#!/bin/bash
# Authors:
# (C) 2021 Idea and concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
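# Load the container configuration; every variable used below (LXC_*, ZMB_*)
# comes from this file, so abort early if it cannot be read.
source /root/zamba.conf || exit 1
: "${LXC_LOCALE:?LXC_LOCALE must be set in /root/zamba.conf}"

# Enable the configured locale: uncomment it in locale.gen, make it the
# system default and generate it.
sed -i "s|# $LXC_LOCALE|$LXC_LOCALE|" /etc/locale.gen
cat << EOF > /etc/default/locale
LANG="$LXC_LOCALE"
LANGUAGE=$LXC_LOCALE
EOF
locale-gen "$LXC_LOCALE"

# The bind9 package is only needed for the BIND9_DLZ DNS backend. BINDNINE
# stays unset otherwise and is appended to the apt/systemctl argument lists
# further down, so an empty value must expand to no argument at all.
if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
  BINDNINE=bind9
fi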
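## configure ntp
# Written before the ntp package is installed; the package keeps an existing
# /etc/ntp.conf (apt runs with --force-confold below).
cat << EOF > /etc/ntp.conf
# Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Where to retrieve the time from
server 0.de.pool.ntp.org iburst prefer
server 1.de.pool.ntp.org iburst prefer
server 2.de.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
# Socket directory where samba signs NTP replies for domain members (MS-SNTP).
# NOTE(review): this is the path of a self-compiled samba; check the value the
# installed package was built with ("samba -b", NTP_SIGND_SOCKET_DIR) and that
# the ntp user can reach the directory, otherwise signed time requests fail.
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp
# No restrictions for "localhost"
restrict 127.0.0.1
# Enable the time sources to only provide time to this host
# (same host names as the server lines above, otherwise the restriction
# applies to a different address than the one we actually sync from)
restrict 0.de.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.de.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 2.de.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
tinker panic 0
EOF

# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade

# install required packages; everything after this step depends on samba, so a
# failed install aborts the script instead of provisioning on a broken system.
# shellcheck disable=SC2086  # LXC_TOOLSET is a space-separated package list; BINDNINE may be empty
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y \
  -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" \
  $LXC_TOOLSET acl attr ntpdate nginx-full rpl net-tools dnsutils ntp \
  samba smbclient winbind libpam-winbind libnss-winbind krb5-user \
  samba-dsdb-modules samba-vfs-modules lmdb-utils $BINDNINE || exit 1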
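if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
  # configure bind dns service
  # Both values end up verbatim in named.conf; an empty forwarder list or zone
  # name produces a config that named refuses to load, so fail early instead.
  : "${LXC_DOMAIN:?LXC_DOMAIN must be set for the BIND9_DLZ backend}"
  : "${LXC_DNS:?LXC_DNS must be set for the BIND9_DLZ backend}"

  cat << EOF > /etc/default/bind9
#
# run resolvconf?
RESOLVCONF=no
# startup options for the server
OPTIONS="-4 -u bind"
EOF

  # Hand the AD zone to samba via the DLZ module.
  # NOTE(review): the module name is tied to the BIND release (9.11 here);
  # a bind9 package from another release installs a differently numbered
  # dlz_bind9_*.so in the same directory — confirm against the installed version.
  cat << EOF > /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
dlz "$LXC_DOMAIN" {
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF

  # allow-query/listen-on accept any source: the DC is meant to serve the
  # internal network only; narrow these to the LAN prefixes if the container
  # is reachable from elsewhere. tkey-gssapi-keytab enables secure dynamic
  # updates from domain members using the keytab samba-tool provision creates.
  cat << EOF > /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders {
$LXC_DNS;
};
allow-query { any;};
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
EOF
  mkdir -p /var/lib/samba/bind-dns/dns
fi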
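# stop + disable samba services and remove default config
# (the member-server units must not run alongside the AD DC unit; a missing
# unit only makes systemctl complain, which is harmless here)
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
rm -f /etc/samba/smb.conf
rm -f /etc/krb5.conf

# provision zamba domain
# All values are quoted so a realm, domain or password containing spaces or
# shell metacharacters reaches samba-tool intact. The admin password is passed
# on the command line and is therefore visible in the process list while
# provisioning runs; the script is intended to run as root inside a freshly
# created container — do not run it under set -x or a command-logging wrapper.
samba-tool domain provision --use-rfc2307 \
  --realm="$ZMB_REALM" --domain="$ZMB_DOMAIN" --adminpass="$ZMB_ADMIN_PASS" \
  --server-role=dc --backend-store=mdb --dns-backend="$ZMB_DNS_BACKEND" || exit 1

# use the krb5.conf that provisioning generated for the new realm
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

# The AD DC unit is masked until unmasked here (a no-op if it already is).
# bind9 is only added to the unit list when the BIND9_DLZ backend set BINDNINE;
# ${BINDNINE:+"$BINDNINE"} expands to nothing when it is empty/unset.
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc ${BINDNINE:+"$BINDNINE"}
systemctl restart samba-ad-dc ${BINDNINE:+"$BINDNINE"}
exit 0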