From c01b7e34be61df50a5026617a88e8c4ecac64468 Mon Sep 17 00:00:00 2001
From: rohhie
Date: Sat, 8 Oct 2022 15:47:42 +0900
Subject: [PATCH] First version
---
.env | 3 +
.gitignore | 7 ++
Dockerfile | 8 ++
LICENSE | 2 +-
README.md | 173 +++++++++++++++++++++++++++++
baseimage/Dockerfile | 33 ++++++
docker-compose.yml.primary | 73 +++++++++++++
docker-compose.yml.restore | 71 ++++++++++++
docker-compose.yml.secondary | 75 +++++++++++++
entrypoint.sh | 53 +++++++++
mkbaseimage.sh | 3 +
packages/backup.sh | 46 ++++++++
packages/cert/README.md | 18 ++++
packages/config-primary.sh | 194 +++++++++++++++++++++++++++++++++
packages/config-restore.sh | 120 +++++++++++++++++++++
packages/config-secondary.sh | 203 +++++++++++++++++++++++++++++++++++
packages/restore.sh | 91 ++++++++++++++++
17 files changed, 1172 insertions(+), 1 deletion(-)
create mode 100644 .env
create mode 100644 .gitignore
create mode 100644 Dockerfile
create mode 100644 baseimage/Dockerfile
create mode 100644 docker-compose.yml.primary
create mode 100644 docker-compose.yml.restore
create mode 100644 docker-compose.yml.secondary
create mode 100755 entrypoint.sh
create mode 100755 mkbaseimage.sh
create mode 100755 packages/backup.sh
create mode 100644 packages/cert/README.md
create mode 100755 packages/config-primary.sh
create mode 100755 packages/config-restore.sh
create mode 100755 packages/config-secondary.sh
create mode 100755 packages/restore.sh
diff --git a/.env b/.env
new file mode 100644
index 0000000..19d3af3
--- /dev/null
+++ b/.env
@@ -0,0 +1,3 @@
+PRIMARYIP=192.168.110.4
+SECONDARYIP=192.168.110.34
+RESTOREDIP=192.168.110.10
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e30ac8e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+docker-compose.yml
+*.gz
+*.bz2
+ca.crt
+server.crt
+server.key
+ca.crl
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..6d69d3b
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,8 @@ +FROM custom/samba:0.0.1 +USER root +ENV LANG=en_US.UTF-8 \ + LANGUAGE=en_US:en \ + LC_ALL=en_US.UTF-8 +ADD entrypoint.sh / +ENTRYPOINT ["/entrypoint.sh"] +COPY ./packages /root/packages diff --git a/LICENSE b/LICENSE index 2071b23..cdc6638 100644 --- a/LICENSE +++ b/LICENSE @@ -1,6 +1,6 @@ MIT License -Copyright (c) +Copyright (c) 2022 rohhie@rohhie.net Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: diff --git a/README.md b/README.md index 402f325..0e7752f 100644 --- a/README.md +++ b/README.md 
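Review bot: `COPY ./packages /root/packages` on the last line bakes everything under packages/ into an image layer, and the config scripts in this same commit expect packages/cert/server.key (and ca.crt, server.crt, ca.crl) to live there, so the DC's private key ends up in the image and is recoverable by anyone who can pull or `docker save` it; .gitignore keeps the key out of git, but not out of the image. Mount packages/cert (or the whole packages directory) into the container as a compose volume at run time instead, or use a BuildKit `--mount=type=secret` if the key is genuinely needed during the build. `ADD entrypoint.sh /` should be `COPY entrypoint.sh /` since no archive extraction or URL fetch is involved. A one-line comment above the COPY such as `# packages/ is copied into the image layer; do not place private keys here` would at least make the consequence visible to the next person adding files.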
@@ -1,2 +1,175 @@ # Samba-ad-dc-with-docker +## 概要 + +Samba ad dcをDockerで気軽に利用する。 + +## 構築方法 + +### ダウンロード + +このリポジトリからソースをダウンロードする。 + +``` +git clone https://gitea.rohhie.net/rohhie/Samba-ad-dc-with-docker.git +mv Samba-ad-dc-with-docker samba +``` + +phpLDAPadminを使用する場合は、バージョン1.2.3をダウンロードする。 + +``` +wget https://github.com/leenooks/phpLDAPadmin/archive/refs/tags/1.2.3.tar.gz -O packages/phpLDAPadmin-1.2.3.tar.gz +``` + +### ベースとなるイメージを作成する + +Samba ad dcイメージのベースとなるイメージを作成する。 +スクリプトの修正等でコンテナを作り直す際に、最低限のダウンロードで済ませるため。 + +``` +./mkbaseimage.sh +``` + +### 目的のdocker-compose.ymlを作成する + +プライマリーDC、セカンダリーDC、リストアドDCの3種類を用意しているので、いずれかをコピーする。 +ここではプライマリーDCについて説明する。 + +``` +cp docker-compose.yml.primary docker-compose.yml +``` + +### ホストのIPアドレスを設定する + +.envにプライマリーDC、セカンダリーDC、リストアドDCのコンテナを動作させるホストのIPアドレスを設定する。 +ホームラボのホストが指定してあるので、適宜変更する。 +セカンダリーDC、リストアドDCを使わない場合は、未設定で問題はない。 + +### 動作条件を設定する + +docker-compose.ymlで動作条件を設定する。 + +#### environment: +| 変数名 | 設定内容 | +|---------------|----------------------------------------------------------------| +| SMB_REALM | 管理するレルムの名前 | +| SMB_DOMAIN | レルムのドメイン名 | +| SMB_ADMINPASS | administratorのパスワード | +| SMB_HOSTIP | コンテナを動作させるホストのIPアドレス | +| SMB_RPC_PORTS | RPCで使用するポート範囲 | +| SMB_PURPOSE | "primary"として、プライマリーDCとする | +| SMB_USEBIND9 | DNSの選択 "false":内蔵 "true":BIND9 | +| RSY_SECONDARY | セカンダリーのIPアドレス
SMB_PURPOSEが"primary"の場合に有効 | +| RSY_PASS | セカンダリーからrsyncする際のパスワード | + +※SMB_PURPOSEは、"secondary"と"restore"を指定可能だが、それぞれ別にymlを用意してあるので、それを使うこと。 + +#### ports: + +IPアドレスを指定してポートをマッピングしている。 +コンテナを動作させるホストのIPアドレスを設定する。 + +#### dns: + +Samba ad dcが名前解決でフォワードするDNSのIPアドレスを設定する。 +ホームラボのDNSを指定してあるので、適宜変更する。 + +### 証明書類を準備する + +ドメインで使用する証明書類をpackages/cert に配置する。 +証明書の名前は以下の通り固定。変更する場合は、config-*.shを変更すること。 + +| ファイル |内容 | +|------------|-----------------------------------------------------------| +| ca.crt |認証局の証明書。 | +| server.crt |Samba ad dcの証明書。ca.crtの認証局が署名したものを想定。 | +| server.key |Samba ad dcの秘密鍵。パスワードは外しておく。 | +| ca.crl |ca.crtの認証局が発行するcertificate revocation list(CRL)。 | + +※ca.crlの設置は必須ではない。 + +これらのファイルを設置すれば、LDAPとLDAPSが使えるようになる。 +なければ、LDAPが使える。 + +### ファイアウォールの設定 + +コンテナからホストへのアクセスを許可する。 + +コンテナのIPアドレスはdocker-compose.ymlで指定したもの。 +変更した場合には、fromのIPアドレスを書き換えること。 +また、toはコンテナを動作させるホストのIPアドレスを指定する。 + +``` +sudo ufw allow from 172.26.0.101 to 192.168.110.4 comment "From container" +``` + +### コンテナを起動 + +コンテナを構築して起動する。 + +``` +sudo docker compose up -d --build +``` + +### Apacheの設定(必須ではない) + +phpLDAPadminとLDAP Account Managerのポート8081にリバースプロキシ設定する設定の例。 +コンテナを動かすホストにApacheをインストールしている。 +証明書と秘密鍵は、環境にあったものを準備して設定。 + +/etc/apache2/sites-available/myservice.conf +``` + + ServerAdmin webmaster@hogeserver.hogeddns.jp + ServerName addc.hogeserver.hogeddns.jp + DocumentRoot /var/www/html + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + ProxyPreserveHost On + ProxyPass /phpldapadmin http://localhost:8081/phpldapadmin + ProxyPassReverse /phpldapadmin http://localhost:8081/phpldapadmin + ProxyPass /lam http://localhost:8081/lam + ProxyPassReverse /lam http://localhost:8081/lam + + # SSL + SSLEngine on + SSLCertificateFile /etc/ssl/private/wild.hoge.crt + SSLCertificateKeyFile /etc/ssl/private/wild.hoge.key + +``` + +この設定を反映する。 + +``` +sudo a2ensite myservice +sudo a2enmod proxy_http ssl +sudo systemctl restart apache2 +``` + 
+なお、リバースプロキシ設定せずに、8081ポートに直接アクセスすることもできる。 + + +## 使用方法 + +コンテナの中で自由にコマンドが実行できる。 +``` +sudo docker exec -it samba bash --login +``` + +phpLDAPadminにはブラウザでアクセスできる。ドメイン部分は環境に合わせる。 +https://addc.hogeserver.hogeddns.jp/phpldapadmin + +LDAP Account Managerも同様。 +https://addc.hogeserver.hogeddns.jp/lam + + +## その他 + +細かな設定手順や使い方、セカンダリーDCやリストアドDCを動作させる手順は、メインサイト参照。 +https://rohhie.net/samba-ad-dc-with-docker/ + +## ライセンス +MIT + diff --git a/baseimage/Dockerfile b/baseimage/Dockerfile new file mode 100644 index 0000000..714cee2 --- /dev/null +++ b/baseimage/Dockerfile @@ -0,0 +1,33 @@ +FROM ubuntu:jammy +USER root +ENV DEBIAN_FRONTEND=noninteractive +RUN apt update && \ + apt upgrade -y && \ + apt install -y \ + apache2 \ + bind9 \ + dnsutils \ + iproute2 \ + iputils-ping \ + krb5-user \ + ldap-account-manager \ + ldap-utils \ + ldb-tools \ + libnss-winbind \ + libpam-winbind \ + locales \ + phpldapadmin \ + rsync \ + samba \ + smbclient \ + tzdata \ + vim \ + winbind && \ + echo "deb https://ppa.launchpadcontent.net/ondrej/php/ubuntu/ jammy main" > /etc/apt/sources.list.d/ondrej-ubuntu-php-jammy.list && \ + echo "# deb-src https://ppa.launchpadcontent.net/ondrej/php/ubuntu/ jammy main" >> /etc/apt/sources.list.d/ondrej-ubuntu-php-jammy.list && \ + gpg --keyserver hkps://keyserver.ubuntu.com --recv-key 4F4EA0AAE5267A6C && \ + gpg -a --export 4F4EA0AAE5267A6C | gpg --dearmour -o /etc/apt/trusted.gpg.d/ondrej.gpg && \ + apt update && \ + apt install -y \ + php7.3 php7.3-ldap php7.3-xml php7.3-imagick php7.3-mbstring php7.3-gmp php7.3-zip && \ + locale-gen en_US.UTF-8 diff --git a/docker-compose.yml.primary b/docker-compose.yml.primary new file mode 100644 index 0000000..1fe562f --- /dev/null +++ b/docker-compose.yml.primary 
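Review bot: The PPA signing key fetched with `gpg --keyserver hkps://keyserver.ubuntu.com --recv-key 4F4EA0AAE5267A6C` is dearmoured into /etc/apt/trusted.gpg.d/ondrej.gpg, which makes that key trusted for every apt source in the image rather than only the ondrej repository; `4F4EA0AAE5267A6C` is also a 64-bit key ID rather than a full fingerprint, so a keyserver can in principle serve a different key that matches it. Write the key to `/usr/share/keyrings/ondrej.gpg`, reference it with `deb [signed-by=/usr/share/keyrings/ondrej.gpg] https://ppa.launchpadcontent.net/ondrej/php/ubuntu/ jammy main`, and pass the full fingerprint (FINGERPRINT-PLACEHOLDER, to be taken from the PPA page) to `--recv-key`. The same RUN uses `apt` instead of `apt-get`, performs a blanket `apt upgrade -y`, pins no package versions, and never removes /var/lib/apt/lists/, so the image is neither reproducible nor minimal. `ENV DEBIAN_FRONTEND=noninteractive` also persists into the runtime environment of every image derived from this base; setting it inline on the RUN keeps it build-only.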
@@ -0,0 +1,73 @@ +version: "3.9" +services: + + samba: + build: ./ + image: custom/samba:1.0.0 + container_name: samba + restart: unless-stopped + environment: + TZ: Asia/Tokyo + SMB_REALM: HOGESERVER.HOGEDDNS.JP + SMB_DOMAIN: HOGEDOMAIN + SMB_ADMINPASS: p@ssword123 + SMB_HOSTIP: ${PRIMARYIP} + SMB_RPC_PORTS: 49152-49200 + SMB_PURPOSE: "primary" + SMB_USEBIND9: "false" + #RSY_SECONDARY: ${SECONDARYIP} + #RSY_PASS: p@ssword234 + volumes: + - samba_etc:/etc/samba + - samba_lib:/var/lib/samba + - bind_etc:/etc/bind + - bind_lib:/var/lib/bind + - lam:/var/lib/ldap-account-manager + networks: + samba: + ipv4_address: 172.26.0.101 + ports: + - ${PRIMARYIP}:53:53 #DNS + - ${PRIMARYIP}:53:53/udp #DNS + - ${PRIMARYIP}:135:135 #End Point Mapper(WINS) + - ${PRIMARYIP}:137:137/udp #NetBIOS Name Service + - ${PRIMARYIP}:138:138/udp #NetBIOS Datagram + - ${PRIMARYIP}:139:139 #NetBIOS Session + - ${PRIMARYIP}:445:445 #SMB over TCP + - ${PRIMARYIP}:389:389 #LDAP + - ${PRIMARYIP}:389:389/udp #LDAP + - ${PRIMARYIP}:636:636 #LDAPS + - ${PRIMARYIP}:88:88 #Kerberos + - ${PRIMARYIP}:88:88/udp #Kerberos + - ${PRIMARYIP}:464:464 #Kerberos kpasswd + - ${PRIMARYIP}:464:464/udp #Kerberos kpasswd + - ${PRIMARYIP}:3268:3268 #Global Catalog + - ${PRIMARYIP}:3269:3269 #Global Catalog SSL + #RPC The same value as SMB_RPC_PORTS. + - ${PRIMARYIP}:49152-49200:49152-49200 + - 873:873 #rsync + - 8081:80 #phpLDAPadmin & LDAP Account Manager + hostname: addc + dns: + - 192.168.110.1 + dns_search: + - hogeserver.hogeddns.jp + privileged: true + devices: + - /dev/net/tun + cap_add: + - NET_ADMIN + +networks: + samba: + ipam: + config: + - subnet: 172.26.0.0/16 + gateway: 172.26.0.1 + +volumes: + samba_etc: + samba_lib: + bind_etc: + bind_lib: + lam: diff --git a/docker-compose.yml.restore b/docker-compose.yml.restore new file mode 100644 index 0000000..e5a608b --- /dev/null +++ b/docker-compose.yml.restore 
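Review bot: `- 873:873 #rsync` and `- 8081:80` are the only port mappings not prefixed with `${PRIMARYIP}:`, so the rsync daemon and the plain-HTTP phpLDAPadmin/LAM interface are published on every host interface while the rest of the DC is bound to one address; prefix them as well (`- ${PRIMARYIP}:873:873`, and `- 127.0.0.1:8081:80` if only the local Apache reverse proxy described in the README should reach the web UI). `SMB_ADMINPASS: p@ssword123` and the commented `RSY_PASS` are template values in a tracked file that every copy of docker-compose.yml inherits; reading them from an env_file that is listed in .gitignore keeps real credentials out of the repository. With `privileged: true` the `cap_add: NET_ADMIN` and `devices: /dev/net/tun` entries are already implied, so either they are redundant or, preferably, `privileged` can be dropped in favour of the explicit capability. docker-compose.yml.restore and docker-compose.yml.secondary share the same three points.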
@@ -0,0 +1,71 @@ +version: "3.9" +services: + + samba: + #image: ubuntu:jammy + build: ./ + image: custom/samba:1.0.0 + container_name: samba + restart: unless-stopped + environment: + TZ: Asia/Tokyo + SMB_REALM: HOGESERVER.HOGEDDNS.JP + SMB_DOMAIN: HOGEDOMAIN + SMB_ADMINPASS: p@ssword123 + SMB_HOSTIP: ${RESTOREDIP} + SMB_RPC_PORTS: 49152-49200 + SMB_PURPOSE: "restore" + volumes: + - samba_etc:/etc/samba + - samba_lib:/var/lib/samba + - bind_etc:/etc/bind + - bind_lib:/var/lib/bind + - lam:/var/lib/ldap-account-manager + networks: + samba: + ipv4_address: 172.26.0.103 + ports: + - ${RESTOREDIP}:53:53 #DNS + - ${RESTOREDIP}:53:53/udp #DNS + - ${RESTOREDIP}:135:135 #End Point Mapper(WINS) + - ${RESTOREDIP}:137:137/udp #NetBIOS Name Service + - ${RESTOREDIP}:138:138/udp #NetBIOS Datagram + - ${RESTOREDIP}:139:139 #NetBIOS Session + - ${RESTOREDIP}:445:445 #SMB over TCP + - ${RESTOREDIP}:389:389 #LDAP + - ${RESTOREDIP}:389:389/udp #LDAP + - ${RESTOREDIP}:636:636 #LDAPS + - ${RESTOREDIP}:88:88 #Kerberos + - ${RESTOREDIP}:88:88/udp #Kerberos + - ${RESTOREDIP}:464:464 #Kerberos kpasswd + - ${RESTOREDIP}:464:464/udp #Kerberos kpasswd + - ${RESTOREDIP}:3268:3268 #Global Catalog + - ${RESTOREDIP}:3269:3269 #Global Catalog SSL + #RPC The same value as SMB_RPC_PORTS. + - ${RESTOREDIP}:49152-49200:49152-49200 + - 873:873 #rsync + - 8081:80 #phpLDAPadmin & LDAP Account Manager + hostname: addcr + dns: + - 192.168.110.1 + dns_search: + - hogeserver.hogeddns.jp + privileged: true + devices: + - /dev/net/tun + cap_add: + - NET_ADMIN + +networks: + samba: + ipam: + config: + - subnet: 172.26.0.0/16 + gateway: 172.26.0.1 + +volumes: + samba_etc: + samba_lib: + bind_etc: + bind_lib: + lam: diff --git a/docker-compose.yml.secondary b/docker-compose.yml.secondary new file mode 100644 index 0000000..92b12af --- /dev/null +++ b/docker-compose.yml.secondary 
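Review bot: SMB_USEBIND9 is absent from this environment block, while entrypoint.sh in the same commit tests it unquoted as `[ $SMB_USEBIND9 = "true" ]` in both sig_term and the service-start section; with an empty variable that expands to `[ = true ]`, which is a test syntax error rather than a false result, so the restore container logs an error on every start and stop. Either add `SMB_USEBIND9: "false"` here for consistency with the primary and secondary files, or quote the test in entrypoint.sh as `if [ "$SMB_USEBIND9" = "true" ]; then` so a missing variable is handled as "false".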
@@ -0,0 +1,75 @@ +version: "3.9" +services: + + samba: + build: ./ + image: custom/samba:1.0.0 + container_name: samba + restart: unless-stopped + environment: + TZ: Asia/Tokyo + SMB_REALM: HOGESERVER.HOGEDDNS.JP + SMB_DOMAIN: HOGEDOMAIN + SMB_ADMINPASS: p@ssword123 + SMB_HOSTIP: ${SECONDARYIP} + SMB_RPC_PORTS: 49152-49200 + SMB_PURPOSE: "secondary" + SMB_USEBIND9: "false" + RSY_PRIMARY: ${PRIMARYIP} + RSY_PASS: p@ssword234 + volumes: + - samba_etc:/etc/samba + - samba_lib:/var/lib/samba + - bind_etc:/etc/bind + - bind_lib:/var/lib/bind + - lam:/var/lib/ldap-account-manager + networks: + samba: + ipv4_address: 172.26.0.102 + ports: + - ${SECONDARYIP}:53:53 #DNS + - ${SECONDARYIP}:53:53/udp #DNS + - ${SECONDARYIP}:135:135 #End Point Mapper(WINS) + - ${SECONDARYIP}:137:137/udp #NetBIOS Name Service + - ${SECONDARYIP}:138:138/udp #NetBIOS Datagram + - ${SECONDARYIP}:139:139 #NetBIOS Session + - ${SECONDARYIP}:445:445 #SMB over TCP + - ${SECONDARYIP}:389:389 #LDAP + - ${SECONDARYIP}:389:389/udp #LDAP + - ${SECONDARYIP}:636:636 #LDAPS + - ${SECONDARYIP}:88:88 #Kerberos + - ${SECONDARYIP}:88:88/udp #Kerberos + - ${SECONDARYIP}:464:464 #Kerberos kpasswd + - ${SECONDARYIP}:464:464/udp #Kerberos kpasswd + - ${SECONDARYIP}:3268:3268 #Global Catalog + - ${SECONDARYIP}:3269:3269 #Global Catalog SSL + #RPC The same value as SMB_RPC_PORTS. + - ${SECONDARYIP}:49152-49200:49152-49200 + - 8081:80 #phpLDAPadmin & LDAP Account Manager + hostname: addc2 + dns: + - ${PRIMARYIP} #Used for domain to join + #- 192.168.110.1 #Used for normal operation + dns_search: + - hogeserver.hogeddns.jp + privileged: true + devices: + - /dev/net/tun + cap_add: + - NET_ADMIN + +networks: + samba: + ipam: + config: + - subnet: 172.26.0.0/16 + gateway: 172.26.0.1 + +volumes: + samba_etc: + samba_lib: + bind_etc: + bind_lib: + lam: +# private: +# sysvol: diff --git a/entrypoint.sh b/entrypoint.sh new file mode 100755 index 0000000..1498d34 --- /dev/null +++ b/entrypoint.sh 
@@ -0,0 +1,53 @@ +#!/bin/bash + +echo "Start Samba container with parameter : $@" + +trap sig_term SIGTERM + +sig_term() { + echo "CATCH SIGTERM" + pkill -SIGTERM ^samba$ + /usr/sbin/apachectl stop + case $SMB_PURPOSE in + "primary") + pkill -SIGTERM ^rsync$ + ;; + "secondary") + pkill -SIGTERM ^cron$ + ;; + esac + if [ $SMB_USEBIND9 = "true" ]; then + /usr/sbin/rndc stop + fi + wait + exit 0 +} + +# Make configuration +case $SMB_PURPOSE in + "primary") /root/packages/config-primary.sh;; + "secondary") /root/packages/config-secondary.sh;; + "restore") /root/packages/config-restore.sh;; + *) echo "Purporse do not match. : "$SMB_PURPOSE +esac + +# Execute paramater. +exec "$@" + +# Start services. +/usr/sbin/samba --interactive --no-process-group & +/usr/sbin/apachectl start +case $SMB_PURPOSE in + "primary") + /usr/bin/rsync --daemon --no-detach & + ;; + "secondary") + /usr/sbin/cron + ;; +esac +if [ $SMB_USEBIND9 = "true" ]; then + /usr/sbin/named -u bind +fi + +# Infinity roop. +while : ; do sleep 1 ; done diff --git a/mkbaseimage.sh b/mkbaseimage.sh new file mode 100755 index 0000000..0dac5ad --- /dev/null +++ b/mkbaseimage.sh @@ -0,0 +1,3 @@ +#!/bin/bash +cd $(dirname ${0}) +sudo docker build -t custom/samba:0.0.1 -f $PWD/baseimage/Dockerfile . diff --git a/packages/backup.sh b/packages/backup.sh new file mode 100755 index 0000000..bf296dd --- /dev/null +++ b/packages/backup.sh 
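Review bot: The `*)` arm of the SMB_PURPOSE case only echoes "Purporse do not match" (typo included) and falls through to starting samba, apache and the sleep loop with no configuration applied; it should stop the container instead, e.g. `*) echo "Purpose does not match: $SMB_PURPOSE" >&2; exit 1;;`. The config scripts it dispatches to are also run without checking their exit status, so a failed provision or join is indistinguishable from success here; `/root/packages/config-primary.sh || exit 1` (and likewise for the other two) would let `restart: unless-stopped` surface the failure rather than running an unprovisioned DC. `exec "$@"` placed before the service block appears to be a no-op for the empty default CMD and replaces the entire startup sequence when any CMD is given, which is presumably intended for `docker run … bash`; a comment stating that would keep the next reader from treating the service block as dead code.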
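Review bot: `cd $(dirname ${0})` is unquoted and its failure is not checked, so a checkout path containing whitespace, or a failed cd, leaves `docker build … .` running against the caller's current directory with `-f $PWD/baseimage/Dockerfile` pointing somewhere else; `cd "$(dirname "$0")" || exit 1` fixes both. A .dockerignore next to this script would also keep packages/cert and the phpLDAPadmin tarball out of the build context this command sends to the daemon for an image that never copies them.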
@@ -0,0 +1,46 @@ +#!/bin/bash + +# Stop the samba process. +pkill -SIGTERM ^samba$ +while + pgrep ^samba$ + [ $? -eq 0 ] +do + echo "wait..." + sleep 1 +done + +# Create backup files. +TMP_TARGET=/root/packages/backup-$(hostname)-$(date +'%Y-%m-%d-%H-%M-%S').tar + +# Samba +# Configuration. +cd / +tar -cvf $TMP_TARGET etc/samba --xattrs + +# Private directory. +cd /var/ +tar -uvf $TMP_TARGET lib/samba/private --xattrs --warning=no-file-ignored + +# SysVol directory. +cd ./lib/samba/ +find ./sysvol -exec bash -c 'TMP=$(samba-tool ntacl get "{}" --as-sddl); echo "samba-tool ntacl set \"$TMP\" \"{}\""' \; > NTACL +cd ../../ +tar -uvf $TMP_TARGET lib/samba/sysvol lib/samba/NTACL lib/samba/bind-dns --xattrs +rm NTACL + +# Bind +# Configuration. +cd / +tar -uvf $TMP_TARGET etc/bind --xattrs + +# Lib directory +cd /var/ +tar -uvf $TMP_TARGET lib/bind --xattrs + +# Compress. +gzip $TMP_TARGET + +# Finish. +/usr/sbin/samba --interactive --no-process-group & +echo "Backed up." diff --git a/packages/cert/README.md b/packages/cert/README.md new file mode 100644 index 0000000..fb8cafb --- /dev/null +++ b/packages/cert/README.md @@ -0,0 +1,18 @@ +# Certificate directory + +### 証明書類を準備する + +ドメインで使用する証明書類をpackages/cert に配置する。 +証明書の名前は以下の通り固定。変更する場合は、packages/config-*.shを変更すること。 +| ファイル |内容 | +|------------|-----------------------------------------------------------| +| ca.crt |認証局の証明書。 | +| server.crt |Samba ad dcの証明書。ca.crtの認証局が署名したものを想定。 | +| server.key |Samba ad dcの秘密鍵。パスワードは外しておく。 | +| ca.crl |ca.crtの認証局が発行するcertificate revocation list(CRL)。 | + +※ca.crlの設置は必須ではない。 + +これらのファイルを設置すれば、LDAPとLDAPSが使えるようになる。 +なければ、LDAPが使える。 + diff --git a/packages/config-primary.sh b/packages/config-primary.sh new file mode 100755 index 0000000..c1600c6 --- /dev/null +++ b/packages/config-primary.sh 
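Review bot: The `find ./sysvol -exec bash -c '… "{}" …' \;` line splices each sysvol path into the string that bash parses, so a file name containing a double quote or `$(…)` is executed as shell code by this backup and again by whoever later runs the generated NTACL script (ShellCheck SC2156), and sysvol contents are writable by anyone who may edit group policy. Pass the path as a positional argument and let printf quote both values: `find ./sysvol -exec bash -c 'TMP=$(samba-tool ntacl get "$1" --as-sddl); printf "samba-tool ntacl set %q %q\n" "$TMP" "$1"' _ {} \; > NTACL`. The archive is also written under /root/packages, which none of the compose files declare as a volume, so the backup (which includes lib/samba/private with the domain secrets) lives only in the container's writable layer until it is copied out; a comment saying so, or a dedicated volume, would prevent surprises when the container is recreated. Wrapping the whole script in `umask 077` keeps the .tar and .gz root-only from creation rather than relying on the default umask.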
@@ -0,0 +1,194 @@ +#!/bin/bash +echo "Primary domain controller settings." + +#---------------------------------------------------------------------- +# New volumes. +#---------------------------------------------------------------------- +if [ -z "$(ls /var/lib/samba/private)" ]; then + echo "New volumes." + + # Make provision parameters. + SMB_TMP_PARAM=" + --use-rfc2307 + --realm=$SMB_REALM + --domain=$SMB_DOMAIN + --server-role=dc + --adminpass=$SMB_ADMINPASS + --option=\"dns forwarder = 127.0.0.11\" + --option=\"dns update command = /usr/sbin/samba_dnsupdate --current-ip $SMB_HOSTIP\" + --option=\"template homedir = /home/%D/%U\" + --option=\"template shell = /bin/bash\" + --option=\"winbind enum users = yes\" + --option=\"winbind enum groups = yes\" + --option=\"idmap config $SMB_DOMAIN:unix_nss_info = yes\" + --option=\"idmap config $SMB_DOMAIN:unix_primary_group = yes\" + --option=\"rpc server dynamic port range = $SMB_RPC_PORTS\" + --host-ip=$SMB_HOSTIP + " + if [ $SMB_USEBIND9 = "true" ]; then + SMB_TMP_PARAM+=" --dns-backend=BIND9_DLZ" + else + SMB_TMP_PARAM+=" --dns-backend=SAMBA_INTERNAL" + fi + + # LDAPS settings. 
+ mkdir /var/lib/samba/private/tls/ + TMP_LDAPS=0 + cp -a /root/packages/cert/ca.crt /usr/local/share/ca-certificates/ && \ + update-ca-certificates && \ + TMP_LDAPS=$(($TMP_LDAPS | 0x01)) && \ + SMB_TMP_PARAM+=" --option=\"tls cafile = /usr/local/share/ca-certificates/ca.crt\"" + cp -a /root/packages/cert/server.crt /var/lib/samba/private/tls/ && \ + TMP_LDAPS=$(($TMP_LDAPS | 0x02)) && \ + SMB_TMP_PARAM+=" --option=\"tls certfile = /var/lib/samba/private/tls/server.crt\"" + cp -a /root/packages/cert/server.key /var/lib/samba/private/tls/ && \ + TMP_LDAPS=$(($TMP_LDAPS | 0x04)) && \ + chmod 600 /var/lib/samba/private/tls/server.key && \ + SMB_TMP_PARAM+=" --option=\"tls keyfile = /var/lib/samba/private/tls/server.key\"" + cp -a /root/packages/cert/ca.crl /var/lib/samba/private/tls/ && \ + TMP_LDAPS=$(($TMP_LDAPS | 0x08)) && \ + SMB_TMP_PARAM+=" --option=\"tls crlfile = /var/lib/samba/private/tls/ca.crl\"" + + if [ $(($TMP_LDAPS & 0x07)) -eq 7 ]; then + echo "Enable LDAPS." + SMB_TMP_PARAM+=" --option=\"tls enabled = true\" + --option=\"tls verify peer = as_strict_as_possible\" + " + else + echo "Disable Strong Auth." + SMB_TMP_PARAM+=" + --option=\"ldap server require strong auth = no\" + " + fi + + set -f + SMB_TMP_PARAM=$(echo $SMB_TMP_PARAM) + #echo "provision parameters: $SMB_TMP_PARAM" + set +f + + # Domain service settings. + mv --backup=numbered /etc/samba/smb.conf /etc/samba/smb.conf.bak + eval samba-tool domain provision "$SMB_TMP_PARAM" + if [ $? -ne 0 ]; then exit 0; fi + + # Stop needlessly complicated passwords. + samba-tool domain passwordsettings set \ + --complexity=off \ + --history-length=0 \ + --min-pwd-length=8 \ + --min-pwd-age=0 \ + --max-pwd-age=0 + +fi + +#---------------------------------------------------------------------- +# Volumes is left. +#---------------------------------------------------------------------- +if [ ! -e /root/packages/configured ]; then + echo "New container." + + # Register CA certificates. 
+ cp -a /root/packages/cert/ca.crt /usr/local/share/ca-certificates/ && \ + update-ca-certificates + + # Authentication sttings. + sed -i "s/^\(passwd: \+\)[a-z ]\+$/\1compat winbind/" /etc/nsswitch.conf + sed -i "s/^\(group: \+\)[a-z ]\+$/\1compat winbind/" /etc/nsswitch.conf + + # Copy krb5.conf + mv --backup=numbered /etc/krb5.conf /etc/krb5.conf.bak + cp /var/lib/samba/private/krb5.conf /etc/ + + # Make rsync configuration. +cat < /etc/rsyncd.conf +[SysVol] +path = /var/lib/samba/sysvol/ +comment = Samba Sysvol Share +uid = root +gid = root +hosts allow = $RSY_SECONDARY +hosts deny = * +read only = yes +auth users = sysvol-replication +secrets file = /etc/rsyncd.secret +EOF + +cat < /etc/rsyncd.secret +sysvol-replication:$RSY_PASS +EOF + chmod 600 /etc/rsyncd.secret + + # Suppress apache warning. + echo "ServerName localhost" | tee /etc/apache2/conf-available/fqdn.conf + a2enconf fqdn + + # Setup phpLdapAdmin. + if [ -e /root/packages/phpLDAPadmin-1.2.3.tar.gz ]; then + a2dismod php8.1 + a2enmod php7.3 + + tar zxf /root/packages/phpLDAPadmin-1.2.3.tar.gz -C /var/www/ + mv /var/www/phpLDAPadmin-1.2.3 /var/www/phpldapadmin + cp /etc/phpldapadmin/apache.conf /etc/phpldapadmin/apache.conf.bak + sed -i "s@/usr/share/phpldapadmin/htdocs@/var/www/phpldapadmin@g" /etc/phpldapadmin/apache.conf + cp /var/www/phpldapadmin/config/config.php.example /var/www/phpldapadmin//config/config.php + if [ $(grep "tls verify peer = as_strict_as_possible" /etc/samba/smb.conf -c) -ne 0 ]; then + sed -i "$ i\$servers->setValue('server','host','ldaps://$(hostname).${SMB_REALM,,}');" /var/www/phpldapadmin/config/config.php + else + sed -i "$ i\$servers->setValue('server','host','ldap://$(hostname).${SMB_REALM,,}');" /var/www/phpldapadmin/config/config.php + fi + sed -i "$ i\$servers->setValue('login','bind_id','administrator@${SMB_REALM,,}');" /var/www/phpldapadmin/config/config.php + sed -i "$ i\$config->custom->appearance['hide_template_warning'] = true;" 
/var/www/phpldapadmin/config/config.php + sed -i "s/\$servers->setValue('server','name','My LDAP Server');/\$servers->setValue('server','name','$SMB_DOMAIN');/" /var/www/phpldapadmin/config/config.php + + # Customize phpLDAPadmin + # for PHP7.0 + sed -i "s/password_hash/password_hash_custom/g" /var/www/phpldapadmin/lib/* + sed -i '2567d; 2568d; 2569i \\t\tforeach ($dn as $key => $rdn) {\n\t\t\t$a[$key] = preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return '\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $rdn\'');\n\t\t}' /var/www/phpldapadmin/lib/functions.php + sed -i '2574c \\t\treturn preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return'\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $dn);' /var/www/phpldapadmin/lib/functions.php + sed -i '1119d; 1120d; 1121i \\t\t\tforeach ($dn as $key => $rdn) {\n\t\t\t\t$a[$key] = preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return '\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $rdn\'');\n\t\t\t}' /var/www/phpldapadmin/lib/ds_ldap.php + sed -i '1126c \\t\t\treturn preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return'\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $dn);' /var/www/phpldapadmin/lib/ds_ldap.php + # for PHP7.3 + sed -i '54c function my_autoload($className) {' /var/www/phpldapadmin/lib/functions.php + sed -i '777c spl_autoload_register("my_autoload");' /var/www/phpldapadmin/lib/functions.php + sed -i '1083c \\t\t$CACHE[$sortby] = __create_function('\''$a, $b'\'',$code);' /var/www/phpldapadmin/lib/functions.php + sed -i '1091a function __create_function($arg, $body) {\n\tstatic $cache = array();\n\tstatic $maxCacheSize = 64;\n\tstatic $sorter;\n\n\tif ($sorter === NULL) {\n\t\t$sorter = function($a, $b) {\n\t\t\tif ($a->hits == $b->hits) {\n\t\t\t\treturn 0;\n\t\t\t}\n\n\t\t\treturn ($a->hits < $b->hits) ? 1 : -1;\n\t\t};\n\t}\n\n\t$crc = crc32($arg . "\\\\x00" . 
$body);\n\n\tif (isset($cache[$crc])) {\n\t\t++$cache[$crc][1];\n\t\treturn $cache[$crc][0];\n\t}\n\n\tif (sizeof($cache) >= $maxCacheSize) {\n\t\tuasort($cache, $sorter);\n\t\tarray_pop($cache);\n\t}\n\n\t$cache[$crc] = array($cb = eval('\''return function('\''.$arg.'\''){'\''.$body.'\''};'\''), 0);\n\treturn $cb;\n}\n' /var/www/phpldapadmin/lib/functions.php + fi + + # Mark as configured. + touch /root/packages/configured +fi + +#---------------------------------------------------------------------- +# Container and Volumes is left. +#---------------------------------------------------------------------- +echo "Setting to do every time" + +# Resolver settings. +cp /etc/resolv.conf /root/packages/resolv.conf +sed -i "s/nameserver 127.0.0.11/nameserver 127.0.0.1/" /root/packages/resolv.conf +cat /root/packages/resolv.conf > /etc/resolv.conf + +# Switch DNS backend. +if [ $SMB_USEBIND9 = "true" ]; then + if [ ! -e /var/lib/samba/bind-dns/named.conf ]; then + samba_upgradedns --dns-backend=BIND9_DLZ + fi + # Make bind9 configuration. + if [ $(grep "bind-dns" /etc/bind/named.conf -c) -eq 0 ]; then + cp -a /etc/bind/named.conf /etc/bind/named.conf.bak + sed -i "\$a include \"/var/lib/samba/bind-dns/named.conf\";" /etc/bind/named.conf + cp -a /etc/bind/named.conf.options /etc/bind/named.conf.options.bak + sed -i "/listen-on-v6/a\\\n\tforwarders { 127.0.0.11; };\n\tallow-query { any; };\n\tallow-transfer { none; };\n\ttkey-gssapi-keytab \"/var/lib/samba/bind-dns/dns.keytab\";\n\tminimal-responses yes;" /etc/bind/named.conf.options + cp -a /etc/bind/named.conf.local /etc/bind/named.conf.local.bak + sed -i "s@^//include@include@" /etc/bind/named.conf.local + fi + if [[ $(grep -c "server services" /etc/samba/smb.conf) -eq 0 ]]; then + sed -i "9a\\\tserver services = -dns" /etc/samba/smb.conf + fi +else + if [ -e /var/lib/samba/bind-dns/named.conf ]; then + samba_upgradedns --dns-backend=SAMBA_INTERNAL + sed -i "/server services/d" /etc/samba/smb.conf + fi +fi 
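Review bot: `mkdir /var/lib/samba/private/tls/` runs before `samba-tool domain provision`, so when provisioning fails the line `if [ $? -ne 0 ]; then exit 0; fi` leaves a non-empty private/ directory and the `-z "$(ls /var/lib/samba/private)"` guard never re-enters the provisioning branch on the next start, while the exit status 0 hides the failure from entrypoint.sh. Clean up and fail loudly instead: `if [ $? -ne 0 ]; then rm -rf /var/lib/samba/private/tls; exit 1; fi`. The `samba-tool domain passwordsettings set --complexity=off … --max-pwd-age=0` block weakens the domain-wide password policy for every account unconditionally during provision and is not mentioned in the README; gating it on an explicit variable, or at least a comment naming the trade-off, would make it an opt-in. `eval samba-tool domain provision "$SMB_TMP_PARAM"` passes `--adminpass=$SMB_ADMINPASS` through eval, so a password containing quotes, `$` or `;` is re-parsed as shell; building the arguments in a bash array and invoking samba-tool directly removes the eval and the `set -f` dance. config-secondary.sh repeats the mkdir-before-join, exit 0 and eval pattern.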
diff --git a/packages/config-restore.sh b/packages/config-restore.sh
new file mode 100755
index 0000000..2fc3484
--- /dev/null
+++ b/packages/config-restore.sh
@@ -0,0 +1,120 @@ +#!/bin/bash +echo "Restore domain controller settings." + +#---------------------------------------------------------------------- +# New volumes. +#---------------------------------------------------------------------- +if [ -z "$(ls /var/lib/samba/private)" ]; then + echo "New volumes." + + if [ $(ls /root/packages/samba-backup-* | wc -w) -ne 1 ]; then + echo "There must be one backup file." + exit 0 + fi + + samba-tool domain backup restore \ + --backup-file=$(ls /root/packages/samba-backup-*) \ + --newservername=$(hostname) \ + --targetdir=/root/packages/restore \ + --host-ip=$SMB_HOSTIP + + mv /root/packages/restore/etc/* /etc/samba/ + rmdir /root/packages/restore/etc + + mv /root/packages/restore/private/* /var/lib/samba/private/ + rmdir /root/packages/restore/private + + mv /root/packages/restore/state/sysvol /var/lib/samba/ + + mv /root/packages/restore/state/bind-dns /var/lib/samba/ + + mv /root/packages/restore/state/*.tdb /var/lib/samba/ + rmdir /root/packages/restore/state + + rm /root/packages/restore/gencache.tdb + rm /root/packages/restore/backup.txt + rmdir /root/packages/restore + + sed -i "/binddns dir/d" /etc/samba/smb.conf + sed -i "/cache directory/d" /etc/samba/smb.conf + sed -i "/lock directory/d" /etc/samba/smb.conf + sed -i "/private dir/d" /etc/samba/smb.conf + sed -i "/state directory/d" /etc/samba/smb.conf + sed -i "s/--current-ip [0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}/--current-ip $SMB_HOSTIP/" /etc/samba/smb.conf + sed -i "s@/root/packages/restore/state/sysvol@/var/lib/samba/sysvol@g" /etc/samba/smb.conf + + # Change the DNS back end to internal. + if [ -e /var/lib/samba/bind-dns/named.conf ]; then + samba_upgradedns --dns-backend=samba_internal + sed -i "/server services/d" /etc/samba/smb.conf + fi +fi + +#---------------------------------------------------------------------- +# Volumes is left. +#---------------------------------------------------------------------- +if [ ! 
-e /root/packages/configured ]; then + echo "New container." + + # Register CA certificates. + cp -a /root/packages/cert/ca.crt /usr/local/share/ca-certificates/ && \ + update-ca-certificates + + # Authentication sttings. + sed -i "s/^\(passwd: \+\)[a-z ]\+$/\1compat winbind/" /etc/nsswitch.conf + sed -i "s/^\(group: \+\)[a-z ]\+$/\1compat winbind/" /etc/nsswitch.conf + + # Copy krb5.conf + mv --backup=numbered /etc/krb5.conf /etc/krb5.conf.bak + cp /var/lib/samba/private/krb5.conf /etc/ + + # Suppress apache warning. + echo "ServerName localhost" | tee /etc/apache2/conf-available/fqdn.conf + a2enconf fqdn + + # Setup phpLdapAdmin. + if [ -e /root/packages/phpLDAPadmin-1.2.3.tar.gz ]; then + a2dismod php8.1 + a2enmod php7.3 + if [ $(grep "ldap server require strong auth" /etc/samba/smb.conf -c) -ne 0 ]; then + sed -i "/ldap server require strong auth/d" /etc/samba/smb.conf + fi + sed -i "/\[global\]/a \\\tldap server require strong auth = no" /etc/samba/smb.conf + + tar zxf /root/packages/phpLDAPadmin-1.2.3.tar.gz -C /var/www/ + mv /var/www/phpLDAPadmin-1.2.3 /var/www/phpldapadmin + cp /etc/phpldapadmin/apache.conf /etc/phpldapadmin/apache.conf.bak + sed -i "s@/usr/share/phpldapadmin/htdocs@/var/www/phpldapadmin@g" /etc/phpldapadmin/apache.conf + cp /var/www/phpldapadmin/config/config.php.example /var/www/phpldapadmin//config/config.php + sed -i "$ i\$servers->setValue('server','host','ldap://127.0.0.1');" /var/www/phpldapadmin/config/config.php + sed -i "$ i\$servers->setValue('login','bind_id','administrator@${SMB_REALM,,}');" /var/www/phpldapadmin/config/config.php + sed -i "$ i\$config->custom->appearance['hide_template_warning'] = true;" /var/www/phpldapadmin/config/config.php + sed -i "s/\$servers->setValue('server','name','My LDAP Server');/\$servers->setValue('server','name','$SMB_DOMAIN');/" /var/www/phpldapadmin/config/config.php + + # Customize phpLDAPadmin + # for PHP7.0 + sed -i "s/password_hash/password_hash_custom/g" /var/www/phpldapadmin/lib/* + sed 
-i '2567d; 2568d; 2569i \\t\tforeach ($dn as $key => $rdn) {\n\t\t\t$a[$key] = preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return '\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $rdn\'');\n\t\t}' /var/www/phpldapadmin/lib/functions.php + sed -i '2574c \\t\treturn preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return'\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $dn);' /var/www/phpldapadmin/lib/functions.php + sed -i '1119d; 1120d; 1121i \\t\t\tforeach ($dn as $key => $rdn) {\n\t\t\t\t$a[$key] = preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return '\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $rdn\'');\n\t\t\t}' /var/www/phpldapadmin/lib/ds_ldap.php + sed -i '1126c \\t\t\treturn preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return'\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $dn);' /var/www/phpldapadmin/lib/ds_ldap.php + # for PHP7.3 + sed -i '54c function my_autoload($className) {' /var/www/phpldapadmin/lib/functions.php + sed -i '777c spl_autoload_register("my_autoload");' /var/www/phpldapadmin/lib/functions.php + sed -i '1083c \\t\t$CACHE[$sortby] = __create_function('\''$a, $b'\'',$code);' /var/www/phpldapadmin/lib/functions.php + sed -i '1091a function __create_function($arg, $body) {\n\tstatic $cache = array();\n\tstatic $maxCacheSize = 64;\n\tstatic $sorter;\n\n\tif ($sorter === NULL) {\n\t\t$sorter = function($a, $b) {\n\t\t\tif ($a->hits == $b->hits) {\n\t\t\t\treturn 0;\n\t\t\t}\n\n\t\t\treturn ($a->hits < $b->hits) ? 1 : -1;\n\t\t};\n\t}\n\n\t$crc = crc32($arg . "\\\\x00" . 
$body);\n\n\tif (isset($cache[$crc])) {\n\t\t++$cache[$crc][1];\n\t\treturn $cache[$crc][0];\n\t}\n\n\tif (sizeof($cache) >= $maxCacheSize) {\n\t\tuasort($cache, $sorter);\n\t\tarray_pop($cache);\n\t}\n\n\t$cache[$crc] = array($cb = eval('\''return function('\''.$arg.'\''){'\''.$body.'\''};'\''), 0);\n\treturn $cb;\n}\n' /var/www/phpldapadmin/lib/functions.php + fi + + # Mark as configured. + touch /root/packages/configured +fi + +#---------------------------------------------------------------------- +# Container and Volumes is left. +#---------------------------------------------------------------------- +echo "Setting to do every time" + +# Resolver settings. +cp /etc/resolv.conf /root/packages/resolv.conf +sed -i "s/nameserver 127.0.0.11/nameserver 127.0.0.1/" /root/packages/resolv.conf +cat /root/packages/resolv.conf > /etc/resolv.conf diff --git a/packages/config-secondary.sh b/packages/config-secondary.sh new file mode 100755 index 0000000..cd65fe7 --- /dev/null +++ b/packages/config-secondary.sh 
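Review bot: In the phpLDAPadmin block, `sed -i "/\[global\]/a \\\tldap server require strong auth = no" /etc/samba/smb.conf` (after deleting any existing setting) unconditionally switches off the strong-auth requirement on the restored DC for every LDAP client on port 389, not only the local phpLDAPadmin that the next line points at `ldap://127.0.0.1`; config-primary.sh only falls back to this when the certificate set is incomplete, so the two scripts behave differently for the same domain. Since this path restores no TLS files, a comment such as `# Simple binds over plain LDAP are allowed domain-wide so phpLDAPadmin can bind to 127.0.0.1; revisit once tls files are restored` and a variable to opt out would make the trade-off explicit. Separately, `ls /root/packages/samba-backup-* | wc -w` counts words rather than files, so a backup name containing a space fails the `-ne 1` check and the script exits 0 without restoring, which entrypoint.sh cannot distinguish from success; `wc -l` and a non-zero exit are the minimal fix.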
@@ -0,0 +1,203 @@
+#!/bin/bash
+echo "Secondary domain controller settings."
+
+#----------------------------------------------------------------------
+# New volumes.
+#----------------------------------------------------------------------
+if [ -z "$(ls /var/lib/samba/private)" ]; then
+ echo "New volumes."
+
+ # Make join parameters.
+ SMB_TMP_PARAM="
+ --username=administrator
+ --password=$SMB_ADMINPASS
+ --realm=$SMB_REALM
+ --option=\"dns forwarder = 127.0.0.11\"
+ --option=\"dns update command = /usr/sbin/samba_dnsupdate --current-ip $SMB_HOSTIP\"
+ --option=\"rpc server dynamic port range = $SMB_RPC_PORTS\"
+ --option=\"template homedir = /home/%D/%U\"
+ --option=\"template shell = /bin/bash\"
+ --option=\"winbind enum users = yes\"
+ --option=\"winbind enum groups = yes\"
+ --option=\"idmap config $SMB_DOMAIN:unix_nss_info = yes\"
+ --option=\"idmap config $SMB_DOMAIN:unix_primary_group = yes\"
+ --option=\"idmap_ldb:use rfc2307 = yes\"
+ "
+ if [ $SMB_USEBIND9 = "true" ]; then
+ SMB_TMP_PARAM+=" --dns-backend=BIND9_DLZ"
+ else
+ SMB_TMP_PARAM+=" --dns-backend=SAMBA_INTERNAL"
+ fi
+
+ # LDAPS settings.
+ mkdir /var/lib/samba/private/tls/
+ TMP_LDAPS=0
+ cp -a /root/packages/cert/ca.crt /usr/local/share/ca-certificates/ && \
+ update-ca-certificates && \
+ TMP_LDAPS=$(($TMP_LDAPS | 0x01)) && \
+ SMB_TMP_PARAM+=" --option=\"tls cafile = /usr/local/share/ca-certificates/ca.crt\""
+ cp -a /root/packages/cert/server.crt /var/lib/samba/private/tls/ && \
+ TMP_LDAPS=$(($TMP_LDAPS | 0x02)) && \
+ SMB_TMP_PARAM+=" --option=\"tls certfile = /var/lib/samba/private/tls/server.crt\""
+ cp -a /root/packages/cert/server.key /var/lib/samba/private/tls/ && \
+ TMP_LDAPS=$(($TMP_LDAPS | 0x04)) && \
+ chmod 600 /var/lib/samba/private/tls/server.key && \
+ SMB_TMP_PARAM+=" --option=\"tls keyfile = /var/lib/samba/private/tls/server.key\""
+ cp -a /root/packages/cert/ca.crl /var/lib/samba/private/tls/ && \
+ TMP_LDAPS=$(($TMP_LDAPS | 0x08)) && \
+ SMB_TMP_PARAM+=" --option=\"tls crlfile = /var/lib/samba/private/tls/ca.crl\""
+
+ if [ $(($TMP_LDAPS & 0x07)) -eq 7 ]; then
+ echo "Enable LDAPS."
+ SMB_TMP_PARAM+=" --option=\"tls enabled = true\"
+ --option=\"tls verify peer = as_strict_as_possible\"
+ "
+ else
+ echo "Disable Strong Auth."
+ SMB_TMP_PARAM+="
+ --option=\"ldap server require strong auth = no\"
+ "
+ fi
+
+ set -f
+ SMB_TMP_PARAM=$(echo $SMB_TMP_PARAM)
+ #echo "join parameters: $SMB_TMP_PARAM"
+ set +f
+
+ # Join domain settings.
+ mv --backup=numbered /etc/samba/smb.conf /etc/samba/smb.conf.bak
+ eval samba-tool domain join $SMB_REALM DC "$SMB_TMP_PARAM"
+ if [ $? -ne 0 ]; then exit 0; fi
+
+ # Deletion of IP addresses in the container registered in Primary DNS
+ MYHOSTIP=$(grep $(hostname) /etc/hosts | sed "s/^\(.*\)\s.*/\1/")
+ MYHOSTNM=$(hostname)
+ samba-tool dns update $SMB_REALM \
+ $SMB_REALM $MYHOSTNM \
+ A $MYHOSTIP $SMB_HOSTIP \
+ --username Administrator --password $SMB_ADMINPASS
+ # Delete myhostip after 30 sec.
+ /bin/bash -c "sleep 30;
+ samba-tool dns delete localhost \
+ $SMB_REALM $MYHOSTNM \
+ A $MYHOSTIP \
+ --username Administrator --password $SMB_ADMINPASS
+ " &
+fi
+
+#----------------------------------------------------------------------
+# Volumes is left.
+#----------------------------------------------------------------------
+if [ ! -e /root/packages/configured ]; then
+ echo "New container."
+
+ # Register CA certificates.
+ cp -a /root/packages/cert/ca.crt /usr/local/share/ca-certificates/ && \
+ update-ca-certificates
+
+ # Authentication sttings.
+ sed -i "s/^\(passwd: \+\)[a-z ]\+$/\1compat winbind/" /etc/nsswitch.conf
+ sed -i "s/^\(group: \+\)[a-z ]\+$/\1compat winbind/" /etc/nsswitch.conf
+
+ # Create krb5.conf
+ mv --backup=numbered /etc/krb5.conf /etc/krb5.conf.bak
+cat < /etc/krb5.conf
+[libdefaults]
+ dns_lookup_realm = false
+ dns_lookup_kdc = true
+ default_realm = $SMB_REALM
+EOF
+
+ # Make rsync configuration.
+cat < /etc/rsyncd.secret.sysvol-replication
+$RSY_PASS
+EOF
+ chmod 600 /etc/rsyncd.secret.sysvol-replication
+
+ # Reset sysvol.
+ echo "Reset sysvol."
+ rsync -XAavx \
+ --delete-after \
+ --password-file=/etc/rsyncd.secret.sysvol-replication \
+ --contimeout=10 \
+ rsync://sysvol-replication@$RSY_PRIMARY/SysVol \
+ /var/lib/samba/sysvol/
+ samba-tool ntacl sysvolreset
+
+ # Replicate sysvol every 5 minutes.
+ echo "*/5 * * * * root rsync -XAavx --delete-after --password-file=/etc/rsyncd.secret.sysvol-replication rsync://sysvol-replication@$RSY_PRIMARY/SysVol /var/lib/samba/sysvol/" >> /etc/crontab
+
+ # Suppress apache warning.
+ echo "ServerName localhost" | tee /etc/apache2/conf-available/fqdn.conf
+ a2enconf fqdn
+
+ # Setup phpLdapAdmin.
+ if [ -e /root/packages/phpLDAPadmin-1.2.3.tar.gz ]; then
+ a2dismod php8.1
+ a2enmod php7.3
+
+ tar zxf /root/packages/phpLDAPadmin-1.2.3.tar.gz -C /var/www/
+ mv /var/www/phpLDAPadmin-1.2.3 /var/www/phpldapadmin
+ cp /etc/phpldapadmin/apache.conf /etc/phpldapadmin/apache.conf.bak
+ sed -i "s@/usr/share/phpldapadmin/htdocs@/var/www/phpldapadmin@g" /etc/phpldapadmin/apache.conf
+ cp /var/www/phpldapadmin/config/config.php.example /var/www/phpldapadmin//config/config.php
+ if [ $(grep "tls verify peer = as_strict_as_possible" /etc/samba/smb.conf -c) -ne 0 ]; then
+ sed -i "$ i\$servers->setValue('server','host','ldaps://$(hostname).${SMB_REALM,,}');" /var/www/phpldapadmin/config/config.php
+ else
+ sed -i "$ i\$servers->setValue('server','host','ldap://$(hostname).${SMB_REALM,,}');" /var/www/phpldapadmin/config/config.php
+ fi
+ sed -i "$ i\$servers->setValue('login','bind_id','administrator@${SMB_REALM,,}');" /var/www/phpldapadmin/config/config.php
+ sed -i "$ i\$config->custom->appearance['hide_template_warning'] = true;" /var/www/phpldapadmin/config/config.php
+ sed -i "s/\$servers->setValue('server','name','My LDAP Server');/\$servers->setValue('server','name','$SMB_DOMAIN');/" /var/www/phpldapadmin/config/config.php
+
+ # Customize phpLDAPadmin
+ # for PHP7.0
+ sed -i "s/password_hash/password_hash_custom/g" /var/www/phpldapadmin/lib/*
+ sed -i '2567d; 2568d; 2569i \\t\tforeach ($dn as $key => $rdn) {\n\t\t\t$a[$key] = preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return '\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $rdn\'');\n\t\t}' /var/www/phpldapadmin/lib/functions.php
+ sed -i '2574c \\t\treturn preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return'\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $dn);' /var/www/phpldapadmin/lib/functions.php
+ sed -i '1119d; 1120d; 1121i \\t\t\tforeach ($dn as $key => $rdn) {\n\t\t\t\t$a[$key] = preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return '\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $rdn\'');\n\t\t\t}' /var/www/phpldapadmin/lib/ds_ldap.php
+ sed -i '1126c \\t\t\treturn preg_replace_callback('\''/\\\\\\([0-9A-Fa-f]{2})/'\'', function ($m) { return'\'\''.chr(hexdec('\''\\\\1'\'')).'\'\''; }, $dn);' /var/www/phpldapadmin/lib/ds_ldap.php
+ # for PHP7.3
+ sed -i '54c function my_autoload($className) {' /var/www/phpldapadmin/lib/functions.php
+ sed -i '777c spl_autoload_register("my_autoload");' /var/www/phpldapadmin/lib/functions.php
+ sed -i '1083c \\t\t$CACHE[$sortby] = __create_function('\''$a, $b'\'',$code);' /var/www/phpldapadmin/lib/functions.php
+ sed -i '1091a function __create_function($arg, $body) {\n\tstatic $cache = array();\n\tstatic $maxCacheSize = 64;\n\tstatic $sorter;\n\n\tif ($sorter === NULL) {\n\t\t$sorter = function($a, $b) {\n\t\t\tif ($a->hits == $b->hits) {\n\t\t\t\treturn 0;\n\t\t\t}\n\n\t\t\treturn ($a->hits < $b->hits) ? 1 : -1;\n\t\t};\n\t}\n\n\t$crc = crc32($arg . "\\\\x00" . $body);\n\n\tif (isset($cache[$crc])) {\n\t\t++$cache[$crc][1];\n\t\treturn $cache[$crc][0];\n\t}\n\n\tif (sizeof($cache) >= $maxCacheSize) {\n\t\tuasort($cache, $sorter);\n\t\tarray_pop($cache);\n\t}\n\n\t$cache[$crc] = array($cb = eval('\''return function('\''.$arg.'\''){'\''.$body.'\''};'\''), 0);\n\treturn $cb;\n}\n' /var/www/phpldapadmin/lib/functions.php
+ fi
+
+ # Mark as configured.
+ touch /root/packages/configured
+fi
+
+#----------------------------------------------------------------------
+# Container and Volumes is left.
+#----------------------------------------------------------------------
+echo "Setting to do every time"
+
+# Resolver settings.
+cp /etc/resolv.conf /root/packages/resolv.conf
+sed -i "s/nameserver 127.0.0.11/nameserver 127.0.0.1/" /root/packages/resolv.conf
+cat /root/packages/resolv.conf > /etc/resolv.conf
+
+# Switch DNS backend.
+if [ $SMB_USEBIND9 = "true" ]; then
+ if [ ! -e /var/lib/samba/bind-dns/named.conf ]; then
+ samba_upgradedns --dns-backend=BIND9_DLZ
+ fi
+ # Make bind9 configuration.
+ if [ $(grep "bind-dns" /etc/bind/named.conf -c) -eq 0 ]; then
+ cp -a /etc/bind/named.conf /etc/bind/named.conf.bak
+ sed -i "\$a include \"/var/lib/samba/bind-dns/named.conf\";" /etc/bind/named.conf
+ cp -a /etc/bind/named.conf.options /etc/bind/named.conf.options.bak
+ sed -i "/listen-on-v6/a\\\n\tforwarders { 127.0.0.11; };\n\tallow-query { any; };\n\tallow-transfer { none; };\n\ttkey-gssapi-keytab \"/var/lib/samba/bind-dns/dns.keytab\";\n\tminimal-responses yes;" /etc/bind/named.conf.options
+ cp -a /etc/bind/named.conf.local /etc/bind/named.conf.local.bak
+ sed -i "s@^//include@include@" /etc/bind/named.conf.local
+ fi
+ if [[ $(grep -c "server services" /etc/samba/smb.conf) -eq 0 ]]; then
+ sed -i "9a\\\tserver services = -dns" /etc/samba/smb.conf
+ fi
+else
+ if [ -e /var/lib/samba/bind-dns/named.conf ]; then
+ samba_upgradedns --dns-backend=SAMBA_INTERNAL
+ sed -i "/server services/d" /etc/samba/smb.conf
+ fi
+fi
diff --git a/packages/restore.sh b/packages/restore.sh
new file mode 100755
index 0000000..269b7d1
--- /dev/null
+++ b/packages/restore.sh
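Review bot: The check after `eval samba-tool domain join`, `if [ $? -ne 0 ]; then exit 0; fi`, reports success when the join failed, so the caller cannot distinguish a broken secondary DC from a healthy one and nothing signals that the script never reached the `samba-tool dns update` step; change it to `if [ $? -ne 0 ]; then echo "Domain join failed." >&2; exit 1; fi`. The administrator password is also placed on command lines three times (`--password=$SMB_ADMINPASS` inside the eval'd parameter string, `--password $SMB_ADMINPASS` in the `dns update` call, and again in the backgrounded `sleep 30` shell, where it stays visible in the process list for the whole delay); samba-tool's common credential options accept the password from a file via `--authentication-file`, which keeps it out of argv and out of shell logs. When any of the three TLS files is missing, the `else` branch quietly appends `ldap server require strong auth = no`, turning a packaging mistake into a permanent downgrade to unsigned LDAP binds on this DC; the script should at least print why LDAPS was not enabled and which file was absent, and a production deployment would be better served by refusing the join. The `[ $SMB_USEBIND9 = "true" ]` tests (here and in the "Switch DNS backend" section) break with a syntax error when the variable is unset; quote it as `[ "$SMB_USEBIND9" = "true" ]`.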
@@ -0,0 +1,91 @@
+#!/bin/bash
+
+WORKDIR=${PWD}
+
+# Check parameters.
+if [ $# = 0 ]; then
+echo "Usage: restore.sh [path to backup file] [--execute]
+ --execute Execute a restore.
+ If this parameter is not present, a dry run is performed."
+ exit 0
+fi
+if [ ! -e $1 ]; then
+ echo "File to be restored not found: $1"
+ exit -1
+fi
+
+# Extract file.
+if [ -d ./restore ]; then
+ echo "The directory \"restore\" exists. Aborted."
+ exit 0
+fi
+mkdir ./restore
+tar -zxvf $1 -C ./restore
+if [ $? -ne 0 ]; then
+ echo "Failed to extract file."
+ exit -1
+fi
+
+#
+if [ -z $2 ]; then
+ # Restore acl.
+ cd restore/lib/samba/
+ bash ./NTACL
+
+ echo "Finished dry run."
+
+elif [ $2 = "--execute" ]; then
+ # Stop the samba process.
+ pkill -SIGTERM ^samba$
+ while
+ pgrep ^samba$
+ [ $? -eq 0 ]
+ do
+ echo "wait..."
+ sleep 1
+ done
+
+ # Samba
+ # Restore files.
+ rm -rf /etc/samba/*
+ mv restore/etc/samba/* /etc/samba/
+
+ rm -rf /var/lib/samba/private/*
+ mv restore/lib/samba/private/* /var/lib/samba/private/
+
+ rm -rf /var/lib/samba/bind-dns
+ mv restore/lib/samba/bind-dns /var/lib/samba/
+
+ rm -rf /var/lib/samba/sysvol/*
+ mv restore/lib/samba/sysvol/* /var/lib/samba/sysvol/
+
+ # Bind
+ # Restore files.
+ rm -rf /etc/bind/*
+ mv restore/etc/bind/* /etc/bind/
+
+ rm -rf /var/lib/bind/*
+ mv restore/lib/bind/* /var/lib/bind/
+
+ # Delete working files.
+ rm -rf ./restore
+
+ # Restore acl.
+ cd /var/lib/samba
+ bash $WORKDIR/restore/lib/samba/NTACL
+ cd $WORKDIR
+
+ # Do sysvol reset.
+ net cache flush
+ samba-tool ntacl sysvolreset
+
+ # Start the samba process.
+ /usr/sbin/samba --interactive --no-process-group &
+ if [ $SMB_USEBIND9 = "true" ]; then
+ /usr/sbin/rndc stop
+ /usr/sbin/named -u bind
+ fi
+
+ echo "Restored."
+
+fi
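Review bot: In the `--execute` branch, `rm -rf ./restore` under "Delete working files" runs before `bash $WORKDIR/restore/lib/samba/NTACL`, so the NTACL script has already been deleted when it is invoked and the ACL restore fails (bash prints a not-found error that the script ignores, and the DC comes up with the wrong ACLs on private/ and sysvol/); move `rm -rf ./restore` to after `cd $WORKDIR`. The dry-run branch has the opposite problem: it never removes `./restore`, so every later run aborts with "The directory \"restore\" exists." until someone cleans up by hand. Both branches execute the `NTACL` file shipped inside the archive as root, so the backup's integrity should be verified before extraction (for example against a checksum recorded when the backup was taken), and `[ ! -e $1 ]` / `tar -zxvf $1` should quote `"$1"` so a path containing spaces is not split. `exit -1` is not a valid exit status (the shell reports it as 255); use `exit 1`.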