From da5203026d8c6d49d7a4e3f67bc17d2fec7b8d77 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roman=20Van=C3=AD=C4=8Dek?=
Date: Wed, 16 Nov 2022 22:07:47 +0100
Subject: [PATCH] Initial commit
---
Dockerfile | 38 ++++++++++++++++++++++++++++
entrypoint.sh | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
netlogon.conf.j2 | 3 +++
smb.conf.j2 | 19 ++++++++++++++
sysvol.conf.j2 | 3 +++
5 files changed, 129 insertions(+)
create mode 100644 Dockerfile
create mode 100644 entrypoint.sh
create mode 100644 netlogon.conf.j2
create mode 100644 smb.conf.j2
create mode 100644 sysvol.conf.j2
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..b97ea6a
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,38 @@
+FROM alpine:3.16
+MAINTAINER Rich Braun "docker@instantlinux.net"
+ARG BUILD_DATE
+ARG VCS_REF
+LABEL org.label-schema.build-date=$BUILD_DATE \
+ org.label-schema.license=GPL-3.0 \
+ org.label-schema.name=samba-dc \
+ org.label-schema.vcs-ref=$VCS_REF \
+ org.label-schema.vcs-url=https://github.com/instantlinux/docker-tools
+
+ENV ADMIN_PASSWORD_SECRET=samba-admin-password \
+ ALLOW_DNS_UPDATES=secure \
+ BIND_INTERFACES_ONLY=yes \
+ DOMAIN_ACTION=provision \
+ DOMAIN_LOGONS=yes \
+ DOMAIN_MASTER=no \
+ INTERFACES="lo eth0" \
+ LOG_LEVEL=1 \
+ MODEL=standard \
+ NETBIOS_NAME= \
+ REALM=ad.example.com \
+ SERVER_STRING="Samba Domain Controller" \
+ TZ=UTC \
+ WINBIND_USE_DEFAULT_DOMAIN=yes \
+ WORKGROUP=AD
+
+ARG SAMBA_VERSION=4.15.7-r0
+
+COPY *.conf.j2 /root/
+COPY entrypoint.sh /usr/local/bin/
+RUN apk add --update --no-cache krb5 ldb-tools samba-dc=$SAMBA_VERSION tdb \
+ bind bind-libs bind-tools libcrypto1.1 libxml2 tzdata && \
+ chmod 0755 /usr/local/bin/entrypoint.sh
+
+VOLUME /etc/samba /var/lib/samba
+EXPOSE 53 53/udp 88 88/udp 135 137-138/udp 139 389 389/udp 445 464 464/udp 636 3268-3269 49152-65535
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..8f0aa11
--- /dev/null
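Review bot: `FROM alpine:3.16` is a mutable tag and only `samba-dc` is version-pinned in the `apk add` line, so two builds of this domain-controller image can ship different `krb5`, `bind` and `libcrypto1.1` packages with no change to the Dockerfile. Pinning the base by digest, e.g. `FROM alpine:3.16@sha256:<digest-of-the-reviewed-image>` (placeholder), covers the base layer; the remaining packages would need `=version` pins like `samba-dc` to be reproducible. The fixed `SAMBA_VERSION=4.15.7-r0` also means a Samba security update only arrives through a deliberate bump of that `ARG`, which deserves a comment next to it. `MAINTAINER` is deprecated and can move into the existing `LABEL` block as `org.opencontainers.image.authors="docker@instantlinux.net"`.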
+++ b/entrypoint.sh 
@@ -0,0 +1,66 @@
+#!/bin/sh -e
+
+if [ -z "$NETBIOS_NAME" ]; then
+ NETBIOS_NAME=$(hostname -s | tr [a-z] [A-Z])
+else
+ NETBIOS_NAME=$(echo $NETBIOS_NAME | tr [a-z] [A-Z])
+fi
+REALM=$(echo "$REALM" | tr [a-z] [A-Z])
+
+if [ ! -f /etc/timezone ] && [ ! -z "$TZ" ]; then
+ echo 'Set timezone'
+ cp /usr/share/zoneinfo/$TZ /etc/localtime
+ echo $TZ >/etc/timezone
+fi
+
+if [ ! -f /var/lib/samba/registry.tdb ]; then
+ if [ ! -f /run/secrets/$ADMIN_PASSWORD_SECRET ]; then
+ echo 'Cannot read secret $ADMIN_PASSWORD_SECRET in /run/secrets'
+ exit 1
+ fi
+ ADMIN_PASSWORD=$(cat /run/secrets/$ADMIN_PASSWORD_SECRET)
+ if [ "$BIND_INTERFACES_ONLY" == yes ]; then
+ INTERFACE_OPTS="--option=\"bind interfaces only=yes\" \
+ --option=\"interfaces=$INTERFACES\""
+ fi
+ if [ $DOMAIN_ACTION == provision ]; then
+ PROVISION_OPTS="--server-role=dc --use-rfc2307 --domain=$WORKGROUP \
+ --realm=$REALM --adminpass='$ADMIN_PASSWORD'"
+ elif [ $DOMAIN_ACTION == join ]; then
+ PROVISION_OPTS="$REALM DC -UAdministrator --password='$ADMIN_PASSWORD'"
+ else
+ echo 'Only provision and join actions are supported.'
+ exit 1
+ fi
+
+ rm -f /etc/samba/smb.conf /etc/krb5.conf
+
+ # This step is required for INTERFACE_OPTS to work as expected
+ echo "samba-tool domain $DOMAIN_ACTION $PROVISION_OPTS $INTERFACE_OPTS \
+ --dns-backend=SAMBA_INTERNAL" | sh
+
+ mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
+ echo 'root = administrator' > /etc/samba/smbusers
+fi
+mkdir -p -m 700 /etc/samba/conf.d
+for file in /etc/samba/smb.conf /etc/samba/conf.d/netlogon.conf \
+ /etc/samba/conf.d/sysvol.conf; do
+ sed -e "s:{{ ALLOW_DNS_UPDATES }}:$ALLOW_DNS_UPDATES:" \
+ -e "s:{{ BIND_INTERFACES_ONLY }}:$BIND_INTERFACES_ONLY:" \
+ -e "s:{{ DOMAIN_LOGONS }}:$DOMAIN_LOGONS:" \
+ -e "s:{{ DOMAIN_MASTER }}:$DOMAIN_MASTER:" \
+ -e "s+{{ INTERFACES }}+$INTERFACES+" \
+ -e "s:{{ LOG_LEVEL }}:$LOG_LEVEL:" \
+ -e "s:{{ NETBIOS_NAME }}:$NETBIOS_NAME:" \
+ -e "s:{{ REALM }}:$REALM:" \
+ -e "s:{{ SERVER_STRING }}:$SERVER_STRING:" \
+ -e "s:{{ WINBIND_USE_DEFAULT_DOMAIN }}:$WINBIND_USE_DEFAULT_DOMAIN:" \
+ -e "s:{{ WORKGROUP }}:$WORKGROUP:" \
+ /root/$(basename $file).j2 > $file
+done
+for file in $(ls -A /etc/samba/conf.d/*.conf); do
+ echo "include = $file" >> /etc/samba/smb.conf
+done
+ln -fns /var/lib/samba/private/krb5.conf /etc/
+
+exec samba --model=$MODEL -i
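Review bot: The provisioning step assembles the `samba-tool` command as a string and pipes it to `sh`, so the admin password, `WORKGROUP`, `REALM` and `INTERFACES` are parsed a second time as shell source: a password containing `'` breaks the quoting, and shell metacharacters in any of these values would be executed with the entrypoint's privileges inside the container. Building the argument list with `set --` and calling `samba-tool "$@"` directly removes the second parse and still passes `bind interfaces only=yes` as a single argument, which appears to be what the comment above the `echo` is working around. The password remains in samba-tool's argument list while it runs, so that exposure is not addressed by this change and should be documented. Separately, the `Cannot read secret` message is single-quoted, so it prints the literal `$ADMIN_PASSWORD_SECRET` instead of the configured secret name.

```shell
    ADMIN_PASSWORD=$(cat "/run/secrets/$ADMIN_PASSWORD_SECRET")
    # Build the samba-tool argv directly; nothing is re-parsed by a second shell.
    case "$DOMAIN_ACTION" in
        provision)
            set -- domain provision --server-role=dc --use-rfc2307 \
                "--domain=$WORKGROUP" "--realm=$REALM" \
                "--adminpass=$ADMIN_PASSWORD"
            ;;
        join)
            set -- domain join "$REALM" DC -UAdministrator \
                "--password=$ADMIN_PASSWORD"
            ;;
        *)
            echo 'Only provision and join actions are supported.'
            exit 1
            ;;
    esac
    if [ "$BIND_INTERFACES_ONLY" = yes ]; then
        set -- "$@" "--option=bind interfaces only=yes" \
            "--option=interfaces=$INTERFACES"
    fi

    # … unchanged: rm -f /etc/samba/smb.conf /etc/krb5.conf …

    samba-tool "$@" --dns-backend=SAMBA_INTERNAL
```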