#!/bin/bash -e # Loosely based on https://github.com/fjudith/docker-samba-join-ad/tree/master/sssd if [ -z "$NETBIOS_NAME" ]; then NETBIOS_NAME=$(hostname -s | tr [a-z] [A-Z]) else NETBIOS_NAME=$(echo $NETBIOS_NAME | tr [a-z] [A-Z]) fi REALM=$(echo "$REALM" | tr [a-z] [A-Z]) DOMAIN=$(echo "$REALM" | tr [A-Z] [a-z]) if [ ! -f /etc/timezone ] && [ ! -z "$TZ" ]; then echo 'Set timezone' rm /etc/localtime cp /usr/share/zoneinfo/$TZ /etc/localtime echo $TZ >/etc/timezone fi if [ ! -f /etc/samba/krb5.keytab ]; then if [ ! -f /run/secrets/$ADMIN_PASSWORD_SECRET ]; then echo 'Cannot read secret $ADMIN_PASSWORD_SECRET in /run/secrets' exit 1 fi ADMIN_PASSWORD=$(cat /run/secrets/$ADMIN_PASSWORD_SECRET) rm -f /etc/samba/smb.conf /etc/krb5.conf # realm join is broken as it requires --privileged but difficult to add for swarm # so it can execute /usr/sbin/adcli. Therefore we execute it directly and create # the /etc/krb5.conf and /etc/sssd/sssd.conf manually # echo $ADMIN_PASSWORD|realm join -v $REALM --user=$ADMIN_ACCOUNT echo $ADMIN_PASSWORD|/usr/sbin/adcli join --verbose --domain $DOMAIN --domain-realm $REALM --login-type user --login-user $ADMIN_ACCOUNT --stdin-password mv /etc/krb5.keytab /etc/samba/ fi if [ ! -L /etc/krb5.keytab ]; then ln -s /etc/samba/krb5.keytab /etc/krb5.keytab fi echo -e "[libdefaults]\ndefault_realm = $REALM\ndns_lookup_realm = false\ndns_lookup_kdc = true" > /etc/krb5.conf mkdir -p -m 700 /etc/samba/conf.d for file in /etc/samba/smb.conf; do sed -e "s:{{ ALLOW_DNS_UPDATES }}:$ALLOW_DNS_UPDATES:" \ -e "s:{{ BIND_INTERFACES_ONLY }}:$BIND_INTERFACES_ONLY:" \ -e "s+{{ INTERFACES }}+$INTERFACES+" \ -e "s:{{ LOG_LEVEL }}:$LOG_LEVEL:" \ -e "s:{{ NETBIOS_NAME }}:$NETBIOS_NAME:" \ -e "s:{{ REALM }}:$REALM:" \ -e "s:{{ SERVER_STRING }}:$SERVER_STRING:" \ -e "s:{{ WINBIND_USE_DEFAULT_DOMAIN }}:$WINBIND_USE_DEFAULT_DOMAIN:" \ -e "s:{{ WORKGROUP }}:$WORKGROUP:" \ /root/$(basename $file).j2 > $file done for file in $(ls -A /etc/samba/conf.d/*.conf); do echo "include = $file" >> /etc/samba/smb.conf done #echo "Activating home directory auto-creation" #echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | tee -a /etc/pam.d/common-session if [ ! -f /var/lib/samba/private/secrets.tdb ]; then if [ ! -f /run/secrets/$ADMIN_PASSWORD_SECRET ]; then echo 'Cannot read secret $ADMIN_PASSWORD_SECRET in /run/secrets' exit 1 fi ADMIN_PASSWORD=$(cat /run/secrets/$ADMIN_PASSWORD_SECRET) echo "Joining domain using net ads" mkdir -p /var/lib/samba/private mkdir -p /var/lib/samba/printerdrivers # Join net ads join --no-dns-updates -U"$ADMIN_ACCOUNT"%"$ADMIN_PASSWORD" ((/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf -j /tmp/sp.pid)&) sleep 10 # Allow adding printer drivers for Administrator # Note: These commands require running winbind that resolves the group name and dcerpcd that accesses printers list rpcclient -P -c enumprinters 127.0.0.1 chgrp -R "Domain Admins" /var/lib/samba/printerdrivers chmod -R 775 /var/lib/samba/printerdrivers setfacl -R -m "d:g:Domain Admins:rwx" /var/lib/samba/printerdrivers # HACK: In Samba 4.16 and above shares are not visible otherwise smbclient -L 127.0.0.1 -P chmod 666 /var/lib/samba/share_info.tdb kill `cat /tmp/sp.pid` fi # CUPS persistence and permissions mkdir -p /etc/cups-persist/ppd touch /etc/cups-persist/printers.conf sed -i -E "s:^(lpadmin\:x\:[0-9]+\:)(.*)$:\1$ADMIN_ACCOUNT\,\2:" /etc/group sed -i -E "s:^(lpadmin\:x\:[0-9]+\:)(.*)$:\1$ADMIN_ACCOUNT\,\2:" /etc/group if [ -z "$CUPS_TRUSTED_PROXY" ]; then sed -E -i "s:(Order allow\,deny):\1\n Allow all:" /etc/cups/cupsd.conf else sed -E -i "s:(Order allow\,deny):\1\n Allow $CUPS_TRUSTED_PROXY:" /etc/cups/cupsd.conf echo -e "\n" >> /etc/cups/cupsd.conf echo "DefaultEncryption Never" >> /etc/cups/cupsd.conf fi echo 'Restarting Samba using supervisord' exec "$@"