ad: add wsdd, migrate debian 11, configure nginx

thorstenspille 2022-01-15 18:45:29 +01:00
parent 24c9b03abe
commit 4f0b47949f
2 changed files with 88 additions and 57 deletions


@ -10,9 +10,6 @@
# Debian Version, which will be installed # Debian Version, which will be installed
LXC_TEMPLATE_VERSION="debian-11-standard" LXC_TEMPLATE_VERSION="debian-11-standard"
# Defines the desired DNS server backend, supported are `SAMBA_INTERNAL` and `BIND9_DLZ` for more advanced usage
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
# Create sharefs mountpoint # Create sharefs mountpoint
LXC_MP="0" LXC_MP="0"
@ -21,3 +18,15 @@ LXC_UNPRIVILEGED="0"
# enable nesting feature # enable nesting feature
LXC_NESTING="1" LXC_NESTING="1"
# add optional features to samba ad dc
# CURRENTLY SUPPORTED:
# wsdd = add windows service discovery
# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=()


@ -8,47 +8,21 @@
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then ZMB_DNS_BACKEND="SAMBA_INTERNAL"
BINDNINE=bind9
fi
## configure ntp for f in ${OPTIONAL_FEATURES[@]}; do
cat << EOF > /etc/ntp.conf if [[ "$f" == "wsdd" ]]; then
# Local clock. Note that is not the "localhost" address! ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
server 127.127.1.0 ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
fudge 127.127.1.0 stratum 10 apt-key adv --fetch-keys https://pkg.ltec.ch/public/conf/ltec-ag.gpg.key
echo "deb https://pkg.ltec.ch/public/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/wsdd.list
# Where to retrieve the time from elif [[ "$f" == "splitdns" ]]; then
server 0.de.pool.ntp.org iburst prefer ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
server 1.de.pool.ntp.org iburst prefer ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
server 2.de.pool.ntp.org iburst prefer elif [[ "$f" == "bind9dlz" ]]; then
ZMB_DNS_BACKEND="BIND9_DLZ"
driftfile /var/lib/ntp/ntp.drift ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
logfile /var/log/ntp ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp
# No restrictions for "localhost"
restrict 127.0.0.1
# Enable the time sources to only provide time to this host
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
tinker panic 0
EOF
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET acl attr ntpdate nginx-full rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils $BINDNINE
if [[ $ZMB_DNS_BACKEND == "BIND9_DLZ" ]]; then
# configure bind dns service # configure bind dns service
cat << EOF > /etc/default/bind9 cat << EOF > /etc/default/bind9
# #
@ -93,11 +67,59 @@ options {
EOF EOF
mkdir -p /var/lib/samba/bind-dns/dns mkdir -p /var/lib/samba/bind-dns/dns
else
echo "Unsupported optional feature $f"
fi
done
## configure ntp
cat << EOF > /etc/ntp.conf
# Local clock. Note that is not the "localhost" address!
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Where to retrieve the time from
server 0.de.pool.ntp.org iburst prefer
server 1.de.pool.ntp.org iburst prefer
server 2.de.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/
# Access control
# Default restriction: Allow clients only to query the time
restrict default kod nomodify notrap nopeer mssntp
# No restrictions for "localhost"
restrict 127.0.0.1
# Enable the time sources to only provide time to this host
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery
tinker panic 0
EOF
# update packages
apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES acl attr ntpdate rpl net-tools dnsutils ntp samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80;
server_name $LXC_DOMAIN default_server;
return 301 http://www.$LXC_DOMAIN\$request_uri;
}
EOF
fi fi
# stop + disable samba services and remove default config # stop + disable samba services and remove default config
systemctl stop smbd nmbd winbind systemctl disable --now smbd nmbd winbind systemd-resolved
systemctl disable smbd nmbd winbind
rm -f /etc/samba/smb.conf rm -f /etc/samba/smb.conf
rm -f /etc/krb5.conf rm -f /etc/krb5.conf
@ -107,7 +129,7 @@ samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAI
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
systemctl unmask samba-ad-dc systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc $BINDNINE systemctl enable samba-ad-dc $ADDITIONAL_SERVICES
systemctl restart samba-ad-dc $BINDNINE systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
exit 0 exit 0
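Review bot: The `bind9dlz` branch of the feature loop sets `ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"` where it should add `bind9`, so with only `bind9dlz` selected the later `systemctl enable samba-ad-dc $ADDITIONAL_SERVICES` and `systemctl restart ...` lines try to enable a service that was never installed and leave bind9 unmanaged; it should read `ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"`. In the `wsdd` branch, `apt-key adv --fetch-keys` places the third-party key in the system-wide trusted keyring, which makes that key valid for every configured repository, and `apt-key` is deprecated on Debian 11; storing the key under `/usr/share/keyrings/` and referencing it with `[signed-by=/usr/share/keyrings/<keyfile>]` in the `.list` line scopes trust to that one repository (confirm gpg and a downloader are present in the template before switching). The loop header `for f in ${OPTIONAL_FEATURES[@]}` should quote the array, `for f in "${OPTIONAL_FEATURES[@]}"`, so entries are not word-split or glob-expanded. In the nginx block, `default_server` is a parameter of `listen`, not of `server_name`, so as written it is matched as a literal hostname; use `listen 80 default_server;` and `server_name $LXC_DOMAIN;`.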