Avoid realm join and use adcli join directly.

2022-12-14 11:40:49 +01:00
parent 86b78e7569
commit e10974ab72
2 changed files with 26 additions and 8 deletions
--- a/1
+++ b/1
@@ -3,6 +3,7 @@ FROM debian:bookworm
 MAINTAINER Roman VANICEK <roman.vanicek@ivasoft.cz>

 ENV ADMIN_PASSWORD_SECRET=samba-admin-password \
+    ADMIN_ACCOUNT=Administrator
    BIND_INTERFACES_ONLY=yes \
    INTERFACES="lo eth0" \
    LOG_LEVEL=1 \
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -24,18 +24,35 @@ if [ ! -f /var/lib/samba/private/secrets.tdb ]; then
    exit 1
  fi
  ADMIN_PASSWORD=$(cat /run/secrets/$ADMIN_PASSWORD_SECRET)
-  if [ "$BIND_INTERFACES_ONLY" == "yes" ]; then
-    INTERFACE_OPTS="--option=\"bind interfaces only=yes\" \
-      --option=\"interfaces=$INTERFACES\""
-  fi
-  PROVISION_OPTS="$REALM MEMBER -UAdministrator --password='$ADMIN_PASSWORD'"

  rm -f /etc/samba/smb.conf /etc/krb5.conf
  mkdir -p /var/lib/samba/private

-  # This step is required for INTERFACE_OPTS to work as expected
-  #echo "samba-tool domain join $PROVISION_OPTS $INTERFACE_OPTS" | sh
-  echo $ADMIN_PASSWORD|realm join -v $REALM --user=Administrator
+  # realm join is broken as it requires --privileged but difficult to add for swarm
+  # so it can execute /usr/sbin/adcli. Therefore we execute it directly and create
+  # the /etc/sssd/sssd.conf manually
+  # echo $ADMIN_PASSWORD|realm join -v $REALM --user=Administrator
+  echo $ADMIN_PASSWORD|/usr/sbin/adcli join --verbose --domain $DOMAIN --domain-realm $REALM --login-type user --login-user $ADMIN_ACCOUNT --stdin-password
+  echo -e "[sssd] \n\
+domains = $DOMAIN \n\
+config_file_version = 2 \n\
+services = nss, pam \n\
+\n\
+[domain/$DOMAIN] \n\
+default_shell = /bin/bash \n\
+krb5_store_password_if_offline = True \n\
+cache_credentials = True \n\
+krb5_realm = $REALM \n\
+realmd_tags = manages-system joined-with-adcli \n\
+id_provider = ad \n\
+fallback_homedir = /home/%u@%d \n\
+ad_domain = $DOMAIN \n\
+use_fully_qualified_names = True \n\
+ldap_id_mapping = True \n\
+access_provider = ad" > /etc/sssd/sssd.conf
+
+  # SSSD is picky about the mask and fails to start otherwise
+  chmod 600 /etc/sssd/sssd.conf

  mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
  echo 'root = administrator' > /etc/samba/smbusers