Mirrors/zamba-lxc-toolbox
1
0
Fork 0
mirror of https://github.com/bashclub/zamba-lxc-toolbox synced 2026-02-18 15:36:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix zmb-ad

Browse Source
This commit is contained in:
Thorsten Spille
2026-01-17 22:37:14 +00:00
parent dcceeb5a63
commit 823bcaca58
3 changed files with 44 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/zmb-ad-join/constants-service.conf
View File

@@ -26,18 +26,6 @@ LXC_NESTING="1"
# enable keyctl feature # enable keyctl feature
LXC_KEYCTL="0" LXC_KEYCTL="0"
# add optional features to samba ad dc
# CURRENTLY SUPPORTED:
# wsdd = add windows service discovery
# splitdns = add nginx to redirect to website www.domain.tld in splitdns setup
# bind9dlz = Set ZMB_DNS_BACKEND to BIND9_DLZ
# Example:
# OPTIONAL_FEATURES=(wsdd)
# OPTIONAL_FEATURES=(wsdd splitdns)
OPTIONAL_FEATURES=()
# Sets the minimum amount of RAM the service needs for operation # Sets the minimum amount of RAM the service needs for operation
LXC_MEM_MIN=1024 LXC_MEM_MIN=1024

98
src/zmb-ad-join/install-service.sh
View File

@@ -5,35 +5,19 @@
# (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de> # (C) 2021 Script design and prototype by Markus Helmke <m.helmke@nettwarker.de>
# (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de> # (C) 2021 Script rework and documentation by Thorsten Spille <thorsten@spille-edv.de>
set -euo pipefail
source /root/functions.sh source /root/functions.sh
source /root/zamba.conf source /root/zamba.conf
source /root/constants-service.conf source /root/constants-service.conf
ZMB_DNS_BACKEND="SAMBA_INTERNAL"
for f in ${OPTIONAL_FEATURES[@]}; do
if [[ "$f" == "wsdd" ]]; then
ADDITIONAL_PACKAGES="wsdd2 $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="wsdd2 $ADDITIONAL_SERVICES"
elif [[ "$f" == "splitdns" ]]; then
ADDITIONAL_PACKAGES="nginx-full $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="nginx $ADDITIONAL_SERVICES"
elif [[ "$f" == "bind9dlz" ]]; then
ZMB_DNS_BACKEND="BIND9_DLZ"
ADDITIONAL_PACKAGES="bind9 $ADDITIONAL_PACKAGES"
ADDITIONAL_SERVICES="bind9 $ADDITIONAL_SERVICES"
else
echo "Unsupported optional feature $f"
fi
done
# echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list # echo "deb http://deb.debian.org/debian/ bookworm-backports main contrib" >> /etc/apt/sources.list
# update packages # update packages
apt update apt update
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt -y -qq dist-upgrade
# install required packages # install required packages
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET $ADDITIONAL_PACKAGES ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" $LXC_TOOLSET ntpsec-ntpdate rpl net-tools dnsutils chrony sipcalc
# DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils # DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -t bookworm-backports -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils DEBIAN_FRONTEND=noninteractive DEBIAN_PRIORITY=critical apt install -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" acl attr samba samba-ad-dc smbclient winbind libpam-winbind libnss-winbind krb5-user samba-dsdb-modules samba-vfs-modules lmdb-utils rsync cifs-utils
@@ -62,57 +46,6 @@ allow $(sipcalc ${LXC_IP} | grep -m1 "Network address" | rev | cut -d' ' -f1 | r
ntpsigndsocket /var/lib/samba/ntp_signd ntpsigndsocket /var/lib/samba/ntp_signd
EOF EOF
if [[ "$ADDITIONAL_PACKAGES" == *"nginx-full"* ]]; then
cat << EOF > /etc/nginx/sites-available/default
server {
listen 80 default_server;
server_name _;
return 301 http://www.$LXC_DOMAIN\$request_uri;
}
EOF
fi
if [[ "$ADDITIONAL_PACKAGES" == *"bind9"* ]]; then
# configure bind dns service
cat << EOF > /etc/default/bind9
#
# run resolvconf?
RESOLVCONF=no
# startup options for the server
OPTIONS="-4 -u bind"
EOF
cat << EOF > /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
dlz "$LXC_DOMAIN" {
database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
EOF
cat << EOF > /etc/bind/named.conf.options
options {
directory "/var/cache/bind";
forwarders {
$LXC_DNS;
};
allow-query { any;};
dnssec-validation no;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
listen-on { any; };
tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
minimal-responses yes;
};
EOF
mkdir -p /var/lib/samba/bind-dns/dns
fi
mv /etc/krb5.conf /etc/krb5.conf.bak mv /etc/krb5.conf /etc/krb5.conf.bak
cat > /etc/krb5.conf <<EOF cat > /etc/krb5.conf <<EOF
[libdefaults] [libdefaults]
@@ -124,9 +57,28 @@ cat > /etc/krb5.conf <<EOF
EOF EOF
# stop + disable samba services and remove default config # stop + disable samba services and remove default config
systemctl disable --now smbd nmbd winbind systemd-resolved > /dev/null 2>&1 systemctl disable --now smbd nmbd winbind > /dev/null 2>&1
rm -f /etc/samba/smb.conf rm -f /etc/samba/smb.conf
echo "fixing samba service to wait for lxc being online"
install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d
cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf
[Unit]
After=networking.service
Wants=networking.service
[Service]
# Wait up to 30s for eth0 to get an IPv4 address
ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1'
Restart=on-failure
RestartSec=3
EOF
systemctl daemon-reload
echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER echo -e "$ZMB_ADMIN_PASS" | kinit -V $ZMB_ADMIN_USER
samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb samba-tool domain join $ZMB_REALM DC --use-kerberos=required --backend-store=mdb
@@ -160,7 +112,7 @@ ssh-keygen -q -f "$HOME/.ssh/id_rsa" -N "" -b 4096
systemctl unmask samba-ad-dc systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc systemctl enable samba-ad-dc
systemctl restart samba-ad-dc $ADDITIONAL_SERVICES systemctl restart samba-ad-dc
# configure ad backup # configure ad backup
cat << EOF > /usr/local/bin/smb-backup cat << EOF > /usr/local/bin/smb-backup
@@ -168,7 +120,7 @@ cat << EOF > /usr/local/bin/smb-backup
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
rc=0 rc=0
keep=$1 keep=\$1
if \$1 ; then if \$1 ; then
keep=\$1 keep=\$1
fi fi

19
src/zmb-ad/install-service.sh
View File

@@ -49,6 +49,25 @@ systemctl disable --now smbd nmbd winbind > /dev/null 2>&1
rm -f /etc/samba/smb.conf rm -f /etc/samba/smb.conf
rm -f /etc/krb5.conf rm -f /etc/krb5.conf
echo "fixing samba service to wait for lxc being online"
install -d -m 0755 /etc/systemd/system/samba-ad-dc.service.d
cat <<'EOF' > /etc/systemd/system/samba-ad-dc.service.d/wait-net.conf
[Unit]
After=networking.service
Wants=networking.service
[Service]
# Wait up to 30s for eth0 to get an IPv4 address
ExecStartPre=/bin/sh -c 'for i in $(seq 1 30); do ip -4 addr show dev eth0 scope global | grep -q inet && exit 0; sleep 1; done; echo "Network not ready" >&2; exit 1'
Restart=on-failure
RestartSec=3
EOF
systemctl daemon-reload
echo "provisioning domain" echo "provisioning domain"
# provision zamba domain # provision zamba domain
samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=SAMBA_INTERNAL samba-tool domain provision --use-rfc2307 --realm=$ZMB_REALM --domain=$ZMB_DOMAIN --adminpass=$ZMB_ADMIN_PASS --server-role=dc --backend-store=mdb --dns-backend=SAMBA_INTERNAL