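#!/bin/bash
# Container entrypoint for a Samba domain member that can optionally run as a
# CTDB cluster. Loosely based on
# https://github.com/fjudith/docker-samba-join-ad/tree/master/sssd
#
# Usage:
#   entrypoint ctdb   run a CTDB node only (ctdbd under tini, no supervisord)
#   entrypoint        join the AD domain, render Samba/CUPS config, run supervisord
#
# Environment read by this script:
#   REALM, ADMIN_ACCOUNT, ADMIN_PASSWORD_SECRET   domain join (secret lives in /run/secrets)
#   NETBIOS_NAME, TZ, CUPS_TRUSTED_PROXY          optional
#   CLUSTER_NAME, CLUSTER_NODE_NAMES, CLUSTER_SYSDIR_SHARED, CLUSTER_SYSDIR_LOCAL,
#   CLUSTER_LOG_LEVEL                             clustering
#   ALLOW_DNS_UPDATES, BIND_INTERFACES_ONLY, INTERFACES, LOG_LEVEL, SERVER_STRING,
#   WINBIND_USE_DEFAULT_DOMAIN, WORKGROUP         substituted into /root/smb.conf.j2
#
# 'set -e' lives here rather than in the shebang so it survives 'bash entrypoint'.
# -u is deliberately not enabled: most template variables are allowed to be unset.
set -e

# Print a message to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Abort with a uniform message unless the variable named in $1 is non-empty.
# $2 is the human-readable description used in the message.
require_var() {
  local name=$1 desc=$2
  [ -n "${!name}" ] || die "$desc $name must be provided"
}

# Read the Docker secret named by ADMIN_PASSWORD_SECRET into the global
# ADMIN_PASSWORD. Exits if the secret file does not exist.
read_admin_password() {
  local secret_file="/run/secrets/${ADMIN_PASSWORD_SECRET}"
  [ -f "$secret_file" ] || die "Cannot read secret $ADMIN_PASSWORD_SECRET in /run/secrets"
  ADMIN_PASSWORD=$(<"$secret_file")
}

# Escape $1 for the replacement side of a sed 's|…|…|' expression:
# backslash, '&' and the '|' delimiter are the only characters special there.
sed_replacement() {
  printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Render /etc/samba/smb.conf from /root/smb.conf.j2 by substituting the
# {{ VAR }} placeholders. Every value goes through sed_replacement so that a
# '|', '&' or '\' in an environment variable cannot alter the sed program.
# Globals read: ALLOW_DNS_UPDATES BIND_INTERFACES_ONLY INTERFACES LOG_LEVEL
#               NETBIOS_NAME REALM ETC_DIR PRINTERDRIVERS_DIR SERVER_STRING
#               WINBIND_USE_DEFAULT_DOMAIN WORKGROUP
render_smb_conf() {
  local template=/root/smb.conf.j2 target=/etc/samba/smb.conf
  sed \
    -e "s|{{ ALLOW_DNS_UPDATES }}|$(sed_replacement "$ALLOW_DNS_UPDATES")|" \
    -e "s|{{ BIND_INTERFACES_ONLY }}|$(sed_replacement "$BIND_INTERFACES_ONLY")|" \
    -e "s|{{ INTERFACES }}|$(sed_replacement "$INTERFACES")|" \
    -e "s|{{ LOG_LEVEL }}|$(sed_replacement "$LOG_LEVEL")|" \
    -e "s|{{ NETBIOS_NAME }}|$(sed_replacement "$NETBIOS_NAME")|" \
    -e "s|{{ REALM }}|$(sed_replacement "$REALM")|" \
    -e "s|{{ KEYTAB_PATH }}|$(sed_replacement "$ETC_DIR/krb5.keytab")|" \
    -e "s|{{ PRINTERDRIVERS_DIR }}|$(sed_replacement "$PRINTERDRIVERS_DIR")|" \
    -e "s|{{ SERVER_STRING }}|$(sed_replacement "$SERVER_STRING")|" \
    -e "s|{{ WINBIND_USE_DEFAULT_DOMAIN }}|$(sed_replacement "$WINBIND_USE_DEFAULT_DOMAIN")|" \
    -e "s|{{ WORKGROUP }}|$(sed_replacement "$WORKGROUP")|" \
    "$template" > "$target"
}

if [ "$1" = "ctdb" ]; then
  # Run ctdbd node and skip supervisord entirely
  require_var CLUSTER_NODE_NAMES 'The CTDB cluster nodes DNS names'
  require_var CLUSTER_SYSDIR_SHARED 'System persistent directory shared across the cluster'
  require_var CLUSTER_SYSDIR_LOCAL 'System persistent directory local to the node'
  CLUSTER_LOG_LEVEL="${CLUSTER_LOG_LEVEL:-NOTICE}"

  echo "Starting a CTDB node"
  mkdir -p "$CLUSTER_SYSDIR_LOCAL/ctdb" \
    "$CLUSTER_SYSDIR_LOCAL/ctdb-volatile" \
    "$CLUSTER_SYSDIR_LOCAL/ctdb-run"

  # For CTDB variables see https://ctdb.samba.org/manpages/ctdb.conf.5.html
  # No 'cluster lock' is configured: locking seems broken on objectivefs
  #   mkdir -p "$CLUSTER_SYSDIR_SHARED/ctdb"
  #   cluster lock = $CLUSTER_SYSDIR_SHARED/ctdb/ctdb.lock
  # Realtime scheduling is off: we do not have enough privileges in a
  # container for setting scheduling.
  cat > /etc/ctdb/ctdb.conf <<EOF
[logging]
log level = $CLUSTER_LOG_LEVEL
[cluster]
nodes list = !/usr/bin/bash /resolveNodes.sh $CLUSTER_NODE_NAMES
[database]
persistent database directory = $CLUSTER_SYSDIR_LOCAL/ctdb
volatile database directory = $CLUSTER_SYSDIR_LOCAL/ctdb-volatile
[legacy]
realtime scheduling = false
EOF

  # Option --socket= is no longer supported for ctdbd, so /run/ctdb itself is
  # pointed at the node-local persistent directory
  rm -rf /run/ctdb
  ln -s "$CLUSTER_SYSDIR_LOCAL/ctdb-run" /run/ctdb

  # We cannot run as PID 1 due to orphans
  # (see https://lists.samba.org/archive/samba-technical/2021-July/136753.html)
  exec tini -- /usr/sbin/ctdbd --interactive
fi

# Names: NetBIOS name and realm upper-case, DNS domain lower-case
if [ -z "$NETBIOS_NAME" ]; then
  NETBIOS_NAME=$(hostname -s)
fi
NETBIOS_NAME=${NETBIOS_NAME^^}
REALM=${REALM^^}
DOMAIN=${REALM,,}

if [ ! -f /etc/timezone ] && [ -n "$TZ" ]; then
  echo 'Set timezone'
  [ -f "/usr/share/zoneinfo/$TZ" ] || die "Unknown timezone $TZ"
  rm -f /etc/localtime
  cp "/usr/share/zoneinfo/$TZ" /etc/localtime
  printf '%s\n' "$TZ" > /etc/timezone
fi

# Clustering: decide where persistent Samba state lives
if [ -z "$CLUSTER_NAME" ]; then
  CTDB_ENABLED=false
  ETC_DIR=/etc/samba
  PRINTERDRIVERS_DIR=/var/lib/samba/printerdrivers
  mkdir -p "$PRINTERDRIVERS_DIR"
else
  require_var CLUSTER_SYSDIR_SHARED 'System persistent directory shared across the cluster'
  require_var CLUSTER_SYSDIR_LOCAL 'System persistent directory local to the node'
  echo "Starting as a cluster"
  CTDB_ENABLED=true
  ETC_DIR=$CLUSTER_SYSDIR_SHARED/etc
  PRINTERDRIVERS_DIR=$CLUSTER_SYSDIR_SHARED/printerdrivers
  NETBIOS_NAME=$CLUSTER_NAME
  mkdir -p "$ETC_DIR" "$CLUSTER_SYSDIR_SHARED/cups" "$PRINTERDRIVERS_DIR"
  # Guarded so a restarted container with the link already in place does not
  # fail under set -e
  [ -L /etc/cups-persist ] || ln -s "$CLUSTER_SYSDIR_SHARED/cups" /etc/cups-persist
  # HACK: Make volatile accessible from the CTDB container
  rm -rf /var/lib/ctdb/volatile
  ln -s "$CLUSTER_SYSDIR_LOCAL/ctdb-volatile" /var/lib/ctdb/volatile
fi

# First-time join with adcli: produces /etc/krb5.keytab, kept under ETC_DIR
if [ ! -f "$ETC_DIR/krb5.keytab" ]; then
  read_admin_password
  rm -f "$ETC_DIR/smb.conf" /etc/krb5.conf
  if [ "$CTDB_ENABLED" = "true" ]; then
    # Present the cluster name as the host name for the duration of the join
    PREV_HOSTNAME=$(hostname)
    hostname -b "$CLUSTER_NAME.$DOMAIN"
  fi
  # realm join is broken as it requires --privileged but difficult to add for
  # swarm so it can execute /usr/sbin/adcli. Therefore we execute it directly
  # and create the /etc/krb5.conf and /etc/sssd/sssd.conf manually
  # echo $ADMIN_PASSWORD|realm join -v $REALM --user=$ADMIN_ACCOUNT
  # The password goes over stdin (--stdin-password) so it never appears in argv
  printf '%s\n' "$ADMIN_PASSWORD" | /usr/sbin/adcli join --verbose \
    --domain "$DOMAIN" --domain-realm "$REALM" \
    --login-type user --login-user "$ADMIN_ACCOUNT" --stdin-password
  if [ "$CTDB_ENABLED" = "true" ]; then
    hostname -b "$PREV_HOSTNAME"
  fi
  mv /etc/krb5.keytab "$ETC_DIR/"
fi
if [ ! -L /etc/krb5.keytab ]; then
  ln -s "$ETC_DIR/krb5.keytab" /etc/krb5.keytab
fi
printf '[libdefaults]\ndefault_realm = %s\ndns_lookup_realm = false\ndns_lookup_kdc = true\n' \
  "$REALM" > /etc/krb5.conf

# Samba configuration
mkdir -p -m 700 "$ETC_DIR/conf.d"
render_smb_conf
for file in "$ETC_DIR"/conf.d/*.conf; do
  # Without this guard an unmatched glob would add a literal '*.conf' include
  [ -e "$file" ] || continue
  echo "include = $file" >> /etc/samba/smb.conf
done
if [ "$CTDB_ENABLED" = "true" ]; then
  {
    echo "clustering = yes"
    echo "ctdbd socket = $CLUSTER_SYSDIR_LOCAL/ctdb-run/ctdbd.socket"
  } >> /etc/samba/smb.conf
fi
#echo "Activating home directory auto-creation"
#echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | tee -a /etc/pam.d/common-session

# Join with net ads, only when 'net ads info' reports no realm yet
REAL_REALM=$(net ads info 2>/dev/null | awk -F': ' '/Realm/ {print $2; exit}')
if [ -z "$REAL_REALM" ]; then
  read_admin_password
  echo "Joining domain using net ads"
  mkdir -p /var/lib/samba/private
  # NOTE(review): the password is part of argv here and is readable via ps by
  # any process in the container while 'net' runs; Samba client tools also
  # accept the password from the PASSWD environment variable, which would keep
  # it out of argv — verify before switching.
  net ads join --no-dns-updates -U"$ADMIN_ACCOUNT%$ADMIN_PASSWORD"

  # Start supervisord temporarily: the commands below require a running
  # winbind (resolves the group name) and dcerpcd (serves the printers list)
  ((/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf -j /tmp/sp.pid)&)
  sleep 30
  # Allow adding printer drivers for Administrator
  rpcclient -P -c enumprinters 127.0.0.1
  chgrp -R "Domain Admins" "$PRINTERDRIVERS_DIR"
  chmod -R 775 "$PRINTERDRIVERS_DIR"
  setfacl -R -m "d:g:Domain Admins:rwx" "$PRINTERDRIVERS_DIR"
  # HACK: In Samba 4.16 and above shares are not visible otherwise
  if [ "$CTDB_ENABLED" = "false" ]; then
    smbclient -L 127.0.0.1 -P
    chmod 666 /var/lib/samba/share_info.tdb
  fi
  kill "$(cat /tmp/sp.pid)"
fi

# CUPS persistence and permissions
mkdir -p /etc/cups-persist/ppd
touch /etc/cups-persist/printers.conf
# Add the admin account to lpadmin unless it is already a member, so that
# restarts do not keep appending it to /etc/group
lpadmin_members=$(awk -F: '$1 == "lpadmin" {print $4; exit}' /etc/group)
case ",$lpadmin_members," in
  *",$ADMIN_ACCOUNT,"*) ;;
  *)
    if [ -z "$lpadmin_members" ]; then
      new_members=$ADMIN_ACCOUNT
    else
      new_members="$ADMIN_ACCOUNT,$lpadmin_members"
    fi
    sed -i -E "s:^(lpadmin\:x\:[0-9]+\:).*$:\1$new_members:" /etc/group
    ;;
esac
if [ -z "$CUPS_TRUSTED_PROXY" ]; then
  # No proxy configured: CUPS accepts every client address
  sed -E -i "s:(Order allow\,deny):\1\n Allow all:" /etc/cups/cupsd.conf
else
  # Only the proxy may talk to CUPS; encryption is not demanded on that hop
  # (presumably TLS terminates at the proxy — confirm)
  sed -E -i "s:(Order allow\,deny):\1\n Allow $CUPS_TRUSTED_PROXY:" /etc/cups/cupsd.conf
  printf '\n\nDefaultEncryption Never\n' >> /etc/cups/cupsd.conf
fi

# Samba exporter pipes: recreated on every start so a stale FIFO is never reused
pipe_permissions="660"
pipe_owner="root:samba-exporter"
for pipe_file in /run/samba_exporter.request.pipe /run/samba_exporter.response.pipe; do
  rm -f "$pipe_file"
  mkfifo "$pipe_file"
  chown "$pipe_owner" "$pipe_file"
  chmod "$pipe_permissions" "$pipe_file"
done

echo 'Restarting Samba using supervisord'
exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf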