From 823bcaca58289cdcb150be79d79accf2d711e51f Mon Sep 17 00:00:00 2001 From: Thorsten Spille Date: Sat, 17 Jan 2026 22:37:14 +0000 Subject: [PATCH] fix zmb-ad --- src/zmb-ad-join/constants-service.conf | 12 ---- src/zmb-ad-join/install-service.sh | 98 +++++++------------------- src/zmb-ad/install-service.sh | 19 +++++ 3 files changed, 44 insertions(+), 85 deletions(-) diff --git a/src/zmb-ad-join/constants-service.conf b/src/zmb-ad-join/constants-service.conf index 26ceb7b..e5cd4fe 100644 --- a/src/zmb-ad-join/constants-service.conf +++ b/src/zmb-ad-join/constants-service.conf @@ -26,18 +26,6 @@ LXC_NESTING="1" # enable keyctl feature LXC_KEYCTL="0" -# add optional features to samba ad dc - -# CURRENTLY SUPPORTED: -# wsdd = add windows service discovery -# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup -# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ - -# Example: -# OPTIONAL_FEATURES=(wsdd) -# OPTIONAL_FEATURES=(wsdd splitdns) -OPTIONAL_FEATURES=() - # Sets the minimum amount of RAM the service needs for operation LXC_MEM_MIN=1024 diff --git a/src/zmb-ad-join/install-service.sh b/src/zmb-ad-join/install-service.sh index 9b9a76d..8d9a3a0 100644 --- a/src/zmb-ad-join/install-service.sh +++ b/src/zmb-ad-join/install-service.sh 
@@ -5,35 +5,19 @@ # (C) 2021 Script design and prototype by Markus Helmke # (C) 2021 Script rework and documentation by Thorsten Spille +set -euo pipefail + source /root/functions.sh source /root/zamba.conf source /root/constants-service.conf -ZMB_DNS_BACKEND="SAMBA_INTERNAL" - -for f in ${OPTIONAL_FEATURES[@]}; do - if [[ "$f" == "wsdd" ]]; then - ADDITIONAL_PACKAGES="wsdd2 $ADDITIONAL_PACKAGES" - ADDITIONAL_SERVICES="wsdd2 $ADDITIONAL_SERVICES" - elif [[ "$f" == "splitdns" ]]; then - ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES" - ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES" - elif [[ "$f" == "bind9dlz" ]]; then - ZMB_DNS_BACKEND="BIND9_DLZ" - ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES" - ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES" - else - echo "Unsupported optional feature $f" - fi -done - # echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list # update packages apt update DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade # install required packages -DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc +DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient 
winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils 
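Review bot: `set -euo pipefail` is now the first statement, but the three `source` lines are what supply `$LXC_TOOLSET` and the other variables used below, so a setting left empty or misspelled in zamba.conf or constants-service.conf now aborts the installer with a bare "unbound variable" error instead of a readable diagnostic; assert the required values right after the `source` lines, e.g. `: "${LXC_TOOLSET:?}" "${ZMB_REALM:?}" "${ZMB_ADMIN_USER:?}" "${ZMB_ADMIN_PASS:?}"`. With `-e` in force, commands further down this file whose failure used to be tolerated — the `systemctl disable --now smbd nmbd winbind > /dev/null 2>&1` (non-zero if a unit is absent) and `ssh-keygen -q -f "$HOME/.ssh/id_rsa"` (non-zero if the key already exists), both outside this hunk — now stop the script, and the first does so silently because its stderr is discarded; append `|| true` where the failure is acceptable. On the other hand `pipefail` is a real gain here: a failed `kinit` in the `echo ... | kinit` pipeline now halts the run before `samba-tool domain join` is attempted.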
@@ -62,57 +46,6 @@ allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | r ntpsigndsocket /var/lib/samba/ntp_signd EOF -if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then - cat << EOF > /etc/nginx/sites-available/default -server { - listen 80 default_server; - server_name _; - return 301 http://www.$LXC_DOMAIN\$request_uri; -} -EOF -fi - -if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then - # configure bind dns service - cat << EOF > /etc/default/bind9 -# -# run resolvconf? -RESOLVCONF=no -# startup options for the server -OPTIONS="-4 -u bind" -EOF - - cat << EOF > /etc/bind/named.conf.local -// -// Do any local configuration here -// -// Consider adding the 1918 zones here, if they are not used in your -// organization -//include "/etc/bind/zones.rfc1918"; -dlz "$LXC_DOMAIN" { - database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so"; -}; -EOF - - cat << EOF > /etc/bind/named.conf.options -options { - directory "/var/cache/bind"; - forwarders { - $LXC_DNS; - }; - allow-query { any;}; - dnssec-validation no; - auth-nxdomain no; # conform to RFC1035 - listen-on-v6 { any; }; - listen-on { any; }; - tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab"; - minimal-responses yes; -}; -EOF - - mkdir -p /var/lib/samba/bind-dns/dns -fi - mv /etc/krb5.conf /etc/krb5.conf.bak cat > /etc/krb5.conf < /etc/krb5.conf < /dev/null 2>&1 +systemctl disable --now smbd nmbd winbind > /dev/null 2>&1 rm -f /etc/samba/smb.conf +echo "fixing samba service to wait for lxc being online" + +install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d + +cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf +[Unit] +After=networking.service +Wants=networking.service + +[Service] +# Wait up to 30s for eth0 to get an IPv4 address +ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1' + +Restart=on-failure +RestartSec=3 
+EOF + +systemctl daemon-reload + echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb @@ -160,7 +112,7 @@ ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096 systemctl unmask samba-ad-dc systemctl enable samba-ad-dc -systemctl restart samba-ad-dc $ADDITIONAL_SERVICES +systemctl restart samba-ad-dc # configure ad backup cat << EOF > /usr/local/bin/smb-backup @@ -168,7 +120,7 @@ cat << EOF > /usr/local/bin/smb-backup PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin rc=0 -keep=$1 +keep=\$1 if \$1 ; then keep=\$1 fi diff --git a/src/zmb-ad/install-service.sh b/src/zmb-ad/install-service.sh index 6fca4cc..6caab2a 100644 --- a/src/zmb-ad/install-service.sh +++ b/src/zmb-ad/install-service.sh @@ -49,6 +49,25 @@ systemctl disable --now smbd nmbd winbind > /dev/null 2>&1 rm -f /etc/samba/smb.conf rm -f /etc/krb5.conf +echo "fixing samba service to wait for lxc being online" + +install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d + +cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf +[Unit] +After=networking.service +Wants=networking.service + +[Service] +# Wait up to 30s for eth0 to get an IPv4 address +ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1' + +Restart=on-failure +RestartSec=3 +EOF + +systemctl daemon-reload + echo "provisioning domain" # provision zamba domain samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=SAMBA_INTERNAL
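Review bot: Escaping `keep=\$1` makes the generated smb-backup read its own argument, but the context lines that follow, `if \$1 ; then keep=\$1 fi`, still execute the first argument as a shell command rather than testing whether one was given, so `smb-backup 7` tries to run a program named `7` and the inner assignment is redundant. Replace the test with `if [ -n "\$1" ]; then`, or drop the `if` entirely and write `keep=\${1:-<default>}` with whatever retention count the script should fall back to — the hunk does not show a default, and an empty `keep` is presumably mishandled by the pruning logic further down. The generated script's heredoc starts and ends outside this hunk.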
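Review bot: The `ExecStartPre` readiness check is pinned to `eth0` and the unit is ordered on `networking.service`, which ties samba-ad-dc to one interface name and to ifupdown; in a container whose interface is named differently, or whose address is configured by the host rather than by `networking.service`, the check fails after 30 s and `Restart=on-failure`/`RestartSec=3` then loops the DC every 33 s without it ever starting. Checking for any global IPv4 address is just as effective and interface-agnostic, `ip -4 addr show scope global | grep -q inet`, and `After=network-online.target` / `Wants=network-online.target` is the portable ordering dependency. The same drop-in is written verbatim by src/zmb-ad-join/install-service.sh in this patch; a shared helper in functions.sh would keep the two copies from drifting. A short comment above the `cat` should also record why the wait exists, since the echo text only hints at it — e.g. `# samba-ad-dc fails if started before the container's IPv4 address is assigned; wait for it (interface assumed to be eth0 — confirm)`.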