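#!/bin/bash
#
# Samba AD DC Installation Script
# Based on: https://wiki.ubuntuusers.de/HowTo/Samba-AD-Server_unter_Ubuntu_20.04_installieren/
#
# Usage:    run as root from the directory that holds the .env file.
# Reads:    .env (sourced) — must define every variable listed in REQUIRED_VARS.
# Effects:  rewrites /etc/default/grub.d/disable-ipv6.cfg, /etc/network/interfaces,
#           /etc/resolv.conf, /etc/hosts, /etc/krb5.conf and the chrony configuration,
#           installs packages, provisions the domain and starts samba-ad-dc.
#
# Every step below modifies system state, so the script stops at the first
# failing command instead of running later steps against a half-configured box.
set -euo pipefail

#######################################
# Print a message to stderr and abort.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Variables the .env file must provide; checked before anything is modified.
readonly REQUIRED_VARS=(
  PRIMARY_DC_INTERFACE
  PRIMARY_DC_IP
  PRIMARY_DC_GATEWAY_IP
  PRIMARY_DC_FORWARDER_DNS
  PRIMARY_DC_HOSTNAME
  PRIMARY_DC_NETWORK
  PRIMARY_DC_PTR_ADDRESS
  REALM
  DOMAIN
  ADMIN_PASSWORD
)

#######################################
# Write /etc/network/interfaces with the DC's static address and restart
# networking. Used twice (before and after provisioning), so kept in one place.
# Globals: PRIMARY_DC_INTERFACE, PRIMARY_DC_IP, PRIMARY_DC_GATEWAY_IP (read)
#######################################
write_interfaces() {
  cat > /etc/network/interfaces << EOF
source /etc/network/interfaces.d/*
auto lo
iface lo inet loopback
allow-hotplug ${PRIMARY_DC_INTERFACE}
auto ${PRIMARY_DC_INTERFACE}
iface ${PRIMARY_DC_INTERFACE} inet static
address ${PRIMARY_DC_IP}
netmask 255.255.255.0
gateway ${PRIMARY_DC_GATEWAY_IP}
EOF
  systemctl restart networking
}

#######################################
# Write /etc/resolv.conf pointing at a single nameserver.
# Arguments: $1 - nameserver IP
# Globals:   REALM (read)
#######################################
write_resolv_conf() {
  local nameserver=$1
  cat > /etc/resolv.conf << EOF
search ${REALM}
nameserver ${nameserver}
EOF
}

#######################################
# Move a config file aside as <path>.bu.orig if it exists. A missing file
# (e.g. no /etc/default/chrony on some releases) is not an error.
# Arguments: $1 - path to back up
#######################################
backup_file() {
  local path=$1
  if [[ -e "$path" ]]; then
    mv -- "$path" "${path}.bu.orig"
  fi
}

main() {
  (( EUID == 0 )) || die "Error: this script must be run as root."

  # Load environment variables
  if [[ -f .env ]]; then
    # shellcheck disable=SC1091
    source .env
  else
    die "Error: .env file not found!"
  fi

  # Fail early on a missing variable rather than writing empty values into
  # system config files.
  local var
  for var in "${REQUIRED_VARS[@]}"; do
    [[ -n "${!var:-}" ]] || die "Error: ${var} must be set in .env"
  done

  # 1. Disable IPv6
  echo "Disabling IPv6..."
  mkdir -p /etc/default/grub.d
  cat > /etc/default/grub.d/disable-ipv6.cfg << EOF
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"
EOF
  update-grub

  # 2. Configure static IP (Debian style)
  echo "Configuring static IP..."
  write_interfaces

  # 3. Configure resolve file — use the upstream forwarder until the DC's own
  #    DNS is up.
  write_resolv_conf "${PRIMARY_DC_FORWARDER_DNS}"

  # 4. Set hostname
  echo "Setting hostname..."
  hostnamectl set-hostname "${PRIMARY_DC_HOSTNAME}"

  # 5. Configure hosts file
  cat > /etc/hosts << EOF
127.0.0.1 localhost
${PRIMARY_DC_IP} ${PRIMARY_DC_HOSTNAME}.${REALM} ${PRIMARY_DC_HOSTNAME}
EOF

  # 6. Install required packages
  echo "Installing required packages..."
  apt-get update
  DEBIAN_FRONTEND=noninteractive apt-get install -y samba heimdal-clients smbclient winbind chrony ldb-tools python3-setproctitle dnsutils

  # 7. Backup original config files
  echo "Backing up original configuration files..."
  local f
  for f in /etc/samba/smb.conf /etc/krb5.conf /etc/default/chrony /etc/chrony/chrony.conf; do
    backup_file "$f"
  done

  # 8. Stop and mask standard Samba services
  echo "Stopping and masking standard Samba services..."
  systemctl stop smbd nmbd winbind
  systemctl disable smbd nmbd winbind
  systemctl mask smbd nmbd winbind

  # 9. Clean up Samba databases (rm -f tolerates an unmatched glob)
  echo "Cleaning up Samba databases..."
  rm -f -- /run/samba/*.tdb
  rm -f -- /var/lib/samba/*.tdb
  rm -f -- /var/cache/samba/*.tdb
  rm -f -- /var/lib/samba/private/*.tdb

  # 10. Provision Samba AD
  # NOTE: --adminpass is visible in the process table for the duration of the
  # provision; it is kept here because the original script relies on it.
  echo "Provisioning Samba AD..."
  samba-tool domain provision --use-rfc2307 --realm="${REALM}" --domain="${DOMAIN}" \
    --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass="${ADMIN_PASSWORD}" \
    --option="interfaces=127.0.0.1 ${PRIMARY_DC_IP}" --option="bind interfaces only=yes" \
    --option="dns forwarder=${PRIMARY_DC_FORWARDER_DNS}"

  # 11. Copy Kerberos configuration
  echo "Configuring Kerberos..."
  cp /var/lib/samba/private/krb5.conf /etc/

  # 12. Reconfigure static IP (Debian style)
  echo "Reconfiguring static IP..."
  write_interfaces

  # 13. Reconfigure resolve file — the DC now answers DNS itself.
  write_resolv_conf "${PRIMARY_DC_IP}"

  # 14. Configure chrony
  echo "Configuring chrony..."
  cat > /etc/chrony/chrony.conf << EOF
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
keyfile /etc/chrony/chrony.keys
driftfile /var/lib/chrony/chrony.drift
logdir /var/log/chrony
maxupdateskew 100.0
rtcsync
makestep 1 3
leapsectz right/UTC
bindcmdaddress 127.0.0.1
bindaddress ${PRIMARY_DC_IP}
allow ${PRIMARY_DC_NETWORK}
ntpsigndsocket /var/lib/samba/ntp_signd
EOF

  # Configure chrony for IPv4 only
  cat > /etc/default/chrony << EOF
DAEMON_OPTS="-F 1 -4"
SYNC_IN_CONTAINER="no"
EOF

  # Set correct permissions for NTP signd socket
  chgrp _chrony /var/lib/samba/ntp_signd
  chmod g+rx /var/lib/samba/ntp_signd

  # 15. Start and enable services
  echo "Starting services..."
  systemctl unmask samba-ad-dc
  systemctl enable samba-ad-dc
  systemctl start samba-ad-dc
  systemctl restart chrony

  # 16. Create reverse DNS zone
  # The admin password is handed to samba-tool through the PASSWD environment
  # variable (read by Samba's credential loader) instead of "-Uuser%pass", so it
  # does not appear in the process list or shell trace output.
  echo "Creating reverse DNS zone..."
  local last_octet=${PRIMARY_DC_IP##*.}
  PASSWD="${ADMIN_PASSWORD}" samba-tool dns zonecreate "${PRIMARY_DC_HOSTNAME}" \
    "${PRIMARY_DC_PTR_ADDRESS}" -Uadministrator
  PASSWD="${ADMIN_PASSWORD}" samba-tool dns add "${PRIMARY_DC_HOSTNAME}.${REALM}" \
    "${PRIMARY_DC_PTR_ADDRESS}" "${last_octet}" PTR "${PRIMARY_DC_HOSTNAME}.${REALM}" \
    -Uadministrator

  echo "Installation complete. Please review the configuration and reboot the system."
}

main "$@"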