Roman Vanicek
aa74eb46e6
All checks were successful
continuous-integration/drone/push Build is passing
198 lines
6.7 KiB
Bash
198 lines
6.7 KiB
Bash
#!/bin/bash -e
|
|
|
|
# Loosely based on https://github.com/fjudith/docker-samba-join-ad/tree/master/sssd
|
|
|
|
if [ -z "$NETBIOS_NAME" ]; then
|
|
NETBIOS_NAME=$(hostname -s | tr [a-z] [A-Z])
|
|
else
|
|
NETBIOS_NAME=$(echo $NETBIOS_NAME | tr [a-z] [A-Z])
|
|
fi
|
|
REALM=$(echo "$REALM" | tr [a-z] [A-Z])
|
|
DOMAIN=$(echo "$REALM" | tr [A-Z] [a-z])
|
|
|
|
if [ ! -f /etc/timezone ] && [ ! -z "$TZ" ]; then
|
|
echo 'Set timezone'
|
|
rm /etc/localtime
|
|
cp /usr/share/zoneinfo/$TZ /etc/localtime
|
|
echo $TZ >/etc/timezone
|
|
fi
|
|
|
|
# Clustering
|
|
if [ -z "$CLUSTER_NODE_NAMES" ]; then
|
|
export CTDB_ENABLED=false
|
|
ETC_DIR=/etc/samba
|
|
PRINTERDRIVERS_DIR=/var/lib/samba/printerdrivers
|
|
mkdir -p "$PRINTERDRIVERS_DIR"
|
|
else
|
|
if [ -z "$CLUSTER_NAME" ]; then
|
|
echo 'The cluster DNS name CLUSTER_NAME must be provided'
|
|
exit 1
|
|
fi
|
|
if [ -z "$CLUSTER_SYSDIR_SHARED" ]; then
|
|
echo 'System persistent directory shared across the cluster CLUSTER_SYSDIR_SHARED must be provided'
|
|
exit 1
|
|
fi
|
|
if [ -z "$CLUSTER_SYSDIR_LOCAL" ]; then
|
|
echo 'System persistent directory local to the node CLUSTER_SYSDIR_LOCAL must be provided'
|
|
exit 1
|
|
fi
|
|
echo "Starting as a cluster"
|
|
rm -f /etc/ctdb/ctdb.conf
|
|
# For CTDB variables see https://ctdb.samba.org/manpages/ctdb.conf.5.html
|
|
export CTDB_ENABLED=true
|
|
echo [cluster] >> /etc/ctdb/ctdb.conf
|
|
echo 'nodes list = !/usr/bin/bash /resolveNodes.sh '"$CLUSTER_NODE_NAMES" >> /etc/ctdb/ctdb.conf
|
|
mkdir -p "$CLUSTER_SYSDIR_SHARED/ctdb"
|
|
mkdir -p "$CLUSTER_SYSDIR_SHARED/etc"
|
|
mkdir -p "$CLUSTER_SYSDIR_SHARED/cups"
|
|
ln -s "$CLUSTER_SYSDIR_SHARED/cups" /etc/cups-persist
|
|
mkdir -p "$CLUSTER_SYSDIR_SHARED/printerdrivers"
|
|
# Locking seems broken on objectivefs
|
|
#echo cluster lock = $CLUSTER_SYSDIR_SHARED/ctdb/ctdb.lock >> /etc/ctdb/ctdb.conf
|
|
ETC_DIR=$CLUSTER_SYSDIR_SHARED/etc
|
|
PRINTERDRIVERS_DIR=$CLUSTER_SYSDIR_SHARED/printerdrivers
|
|
|
|
mkdir -p "$CLUSTER_SYSDIR_LOCAL/ctdb"
|
|
echo [database] >> /etc/ctdb/ctdb.conf
|
|
echo persistent database directory = $CLUSTER_SYSDIR_LOCAL/ctdb >> /etc/ctdb/ctdb.conf
|
|
|
|
# We do not have enough privileges in a container for setting scheduling
|
|
echo [legacy] >> /etc/ctdb/ctdb.conf
|
|
echo realtime scheduling = false >> /etc/ctdb/ctdb.conf
|
|
|
|
NETBIOS_NAME=$CLUSTER_NAME
|
|
|
|
mkdir -p /run/ctdb
|
|
fi
|
|
|
|
if [ ! -f "$ETC_DIR/krb5.keytab" ]; then
|
|
if [ ! -f /run/secrets/$ADMIN_PASSWORD_SECRET ]; then
|
|
echo 'Cannot read secret $ADMIN_PASSWORD_SECRET in /run/secrets'
|
|
exit 1
|
|
fi
|
|
ADMIN_PASSWORD=$(cat /run/secrets/$ADMIN_PASSWORD_SECRET)
|
|
|
|
rm -f "$ETC_DIR/smb.conf" /etc/krb5.conf
|
|
|
|
if [ "$CTDB_ENABLED" = "true" ]; then
|
|
PREV_HOSTNAME=`hostname`
|
|
hostname -b "$CLUSTER_NAME.$DOMAIN"
|
|
fi
|
|
# realm join is broken as it requires --privileged but difficult to add for swarm
|
|
# so it can execute /usr/sbin/adcli. Therefore we execute it directly and create
|
|
# the /etc/krb5.conf and /etc/sssd/sssd.conf manually
|
|
# echo $ADMIN_PASSWORD|realm join -v $REALM --user=$ADMIN_ACCOUNT
|
|
echo $ADMIN_PASSWORD|/usr/sbin/adcli join --verbose --domain $DOMAIN --domain-realm $REALM --login-type user --login-user $ADMIN_ACCOUNT --stdin-password
|
|
if [ "$CTDB_ENABLED" = "true" ]; then
|
|
hostname -b "$PREV_HOSTNAME"
|
|
fi
|
|
mv /etc/krb5.keytab "$ETC_DIR/"
|
|
fi
|
|
|
|
if [ ! -L /etc/krb5.keytab ]; then
|
|
ln -s "$ETC_DIR/krb5.keytab" /etc/krb5.keytab
|
|
fi
|
|
|
|
echo -e "[libdefaults]\ndefault_realm = $REALM\ndns_lookup_realm = false\ndns_lookup_kdc = true" > /etc/krb5.conf
|
|
|
|
mkdir -p -m 700 "$ETC_DIR/conf.d"
|
|
for file in /etc/samba/smb.conf; do
|
|
sed -e "s:{{ ALLOW_DNS_UPDATES }}:$ALLOW_DNS_UPDATES:" \
|
|
-e "s:{{ BIND_INTERFACES_ONLY }}:$BIND_INTERFACES_ONLY:" \
|
|
-e "s+{{ INTERFACES }}+$INTERFACES+" \
|
|
-e "s:{{ LOG_LEVEL }}:$LOG_LEVEL:" \
|
|
-e "s:{{ NETBIOS_NAME }}:$NETBIOS_NAME:" \
|
|
-e "s:{{ REALM }}:$REALM:" \
|
|
-e "s:{{ KEYTAB_PATH }}:$ETC_DIR/krb5.keytab:" \
|
|
-e "s:{{ PRINTERDRIVERS_DIR }}:$PRINTERDRIVERS_DIR:" \
|
|
-e "s:{{ SERVER_STRING }}:$SERVER_STRING:" \
|
|
-e "s:{{ WINBIND_USE_DEFAULT_DOMAIN }}:$WINBIND_USE_DEFAULT_DOMAIN:" \
|
|
-e "s:{{ WORKGROUP }}:$WORKGROUP:" \
|
|
/root/$(basename $file).j2 > $file
|
|
done
|
|
for file in "$ETC_DIR"/conf.d/*.conf; do
|
|
echo "include = $file" >> /etc/samba/smb.conf
|
|
done
|
|
if [ "$CTDB_ENABLED" = "true" ]; then
|
|
echo "clustering = yes" >> /etc/samba/smb.conf
|
|
echo "ctdbd socket = /run/ctdb/ctdbd.socket" >> /etc/samba/smb.conf
|
|
fi
|
|
|
|
#echo "Activating home directory auto-creation"
|
|
#echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0022" | tee -a /etc/pam.d/common-session
|
|
|
|
# Join
|
|
REAL_REALM=$(net ads info 2>/dev/null | awk -F': ' '/Realm/ {print $2; exit}')
|
|
if [ -z "$REAL_REALM" ]; then
|
|
if [ ! -f /run/secrets/$ADMIN_PASSWORD_SECRET ]; then
|
|
echo 'Cannot read secret $ADMIN_PASSWORD_SECRET in /run/secrets'
|
|
exit 1
|
|
fi
|
|
ADMIN_PASSWORD=$(cat /run/secrets/$ADMIN_PASSWORD_SECRET)
|
|
|
|
echo "Joining domain using net ads"
|
|
mkdir -p /var/lib/samba/private
|
|
|
|
# Join
|
|
if [ "$CTDB_ENABLED" = "true" ]; then
|
|
/usr/sbin/ctdbd --interactive &
|
|
CTDB_PID=$!
|
|
sleep 30
|
|
fi
|
|
net ads join --no-dns-updates -U"$ADMIN_ACCOUNT"%"$ADMIN_PASSWORD"
|
|
if [ "$CTDB_ENABLED" = "true" ]; then
|
|
kill $CTDB_PID
|
|
fi
|
|
|
|
((/usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf -j /tmp/sp.pid)&)
|
|
sleep 30
|
|
|
|
# Allow adding printer drivers for Administrator
|
|
# Note: These commands require running winbind that resolves the group name and dcerpcd that accesses printers list
|
|
rpcclient -P -c enumprinters 127.0.0.1
|
|
chgrp -R "Domain Admins" "$PRINTERDRIVERS_DIR"
|
|
chmod -R 775 "$PRINTERDRIVERS_DIR"
|
|
setfacl -R -m "d:g:Domain Admins:rwx" "$PRINTERDRIVERS_DIR"
|
|
|
|
# HACK: In Samba 4.16 and above shares are not visible otherwise
|
|
if [ "$CTDB_ENABLED" = "false" ]; then
|
|
smbclient -L 127.0.0.1 -P
|
|
chmod 666 /var/lib/samba/share_info.tdb
|
|
fi
|
|
|
|
kill `cat /tmp/sp.pid`
|
|
fi
|
|
|
|
# CUPS persistence and permissions
|
|
mkdir -p /etc/cups-persist/ppd
|
|
touch /etc/cups-persist/printers.conf
|
|
sed -i -E "s:^(lpadmin\:x\:[0-9]+\:)(.*)$:\1$ADMIN_ACCOUNT\,\2:" /etc/group
|
|
sed -i -E "s:^(lpadmin\:x\:[0-9]+\:)(.*)$:\1$ADMIN_ACCOUNT\,\2:" /etc/group
|
|
|
|
if [ -z "$CUPS_TRUSTED_PROXY" ]; then
|
|
sed -E -i "s:(Order allow\,deny):\1\n Allow all:" /etc/cups/cupsd.conf
|
|
else
|
|
sed -E -i "s:(Order allow\,deny):\1\n Allow $CUPS_TRUSTED_PROXY:" /etc/cups/cupsd.conf
|
|
echo -e "\n" >> /etc/cups/cupsd.conf
|
|
echo "DefaultEncryption Never" >> /etc/cups/cupsd.conf
|
|
fi
|
|
|
|
# Samba exporter pipes
|
|
pipe_permissions="660"
|
|
pipe_owner="root:samba-exporter"
|
|
request_pipe_file="/run/samba_exporter.request.pipe"
|
|
response_pipe_file="/run/samba_exporter.response.pipe"
|
|
|
|
rm -f "$request_pipe_file"
|
|
mkfifo "$request_pipe_file"
|
|
chown "$pipe_owner" "$request_pipe_file"
|
|
chmod "$pipe_permissions" "$request_pipe_file"
|
|
|
|
rm -f "$response_pipe_file"
|
|
mkfifo "$response_pipe_file"
|
|
chown "$pipe_owner" "$response_pipe_file"
|
|
chmod "$pipe_permissions" "$response_pipe_file"
|
|
|
|
echo 'Restarting Samba using supervisord'
|
|
exec "$@"
|