Samba member server.

.drone.yml

@@ -0,0 +1,14 @@
+kind: pipeline
+name: default
+
+steps:
+- name: docker  
+  image: plugins/docker
+  settings:
+    registry: https://git.ivasoft.cz
+    username:
+      from_secret: repo_user
+    password:
+      from_secret: repo_pass
+    repo: git.ivasoft.cz/sw/samba-member
+    tags: latest

Dockerfile

@@ -0,0 +1,68 @@
+FROM debian:stable
+
+MAINTAINER Roman VANICEK <roman.vanicek@ivasoft.cz>
+
+ENV ADMIN_PASSWORD_SECRET=samba-admin-password \
+    BIND_INTERFACES_ONLY=yes \
+    INTERFACES="lo eth0" \
+    LOG_LEVEL=1 \
+    MODEL=standard \
+    NETBIOS_NAME= \
+    REALM=ad.example.com \
+    SERVER_STRING="Samba Member Server" \
+    TZ=UTC \
+    WINBIND_USE_DEFAULT_DOMAIN=yes \
+    WORKGROUP=AD
+
+ENV TERM=xterm
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get -y update && \
+    apt-get -yqq --no-install-recommends install \
+        resolvconf \
+        dnsutils \
+        vim \
+        nano \
+        crudini \
+        dbus \
+        realmd \
+        krb5-user \
+        libpam-krb5 \
+        adcli \
+        winbind \
+        libnss-winbind \
+        libpam-winbind \
+        samba \
+        samba-dsdb-modules \
+        samba-client \
+        samba-vfs-modules \
+        logrotate \
+        attr \
+        libpam-mount \
+        policykit-1 \
+        packagekit \
+        sssd \
+        sssd-tools \
+        libnss-sss \
+        libpam-sss \
+        adcli \
+        supervisor && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
+    systemctl enable sssd && \
+    mkdir -p /var/lib/samba/private
+
+#RUN chmod 777 /home
+
+RUN env --unset=DEBIAN_FRONTEND
+
+COPY *.conf.j2 /root/
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
+COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+
+EXPOSE 137 138 139 445
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
+CMD ["/usr/bin/supervisord","-c","/etc/supervisor/conf.d/supervisord.conf"]

entrypoint.sh

@@ -0,0 +1,82 @@
+#!/bin/sh -e
+
+if [ -z "$NETBIOS_NAME" ]; then
+  NETBIOS_NAME=$(hostname -s | tr [a-z] [A-Z])
+else
+  NETBIOS_NAME=$(echo $NETBIOS_NAME | tr [a-z] [A-Z])
+fi
+REALM=$(echo "$REALM" | tr [a-z] [A-Z])
+
+if [ ! -f /etc/timezone ] && [ ! -z "$TZ" ]; then
+  echo 'Set timezone'
+  cp /usr/share/zoneinfo/$TZ /etc/localtime
+  echo $TZ >/etc/timezone
+fi
+
+if [ ! -f /var/lib/samba/registry.tdb ]; then
+  if [ ! -f /run/secrets/$ADMIN_PASSWORD_SECRET ]; then
+    echo 'Cannot read secret $ADMIN_PASSWORD_SECRET in /run/secrets'
+    exit 1
+  fi
+  ADMIN_PASSWORD=$(cat /run/secrets/$ADMIN_PASSWORD_SECRET)
+  if [ "$BIND_INTERFACES_ONLY" == yes ]; then
+    INTERFACE_OPTS="--option=\"bind interfaces only=yes\" \
+      --option=\"interfaces=$INTERFACES\""
+  fi
+  PROVISION_OPTS="$REALM MEMBER -UAdministrator --password='$ADMIN_PASSWORD'"
+
+  rm -f /etc/samba/smb.conf /etc/krb5.conf
+
+  # This step is required for INTERFACE_OPTS to work as expected
+  echo "samba-tool domain $DOMAIN_ACTION $PROVISION_OPTS $INTERFACE_OPTS \
+     --dns-backend=SAMBA_INTERNAL" | sh
+
+  mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
+  echo 'root = administrator' > /etc/samba/smbusers
+fi
+mkdir -p -m 700 /etc/samba/conf.d
+for file in /etc/samba/smb.conf /etc/samba/conf.d/netlogon.conf \
+      /etc/samba/conf.d/sysvol.conf; do
+  sed -e "s:{{ ALLOW_DNS_UPDATES }}:$ALLOW_DNS_UPDATES:" \
+      -e "s:{{ BIND_INTERFACES_ONLY }}:$BIND_INTERFACES_ONLY:" \
+      -e "s:{{ DOMAIN_LOGONS }}:$DOMAIN_LOGONS:" \
+      -e "s:{{ DOMAIN_MASTER }}:$DOMAIN_MASTER:" \
+      -e "s+{{ INTERFACES }}+$INTERFACES+" \
+      -e "s:{{ LOG_LEVEL }}:$LOG_LEVEL:" \
+      -e "s:{{ NETBIOS_NAME }}:$NETBIOS_NAME:" \
+      -e "s:{{ REALM }}:$REALM:" \
+      -e "s:{{ SERVER_STRING }}:$SERVER_STRING:" \
+      -e "s:{{ WINBIND_USE_DEFAULT_DOMAIN }}:$WINBIND_USE_DEFAULT_DOMAIN:" \
+      -e "s:{{ WORKGROUP }}:$WORKGROUP:" \
+      /root/$(basename $file).j2 > $file
+done
+for file in $(ls -A /etc/samba/conf.d/*.conf); do
+  echo "include = $file" >> /etc/samba/smb.conf
+done
+ln -fns /var/lib/samba/private/krb5.conf /etc/
+
+echo " Starting system message bus"
+/etc/init.d/dbus start
+
+echo "Starting: \"sssd\""
+cat /etc/sssd/sssd.conf
+timeout 30s /etc/init.d/sssd restart
+timeout 30s /etc/init.d/sssd status
+
+#echo "Activating home directory auto-creation"
+#echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | tee -a /etc/pam.d/common-session
+
+echo "Updating NSSwitch configuration: \"/etc/nsswitch.conf\""
+if [[ ! `grep "winbind" /etc/nsswitch.conf` ]]; then
+    sed -i "s#^\(passwd\:\s*compat\)\s*\(.*\)\$#\1 \2 winbind#" /etc/nsswitch.conf
+    sed -i "s#^\(group\:\s*compat\)\s*\(.*\)\$#\1 \2 winbind#" /etc/nsswitch.conf
+    sed -i "s#^\(shadow\:\s*compat\)\s*\(.*\)\$#\1 \2 winbind#" /etc/nsswitch.conf
+fi
+
+pam-auth-update
+
+echo 'Restarting Samba using supervisord'
+/etc/init.d/winbind stop
+/etc/init.d/nmbd stop
+/etc/init.d/smbd stop
+exec "$@"

smb.conf.j2

@@ -0,0 +1,16 @@
+# Generated by entrypoint.sh. Add customizations under /etc/samba/conf.d.
+#  DO NOT EDIT THIS FILE.
+
+[global]
+	netbios name = {{ NETBIOS_NAME }}
+	realm = {{ REALM }}
+	server role = active directory domain controller
+	workgroup = {{ WORKGROUP }}
+
+	add machine script = /usr/sbin/adduser -D -H -G users -s /bin/false %u
+	bind interfaces only = {{ BIND_INTERFACES_ONLY }}
+	interfaces = {{ INTERFACES }}
+	log level = {{ LOG_LEVEL }}
+	winbind refresh tickets = Yes
+	winbind use default domain = {{ WINBIND_USE_DEFAULT_DOMAIN }}
+

supervisord.conf

@@ -0,0 +1,19 @@
+[supervisord]
+nodaemon=true
+loglevel=info
+
+[program:smbd]
+command=/usr/sbin/smbd --daemon --foreground --log-stdout
+redirect_stderr=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:nmbd]
+command=/usr/sbin/nmbd --daemon --foreground --log-stdout
+redirect_stderr=true
+
+[program:winbind]
+command=/usr/sbin/winbindd --daemon --foreground --stdout
+redirect_stderr=true