set domain admins group in zmb.conf, add zmb-ad-restore container
This commit is contained in:
parent
c3eef2aed6
commit
8cf9c45f79
@ -99,17 +99,21 @@ LXC_TAGS="linux,debian,${service}"
|
|||||||
|
|
||||||
############### Zamba-Server-Section ###############
|
############### Zamba-Server-Section ###############
|
||||||
|
|
||||||
# Defines the REALM for the Active Directory (AD DC, AD member)
|
# Defines the REALM for the Active Directory (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups)
|
||||||
ZMB_REALM="ZMB.ROCKS"
|
ZMB_REALM="ZMB.ROCKS"
|
||||||
# Defines the domain name in your Active Directory or Workgroup (AD DC, AD member, standalone)
|
# Defines the domain name in your Active Directory or Workgroup (needs to be UPPER CASE, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
|
||||||
ZMB_DOMAIN="ZMB"
|
ZMB_DOMAIN="ZMB"
|
||||||
|
|
||||||
# Defines the name of your domain administrator account (AD DC, AD member, standalone)
|
# Defines the name of your domain administrator account (Some environments are case sensitive, valid on zmb-ad, zmb-ad-join, zmb-member, zmb-cups, zmb-standalone)
|
||||||
ZMB_ADMIN_USER="administrator"
|
ZMB_ADMIN_USER="administrator"
|
||||||
|
|
||||||
# The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
|
# The admin password for zamba installation. Please use 'single quatation marks' to avoid unexpected behaviour
|
||||||
# `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
|
# `zmb-ad` domain administrator has to meet the password complexity policy, if password is too weak, domain provisioning will fail
|
||||||
ZMB_ADMIN_PASS='Start!123'
|
ZMB_ADMIN_PASS='Start!123'
|
||||||
|
|
||||||
|
# Name of the "domain admins" group (depends on your Active Directory language, valid on zmb-cups)
|
||||||
|
ZMB_DOMAIN_ADMINS="domain admins"
|
||||||
|
|
||||||
# Defines the name of your Zamba share
|
# Defines the name of your Zamba share
|
||||||
ZMB_SHARE="share"
|
ZMB_SHARE="share"
|
||||||
|
|
||||||
|
17
install.sh
17
install.sh
@ -102,6 +102,15 @@ source "$config"
|
|||||||
|
|
||||||
source "$PWD/src/$service/constants-service.conf"
|
source "$PWD/src/$service/constants-service.conf"
|
||||||
|
|
||||||
|
if [[ $service == "zmb-ad-restore" ]]; then
|
||||||
|
if find ./ | grep samba-backup*.tar.bz2 ; then
|
||||||
|
sambabackup=$(find $PWD/ | grep samba-backup*.tar.bz2 | tail -1)
|
||||||
|
else
|
||||||
|
echo "No samba backup found in $PWD. Please place a samba online backup into $PWD. Canceling..."
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
|
if [ $LXC_MEM -lt $LXC_MEM_MIN ]; then
|
||||||
LXC_MEM=$LXC_MEM_MIN
|
LXC_MEM=$LXC_MEM_MIN
|
||||||
fi
|
fi
|
||||||
@ -184,6 +193,11 @@ pct push $LXC_NBR "$PWD/src/lxc-base.sh" /root/lxc-base.sh
|
|||||||
pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
|
pct push $LXC_NBR "$PWD/src/$service/install-service.sh" /root/install-service.sh
|
||||||
pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
|
pct push $LXC_NBR "$PWD/src/$service/constants-service.conf" /root/constants-service.conf
|
||||||
|
|
||||||
|
if [[ $service == "zmb-ad-restore" ]]; then
|
||||||
|
pct exec $LXC_NBR -- mkdir -p /backup/online
|
||||||
|
pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/
|
||||||
|
fi
|
||||||
|
|
||||||
if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
|
if [ $debug -gt 0 ]; then dbg=-vx; else dbg=""; fi
|
||||||
|
|
||||||
echo "Installing basic container setup..."
|
echo "Installing basic container setup..."
|
||||||
@ -195,6 +209,9 @@ pct shutdown $LXC_NBR
|
|||||||
if [[ $service == "zmb-ad" ]]; then
|
if [[ $service == "zmb-ad" ]]; then
|
||||||
## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
|
## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
|
||||||
pct set $LXC_NBR -nameserver ${LXC_IP%/*}
|
pct set $LXC_NBR -nameserver ${LXC_IP%/*}
|
||||||
|
elif [[ $service == "zmb-ad-restore" ]]; then
|
||||||
|
## set nameserver, ${LXC_IP%/*} extracts the ip address from cidr format
|
||||||
|
pct set $LXC_NBR -nameserver ${LXC_IP%/*}
|
||||||
elif [[ $service == "zmb-ad-join" ]]; then
|
elif [[ $service == "zmb-ad-join" ]]; then
|
||||||
pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
|
pct set $LXC_NBR -nameserver "${LXC_IP%/*} $LXC_DNS"
|
||||||
fi
|
fi
|
||||||
|
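Review bot: `pct push $LXC_NBR "$PWD/samba-backup-*.tar.bz2" /backup/online/` in the second install.sh hunk quotes the asterisk, so the shell never expands the glob and pct is asked to push a file literally named `samba-backup-*.tar.bz2`; the first hunk already computes `sambabackup` for exactly this purpose but never uses it. Replace it with `pct push $LXC_NBR "$sambabackup" "/backup/online/${sambabackup##*/}"` (pct push appears to expect a destination file path rather than a directory, worth confirming against the pct man page). The first hunk's `if find ./ | grep samba-backup*.tar.bz2` and the `sambabackup=$(find $PWD/ | grep samba-backup*.tar.bz2 | tail -1)` line have the opposite problem: the unquoted pattern is expanded by the shell when matching files exist in the working directory, so with two or more backups grep reads the second file instead of find's output, and when none exist `.` and `*` are interpreted as regex rather than glob characters. `sambabackup=$(find "$PWD" -maxdepth 1 -name 'samba-backup*.tar.bz2' | tail -1)` followed by `[[ -n "$sambabackup" ]] || { echo "No samba backup found in $PWD ..."; exit 1; }` expresses the intent without either pitfall.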
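--- a/src/zmb-ad-restore/constants-service.conf
+++ b/src/zmb-ad-restore/constants-service.conf
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+# This file contains the project constants on service level
+
+# Debian Version, which will be installed
+LXC_TEMPLATE_VERSION="debian-12-standard"
+
+# Create sharefs mountpoint
+LXC_MP=0
+# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)
+LXC_SHAREFS_MOUNTPOINT="backup"
+# Defines the recordsize of mp0
+LXC_MP_RECORDSIZE="16K"
+
+# Create unprivileged container
+LXC_UNPRIVILEGED="0"
+
+# enable nesting feature
+LXC_NESTING="1"
+
+# enable keyctl feature
+LXC_KEYCTL="0"
+
+# add optional features to samba ad dc
+
+# CURRENTLY SUPPORTED:
+# wsdd = add windows service discovery
+# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
+# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
+
+# Example:
+# OPTIONAL_FEATURES=(wsdd)
+# OPTIONAL_FEATURES=(wsdd splitdns)
+OPTIONAL_FEATURES=(wsdd)
+
+# Sets the minimum amount of RAM the service needs for operation
+LXC_MEM_MIN=1024
+
+# service dependent meta tags
+SERVICE_TAGS="nginx,samba,dns,ntp,dc,ldap,secondary"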
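Review bot: The comment `# Defines the mountpoint of the filesystem shared by Zamba inside your LXC container (default: tank)` no longer matches the value on the next line, `LXC_SHAREFS_MOUNTPOINT="backup"`, and with `LXC_MP=0` presumably no separate mountpoint is created, so the restore data and the online/offline backups written by smb-backup would live inside the container rootfs. Say so in the comment, e.g. `# Directory used for samba backups inside the container (with LXC_MP=0 this is a plain directory in the rootfs, not a separate mountpoint)`. The feature list advertises `bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ`, but the accompanying install-service.sh only assigns ZMB_DNS_BACKEND and never passes it to samba-tool, so for a restored domain the DNS backend comes from the backup; a one-line note here, `# bind9dlz only installs/configures bind9, the restored domain keeps the DNS backend it was backed up with`, would spare the next user a surprise.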
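--- a/src/zmb-ad-restore/install-service.sh
+++ b/src/zmb-ad-restore/install-service.sh
@@ -0,0 +1,195 @@
+#!/bin/bash
+
+# Authors:
+# (C) 2021 Idea an concept by Christian Zengel <christian@sysops.de>
+# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
+# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
+
+source /root/functions.sh
+source /root/zamba.conf
+source /root/constants-service.conf
+
+ZMB_DNS_BACKEND="SAMBA_INTERNAL"
+
+for f in ${OPTIONAL_FEATURES[@]}; do
+if [[ "$f" == "wsdd" ]]; then
+ADDITIONAL_PACKAGES="wsdd $ADDITIONAL_PACKAGES"
+ADDITIONAL_SERVICES="wsdd $ADDITIONAL_SERVICES"
+elif [[ "$f" == "splitdns" ]]; then
+ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
+ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
+elif [[ "$f" == "bind9dlz" ]]; then
+ZMB_DNS_BACKEND="BIND9_DLZ"
+ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
+ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
+else
+echo "Unsupported optional feature $f"
+fi
+done
+
+# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
+
+# update packages
+apt update
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
+# install required packages
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpdate rpl net-tools dnsutils chrony sipcalc
+DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils
+
+mkdir -p /etc/chrony/conf.d
+mkdir -p /etc/systemd/system/chrony.service.d
+
+cat << EOF > /etc/default/chrony
+# This is a configuration file for /etc/init.d/chrony and
+# /lib/systemd/system/chrony.service; it allows you to pass various options to
+# the chrony daemon without editing the init script or service file.
+
+# Options to pass to chrony.
+DAEMON_OPTS="-x -F 1"
+EOF
+
+cat << EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+
+cat << EOF > /etc/chrony/conf.d/samba.conf
+bindcmdaddress $(sipcalc ${LXC_IP} | grep -m1 "Host address" | rev | cut -d' ' -f1 | rev)
+server de.pool.ntp.org iburst
+server europe.pool.ntp.org iburst
+allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | rev)/$(sipcalc ${LXC_IP} | grep -m1 "Network mask (bits)" | rev | cut -d' ' -f1 | rev)
+ntpsigndsocket /var/lib/samba/ntp_signd
+EOF
+
+if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
+cat << EOF > /etc/nginx/sites-available/default
+server {
+listen 80 default_server;
+server_name _;
+return 301 http://www.$LXC_DOMAIN\$request_uri;
+}
+EOF
+fi
+
+if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
+# configure bind dns service
+cat << EOF > /etc/default/bind9
+#
+# run resolvconf?
+RESOLVCONF=no
+
+# startup options for the server
+OPTIONS="-4 -u bind"
+EOF
+
+cat << EOF > /etc/bind/named.conf.local
+//
+// Do any local configuration here
+//
+
+// Consider adding the 1918 zones here, if they are not used in your
+// organization
+//include "/etc/bind/zones.rfc1918";
+dlz "$LXC_DOMAIN" {
+database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
+};
+EOF
+
+cat << EOF > /etc/bind/named.conf.options
+options {
+directory "/var/cache/bind";
+
+forwarders {
+$LXC_DNS;
+};
+
+allow-query { any;};
+dnssec-validation no;
+
+auth-nxdomain no; # conform to RFC1035
+listen-on-v6 { any; };
+listen-on { any; };
+
+tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
+minimal-responses yes;
+};
+EOF
+
+mkdir -p /var/lib/samba/bind-dns/dns
+fi
+
+# stop + disable samba services and remove default config
+systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1
+rm -f /etc/samba/smb.conf
+rm -f /etc/krb5.conf
+
+rm -r /var/lib/samba/*
+
+backupfile=$(find /backup/online -name samba-backup* | tail -1)
+samba-tool domain backup restore --backup-file=${backupfile} --newservername=${LXC_HOSTNAME} --targetdir=/var/lib/samba/
+
+ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
+
+# disable password expiry for administrator
+samba-tool user setexpiry Administrator --noexpiry
+
+systemctl unmask samba-ad-dc
+systemctl enable samba-ad-dc
+systemctl restart samba-ad-dc $ADDITIONAL_SERVICES
+
+# configure ad backup
+cat << EOF > /usr/local/bin/smb-backup
+#!/bin/bash
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+rc=0
+keep=\$1
+
+mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{online,offline}
+
+prune () {
+backup_type=\$1
+if [ \$(find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | wc -l) -gt \$keep ]; then
+find /${LXC_SHAREFS_MOUNTPOINT}/\$backup_type/*.tar.bz2 | head --lines=-\$keep | xargs -d '\n' rm
+fi
+}
+
+echo "\$(date) Starting samba-ad-dc online backup"
+if echo -e '${ZMB_ADMIN_PASS}' | samba-tool domain backup online --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/online --server=${LXC_HOSTNAME}.${LXC_DOMAIN} -UAdministrator ; then
+echo "\$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
+prune online
+else
+echo "\$(date) samba-ad-dc online backup failed"
+rc=\$((\$rc + 1))
+fi
+
+echo "\$(date) Starting samba-ad-dc offline backup"
+if samba-tool domain backup offline --targetdir=/${LXC_SHAREFS_MOUNTPOINT}/offline ; then
+echo "\$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
+prune offline
+else
+echo "S(date) samba-ad-dc offline backup failed"
+rc=\$((\$rc + 1))
+fi
+
+exit \$rc
+EOF
+chmod +x /usr/local/bin/smb-backup
+
+cat << EOF > /etc/cron.d/smb-backup
+23 * * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
+EOF
+
+cat << EOF > /etc/logrotate.d/smb-backup
+/var/log/smb-backup.log {
+weekly
+rotate 12
+compress
+delaycompress
+missingok
+notifempty
+create 644 root root
+}
+EOF
+
+exit 0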
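Review bot: The generated `/usr/local/bin/smb-backup` comes from an unquoted heredoc, so `echo -e '${ZMB_ADMIN_PASS}'` bakes the domain administrator password in plain text into that script, and the following `chmod +x /usr/local/bin/smb-backup` only adds the execute bit, leaving whatever the umask produced (typically world-readable); create the file root-only first, `install -m 0700 /dev/null /usr/local/bin/smb-backup` before the `cat << EOF`, or at minimum `chmod 700 /usr/local/bin/smb-backup`, and prefer reading the password from a root-only credentials file at run time. `echo -e` also interprets backslash sequences in the password (the reason zmb.conf asks users to single-quote it), so `printf '%s\n' '${ZMB_ADMIN_PASS}'` is the safer feed; `-UAdministrator` and `samba-tool user setexpiry Administrator` likewise ignore the configured `ZMB_ADMIN_USER`. The offline-failure message has a typo, `echo "S(date) samba-ad-dc offline backup failed"` should read `echo "\$(date) samba-ad-dc offline backup failed"`. Separately, `rm -r /var/lib/samba/*` runs before `backupfile` is resolved, so an empty find result wipes the fresh Samba state and then calls samba-tool with `--backup-file=`; resolve `backupfile` first, guard it with `[[ -n "$backupfile" ]] || { echo "no samba backup in /backup/online"; exit 1; }`, and quote it in the restore call.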
@ -96,13 +96,13 @@ systemctl restart winbind nmbd
|
|||||||
|
|
||||||
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
|
mkdir -p /${LXC_SHAREFS_MOUNTPOINT}/{spool,printerdrivers}
|
||||||
cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
cp -rv /var/lib/samba/printers/* /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
||||||
chown -R root:"domain admins" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
chown -R root:"${ZMB_DOMAIN_ADMINS}" /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
||||||
chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
|
chmod -R 1777 /${LXC_SHAREFS_MOUNTPOINT}/spool
|
||||||
chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
chmod -R 2775 /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
||||||
setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
setfacl -Rb /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
||||||
setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
setfacl -Rm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS}":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
||||||
setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"domain admins":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
setfacl -Rdm u:${ZMB_ADMIN_USER}:rwx,g:"${ZMB_DOMAIN_ADMINS}":rwx,g:"NT Authority/authenticated users":r-x,o::--- /${LXC_SHAREFS_MOUNTPOINT}/printerdrivers
|
||||||
echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\domain admins" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
|
echo -e "${ZMB_ADMIN_PASS}" | net rpc rights grant "${ZMB_DOMAIN}\\${ZMB_DOMAIN_ADMINS}" SePrintOperatorPrivilege -U "${ZMB_DOMAIN}\\${ZMB_ADMIN_USER}"
|
||||||
systemctl disable --now cups-browsed.service
|
systemctl disable --now cups-browsed.service
|
||||||
|
|
||||||
cupsctl --remote-admin
|
cupsctl --remote-admin
|
||||||
|