From 8cf9c45f79717513870560417743c25c6b2d537c Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Thu, 28 Nov 2024 21:27:56 +0100 Subject: [PATCH] set domain admins group in zmb.conf, add zmb-ad-restore container
--- conf/zamba.conf.example | 10 +- install.sh | 17 ++ src/zmb-ad-restore/constants-service.conf | 45 +++++ src/zmb-ad-restore/install-service.sh | 195 ++++++++++++++++++++++ src/zmb-cups/install-service.sh | 8 +- 5 files changed, 268 insertions(+), 7 deletions(-) create mode 100644 src/zmb-ad-restore/constants-service.conf create mode 100644 src/zmb-ad-restore/install-service.sh
diff --git a/conf/zamba.conf.example b/conf/zamba.conf.example
index 714c47d..fa1d436 100644
--- a/conf/zamba.conf.example
+++ b/conf/zamba.conf.example
@@ -99,17 +99,21 @@ LXC_TAGS="linux,debian,${service}"
 ############### Zamba-Server-Section ###############
-# Defines the REALM for the Active Directory (AD DC, AD member)
+# Defines the REALM for the Active Directory (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups)
 ZMB_REALM="ZMB.ROCKS"
-# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
+# Defines the domain name in your Active Directory or Workgroup (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
 ZMB_DOMAIN="ZMB"
-# Defines the name of your domain administrator account (AD DC, AD member, standalone)
+# Defines the name of your domain administrator account (Some environments are case sensitive, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
 ZMB_ADMIN_USER="administrator"
+
 # The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
 # `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
 ZMB_ADMIN_PASS='Start!123'
+# Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups)
+ZMB_DOMAIN_ADMINS="domain admins"
+
 # Defines the name of your Zamba share
 ZMB_SHARE="share"
diff --git a/install.sh b/install.sh
index 2bab1d5..53f763b 100755
--- a/install.sh
+++ b/install.sh
@@ -102,6 +102,15 @@ source "$config"
 source "$PWD/src/$service/constants-service.conf"
+if [[ $service == "zmb-ad-restore" ]]; then
+ if find ./ | grep samba-backup*.tar.bz2 ; then
+ sambabackup=$(find $PWD/ | grep samba-backup*.tar.bz2 | tail -1)
+ else
+ echo "No samba backup found in $PWD. Please place a samba online backup into $PWD. Canceling..."
+ exit 1
+ fi
+fi
+
 if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
 LXC_MEM=$LXC_MEM_MIN
 fi
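Review bot: The new "valid on" lists in the ZMB_REALM, ZMB_DOMAIN and ZMB_ADMIN_USER comments leave out the zmb-ad-restore service this same commit introduces, although its install-service.sh sources zamba.conf and bakes ZMB_ADMIN_PASS into the scheduled backup job. Extend them to `valid on zmb-ad, zmb-ad-restore, zmb-ad-join, …` so an operator knows the restore container reads these values as well. The ZMB_DOMAIN_ADMINS comment should also say that the value has to be the group name exactly as winbind resolves it on the member (compare `getent group`), since zmb-cups passes it unmodified to chown and setfacl.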
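Review bot: The backup lookup `find ./ | grep samba-backup*.tar.bz2` leaves the pattern unquoted, so the shell expands it against the working directory before grep runs: with one matching file grep receives that filename as its pattern, with several the remaining names become file arguments, and with none the literal regex is used, where `*` applies to the `p` and `.` matches any character. It also walks every subdirectory while the later `pct push` only looks at the top of `$PWD`, and `sambabackup` is assigned but never used, so the `tail -1` over an unsorted find listing decides nothing. Select the archive with a glob instead, send the error to stderr, and hand the chosen path on to the push step.
```shell
if [[ $service == "zmb-ad-restore" ]]; then
  shopt -s nullglob
  backups=("$PWD"/samba-backup-*.tar.bz2)
  shopt -u nullglob
  if (( ${#backups[@]} == 0 )); then
    echo "No samba backup found in $PWD. Please place a samba online backup into $PWD. Canceling..." >&2
    exit 1
  fi
  # last in lexical order; this is the newest archive if the files carry samba-tool's timestamped names
  sambabackup=${backups[-1]}
fi
```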
@@ -184,6 +193,11 @@ pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
 pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
 pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
+if [[ $service == "zmb-ad-restore" ]]; then
+ pct exec $LXC_NBR -- mkdir -p /backup/online
+ pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/
+fi
+
 if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
 echo "Installing basic container setup..."
@@ -195,6 +209,9 @@ pct shutdown $LXC_NBR
 if [[ $service == "zmb-ad" ]]; then
 ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
 pct set $LXC_NBR -nameserver ${LXC_IP%/*}
+elif [[ $service == "zmb-ad-restore" ]]; then
+ ## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
+ pct set $LXC_NBR -nameserver ${LXC_IP%/*}
 elif [[ $service == "zmb-ad-join" ]]; then
 pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
 fi
diff --git a/src/zmb-ad-restore/constants-service.conf b/src/zmb-ad-restore/constants-service.conf
new file mode 100644
index 0000000..1042bbc
--- /dev/null
+++ b/src/zmb-ad-restore/constants-service.conf
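Review bot: `pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/` quotes the wildcard, so no glob expansion takes place and pct is handed a literal path containing `*`; the push fails and, because its exit status is not checked, the install carries on and the restore step inside the container later finds an empty /backup/online. Push the single archive chosen earlier in install.sh instead, `pct push $LXC_NBR "$sambabackup" "/backup/online/${sambabackup##*/}" || exit 1` (I read pct push as taking one source file and a destination path; confirm whether a trailing-slash directory target is accepted). The archive is an online backup of the directory, which presumably includes the domain's credential store, and it is left under /backup/online inside the restored DC after the install — consider deleting it or tightening its mode once the restore has succeeded.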
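Review bot: The new `elif [[ $service == "zmb-ad-restore" ]]` branch repeats the `zmb-ad` branch line for line, comment included. Folding it into the first condition, `if [[ $service == "zmb-ad" || $service == "zmb-ad-restore" ]]; then`, leaves one place to maintain the DC nameserver setting; the enclosing script continues outside the hunk.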
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel
+# (C) 2021 Script design and prototype by Markus Helmke
+# (C) 2021 Script rework and documentation by Thorsten Spille
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="backup"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# add optional features to samba ad dc
+
+# CURRENTLY SUPPORTED:
+# wsdd = add windows service discovery
+# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
+# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
+
+# Example:
+# OPTIONAL_FEATURES=(wsdd)
+# OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"
\ No newline at end of file
diff --git a/src/zmb-ad-restore/install-service.sh b/src/zmb-ad-restore/install-service.sh
new file mode 100644
index 0000000..b3c14c8
--- /dev/null
+++ b/src/zmb-ad-restore/install-service.sh
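Review bot: `LXC_MP=0` (by its own comment, no sharefs mountpoint is created) is combined with `LXC_SHAREFS_MOUNTPOINT="backup"`, so the `/backup/{online,offline}` directories that the smb-backup cron job in install-service.sh writes to presumably end up on the container's rootfs rather than on a host dataset, and the backups of the restored DC disappear together with the container. Either set `LXC_MP=1` so /backup is a real mountpoint, or state in the comment that the backups are deliberately kept inside the container. The comment `(default: tank)` no longer matches the value `backup` beneath it. The container is also privileged (`LXC_UNPRIVILEGED="0"`) with nesting enabled; if that mirrors the zmb-ad service the comment should say so, since this container holds the complete domain database.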
@@ -0,0 +1,195 @@ +#!/bin/bash + +# Authors: +# (C) 2021 Idea an concept by Christian Zengel +# (C) 2021 Script design and prototype by Markus Helmke +# (C) 2021 Script rework and documentation by Thorsten Spille + +source /root/functions.sh +source /root/zamba.conf +source /root/constants-service.conf + +ZMB_DNS_BACKEND="SAMBA_INTERNAL" + +for f in ${OPTIONAL_FEATURES[@]}; do + if [[ "$f" == "wsdd" ]]; then + ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES" + ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES" + elif [[ "$f" == "splitdns" ]]; then + ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES" + ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES" + elif [[ "$f" == "bind9dlz" ]]; then + ZMB_DNS_BACKEND="BIND9_DLZ" + ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES" + ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES" + else + echo "Unsupported optional feature $f" + fi +done + +# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list + +# update packages +apt update +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade +# install required packages +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils + +mkdir -p /etc/chrony/conf.d +mkdir -p /etc/systemd/system/chrony.service.d + +cat << EOF > /etc/default/chrony +# This is a configuration file for /etc/init.d/chrony and +# /lib/systemd/system/chrony.service; it allows you to pass various options to +# the chrony daemon without editing the init script or service file. + +# Options to pass to chrony. 
+DAEMON_OPTS="-x -F 1" +EOF + +cat << EOF > /etc/systemd/system/chrony.service.d/override.conf +[Unit] +ConditionCapability= +EOF + +cat << EOF > /etc/chrony/conf.d/samba.conf +bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev) +server de.pool.ntp.org iburst +server europe.pool.ntp.org iburst +allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev) +ntpsigndsocket /var/lib/samba/ntp_signd +EOF + +if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then + cat << EOF > /etc/nginx/sites-available/default +server { + listen 80 default_server; + server_name _; + return 301 http://www.$LXC_DOMAIN\$request_uri; +} +EOF +fi + +if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then + # configure bind dns service + cat << EOF > /etc/default/bind9 +# +# run resolvconf? +RESOLVCONF=no + +# startup options for the server +OPTIONS="-4 -u bind" +EOF + + cat << EOF > /etc/bind/named.conf.local +// +// Do any local configuration here +// + +// Consider adding the 1918 zones here, if they are not used in your +// organization +//include "/etc/bind/zones.rfc1918"; +dlz "$LXC_DOMAIN" { + database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so"; +}; +EOF + + cat << EOF > /etc/bind/named.conf.options +options { + directory "/var/cache/bind"; + + forwarders { + $LXC_DNS; + }; + + allow-query { any;}; + dnssec-validation no; + + auth-nxdomain no; # conform to RFC1035 + listen-on-v6 { any; }; + listen-on { any; }; + + tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; + minimal-responses yes; +}; +EOF + + mkdir -p /var/lib/samba/bind-dns/dns +fi + +# stop + disable samba services and remove default config +systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1 +rm -f /etc/samba/smb.conf +rm -f /etc/krb5.conf + +rm -r /var/lib/samba/* + +backupfile=$(find /backup/online -name samba-backup* | tail -1) 
+samba-tool domain backup restore --backup-file=${backupfile} --newservername=${LXC_HOSTNAME} --targetdir=/var/lib/samba/ + +ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf + +# disable password expiry for administrator +samba-tool user setexpiry Administrator --noexpiry + +systemctl unmask samba-ad-dc +systemctl enable samba-ad-dc +systemctl restart samba-ad-dc $ADDITIONAL_SERVICES + +# configure ad backup +cat << EOF > /usr/local/bin/smb-backup +#!/bin/bash +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +rc=0 +keep=\$1 + +mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline} + +prune () { + backup_type=\$1 + if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then + find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm + fi +} + +echo "\$(date) Starting samba-ad-dc online backup" +if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then + echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..." + prune online +else + echo "\$(date) samba-ad-dc online backup failed" + rc=\$((\$rc + 1)) +fi + +echo "\$(date) Starting samba-ad-dc offline backup" +if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then + echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..." + prune offline +else + echo "S(date) samba-ad-dc offline backup failed" + rc=\$((\$rc + 1)) +fi + +exit \$rc +EOF +chmod +x /usr/local/bin/smb-backup + +cat << EOF > /etc/cron.d/smb-backup +23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1 +EOF + +cat << EOF > /etc/logrotate.d/smb-backup +/var/log/smb-backup.log { + weekly + rotate 12 + compress + delaycompress + missingok + notifempty + create 644 root root +} +EOF + +exit 0 \ No newline at end of file 
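Review bot: The domain admin password is written verbatim into /usr/local/bin/smb-backup (`echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online …`), and the heredoc creates that file with the default umask (typically 0644) before it only gets `chmod +x`, so every local account on the DC — and libpam-winbind is installed here — can read it; make the script root-only with `chmod 700 /usr/local/bin/smb-backup`, and note that the single-quoted embedding breaks as soon as the password itself contains a `'`. The restore is never checked: `rm -r /var/lib/samba/*` is followed by `samba-tool domain backup restore …` without any exit-status test, so a failed restore still runs `samba-tool user setexpiry` and enables samba-ad-dc on an empty directory — append `|| { echo "samba backup restore failed" >&2; exit 1; }` to that line. `Administrator` is hard-coded both in the setexpiry call and in `-UAdministrator`, while zamba.conf makes the account name configurable as ZMB_ADMIN_USER. The offline-backup failure branch has a typo, `echo "S(date) samba-ad-dc offline backup failed"` should be `echo "\$(date) samba-ad-dc offline backup failed"`. The prune helper relies on `find` output order to decide which archives are the oldest, but find does not sort, so pipe through `sort` before `head` if the file names carry the timestamp.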
diff --git a/src/zmb-cups/install-service.sh b/src/zmb-cups/install-service.sh
index 726b191..cafb44b 100644
--- a/src/zmb-cups/install-service.sh
+++ b/src/zmb-cups/install-service.sh
@@ -96,13 +96,13 @@ systemctl restart winbind nmbd
 mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
 cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-chown -R root:"domain admins" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+chown -R root:"${ZMB_DOMAIN_ADMINS}" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
 chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
 setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
-echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\domain admins" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
+setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS}":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS}":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
+echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\${ZMB_DOMAIN_ADMINS}" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
 systemctl disable --now cups-browsed.service
 cupsctl --remote-admin
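Review bot: Nothing verifies that `${ZMB_DOMAIN_ADMINS}` resolves on this member before it is used: if the configured name does not match what winbind returns (the zamba.conf comment says it is language dependent), `chown -R root:"${ZMB_DOMAIN_ADMINS}"` fails and the following `chmod -R 2775` leaves printerdrivers group-owned by root, while the setfacl calls and `net rpc rights grant` fail as well without stopping the script. Add a guard ahead of the chown, `getent group "${ZMB_DOMAIN_ADMINS}" >/dev/null || { echo "group ${ZMB_DOMAIN_ADMINS} is not resolvable via winbind" >&2; exit 1; }`. Whether the bare name resolves or needs the `${ZMB_DOMAIN}\\` prefix depends on the winbind settings in smb.conf, which are outside this hunk.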