From 38237241f18b32f17f7fbd2f93f4a6dcbb41e7db Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Mon, 12 Apr 2021 01:49:55 +0200 Subject: [PATCH] Added zmb-ad prototype --- zmb-ad.sh | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 zmb-ad.sh diff --git a/zmb-ad.sh b/zmb-ad.sh new file mode 100644 index 0000000..a96703c --- /dev/null +++ b/zmb-ad.sh @@ -0,0 +1,112 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source ./zamba.conf + +# Set Timezone +ln -sf /usr/share/zoneinfo/$LXC_TIMEZONE /etc/localtime + +# configure system language +dpkg-reconfigure locales + +## configure ntp +cat << EOF > /etc/ntp.conf +# Local clock. Note that is not the "localhost" address! +server 127.127.1.0 +fudge 127.127.1.0 stratum 10 + +# Where to retrieve the time from +server 0.de.pool.ntp.org iburst prefer +server 1.de.pool.ntp.org iburst prefer +server 2.de.pool.ntp.org iburst prefer + +driftfile /var/lib/ntp/ntp.drift +logfile /var/log/ntp +ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ + +# Access control +# Default restriction: Allow clients only to query the time +restrict default kod nomodify notrap nopeer mssntp + +# No restrictions for "localhost" +restrict 127.0.0.1 + +# Enable the time sources to only provide time to this host +restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery +restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery +restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery + +tinker panic 0 +EOF + +# update packages +apt update +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade +# install required packages +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y $LXC_TOOLSET acl attr ntpdate nginx-full rpl net-tools dnsutils ntp bind9 samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils + +# stop + disable samba services and remove default config +systemctl stop smbd nmbd winbind +systemctl disable smbd nmbd winbind +rm /etc/samba/smb.conf +rm /etc/krb5.conf + +# configure bind dns service +cat << EOF > /etc/default/bind9 +# +# run resolvconf? +RESOLVCONF=no + +# startup options for the server +OPTIONS="-4 -u bind" +EOF + +cat << EOF > /etc/bind/named.conf.local +// +// Do any local configuration here +// + +// Consider adding the 1918 zones here, if they are not used in your +// organization +//include "/etc/bind/zones.rfc1918"; +dlz "$LXC_DOMAIN" { + database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so"; +}; +EOF + +cat << EOF > /etc/bind/named.conf.options +options { + directory "/var/cache/bind"; + + forwarders { + $LXC_DNS; + }; + + allow-query { any;}; + dnssec-validation no; + + auth-nxdomain no; # conform to RFC1035 + listen-on-v6 { any; }; + listen-on { any; }; + + tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; + minimal-responses yes; +}; +EOF + +mkdir -p /var/lib/samba/bind-dns/dns + +# provision zamba domain +samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=BIND9_DLZ + +ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf + +systemctl unmask samba-ad-dc +systemctl enable samba-ad-dc bind9 +systemctl restart samba-ad-dc bind9 + +exit 0 \ No newline at end of file