Initial commit
This commit is contained in:
38
Dockerfile
Normal file
38
Dockerfile
Normal file
@@ -0,0 +1,38 @@
|
||||
FROM alpine:3.16
|
||||
MAINTAINER Rich Braun "docker@instantlinux.net"
|
||||
ARG BUILD_DATE
|
||||
ARG VCS_REF
|
||||
LABEL org.label-schema.build-date=$BUILD_DATE \
|
||||
org.label-schema.license=GPL-3.0 \
|
||||
org.label-schema.name=samba-dc \
|
||||
org.label-schema.vcs-ref=$VCS_REF \
|
||||
org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
|
||||
|
||||
ENV ADMIN_PASSWORD_SECRET=samba-admin-password \
|
||||
ALLOW_DNS_UPDATES=secure \
|
||||
BIND_INTERFACES_ONLY=yes \
|
||||
DOMAIN_ACTION=provision \
|
||||
DOMAIN_LOGONS=yes \
|
||||
DOMAIN_MASTER=no \
|
||||
INTERFACES="lo eth0" \
|
||||
LOG_LEVEL=1 \
|
||||
MODEL=standard \
|
||||
NETBIOS_NAME= \
|
||||
REALM=ad.example.com \
|
||||
SERVER_STRING="Samba Domain Controller" \
|
||||
TZ=UTC \
|
||||
WINBIND_USE_DEFAULT_DOMAIN=yes \
|
||||
WORKGROUP=AD
|
||||
|
||||
ARG SAMBA_VERSION=4.15.7-r0
|
||||
|
||||
COPY *.conf.j2 /root/
|
||||
COPY entrypoint.sh /usr/local/bin/
|
||||
RUN apk add --update --no-cache krb5 ldb-tools samba-dc=$SAMBA_VERSION tdb \
|
||||
bind bind-libs bind-tools libcrypto1.1 libxml2 tzdata && \
|
||||
chmod 0755 /usr/local/bin/entrypoint.sh
|
||||
|
||||
VOLUME /etc/samba /var/lib/samba
|
||||
EXPOSE 53 53/udp 88 88/udp 135 137-138/udp 139 389 389/udp 445 464 464/udp 636 3268-3269 49152-65535
|
||||
|
||||
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
|
||||
66
entrypoint.sh
Normal file
66
entrypoint.sh
Normal file
@@ -0,0 +1,66 @@
|
||||
#!/bin/sh -e
|
||||
|
||||
if [ -z "$NETBIOS_NAME" ]; then
|
||||
NETBIOS_NAME=$(hostname -s | tr [a-z] [A-Z])
|
||||
else
|
||||
NETBIOS_NAME=$(echo $NETBIOS_NAME | tr [a-z] [A-Z])
|
||||
fi
|
||||
REALM=$(echo "$REALM" | tr [a-z] [A-Z])
|
||||
|
||||
if [ ! -f /etc/timezone ] && [ ! -z "$TZ" ]; then
|
||||
echo 'Set timezone'
|
||||
cp /usr/share/zoneinfo/$TZ /etc/localtime
|
||||
echo $TZ >/etc/timezone
|
||||
fi
|
||||
|
||||
if [ ! -f /var/lib/samba/registry.tdb ]; then
|
||||
if [ ! -f /run/secrets/$ADMIN_PASSWORD_SECRET ]; then
|
||||
echo 'Cannot read secret $ADMIN_PASSWORD_SECRET in /run/secrets'
|
||||
exit 1
|
||||
fi
|
||||
ADMIN_PASSWORD=$(cat /run/secrets/$ADMIN_PASSWORD_SECRET)
|
||||
if [ "$BIND_INTERFACES_ONLY" == yes ]; then
|
||||
INTERFACE_OPTS="--option=\"bind interfaces only=yes\" \
|
||||
--option=\"interfaces=$INTERFACES\""
|
||||
fi
|
||||
if [ $DOMAIN_ACTION == provision ]; then
|
||||
PROVISION_OPTS="--server-role=dc --use-rfc2307 --domain=$WORKGROUP \
|
||||
--realm=$REALM --adminpass='$ADMIN_PASSWORD'"
|
||||
elif [ $DOMAIN_ACTION == join ]; then
|
||||
PROVISION_OPTS="$REALM DC -UAdministrator --password='$ADMIN_PASSWORD'"
|
||||
else
|
||||
echo 'Only provision and join actions are supported.'
|
||||
exit 1
|
||||
fi
|
||||
|
||||
rm -f /etc/samba/smb.conf /etc/krb5.conf
|
||||
|
||||
# This step is required for INTERFACE_OPTS to work as expected
|
||||
echo "samba-tool domain $DOMAIN_ACTION $PROVISION_OPTS $INTERFACE_OPTS \
|
||||
--dns-backend=SAMBA_INTERNAL" | sh
|
||||
|
||||
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
|
||||
echo 'root = administrator' > /etc/samba/smbusers
|
||||
fi
|
||||
mkdir -p -m 700 /etc/samba/conf.d
|
||||
for file in /etc/samba/smb.conf /etc/samba/conf.d/netlogon.conf \
|
||||
/etc/samba/conf.d/sysvol.conf; do
|
||||
sed -e "s:{{ ALLOW_DNS_UPDATES }}:$ALLOW_DNS_UPDATES:" \
|
||||
-e "s:{{ BIND_INTERFACES_ONLY }}:$BIND_INTERFACES_ONLY:" \
|
||||
-e "s:{{ DOMAIN_LOGONS }}:$DOMAIN_LOGONS:" \
|
||||
-e "s:{{ DOMAIN_MASTER }}:$DOMAIN_MASTER:" \
|
||||
-e "s+{{ INTERFACES }}+$INTERFACES+" \
|
||||
-e "s:{{ LOG_LEVEL }}:$LOG_LEVEL:" \
|
||||
-e "s:{{ NETBIOS_NAME }}:$NETBIOS_NAME:" \
|
||||
-e "s:{{ REALM }}:$REALM:" \
|
||||
-e "s:{{ SERVER_STRING }}:$SERVER_STRING:" \
|
||||
-e "s:{{ WINBIND_USE_DEFAULT_DOMAIN }}:$WINBIND_USE_DEFAULT_DOMAIN:" \
|
||||
-e "s:{{ WORKGROUP }}:$WORKGROUP:" \
|
||||
/root/$(basename $file).j2 > $file
|
||||
done
|
||||
for file in $(ls -A /etc/samba/conf.d/*.conf); do
|
||||
echo "include = $file" >> /etc/samba/smb.conf
|
||||
done
|
||||
ln -fns /var/lib/samba/private/krb5.conf /etc/
|
||||
|
||||
exec samba --model=$MODEL -i </dev/null
|
||||
3
netlogon.conf.j2
Normal file
3
netlogon.conf.j2
Normal file
@@ -0,0 +1,3 @@
|
||||
[netlogon]
|
||||
path = /var/lib/samba/sysvol/{{ REALM }}/scripts
|
||||
read only = No
|
||||
19
smb.conf.j2
Normal file
19
smb.conf.j2
Normal file
@@ -0,0 +1,19 @@
|
||||
# Generated by entrypoint.sh. Add customizations under /etc/samba/conf.d.
|
||||
# DO NOT EDIT THIS FILE.
|
||||
|
||||
[global]
|
||||
netbios name = {{ NETBIOS_NAME }}
|
||||
realm = {{ REALM }}
|
||||
server role = active directory domain controller
|
||||
workgroup = {{ WORKGROUP }}
|
||||
|
||||
add machine script = /usr/sbin/adduser -D -H -G users -s /bin/false %u
|
||||
allow dns updates = {{ ALLOW_DNS_UPDATES }}
|
||||
bind interfaces only = {{ BIND_INTERFACES_ONLY }}
|
||||
domain logons = {{ DOMAIN_LOGONS }}
|
||||
domain master = {{ DOMAIN_MASTER }}
|
||||
interfaces = {{ INTERFACES }}
|
||||
log level = {{ LOG_LEVEL }}
|
||||
winbind refresh tickets = Yes
|
||||
winbind use default domain = {{ WINBIND_USE_DEFAULT_DOMAIN }}
|
||||
|
||||
3
sysvol.conf.j2
Normal file
3
sysvol.conf.j2
Normal file
@@ -0,0 +1,3 @@
|
||||
[sysvol]
|
||||
path = /var/lib/samba/sysvol
|
||||
read only = No
|
||||
Reference in New Issue
Block a user