadmin & LDAP Account Manager
hostname: addc
dns:
- 192.168.110.1
dns_search:
- hogeserver.hogeddns.jp
privileged: true
devices:
- /dev/net/tun
cap_add:
- NET_ADMIN
networks:
samba:
ipam:
config:
- subnet: 172.26.0.0/16
gateway: 172.26.0.1
volumes:
samba_etc:
samba_lib:
bind_etc:
bind_lib:
lam:
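Review bot: `SMB_ADMINPASS: p@ssword123` and the commented `RSY_PASS` are plain-text credentials inside a template that is committed and then copied per site; take them from `.env` (`SMB_ADMINPASS: ${SMB_ADMINPASS}`) or Docker secrets so the templates carry no passwords. Two published ports ignore `${PRIMARYIP}`: `873:873` (rsyncd, protected only by `hosts allow`) and `8081:80` (phpLDAPadmin/LAM over plain HTTP) bind to 0.0.0.0 on every host interface; use `${PRIMARYIP}:873:873` and `127.0.0.1:8081:80` respectively. `privileged: true` also makes `cap_add: NET_ADMIN` and the `devices:` entry redundant; if privileged mode is only there for `/dev/net/tun`, drop it and keep the narrower grants.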

View File

@ -0,0 +1,71 @@
version: "3.9"
services:
samba:
#image: ubuntu:jammy
build: ./
image: custom/samba:1.0.0
container_name: samba
restart: unless-stopped
environment:
TZ: Asia/Tokyo
SMB_REALM: HOGESERVER.HOGEDDNS.JP
SMB_DOMAIN: HOGEDOMAIN
SMB_ADMINPASS: p@ssword123
SMB_HOSTIP: ${RESTOREDIP}
SMB_RPC_PORTS: 49152-49200
SMB_PURPOSE: "restore"
volumes:
- samba_etc:/etc/samba
- samba_lib:/var/lib/samba
- bind_etc:/etc/bind
- bind_lib:/var/lib/bind
- lam:/var/lib/ldap-account-manager
networks:
samba:
ipv4_address: 172.26.0.103
ports:
- ${RESTOREDIP}:53:53 #DNS
- ${RESTOREDIP}:53:53/udp #DNS
- ${RESTOREDIP}:135:135 #End Point Mapper(WINS)
- ${RESTOREDIP}:137:137/udp #NetBIOS Name Service
- ${RESTOREDIP}:138:138/udp #NetBIOS Datagram
- ${RESTOREDIP}:139:139 #NetBIOS Session
- ${RESTOREDIP}:445:445 #SMB over TCP
- ${RESTOREDIP}:389:389 #LDAP
- ${RESTOREDIP}:389:389/udp #LDAP
- ${RESTOREDIP}:636:636 #LDAPS
- ${RESTOREDIP}:88:88 #Kerberos
- ${RESTOREDIP}:88:88/udp #Kerberos
- ${RESTOREDIP}:464:464 #Kerberos kpasswd
- ${RESTOREDIP}:464:464/udp #Kerberos kpasswd
- ${RESTOREDIP}:3268:3268 #Global Catalog
- ${RESTOREDIP}:3269:3269 #Global Catalog SSL
#RPC The same value as SMB_RPC_PORTS.
- ${RESTOREDIP}:49152-49200:49152-49200
- 873:873 #rsync
- 8081:80 #phpLDAPadmin & LDAP Account Manager
hostname: addcr
dns:
- 192.168.110.1
dns_search:
- hogeserver.hogeddns.jp
privileged: true
devices:
- /dev/net/tun
cap_add:
- NET_ADMIN
networks:
samba:
ipam:
config:
- subnet: 172.26.0.0/16
gateway: 172.26.0.1
volumes:
samba_etc:
samba_lib:
bind_etc:
bind_lib:
lam:
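Review bot: `SMB_USEBIND9` is not set in this file, but `entrypoint.sh` tests `[ $SMB_USEBIND9 = "true" ]` unquoted, which with the variable unset expands to `[ = "true" ]` and prints "unary operator expected" (the `if` then takes the false branch, so it works by accident); add `SMB_USEBIND9: "false"` here or quote the variable in the entrypoint. The `873:873` mapping is dead for the restore role, since the entrypoint starts `rsync --daemon` only when `SMB_PURPOSE` is `primary`; drop it. As in the primary file, `8081:80` and the hard-coded `SMB_ADMINPASS` need the same treatment.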

View File

@ -0,0 +1,75 @@
version: "3.9"
services:
samba:
build: ./
image: custom/samba:1.0.0
container_name: samba
restart: unless-stopped
environment:
TZ: Asia/Tokyo
SMB_REALM: HOGESERVER.HOGEDDNS.JP
SMB_DOMAIN: HOGEDOMAIN
SMB_ADMINPASS: p@ssword123
SMB_HOSTIP: ${SECONDARYIP}
SMB_RPC_PORTS: 49152-49200
SMB_PURPOSE: "secondary"
SMB_USEBIND9: "false"
RSY_PRIMARY: ${PRIMARYIP}
RSY_PASS: p@ssword234
volumes:
- samba_etc:/etc/samba
- samba_lib:/var/lib/samba
- bind_etc:/etc/bind
- bind_lib:/var/lib/bind
- lam:/var/lib/ldap-account-manager
networks:
samba:
ipv4_address: 172.26.0.102
ports:
- ${SECONDARYIP}:53:53 #DNS
- ${SECONDARYIP}:53:53/udp #DNS
- ${SECONDARYIP}:135:135 #End Point Mapper(WINS)
- ${SECONDARYIP}:137:137/udp #NetBIOS Name Service
- ${SECONDARYIP}:138:138/udp #NetBIOS Datagram
- ${SECONDARYIP}:139:139 #NetBIOS Session
- ${SECONDARYIP}:445:445 #SMB over TCP
- ${SECONDARYIP}:389:389 #LDAP
- ${SECONDARYIP}:389:389/udp #LDAP
- ${SECONDARYIP}:636:636 #LDAPS
- ${SECONDARYIP}:88:88 #Kerberos
- ${SECONDARYIP}:88:88/udp #Kerberos
- ${SECONDARYIP}:464:464 #Kerberos kpasswd
- ${SECONDARYIP}:464:464/udp #Kerberos kpasswd
- ${SECONDARYIP}:3268:3268 #Global Catalog
- ${SECONDARYIP}:3269:3269 #Global Catalog SSL
#RPC The same value as SMB_RPC_PORTS.
- ${SECONDARYIP}:49152-49200:49152-49200
- 8081:80 #phpLDAPadmin & LDAP Account Manager
hostname: addc2
dns:
- ${PRIMARYIP} #Used for domain to join
#- 192.168.110.1 #Used for normal operation
dns_search:
- hogeserver.hogeddns.jp
privileged: true
devices:
- /dev/net/tun
cap_add:
- NET_ADMIN
networks:
samba:
ipam:
config:
- subnet: 172.26.0.0/16
gateway: 172.26.0.1
volumes:
samba_etc:
samba_lib:
bind_etc:
bind_lib:
lam:
# private:
# sysvol:
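Review bot: `dns:` lists only `${PRIMARYIP}`, with a comment that it must be switched to `192.168.110.1` after the join, which makes a second manual edit a silent prerequisite for normal operation; list both servers so the container keeps a working upstream whether or not the primary is up, or document the switch in the README. The trailing commented-out `private:`/`sysvol:` volume names are leftovers and can go. The plain-text `SMB_ADMINPASS`/`RSY_PASS` and the all-interfaces `8081:80` binding carry over from the primary template and deserve the same fix.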

53
entrypoint.sh Executable file
View File

@ -0,0 +1,53 @@
#!/bin/bash
echo "Start Samba container with parameter : $@"
trap sig_term SIGTERM
sig_term() {
echo "CATCH SIGTERM"
pkill -SIGTERM ^samba$
/usr/sbin/apachectl stop
case $SMB_PURPOSE in
"primary")
pkill -SIGTERM ^rsync$
;;
"secondary")
pkill -SIGTERM ^cron$
;;
esac
if [ $SMB_USEBIND9 = "true" ]; then
/usr/sbin/rndc stop
fi
wait
exit 0
}
# Make configuration
case $SMB_PURPOSE in
"primary") /root/packages/config-primary.sh;;
"secondary") /root/packages/config-secondary.sh;;
"restore") /root/packages/config-restore.sh;;
*) echo "Purporse do not match. : "$SMB_PURPOSE
esac
# Execute paramater.
exec "$@"
# Start services.
/usr/sbin/samba --interactive --no-process-group &
/usr/sbin/apachectl start
case $SMB_PURPOSE in
"primary")
/usr/bin/rsync --daemon --no-detach &
;;
"secondary")
/usr/sbin/cron
;;
esac
if [ $SMB_USEBIND9 = "true" ]; then
/usr/sbin/named -u bind
fi
# Infinity roop.
while : ; do sleep 1 ; done
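Review bot: `exec "$@"` under `# Execute paramater.` replaces the shell whenever an argument is given, so `docker run ... bash` never reaches the service start-up below it; if an override command is meant to be supported, run it after the services, or `exec` it only for an explicit subcommand. The four `[ $SMB_USEBIND9 = "true" ]` tests need `"$SMB_USEBIND9"` quoted: the restore compose file does not set it, and an unset variable turns the test into `[ = "true" ]` with an "unary operator expected" error. The config scripts' exit status is discarded by the `case`, so a failed provision or join still starts `samba` against a missing `smb.conf`; check `$?` after the `case` and exit. Typos: `Purporse`, `paramater`, `roop`.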

3
mkbaseimage.sh Executable file
View File

@ -0,0 +1,3 @@
#!/bin/bash
cd $(dirname ${0})
sudo docker build -t custom/samba:0.0.1 -f $PWD/baseimage/Dockerfile .
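Review bot: the build context is the repository root (`.`), so everything under `packages/`, including certificates, the private key and any backup archives, is sent to the Docker daemon on every base-image build even though `baseimage/Dockerfile` copies none of it; pass `baseimage/` as the context, or add a `.dockerignore` covering `packages/cert`, `backup*.gz` and `*.bz2`. `cd $(dirname ${0})` should be quoted (`cd "$(dirname "$0")"`), and the README invokes this script as `./mkbaseimage`, without the `.sh`.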

46
packages/backup.sh Executable file
View File

@ -0,0 +1,46 @@
#!/bin/bash
# Stop the samba process.
pkill -SIGTERM ^samba$
while
pgrep ^samba$
[ $? -eq 0 ]
do
echo "wait..."
sleep 1
done
# Create backup files.
TMP_TARGET=/root/packages/backup-$(hostname)-$(date +'%Y-%m-%d-%H-%M-%S').tar
# Samba
# Configuration.
cd /
tar -cvf $TMP_TARGET etc/samba --xattrs
# Private directory.
cd /var/
tar -uvf $TMP_TARGET lib/samba/private --xattrs --warning=no-file-ignored
# SysVol directory.
cd ./lib/samba/
find ./sysvol -exec bash -c 'TMP=$(samba-tool ntacl get "{}" --as-sddl); echo "samba-tool ntacl set \"$TMP\" \"{}\""' \; > NTACL
cd ../../
tar -uvf $TMP_TARGET lib/samba/sysvol lib/samba/NTACL lib/samba/bind-dns --xattrs
rm NTACL
# Bind
# Configuration.
cd /
tar -uvf $TMP_TARGET etc/bind --xattrs
# Lib directory
cd /var/
tar -uvf $TMP_TARGET lib/bind --xattrs
# Compress.
gzip $TMP_TARGET
# Finish.
/usr/sbin/samba --interactive --no-process-group &
echo "Backed up."
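Review bot: the archive written here (`backup-<host>-<date>.tar.gz`) is not what `config-restore.sh` consumes: that script globs `samba-backup-*`, the naming of `samba-tool domain backup` output, and hands it to `samba-tool domain backup restore`, which expects that tool's layout; either describe this as a manual backup in the README or build the restore around it. The tar includes `lib/samba/private` (`sam.ldb` with password hashes, `secrets.tdb`, `tls/server.key`) unencrypted under `/root/packages`, a path inside the image layer rather than a volume; write it to a mounted directory and consider encrypting it. In the NTACL capture, `{}` is interpolated into a `bash -c` string, so a path containing `"` or `$` breaks the command; use `-exec bash -c '... "$1" ...' _ {} \;`. `while pgrep ^samba$; [ $? -eq 0 ]; do` is simply `while pgrep -x samba >/dev/null; do`, and since any failing `tar` still falls through to the samba restart, add `set -e` or check the result before restarting.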

194
packages/config-primary.sh Executable file
View File

@ -0,0 +1,194 @@
#!/bin/bash
echo "Primary domain controller settings."
#----------------------------------------------------------------------
# New volumes.
#----------------------------------------------------------------------
if [ -z "$(ls /var/lib/samba/private)" ]; then
echo "New volumes."
# Make provision parameters.
SMB_TMP_PARAM="
--use-rfc2307
--realm=$SMB_REALM
--domain=$SMB_DOMAIN
--server-role=dc
--adminpass=$SMB_ADMINPASS
--option=\"dns forwarder = 127.0.0.11\"
--option=\"dns update command = /usr/sbin/samba_dnsupdate --current-ip $SMB_HOSTIP\"
--option=\"template homedir = /home/%D/%U\"
--option=\"template shell = /bin/bash\"
--option=\"winbind enum users = yes\"
--option=\"winbind enum groups = yes\"
--option=\"idmap config $SMB_DOMAIN:unix_nss_info = yes\"
--option=\"idmap config $SMB_DOMAIN:unix_primary_group = yes\"
--option=\"rpc server dynamic port range = $SMB_RPC_PORTS\"
--host-ip=$SMB_HOSTIP
"
if [ $SMB_USEBIND9 = "true" ]; then
SMB_TMP_PARAM+=" --dns-backend=BIND9_DLZ"
else
SMB_TMP_PARAM+=" --dns-backend=SAMBA_INTERNAL"
fi
# LDAPS settings.
mkdir /var/lib/samba/private/tls/
TMP_LDAPS=0
cp -a /root/packages/cert/ca.crt /usr/local/share/ca-certificates/ && \
update-ca-certificates && \
TMP_LDAPS=$(($TMP_LDAPS | 0x01)) && \
SMB_TMP_PARAM+=" --option=\"tls cafile = /usr/local/share/ca-certificates/ca.crt\""
cp -a /root/packages/cert/server.crt /var/lib/samba/private/tls/ && \
TMP_LDAPS=$(($TMP_LDAPS | 0x02)) && \
SMB_TMP_PARAM+=" --option=\"tls certfile = /var/lib/samba/private/tls/server.crt\""
cp -a /root/packages/cert/server.key /var/lib/samba/private/tls/ && \
TMP_LDAPS=$(($TMP_LDAPS | 0x04)) && \
chmod 600 /var/lib/samba/private/tls/server.key && \
SMB_TMP_PARAM+=" --option=\"tls keyfile = /var/lib/samba/private/tls/server.key\""
cp -a /root/packages/cert/ca.crl /var/lib/samba/private/tls/ && \
TMP_LDAPS=$(($TMP_LDAPS | 0x08)) && \
SMB_TMP_PARAM+=" --option=\"tls crlfile = /var/lib/samba/private/tls/ca.crl\""
if [ $(($TMP_LDAPS & 0x07)) -eq 7 ]; then
echo "Enable LDAPS."
SMB_TMP_PARAM+=" --option=\"tls enabled = true\"
--option=\"tls verify peer = as_strict_as_possible\"
"
else
echo "Disable Strong Auth."
SMB_TMP_PARAM+="
--option=\"ldap server require strong auth = no\"
"
fi
set -f
SMB_TMP_PARAM=$(echo $SMB_TMP_PARAM)
#echo "provision parameters: $SMB_TMP_PARAM"
set +f
# Domain service settings.
mv --backup=numbered /etc/samba/smb.conf /etc/samba/smb.conf.bak
eval samba-tool domain provision "$SMB_TMP_PARAM"
if [ $? -ne 0 ]; then exit 0; fi
# Stop needlessly complicated passwords.
samba-tool domain passwordsettings set \
--complexity=off \
--history-length=0 \
--min-pwd-length=8 \
--min-pwd-age=0 \
--max-pwd-age=0
fi
#----------------------------------------------------------------------
# Volumes is left.
#----------------------------------------------------------------------
if [ ! -e /root/packages/configured ]; then
echo "New container."
# Register CA certificates.
cp -a /root/packages/cert/ca.crt /usr/local/share/ca-certificates/ && \
update-ca-certificates
# Authentication sttings.
sed -i "s/^\(passwd: \+\)[a-z ]\+$/\1compat winbind/" /etc/nsswitch.conf
sed -i "s/^\(group: \+\)[a-z ]\+$/\1compat winbind/" /etc/nsswitch.conf
# Copy krb5.conf
mv --backup=numbered /etc/krb5.conf /etc/krb5.conf.bak
cp /var/lib/samba/private/krb5.conf /etc/
# Make rsync configuration.
cat <<EOF > /etc/rsyncd.conf
[SysVol]
path = /var/lib/samba/sysvol/
comment = Samba Sysvol Share
uid = root
gid = root
hosts allow = $RSY_SECONDARY
hosts deny = *
read only = yes
auth users = sysvol-replication
secrets file = /etc/rsyncd.secret
EOF
cat <<EOF > /etc/rsyncd.secret
sysvol-replication:$RSY_PASS
EOF
chmod 600 /etc/rsyncd.secret
# Suppress apache warning.
echo "ServerName localhost" | tee /etc/apache2/conf-available/fqdn.conf
a2enconf fqdn
# Setup phpLdapAdmin.
if [ -e /root/packages/phpLDAPadmin-1.2.3.tar.gz ]; then
a2dismod php8.1
a2enmod php7.3
tar zxf /root/packages/phpLDAPadmin-1.2.3.tar.gz -C /var/www/
mv /var/www/phpLDAPadmin-1.2.3 /var/www/phpldapadmin
cp /etc/phpldapadmin/apache.conf /etc/phpldapadmin/apache.conf.bak
sed -i "s@/usr/share/phpldapadmin/htdocs@/var/www/phpldapadmin@g" /etc/phpldapadmin/apache.conf
cp /var/www/phpldapadmin/config/config.php.example /var/www/phpldapadmin//config/config.php
if [ $(grep "tls verify peer = as_strict_as_possible" /etc/samba/smb.conf -c) -ne 0 ]; then
sed -i "$ i\$servers->setValue('server','host','ldaps://$(hostname).${SMB_REALM,,}');" /var/www/phpldapadmin/config/config.php
else
sed -i "$ i\$servers->setValue('server','host','ldap://$(hostname).${SMB_REALM,,}');" /var/www/phpldapadmin/config/config.php
fi
sed -i "$ i\$servers->setValue('login','bind_id','administrator@${SMB_REALM,,}');" /var/www/phpldapadmin/config/config.php
sed -i "$ i\$config->custom->appearance['hide_template_warning'] = true;" /var/www/phpldapadmin/config/config.php
sed -i "s/\$servers->setValue('server','name','My LDAP Server');/\$servers->setValue('server','name','$SMB_DOMAIN');/" /var/www/phpldapadmin/config/config.php
# Customize phpLDAPadmin
# for PHP7.0
sed -i "s/password_hash/password_hash_custom/g" /var/www/phpldapadmin/lib/*
sed -i '2567d; 2568d; 2569i \\t\tforeach ($dn as $key => $rdn) {\n\t\t\t$a[$key] = preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return '\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $rdn\'');\n\t\t}' /var/www/phpldapadmin/lib/functions.php
sed -i '2574c \\t\treturn preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return'\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $dn);' /var/www/phpldapadmin/lib/functions.php
sed -i '1119d; 1120d; 1121i \\t\t\tforeach ($dn as $key => $rdn) {\n\t\t\t\t$a[$key] = preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return '\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $rdn\'');\n\t\t\t}' /var/www/phpldapadmin/lib/ds_ldap.php
sed -i '1126c \\t\t\treturn preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return'\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $dn);' /var/www/phpldapadmin/lib/ds_ldap.php
# for PHP7.3
sed -i '54c function my_autoload($className) {' /var/www/phpldapadmin/lib/functions.php
sed -i '777c spl_autoload_register("my_autoload");' /var/www/phpldapadmin/lib/functions.php
sed -i '1083c \\t\t$CACHE[$sortby] = __create_function('\''$a, $b'\'',$code);' /var/www/phpldapadmin/lib/functions.php
sed -i '1091a function __create_function($arg, $body) {\n\tstatic $cache = array();\n\tstatic $maxCacheSize = 64;\n\tstatic $sorter;\n\n\tif ($sorter === NULL) {\n\t\t$sorter = function($a, $b) {\n\t\t\tif ($a->hits == $b->hits) {\n\t\t\t\treturn 0;\n\t\t\t}\n\n\t\t\treturn ($a->hits < $b->hits) ? 1 : -1;\n\t\t};\n\t}\n\n\t$crc = crc32($arg . "\\\\x00" . $body);\n\n\tif (isset($cache[$crc])) {\n\t\t++$cache[$crc][1];\n\t\treturn $cache[$crc][0];\n\t}\n\n\tif (sizeof($cache) >= $maxCacheSize) {\n\t\tuasort($cache, $sorter);\n\t\tarray_pop($cache);\n\t}\n\n\t$cache[$crc] = array($cb = eval('\''return function('\''.$arg.'\''){'\''.$body.'\''};'\''), 0);\n\treturn $cb;\n}\n' /var/www/phpldapadmin/lib/functions.php
fi
# Mark as configured.
touch /root/packages/configured
fi
#----------------------------------------------------------------------
# Container and Volumes is left.
#----------------------------------------------------------------------
echo "Setting to do every time"
# Resolver settings.
cp /etc/resolv.conf /root/packages/resolv.conf
sed -i "s/nameserver 127.0.0.11/nameserver 127.0.0.1/" /root/packages/resolv.conf
cat /root/packages/resolv.conf > /etc/resolv.conf
# Switch DNS backend.
if [ $SMB_USEBIND9 = "true" ]; then
if [ ! -e /var/lib/samba/bind-dns/named.conf ]; then
samba_upgradedns --dns-backend=BIND9_DLZ
fi
# Make bind9 configuration.
if [ $(grep "bind-dns" /etc/bind/named.conf -c) -eq 0 ]; then
cp -a /etc/bind/named.conf /etc/bind/named.conf.bak
sed -i "\$a include \"/var/lib/samba/bind-dns/named.conf\";" /etc/bind/named.conf
cp -a /etc/bind/named.conf.options /etc/bind/named.conf.options.bak
sed -i "/listen-on-v6/a\\\n\tforwarders { 127.0.0.11; };\n\tallow-query { any; };\n\tallow-transfer { none; };\n\ttkey-gssapi-keytab \"/var/lib/samba/bind-dns/dns.keytab\";\n\tminimal-responses yes;" /etc/bind/named.conf.options
cp -a /etc/bind/named.conf.local /etc/bind/named.conf.local.bak
sed -i "s@^//include@include@" /etc/bind/named.conf.local
fi
if [[ $(grep -c "server services" /etc/samba/smb.conf) -eq 0 ]]; then
sed -i "9a\\\tserver services = -dns" /etc/samba/smb.conf
fi
else
if [ -e /var/lib/samba/bind-dns/named.conf ]; then
samba_upgradedns --dns-backend=SAMBA_INTERNAL
sed -i "/server services/d" /etc/samba/smb.conf
fi
fi
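Review bot: `if [ $? -ne 0 ]; then exit 0; fi` after `samba-tool domain provision` reports success to the entrypoint, which then starts `samba` without a valid `smb.conf`; exit non-zero so the container stops and the log shows the failure. When `ca.crt`, `server.crt` and `server.key` are not all present, the script silently provisions with `ldap server require strong auth = no`, which permits simple (password) binds without TLS on port 389, a port this stack publishes on the host IP; make that an explicit opt-in (for example an environment variable) rather than the fallback. The same applies to `samba-tool domain passwordsettings set --complexity=off --history-length=0 --min-pwd-length=8 --min-pwd-age=0 --max-pwd-age=0`, which disables most of the default domain password policy. `sed -i "9a\\\tserver services = -dns"` relies on the first nine lines of `smb.conf`; insert after the `[global]` line as `config-restore.sh` does. `--adminpass=$SMB_ADMINPASS` on the `eval`ed command line is also visible in `ps` during provisioning.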

120
packages/config-restore.sh Executable file
View File

@ -0,0 +1,120 @@
#!/bin/bash
echo "Restore domain controller settings."
#----------------------------------------------------------------------
# New volumes.
#----------------------------------------------------------------------
if [ -z "$(ls /var/lib/samba/private)" ]; then
echo "New volumes."
if [ $(ls /root/packages/samba-backup-* | wc -w) -ne 1 ]; then
echo "There must be one backup file."
exit 0
fi
samba-tool domain backup restore \
--backup-file=$(ls /root/packages/samba-backup-*) \
--newservername=$(hostname) \
--targetdir=/root/packages/restore \
--host-ip=$SMB_HOSTIP
mv /root/packages/restore/etc/* /etc/samba/
rmdir /root/packages/restore/etc
mv /root/packages/restore/private/* /var/lib/samba/private/
rmdir /root/packages/restore/private
mv /root/packages/restore/state/sysvol /var/lib/samba/
mv /root/packages/restore/state/bind-dns /var/lib/samba/
mv /root/packages/restore/state/*.tdb /var/lib/samba/
rmdir /root/packages/restore/state
rm /root/packages/restore/gencache.tdb
rm /root/packages/restore/backup.txt
rmdir /root/packages/restore
sed -i "/binddns dir/d" /etc/samba/smb.conf
sed -i "/cache directory/d" /etc/samba/smb.conf
sed -i "/lock directory/d" /etc/samba/smb.conf
sed -i "/private dir/d" /etc/samba/smb.conf
sed -i "/state directory/d" /etc/samba/smb.conf
sed -i "s/--current-ip [0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}/--current-ip $SMB_HOSTIP/" /etc/samba/smb.conf
sed -i "s@/root/packages/restore/state/sysvol@/var/lib/samba/sysvol@g" /etc/samba/smb.conf
# Change the DNS back end to internal.
if [ -e /var/lib/samba/bind-dns/named.conf ]; then
samba_upgradedns --dns-backend=samba_internal
sed -i "/server services/d" /etc/samba/smb.conf
fi
fi
#----------------------------------------------------------------------
# Volumes is left.
#----------------------------------------------------------------------
if [ ! -e /root/packages/configured ]; then
echo "New container."
# Register CA certificates.
cp -a /root/packages/cert/ca.crt /usr/local/share/ca-certificates/ && \
update-ca-certificates
# Authentication sttings.
sed -i "s/^\(passwd: \+\)[a-z ]\+$/\1compat winbind/" /etc/nsswitch.conf
sed -i "s/^\(group: \+\)[a-z ]\+$/\1compat winbind/" /etc/nsswitch.conf
# Copy krb5.conf
mv --backup=numbered /etc/krb5.conf /etc/krb5.conf.bak
cp /var/lib/samba/private/krb5.conf /etc/
# Suppress apache warning.
echo "ServerName localhost" | tee /etc/apache2/conf-available/fqdn.conf
a2enconf fqdn
# Setup phpLdapAdmin.
if [ -e /root/packages/phpLDAPadmin-1.2.3.tar.gz ]; then
a2dismod php8.1
a2enmod php7.3
if [ $(grep "ldap server require strong auth" /etc/samba/smb.conf -c) -ne 0 ]; then
sed -i "/ldap server require strong auth/d" /etc/samba/smb.conf
fi
sed -i "/\[global\]/a \\\tldap server require strong auth = no" /etc/samba/smb.conf
tar zxf /root/packages/phpLDAPadmin-1.2.3.tar.gz -C /var/www/
mv /var/www/phpLDAPadmin-1.2.3 /var/www/phpldapadmin
cp /etc/phpldapadmin/apache.conf /etc/phpldapadmin/apache.conf.bak
sed -i "s@/usr/share/phpldapadmin/htdocs@/var/www/phpldapadmin@g" /etc/phpldapadmin/apache.conf
cp /var/www/phpldapadmin/config/config.php.example /var/www/phpldapadmin//config/config.php
sed -i "$ i\$servers->setValue('server','host','ldap://127.0.0.1');" /var/www/phpldapadmin/config/config.php
sed -i "$ i\$servers->setValue('login','bind_id','administrator@${SMB_REALM,,}');" /var/www/phpldapadmin/config/config.php
sed -i "$ i\$config->custom->appearance['hide_template_warning'] = true;" /var/www/phpldapadmin/config/config.php
sed -i "s/\$servers->setValue('server','name','My LDAP Server');/\$servers->setValue('server','name','$SMB_DOMAIN');/" /var/www/phpldapadmin/config/config.php
# Customize phpLDAPadmin
# for PHP7.0
sed -i "s/password_hash/password_hash_custom/g" /var/www/phpldapadmin/lib/*
sed -i '2567d; 2568d; 2569i \\t\tforeach ($dn as $key => $rdn) {\n\t\t\t$a[$key] = preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return '\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $rdn\'');\n\t\t}' /var/www/phpldapadmin/lib/functions.php
sed -i '2574c \\t\treturn preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return'\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $dn);' /var/www/phpldapadmin/lib/functions.php
sed -i '1119d; 1120d; 1121i \\t\t\tforeach ($dn as $key => $rdn) {\n\t\t\t\t$a[$key] = preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return '\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $rdn\'');\n\t\t\t}' /var/www/phpldapadmin/lib/ds_ldap.php
sed -i '1126c \\t\t\treturn preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return'\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $dn);' /var/www/phpldapadmin/lib/ds_ldap.php
# for PHP7.3
sed -i '54c function my_autoload($className) {' /var/www/phpldapadmin/lib/functions.php
sed -i '777c spl_autoload_register("my_autoload");' /var/www/phpldapadmin/lib/functions.php
sed -i '1083c \\t\t$CACHE[$sortby] = __create_function('\''$a, $b'\'',$code);' /var/www/phpldapadmin/lib/functions.php
sed -i '1091a function __create_function($arg, $body) {\n\tstatic $cache = array();\n\tstatic $maxCacheSize = 64;\n\tstatic $sorter;\n\n\tif ($sorter === NULL) {\n\t\t$sorter = function($a, $b) {\n\t\t\tif ($a->hits == $b->hits) {\n\t\t\t\treturn 0;\n\t\t\t}\n\n\t\t\treturn ($a->hits < $b->hits) ? 1 : -1;\n\t\t};\n\t}\n\n\t$crc = crc32($arg . "\\\\x00" . $body);\n\n\tif (isset($cache[$crc])) {\n\t\t++$cache[$crc][1];\n\t\treturn $cache[$crc][0];\n\t}\n\n\tif (sizeof($cache) >= $maxCacheSize) {\n\t\tuasort($cache, $sorter);\n\t\tarray_pop($cache);\n\t}\n\n\t$cache[$crc] = array($cb = eval('\''return function('\''.$arg.'\''){'\''.$body.'\''};'\''), 0);\n\treturn $cb;\n}\n' /var/www/phpldapadmin/lib/functions.php
fi
# Mark as configured.
touch /root/packages/configured
fi
#----------------------------------------------------------------------
# Container and Volumes is left.
#----------------------------------------------------------------------
echo "Setting to do every time"
# Resolver settings.
cp /etc/resolv.conf /root/packages/resolv.conf
sed -i "s/nameserver 127.0.0.11/nameserver 127.0.0.1/" /root/packages/resolv.conf
cat /root/packages/resolv.conf > /etc/resolv.conf
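Review bot: the `sed -i "/ldap server require strong auth/d"` and `sed -i "/\[global\]/a \\\tldap server require strong auth = no"` pair unconditionally downgrades LDAP authentication for the whole restored DC whenever the phpLDAPadmin tarball is present, only so that phpLDAPadmin can bind to `ldap://127.0.0.1`; that also allows clear-text simple binds on the published port 389. The restored `smb.conf` keeps the original TLS settings, so point phpLDAPadmin at `ldaps://` as `config-primary.sh` does. `samba_upgradedns --dns-backend=samba_internal` uses lower-case where the other scripts use `SAMBA_INTERNAL`; unify to the upper-case spelling the tool documents. The one-backup check `ls /root/packages/samba-backup-* | wc -w` expects a `samba-tool domain backup` archive, not the `backup-*.tar.gz` written by `packages/backup.sh`; say so in the README. Both early returns use `exit 0`, which again lets the entrypoint start samba after a failed restore.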

203
packages/config-secondary.sh Executable file
View File

@ -0,0 +1,203 @@
#!/bin/bash
echo "Secondary domain controller settings."
#----------------------------------------------------------------------
# New volumes.
#----------------------------------------------------------------------
if [ -z "$(ls /var/lib/samba/private)" ]; then
echo "New volumes."
# Make join parameters.
SMB_TMP_PARAM="
--username=administrator
--password=$SMB_ADMINPASS
--realm=$SMB_REALM
--option=\"dns forwarder = 127.0.0.11\"
--option=\"dns update command = /usr/sbin/samba_dnsupdate --current-ip $SMB_HOSTIP\"
--option=\"rpc server dynamic port range = $SMB_RPC_PORTS\"
--option=\"template homedir = /home/%D/%U\"
--option=\"template shell = /bin/bash\"
--option=\"winbind enum users = yes\"
--option=\"winbind enum groups = yes\"
--option=\"idmap config $SMB_DOMAIN:unix_nss_info = yes\"
--option=\"idmap config $SMB_DOMAIN:unix_primary_group = yes\"
--option=\"idmap_ldb:use rfc2307 = yes\"
"
if [ $SMB_USEBIND9 = "true" ]; then
SMB_TMP_PARAM+=" --dns-backend=BIND9_DLZ"
else
SMB_TMP_PARAM+=" --dns-backend=SAMBA_INTERNAL"
fi
# LDAPS settings.
mkdir /var/lib/samba/private/tls/
TMP_LDAPS=0
cp -a /root/packages/cert/ca.crt /usr/local/share/ca-certificates/ && \
update-ca-certificates && \
TMP_LDAPS=$(($TMP_LDAPS | 0x01)) && \
SMB_TMP_PARAM+=" --option=\"tls cafile = /usr/local/share/ca-certificates/ca.crt\""
cp -a /root/packages/cert/server.crt /var/lib/samba/private/tls/ && \
TMP_LDAPS=$(($TMP_LDAPS | 0x02)) && \
SMB_TMP_PARAM+=" --option=\"tls certfile = /var/lib/samba/private/tls/server.crt\""
cp -a /root/packages/cert/server.key /var/lib/samba/private/tls/ && \
TMP_LDAPS=$(($TMP_LDAPS | 0x04)) && \
chmod 600 /var/lib/samba/private/tls/server.key && \
SMB_TMP_PARAM+=" --option=\"tls keyfile = /var/lib/samba/private/tls/server.key\""
cp -a /root/packages/cert/ca.crl /var/lib/samba/private/tls/ && \
TMP_LDAPS=$(($TMP_LDAPS | 0x08)) && \
SMB_TMP_PARAM+=" --option=\"tls crlfile = /var/lib/samba/private/tls/ca.crl\""
if [ $(($TMP_LDAPS & 0x07)) -eq 7 ]; then
echo "Enable LDAPS."
SMB_TMP_PARAM+=" --option=\"tls enabled = true\"
--option=\"tls verify peer = as_strict_as_possible\"
"
else
echo "Disable Strong Auth."
SMB_TMP_PARAM+="
--option=\"ldap server require strong auth = no\"
"
fi
set -f
SMB_TMP_PARAM=$(echo $SMB_TMP_PARAM)
#echo "join parameters: $SMB_TMP_PARAM"
set +f
# Join domain settings.
mv --backup=numbered /etc/samba/smb.conf /etc/samba/smb.conf.bak
eval samba-tool domain join $SMB_REALM DC "$SMB_TMP_PARAM"
if [ $? -ne 0 ]; then exit 0; fi
# Deletion of IP addresses in the container registered in Primary DNS
MYHOSTIP=$(grep $(hostname) /etc/hosts | sed "s/^\(.*\)\s.*/\1/")
MYHOSTNM=$(hostname)
samba-tool dns update $SMB_REALM \
$SMB_REALM $MYHOSTNM \
A $MYHOSTIP $SMB_HOSTIP \
--username Administrator --password $SMB_ADMINPASS
# Delete myhostip after 30 sec.
/bin/bash -c "sleep 30;
samba-tool dns delete localhost \
$SMB_REALM $MYHOSTNM \
A $MYHOSTIP \
--username Administrator --password $SMB_ADMINPASS
" &
fi
#----------------------------------------------------------------------
# Volumes is left.
#----------------------------------------------------------------------
if [ ! -e /root/packages/configured ]; then
echo "New container."
# Register CA certificates.
cp -a /root/packages/cert/ca.crt /usr/local/share/ca-certificates/ && \
update-ca-certificates
# Authentication sttings.
sed -i "s/^\(passwd: \+\)[a-z ]\+$/\1compat winbind/" /etc/nsswitch.conf
sed -i "s/^\(group: \+\)[a-z ]\+$/\1compat winbind/" /etc/nsswitch.conf
# Create krb5.conf
mv --backup=numbered /etc/krb5.conf /etc/krb5.conf.bak
cat <<EOF > /etc/krb5.conf
[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = true
default_realm = $SMB_REALM
EOF
# Make rsync configuration.
cat <<EOF > /etc/rsyncd.secret.sysvol-replication
$RSY_PASS
EOF
chmod 600 /etc/rsyncd.secret.sysvol-replication
# Reset sysvol.
echo "Reset sysvol."
rsync -XAavx \
--delete-after \
--password-file=/etc/rsyncd.secret.sysvol-replication \
--contimeout=10 \
rsync://sysvol-replication@$RSY_PRIMARY/SysVol \
/var/lib/samba/sysvol/
samba-tool ntacl sysvolreset
# Replicate sysvol every 5 minutes.
echo "*/5 * * * * root rsync -XAavx --delete-after --password-file=/etc/rsyncd.secret.sysvol-replication rsync://sysvol-replication@$RSY_PRIMARY/SysVol /var/lib/samba/sysvol/" >> /etc/crontab
# Suppress apache warning.
echo "ServerName localhost" | tee /etc/apache2/conf-available/fqdn.conf
a2enconf fqdn
# Setup phpLdapAdmin.
if [ -e /root/packages/phpLDAPadmin-1.2.3.tar.gz ]; then
a2dismod php8.1
a2enmod php7.3
tar zxf /root/packages/phpLDAPadmin-1.2.3.tar.gz -C /var/www/
mv /var/www/phpLDAPadmin-1.2.3 /var/www/phpldapadmin
cp /etc/phpldapadmin/apache.conf /etc/phpldapadmin/apache.conf.bak
sed -i "s@/usr/share/phpldapadmin/htdocs@/var/www/phpldapadmin@g" /etc/phpldapadmin/apache.conf
cp /var/www/phpldapadmin/config/config.php.example /var/www/phpldapadmin//config/config.php
if [ $(grep "tls verify peer = as_strict_as_possible" /etc/samba/smb.conf -c) -ne 0 ]; then
sed -i "$ i\$servers->setValue('server','host','ldaps://$(hostname).${SMB_REALM,,}');" /var/www/phpldapadmin/config/config.php
else
sed -i "$ i\$servers->setValue('server','host','ldap://$(hostname).${SMB_REALM,,}');" /var/www/phpldapadmin/config/config.php
fi
sed -i "$ i\$servers->setValue('login','bind_id','administrator@${SMB_REALM,,}');" /var/www/phpldapadmin/config/config.php
sed -i "$ i\$config->custom->appearance['hide_template_warning'] = true;" /var/www/phpldapadmin/config/config.php
sed -i "s/\$servers->setValue('server','name','My LDAP Server');/\$servers->setValue('server','name','$SMB_DOMAIN');/" /var/www/phpldapadmin/config/config.php
# Customize phpLDAPadmin
# for PHP7.0
sed -i "s/password_hash/password_hash_custom/g" /var/www/phpldapadmin/lib/*
sed -i '2567d; 2568d; 2569i \\t\tforeach ($dn as $key => $rdn) {\n\t\t\t$a[$key] = preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return '\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $rdn\'');\n\t\t}' /var/www/phpldapadmin/lib/functions.php
sed -i '2574c \\t\treturn preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return'\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $dn);' /var/www/phpldapadmin/lib/functions.php
sed -i '1119d; 1120d; 1121i \\t\t\tforeach ($dn as $key => $rdn) {\n\t\t\t\t$a[$key] = preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return '\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $rdn\'');\n\t\t\t}' /var/www/phpldapadmin/lib/ds_ldap.php
sed -i '1126c \\t\t\treturn preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return'\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $dn);' /var/www/phpldapadmin/lib/ds_ldap.php
# for PHP7.3
sed -i '54c function my_autoload($className) {' /var/www/phpldapadmin/lib/functions.php
sed -i '777c spl_autoload_register("my_autoload");' /var/www/phpldapadmin/lib/functions.php
sed -i '1083c \\t\t$CACHE[$sortby] = __create_function('\''$a, $b'\'',$code);' /var/www/phpldapadmin/lib/functions.php
sed -i '1091a function __create_function($arg, $body) {\n\tstatic $cache = array();\n\tstatic $maxCacheSize = 64;\n\tstatic $sorter;\n\n\tif ($sorter === NULL) {\n\t\t$sorter = function($a, $b) {\n\t\t\tif ($a->hits == $b->hits) {\n\t\t\t\treturn 0;\n\t\t\t}\n\n\t\t\treturn ($a->hits < $b->hits) ? 1 : -1;\n\t\t};\n\t}\n\n\t$crc = crc32($arg . "\\\\x00" . $body);\n\n\tif (isset($cache[$crc])) {\n\t\t++$cache[$crc][1];\n\t\treturn $cache[$crc][0];\n\t}\n\n\tif (sizeof($cache) >= $maxCacheSize) {\n\t\tuasort($cache, $sorter);\n\t\tarray_pop($cache);\n\t}\n\n\t$cache[$crc] = array($cb = eval('\''return function('\''.$arg.'\''){'\''.$body.'\''};'\''), 0);\n\treturn $cb;\n}\n' /var/www/phpldapadmin/lib/functions.php
fi
# Mark as configured.
touch /root/packages/configured
fi
#----------------------------------------------------------------------
# Container and Volumes is left.
#----------------------------------------------------------------------
echo "Setting to do every time"
# Resolver settings.
cp /etc/resolv.conf /root/packages/resolv.conf
sed -i "s/nameserver 127.0.0.11/nameserver 127.0.0.1/" /root/packages/resolv.conf
cat /root/packages/resolv.conf > /etc/resolv.conf
# Switch DNS backend.
if [ $SMB_USEBIND9 = "true" ]; then
if [ ! -e /var/lib/samba/bind-dns/named.conf ]; then
samba_upgradedns --dns-backend=BIND9_DLZ
fi
# Make bind9 configuration.
if [ $(grep "bind-dns" /etc/bind/named.conf -c) -eq 0 ]; then
cp -a /etc/bind/named.conf /etc/bind/named.conf.bak
sed -i "\$a include \"/var/lib/samba/bind-dns/named.conf\";" /etc/bind/named.conf
cp -a /etc/bind/named.conf.options /etc/bind/named.conf.options.bak
sed -i "/listen-on-v6/a\\\n\tforwarders { 127.0.0.11; };\n\tallow-query { any; };\n\tallow-transfer { none; };\n\ttkey-gssapi-keytab \"/var/lib/samba/bind-dns/dns.keytab\";\n\tminimal-responses yes;" /etc/bind/named.conf.options
cp -a /etc/bind/named.conf.local /etc/bind/named.conf.local.bak
sed -i "s@^//include@include@" /etc/bind/named.conf.local
fi
if [[ $(grep -c "server services" /etc/samba/smb.conf) -eq 0 ]]; then
sed -i "9a\\\tserver services = -dns" /etc/samba/smb.conf
fi
else
if [ -e /var/lib/samba/bind-dns/named.conf ]; then
samba_upgradedns --dns-backend=SAMBA_INTERNAL
sed -i "/server services/d" /etc/samba/smb.conf
fi
fi
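Review bot: `--password $SMB_ADMINPASS` in the `samba-tool dns update` call, and again inside the backgrounded `bash -c "sleep 30; samba-tool dns delete ..."`, puts the domain Administrator password on a command line where any process in the container can read it from `ps` (for the delete, for the whole 30-second sleep). The script already keeps the rsync password in a mode-600 file; the same pattern works here by writing the credentials to a root-only file and passing it with samba-tool's `-A`/`--authentication-file` option instead of `--password`. Separately, `if [ $? -ne 0 ]; then exit 0; fi` after the `domain join` turns a failed join into a successful container exit, which hides the failure from `docker compose` and any restart policy; exit non-zero there so the failed join is visible.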

91
packages/restore.sh Executable file

@ -0,0 +1,91 @@
#!/bin/bash
WORKDIR=${PWD}
# Check parameters.
if [ $# = 0 ]; then
echo "Usage: restore.sh [path to backup file] [--execute]
--execute Execute a restore.
If this parameter is not present, a dry run is performed."
exit 0
fi
if [ ! -e $1 ]; then
echo "File to be restored not found: $1"
exit -1
fi
# Extract file.
if [ -d ./restore ]; then
echo "The directory \"restore\" exists. Aborted."
exit 0
fi
mkdir ./restore
tar -zxvf $1 -C ./restore
if [ $? -ne 0 ]; then
echo "Failed to extract file."
exit -1
fi
#
if [ -z $2 ]; then
# Restore acl.
cd restore/lib/samba/
bash ./NTACL
echo "Finished dry run."
elif [ $2 = "--execute" ]; then
# Stop the samba process.
pkill -SIGTERM ^samba$
while
pgrep ^samba$
[ $? -eq 0 ]
do
echo "wait..."
sleep 1
done
# Samba
# Restore files.
rm -rf /etc/samba/*
mv restore/etc/samba/* /etc/samba/
rm -rf /var/lib/samba/private/*
mv restore/lib/samba/private/* /var/lib/samba/private/
rm -rf /var/lib/samba/bind-dns
mv restore/lib/samba/bind-dns /var/lib/samba/
rm -rf /var/lib/samba/sysvol/*
mv restore/lib/samba/sysvol/* /var/lib/samba/sysvol/
# Bind
# Restore files.
rm -rf /etc/bind/*
mv restore/etc/bind/* /etc/bind/
rm -rf /var/lib/bind/*
mv restore/lib/bind/* /var/lib/bind/
# Delete working files.
rm -rf ./restore
# Restore acl.
cd /var/lib/samba
bash $WORKDIR/restore/lib/samba/NTACL
cd $WORKDIR
# Do sysvol reset.
net cache flush
samba-tool ntacl sysvolreset
# Start the samba process.
/usr/sbin/samba --interactive --no-process-group &
if [ $SMB_USEBIND9 = "true" ]; then
/usr/sbin/rndc stop
/usr/sbin/named -u bind
fi
echo "Restored."
fi
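Review bot: `rm -rf ./restore` under `# Delete working files.` runs two lines before `bash $WORKDIR/restore/lib/samba/NTACL`, so by the time the `--execute` branch reaches the ACL restore the NTACL script has already been deleted and `/var/lib/samba` is left with whatever ACLs the `mv` gave it (the later `sysvolreset` repairs sysvol only). Move the `rm -rf ./restore` after the NTACL step and the `cd $WORKDIR`. The same branch also runs `rm -rf /etc/samba/*`, `rm -rf /var/lib/samba/private/*`, `rm -rf /etc/bind/*` and `rm -rf /var/lib/bind/*` before checking that the matching `restore/etc/...` and `restore/lib/...` directories actually came out of the archive, so a backup taken without bind9 or with a different layout wipes the live DC without replacing it; test for each source directory up front, before the `pkill`, and abort with a non-zero exit if any is missing. The dry-run branch additionally leaves `./restore` behind, so the `--execute` run that normally follows it stops at the `The directory "restore" exists. Aborted.` check; clean the directory up at the end of the dry run as well.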