samba-member/entrypoint.sh
Roman Vaníček 8bf39954d9
CUPS persistence
CUPS domain administrator permission
dcerpc as a separate service
2022-12-15 02:09:05 +01:00


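#!/bin/bash
# Entrypoint for the Samba domain-member container.
#
# On first start it joins the AD domain (adcli for the Kerberos keytab, then
# "net ads join" for the Samba secrets), renders /etc/krb5.conf,
# /etc/sssd/sssd.conf and /etc/samba/smb.conf from environment variables,
# starts sssd, wires winbind into nsswitch/PAM, prepares CUPS persistence and
# finally hands control to "$@" (the supervisord command of the image).
#
# Loosely based on https://github.com/fjudith/docker-samba-join-ad/tree/master/sssd
#
# Required environment: REALM, DOMAIN, ADMIN_ACCOUNT.
# ADMIN_PASSWORD_SECRET names a Docker secret under /run/secrets; it is only
# read while the container is not yet joined (no keytab / no secrets.tdb).
# Optional: NETBIOS_NAME (defaults to the short hostname), TZ, and the
# smb.conf template values ALLOW_DNS_UPDATES, BIND_INTERFACES_ONLY,
# DOMAIN_LOGONS, DOMAIN_MASTER, INTERFACES, LOG_LEVEL, SERVER_STRING,
# WINBIND_USE_DEFAULT_DOMAIN, WORKGROUP.

# Options belong in `set`, not in the shebang: "#!/bin/bash -e" is silently
# dropped when the script is started as "bash entrypoint.sh".
set -eo pipefail

readonly SECRETS_DIR=/run/secrets
readonly SAMBA_KEYTAB=/etc/samba/krb5.keytab
readonly SSSD_CONF=/etc/sssd/sssd.conf
readonly SMB_CONF=/etc/samba/smb.conf
readonly SMB_CONF_DIR=/etc/samba/conf.d
readonly SMB_TEMPLATE=/root/smb.conf.j2

#######################################
# Print a message to stderr and exit 1.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Upper-case stdin. Character classes instead of the unquoted [a-z]/[A-Z]
# globs of the original, which the shell expands against files in the cwd.
#######################################
to_upper() {
  tr '[:lower:]' '[:upper:]'
}

#######################################
# Load the domain administrator password from the Docker secret named by
# ADMIN_PASSWORD_SECRET into the (non-exported) shell variable ADMIN_PASSWORD.
# Exits with a diagnostic if the secret file is missing.
#######################################
read_admin_password() {
  local secret_file="$SECRETS_DIR/$ADMIN_PASSWORD_SECRET"
  if [[ ! -f "$secret_file" ]]; then
    # The original used single quotes here, so the secret name was never
    # expanded into the message.
    die "Cannot read secret $ADMIN_PASSWORD_SECRET in $SECRETS_DIR"
  fi
  # $(<file) strips trailing newlines exactly like $(cat file) did.
  ADMIN_PASSWORD=$(<"$secret_file")
}

#######################################
# Set the container timezone from TZ, only when /etc/timezone is absent.
#######################################
configure_timezone() {
  if [[ -f /etc/timezone || -z "$TZ" ]]; then
    return 0
  fi
  echo 'Set timezone'
  [[ -f "/usr/share/zoneinfo/$TZ" ]] || die "Unknown timezone: $TZ"
  cp -- "/usr/share/zoneinfo/$TZ" /etc/localtime
  printf '%s\n' "$TZ" >/etc/timezone
}

#######################################
# First-time Kerberos join via adcli; produces /etc/samba/krb5.keytab and
# links /etc/krb5.keytab to it.
#######################################
join_with_adcli() {
  if [[ ! -f "$SAMBA_KEYTAB" ]]; then
    read_admin_password
    rm -f "$SMB_CONF" /etc/krb5.conf
    # "realm join" needs --privileged to run /usr/sbin/adcli, which is hard
    # to grant in swarm. adcli is therefore called directly and krb5.conf /
    # sssd.conf are generated by this script instead.
    # The password goes over stdin (never argv); printf gives the same bytes
    # the original "echo $ADMIN_PASSWORD" produced, without word-splitting.
    printf '%s\n' "$ADMIN_PASSWORD" | /usr/sbin/adcli join --verbose \
      --domain "$DOMAIN" --domain-realm "$REALM" \
      --login-type user --login-user "$ADMIN_ACCOUNT" --stdin-password
    mv /etc/krb5.keytab /etc/samba/
    echo 'root = administrator' >/etc/samba/smbusers
  fi
  if [[ ! -L /etc/krb5.keytab ]]; then
    ln -s "$SAMBA_KEYTAB" /etc/krb5.keytab
  fi
}

#######################################
# Write a minimal /etc/krb5.conf naming the default realm.
#######################################
write_krb5_conf() {
  cat >/etc/krb5.conf <<EOF
[libdefaults]
default_realm = $REALM
EOF
}

#######################################
# Write /etc/sssd/sssd.conf for the AD provider and fix the Debian init
# script. sssd refuses to start unless the file is mode 0600, so it is
# created under a restrictive umask instead of being chmod'ed afterwards.
#######################################
write_sssd_conf() {
  (
    umask 077
    cat >"$SSSD_CONF" <<EOF
[sssd]
domains = $DOMAIN
config_file_version = 2
services = nss, pam

[domain/$DOMAIN]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = $REALM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = $DOMAIN
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
EOF
  )
  # Still enforce the mode in case the file pre-existed with other bits.
  chmod 600 "$SSSD_CONF"
  # The init script passes a non-existent -f option to sssd; drop it.
  sed -i 's:DAEMON_OPTS="-D -f":DAEMON_OPTS="-D":' /etc/default/sssd
}

#######################################
# Render /etc/samba/smb.conf from the template and append one "include ="
# line per /etc/samba/conf.d/*.conf.
# Values are substituted verbatim with sed; INTERFACES uses '+' as the
# delimiter because interface specs may contain ':'. A value containing its
# own delimiter would break the expression, as in the original — these
# values come from the deployer's environment, not from end users.
#######################################
render_smb_conf() {
  mkdir -p -m 700 "$SMB_CONF_DIR"
  sed -e "s:{{ ALLOW_DNS_UPDATES }}:$ALLOW_DNS_UPDATES:" \
    -e "s:{{ BIND_INTERFACES_ONLY }}:$BIND_INTERFACES_ONLY:" \
    -e "s:{{ DOMAIN_LOGONS }}:$DOMAIN_LOGONS:" \
    -e "s:{{ DOMAIN_MASTER }}:$DOMAIN_MASTER:" \
    -e "s+{{ INTERFACES }}+$INTERFACES+" \
    -e "s:{{ LOG_LEVEL }}:$LOG_LEVEL:" \
    -e "s:{{ NETBIOS_NAME }}:$NETBIOS_NAME:" \
    -e "s:{{ REALM }}:$REALM:" \
    -e "s:{{ SERVER_STRING }}:$SERVER_STRING:" \
    -e "s:{{ WINBIND_USE_DEFAULT_DOMAIN }}:$WINBIND_USE_DEFAULT_DOMAIN:" \
    -e "s:{{ WORKGROUP }}:$WORKGROUP:" \
    "$SMB_TEMPLATE" >"$SMB_CONF"
  local include
  # Glob instead of $(ls ...): no word-splitting, no "ls" error on an empty
  # directory. An unmatched glob leaves the literal pattern, hence the -e test.
  for include in "$SMB_CONF_DIR"/*.conf; do
    [[ -e "$include" ]] || continue
    printf 'include = %s\n' "$include" >>"$SMB_CONF"
  done
}

#######################################
# Restart sssd and fail if it does not come up. The config is echoed to the
# container log for debugging; it holds only realm/domain names, no secrets.
#######################################
start_sssd() {
  echo 'Starting: "sssd"'
  cat "$SSSD_CONF"
  timeout 30s /etc/init.d/sssd restart
  timeout 30s /etc/init.d/sssd status
}

#######################################
# Append winbind to the passwd/group/shadow "compat" lines of nsswitch.conf
# (idempotent: skipped once winbind is mentioned anywhere) and refresh PAM.
#######################################
configure_nsswitch() {
  echo 'Updating NSSwitch configuration: "/etc/nsswitch.conf"'
  if ! grep -q winbind /etc/nsswitch.conf; then
    local db
    for db in passwd group shadow; do
      sed -i "s#^\(${db}:\s*compat\)\s*\(.*\)\$#\1 \2 winbind#" /etc/nsswitch.conf
    done
  fi
  pam-auth-update
}

#######################################
# First-time Samba join via "net ads join"; skipped once secrets.tdb exists.
#######################################
join_with_net_ads() {
  if [[ -f /var/lib/samba/private/secrets.tdb ]]; then
    return 0
  fi
  read_admin_password
  echo 'Joining domain using net ads'
  mkdir -p /var/lib/samba/private /var/lib/samba/printerdrivers
  # The original passed -U"user%password": argv of a running process is
  # visible to every account in the container via ps / /proc. Samba's shared
  # credential parsing reads the password from the PASSWD environment
  # variable instead, which is only visible to that child process.
  PASSWD="$ADMIN_PASSWORD" net ads join -U "$ADMIN_ACCOUNT"
  # Shares are not visible otherwise.
  # NOTE(review): 0666 makes the share registry writable by every local
  # account; confirm which uid/gid the daemons run as and prefer a
  # group-based mode if one works.
  chmod 666 /var/lib/samba/share_info.tdb
}

#######################################
# Add a user to the local lpadmin group by editing /etc/group directly (the
# account is a domain user, so usermod/gpasswd cannot be used).
# Idempotent: a user already listed is not added again, and an empty member
# list does not get a dangling comma — the original sed did both on every
# container restart, growing the line each time.
# Arguments: $1 - account name
#######################################
add_to_lpadmin() {
  local user=$1
  [[ -n "$user" ]] || return 0
  local members
  members=$(awk -F: '$1 == "lpadmin" { print $4 }' /etc/group)
  case ",$members," in
    *",$user,"*) return 0 ;;
  esac
  if [[ -z "$members" ]]; then
    sed -i -E "s#^(lpadmin:x:[0-9]+:)\$#\1$user#" /etc/group
  else
    sed -i -E "s#^(lpadmin:x:[0-9]+:)(.+)\$#\1$user,\2#" /etc/group
  fi
}

#######################################
# CUPS persistence directories and the domain administrator's lpadmin role.
#######################################
configure_cups() {
  mkdir -p /etc/cups-persist/ppd
  touch /etc/cups-persist/printers.conf
  add_to_lpadmin "$ADMIN_ACCOUNT"
}

main() {
  [[ -n "$REALM" ]] || die 'REALM must be set'
  [[ -n "$DOMAIN" ]] || die 'DOMAIN must be set'
  [[ -n "$ADMIN_ACCOUNT" ]] || die 'ADMIN_ACCOUNT must be set'

  if [[ -z "$NETBIOS_NAME" ]]; then
    NETBIOS_NAME=$(hostname -s | to_upper)
  else
    NETBIOS_NAME=$(printf '%s\n' "$NETBIOS_NAME" | to_upper)
  fi
  REALM=$(printf '%s\n' "$REALM" | to_upper)

  configure_timezone
  join_with_adcli
  write_krb5_conf
  write_sssd_conf
  render_smb_conf
  start_sssd
  configure_nsswitch
  join_with_net_ads
  configure_cups

  # The image's init scripts are stopped so supervisord (passed as "$@") can
  # own the daemons.
  echo 'Restarting Samba using supervisord'
  /etc/init.d/winbind stop
  /etc/init.d/nmbd stop
  /etc/init.d/smbd stop
  exec "$@"
}

main "$@"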