#!/bin/bash
# Authors:
# (C) 2021 Idea and concept by Christian Zengel <christian@sysops.de>
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
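set -euo pipefail

# Shared helpers plus the container/domain settings (LXC_*, ZMB_*) used below.
# Order matters: helpers first, then the user configuration, then the
# service constants.
source /root/functions.sh
source /root/zamba.conf
source /root/constants-service.conf

# Fail early with a clear message if a setting used later is missing or
# empty; otherwise `set -u` would abort half-way through provisioning, after
# packages have already been installed.
: "${LXC_IP:?LXC_IP is not set}"
: "${LXC_HOSTNAME:?LXC_HOSTNAME is not set}"
: "${LXC_DOMAIN:?LXC_DOMAIN is not set}"
: "${LXC_SHAREFS_MOUNTPOINT:?LXC_SHAREFS_MOUNTPOINT is not set}"
: "${ZMB_REALM:?ZMB_REALM is not set}"
: "${ZMB_DOMAIN:?ZMB_DOMAIN is not set}"
: "${ZMB_ADMIN_PASS:?ZMB_ADMIN_PASS is not set}"

# Unattended package handling: never prompt, keep already-present config
# files on upgrade. apt-get is used because `apt` has no stable scripting
# interface and warns about that.
export DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical
apt_opts=(-y -o DPkg::options::=--force-confdef -o DPkg::options::=--force-confold)

# update packages
apt-get update
apt-get "${apt_opts[@]}" -qq dist-upgrade

# install required packages
# shellcheck disable=SC2086 -- LXC_TOOLSET is a space-separated package list
apt-get "${apt_opts[@]}" install $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc wsdd2

# Samba AD DC stack from the distribution repositories (an earlier revision
# pulled these from bookworm-backports).
apt-get "${apt_opts[@]}" install acl attr samba samba-ad-dc smbclient winbind \
  libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils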
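echo "configuring chrony"
mkdir -p /etc/chrony/conf.d
mkdir -p /etc/systemd/system/chrony.service.d

# Print the last field of the first sipcalc output line that starts with $1
# (e.g. "Host address" -> the IP). sipcalc output is read from stdin; awk
# consumes all of it, so the pipeline cannot die of SIGPIPE under pipefail.
sipcalc_field() {
  awk -v key="$1" 'index($0, key) == 1 && !done { print $NF; done = 1 }'
}

# Work the values out once rather than re-running sipcalc per config line,
# and refuse to write an empty bindcmdaddress/allow line -- chrony would
# otherwise start with a silently broken configuration.
sipcalc_out=$(sipcalc "${LXC_IP}")
host_addr=$(sipcalc_field "Host address" <<<"${sipcalc_out}")
net_addr=$(sipcalc_field "Network address" <<<"${sipcalc_out}")
net_bits=$(sipcalc_field "Network mask (bits)" <<<"${sipcalc_out}")
if [[ -z "${host_addr}" || -z "${net_addr}" || -z "${net_bits}" ]]; then
  echo "cannot derive host/network address from LXC_IP='${LXC_IP}'" >&2
  exit 1
fi

# -x: do not touch the system clock (a container may not set it; the host
#     keeps time). -F 1: enable chronyd's seccomp system-call filter.
cat <<'EOF' > /etc/default/chrony
# This is a configuration file for /etc/init.d/chrony and
# /lib/systemd/system/chrony.service; it allows you to pass various options to
# the chrony daemon without editing the init script or service file.
# Options to pass to chrony.
DAEMON_OPTS="-x -F 1"
EOF

# The packaged unit is conditioned on a capability (CAP_SYS_TIME) that an
# unprivileged container does not hold; an empty assignment resets the
# condition list so the service still starts.
cat <<'EOF' > /etc/systemd/system/chrony.service.d/override.conf
[Unit]
ConditionCapability=
EOF

# Command (chronyc) socket on the container address; remote commands are
# still subject to chrony's cmdallow (default: localhost only). NTP itself is
# served to the container's subnet so domain members can sync from the DC.
# ntpsigndsocket enables MS-SNTP signed replies for Windows clients; the
# socket directory is created by Samba at provisioning.
# NOTE(review): this script does not adjust the group/mode of
# /var/lib/samba/ntp_signd -- confirm chronyd's user can access it.
cat <<EOF > /etc/chrony/conf.d/samba.conf
bindcmdaddress ${host_addr}
server de.pool.ntp.org iburst
server europe.pool.ntp.org iburst
allow ${net_addr}/${net_bits}
ntpsigndsocket /var/lib/samba/ntp_signd
EOF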
echo "disabling services"

# The stand-alone file-server daemons must not run next to samba-ad-dc, and
# their default configuration must not survive provisioning. Output is
# silenced because the units may already be inactive; note that a non-zero
# exit still aborts the script (set -e), just without a message.
systemctl disable --now smbd nmbd winbind >/dev/null 2>&1

# Provisioning generates a new smb.conf; krb5.conf is replaced afterwards by a
# symlink to the one Samba generates.
rm -f -- /etc/samba/smb.conf /etc/krb5.conf
echo "fixing samba service to wait for lxc being online"
install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d
# Quoted delimiter on purpose: the $(...) below must reach the unit file
# untouched. Do not introduce $name references into ExecStartPre either --
# systemd expands those itself before the shell sees them.
cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf
[Unit]
After=networking.service
Wants=networking.service

[Service]
# Poll once a second, for at most 30 s, until eth0 carries a global IPv4
# address; otherwise fail the start and let Restart= retry a few seconds later.
ExecStartPre=/bin/sh -c 'for _ in $(seq 30); do if ip -4 addr show dev eth0 scope global | grep -q inet; then exit 0; fi; sleep 1; done; echo "Network not ready" >&2; exit 1'
Restart=on-failure
RestartSec=3
EOF
systemctl daemon-reload
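echo "provisioning domain"

# provision zamba domain
# All values are quoted: an unquoted password containing spaces or glob
# characters would be word-split before samba-tool ever saw it.
# SECURITY: `samba-tool domain provision` takes the admin password as a
# command-line option (it prompts interactively otherwise), so it is briefly
# visible in the process list. Do not wrap this call in `set -x`.
samba-tool domain provision \
  --use-rfc2307 \
  --realm="${ZMB_REALM}" \
  --domain="${ZMB_DOMAIN}" \
  --adminpass="${ZMB_ADMIN_PASS}" \
  --server-role=dc \
  --backend-store=mdb \
  --dns-backend=SAMBA_INTERNAL
echo "provisioning finished"

# Use the Kerberos client configuration generated by provisioning.
ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

# NOTE(review): chrony is configured to use /var/lib/samba/ntp_signd, which
# exists from here on; confirm chronyd's user can access that directory.

# disable password expiry for administrator
# SECURITY: this exempts the domain Administrator from the password policy,
# presumably so the scheduled backup job's Administrator login keeps working.
# Rotate that password manually and keep its use limited to this host.
samba-tool user setexpiry Administrator --noexpiry

# The package ships the unit masked; enable and (re)start it.
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl restart samba-ad-dc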
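# configure ad backup
#
# /usr/local/bin/smb-backup <keep> takes an online and an offline
# `samba-tool domain backup` into /<LXC_SHAREFS_MOUNTPOINT>/{online,offline}
# and keeps the <keep> newest archives of each kind. Its exit status is the
# number of backup types that failed (0, 1 or 2).
#
# SECURITY: the Administrator password needed for the online backup is no
# longer embedded in the script (which, being created 0644 and then chmod +x,
# was world-readable). It lives in a root-only credentials file that
# samba-tool reads via --authentication-file. The password must not contain
# newlines for that file format.
backup_root="/${LXC_SHAREFS_MOUNTPOINT}"
dc_fqdn="${LXC_HOSTNAME}.${LXC_DOMAIN}"
auth_file=/root/.smb-backup.auth

# Credentials file in the smbclient "key = value" format, created 0600.
(
  umask 077
  printf 'username = Administrator\npassword = %s\ndomain = %s\n' \
    "${ZMB_ADMIN_PASS}" "${ZMB_DOMAIN}" > "${auth_file}"
)
chmod 0600 "${auth_file}"

# Install-time values are baked in as shell-quoted assignments (%q); the rest
# of the script is a quoted heredoc, so nothing in it is expanded here.
{
  printf '#!/bin/bash\n'
  printf '# Generated by the zamba installer; see the installer to change it.\n'
  printf '%s=%q\n' backup_root "${backup_root}" dc_fqdn "${dc_fqdn}" auth_file "${auth_file}"
  cat <<'EOF'
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
set -u

# $1: number of archives to keep per backup type (non-negative integer).
keep=${1:-}
case "$keep" in
  ''|*[!0-9]*)
    echo "usage: $0 <number-of-backups-to-keep>" >&2
    exit 2
    ;;
esac
rc=0

# The archives contain the whole AD database including every password hash,
# so the target directories are restricted to root even though they live on
# the share filesystem. Do not export them via a share readable by others.
mkdir -p "$backup_root/online" "$backup_root/offline"
chmod 0700 "$backup_root/online" "$backup_root/offline"

# prune <online|offline>: delete all but the $keep newest archives. Ordering is
# by modification time (NUL-separated, oldest first), not by directory order,
# so the newest backup can never be the one removed.
prune() {
  local dir="$backup_root/$1"
  find "$dir" -maxdepth 1 -type f -name '*.tar.bz2' -printf '%T@\t%p\0' \
    | sort -z -n \
    | head -z -n -"$keep" \
    | cut -z -f2- \
    | xargs -0 -r rm -f --
}

echo "$(date) Starting samba-ad-dc online backup"
if samba-tool domain backup online --targetdir="$backup_root/online" \
     --server="$dc_fqdn" -A "$auth_file"; then
  echo "$(date) Finished samba-ad-dc online backup. Cleaning up old online backups..."
  prune online
else
  echo "$(date) samba-ad-dc online backup failed"
  rc=$((rc + 1))
fi

echo "$(date) Starting samba-ad-dc offline backup"
if samba-tool domain backup offline --targetdir="$backup_root/offline"; then
  echo "$(date) Finished samba-ad-dc offline backup. Cleaning up old offline backups..."
  prune offline
else
  echo "$(date) samba-ad-dc offline backup failed"
  rc=$((rc + 1))
fi
exit "$rc"
EOF
} > /usr/local/bin/smb-backup
# Only root (via cron) runs it; no need for anyone else to read it.
chmod 0700 /usr/local/bin/smb-backup

# Nightly run, keeping the 7 newest archives of each kind.
cat <<'EOF' > /etc/cron.d/smb-backup
0 23 * * * root /usr/local/bin/smb-backup 7 >> /var/log/smb-backup.log 2>&1
EOF

cat <<'EOF' > /etc/logrotate.d/smb-backup
/var/log/smb-backup.log {
  weekly
  rotate 12
  compress
  delaycompress
  missingok
  notifempty
  create 644 root root
}
EOF

exit 0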