-
Notifications
You must be signed in to change notification settings - Fork 128
/
Copy pathinit.sh
executable file
·192 lines (177 loc) · 7.02 KB
/
init.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
#!/bin/bash
set -e
appSetup () {
# Set variables
DOMAIN=${DOMAIN:-SAMDOM.LOCAL}
DOMAINPASS=${DOMAINPASS:-youshouldsetapassword^123}
JOIN=${JOIN:-false}
JOINSITE=${JOINSITE:-NONE}
MULTISITE=${MULTISITE:-false}
NOCOMPLEXITY=${NOCOMPLEXITY:-false}
INSECURELDAP=${INSECURELDAP:-false}
DNSFORWARDER=${DNSFORWARDER:-NONE}
HOSTIP=${HOSTIP:-NONE}
RPCPORTS=${RPCPORTS:-"49152-49172"}
DOMAIN_DC=${DOMAIN_DC:-${DOMAIN_DC}}
LDOMAIN=${DOMAIN,,}
UDOMAIN=${DOMAIN^^}
URDOMAIN=${UDOMAIN%%.*}
# If multi-site, we need to connect to the VPN before joining the domain
if [[ ${MULTISITE,,} == "true" ]]; then
/usr/sbin/openvpn --config /docker.ovpn &
VPNPID=$!
echo "Sleeping 30s to ensure VPN connects ($VPNPID)";
sleep 30
fi
# Set host ip option
if [[ "$HOSTIP" != "NONE" ]]; then
HOSTIP_OPTION="--host-ip=$HOSTIP"
else
HOSTIP_OPTION=""
fi
# Set up samba
mv /etc/krb5.conf /etc/krb5.conf.orig
echo "[libdefaults]" > /etc/krb5.conf
echo " dns_lookup_realm = false" >> /etc/krb5.conf
echo " dns_lookup_kdc = true" >> /etc/krb5.conf
echo " default_realm = ${UDOMAIN}" >> /etc/krb5.conf
# If the finished file isn't there, this is brand new, we're not just moving to a new container
FIRSTRUN=false
if [[ ! -f /etc/samba/external/smb.conf ]]; then
FIRSTRUN=true
mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
if [[ ${JOIN,,} == "true" ]]; then
if [[ ${JOINSITE} == "NONE" ]]; then
samba-tool domain join ${LDOMAIN} DC -U"${URDOMAIN}\administrator" --password="${DOMAINPASS}" --dns-backend=SAMBA_INTERNAL
else
samba-tool domain join ${LDOMAIN} DC -U"${URDOMAIN}\administrator" --password="${DOMAINPASS}" --dns-backend=SAMBA_INTERNAL --site=${JOINSITE}
fi
else
samba-tool domain provision --use-rfc2307 --domain=${URDOMAIN} --realm=${UDOMAIN} --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=${DOMAINPASS} ${HOSTIP_OPTION}
if [[ ${NOCOMPLEXITY,,} == "true" ]]; then
samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --history-length=0
samba-tool domain passwordsettings set --min-pwd-age=0
samba-tool domain passwordsettings set --max-pwd-age=0
fi
fi
sed -i "/\[global\]/a \
\\\tidmap_ldb:use rfc2307 = yes\\n\
wins support = yes\\n\
template shell = /bin/bash\\n\
template homedir = /home/%U\\n\
idmap config ${URDOMAIN} : schema_mode = rfc2307\\n\
idmap config ${URDOMAIN} : unix_nss_info = yes\\n\
idmap config ${URDOMAIN} : backend = ad\\n\
rpc server dynamic port range = ${RPCPORTS}\
" /etc/samba/smb.conf
sed -i "s/LOCALDC/${URDOMAIN}DC/g" /etc/samba/smb.conf
if [[ $DNSFORWARDER != "NONE" ]]; then
sed -i "/dns forwarder/d" /etc/samba/smb.conf
sed -i "/\[global\]/a \
\\\tdns forwarder = ${DNSFORWARDER}\
" /etc/samba/smb.conf
fi
if [[ ${INSECURELDAP,,} == "true" ]]; then
sed -i "/\[global\]/a \
\\\tldap server require strong auth = no\
" /etc/samba/smb.conf
fi
# Once we are set up, we'll make a file so that we know to use it if we ever spin this up again
cp -f /etc/samba/smb.conf /etc/samba/external/smb.conf
else
cp -f /etc/samba/external/smb.conf /etc/samba/smb.conf
fi
# Set up supervisor
echo "[supervisord]" > /etc/supervisor/conf.d/supervisord.conf
echo "nodaemon=true" >> /etc/supervisor/conf.d/supervisord.conf
echo "" >> /etc/supervisor/conf.d/supervisord.conf
echo "[program:ntpd]" >> /etc/supervisor/conf.d/supervisord.conf
echo "command=/usr/sbin/ntpd -c /etc/ntpd.conf -n" >> /etc/supervisor/conf.d/supervisord.conf
echo "[program:samba]" >> /etc/supervisor/conf.d/supervisord.conf
echo "command=/usr/sbin/samba -i" >> /etc/supervisor/conf.d/supervisord.conf
if [[ ${MULTISITE,,} == "true" ]]; then
if [[ -n $VPNPID ]]; then
kill $VPNPID
fi
echo "" >> /etc/supervisor/conf.d/supervisord.conf
echo "[program:openvpn]" >> /etc/supervisor/conf.d/supervisord.conf
echo "command=/usr/sbin/openvpn --config /docker.ovpn" >> /etc/supervisor/conf.d/supervisord.conf
fi
echo "server 127.127.1.0" > /etc/ntpd.conf
echo "fudge 127.127.1.0 stratum 10" >> /etc/ntpd.conf
echo "server 0.pool.ntp.org iburst prefer" >> /etc/ntpd.conf
echo "server 1.pool.ntp.org iburst prefer" >> /etc/ntpd.conf
echo "server 2.pool.ntp.org iburst prefer" >> /etc/ntpd.conf
echo "driftfile /var/lib/ntp/ntp.drift" >> /etc/ntpd.conf
echo "logfile /var/log/ntp" >> /etc/ntpd.conf
echo "ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/" >> /etc/ntpd.conf
echo "restrict default kod nomodify notrap nopeer mssntp" >> /etc/ntpd.conf
echo "restrict 127.0.0.1" >> /etc/ntpd.conf
echo "restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery" >> /etc/ntpd.conf
echo "restrict 1.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery" >> /etc/ntpd.conf
echo "restrict 2.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery" >> /etc/ntpd.conf
echo "tinker panic 0" >> /etc/ntpd.conf
appStart ${FIRSTRUN}
}
fixDomainUsersGroup () {
GIDNUMBER=$(ldbedit -H /var/lib/samba/private/sam.ldb -e cat "samaccountname=domain users" | { grep ^gidNumber: || true; })
if [ -z "${GIDNUMBER}" ]; then
echo "dn: CN=Domain Users,CN=Users,${DOMAIN_DC}
changetype: modify
add: gidNumber
gidNumber: 3000000" | ldbmodify -H /var/lib/samba/private/sam.ldb
net cache flush
fi
}
setupSSH () {
echo "dn: CN=sshPublicKey,CN=Schema,CN=Configuration,${DOMAIN_DC}
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.24552.500.1.1.1.13
cn: sshPublicKey
name: sshPublicKey
lDAPDisplayName: sshPublicKey
description: MANDATORY: OpenSSH Public key
attributeSyntax: 2.5.5.10
oMSyntax: 4
isSingleValued: FALSE
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,${DOMAIN_DC}
searchFlags: 8
schemaIDGUID:: cjDAZyEXzU+/akI0EGDW+g==" > /tmp/Sshpubkey.attr.ldif
echo "dn: CN=ldapPublicKey,CN=Schema,CN=Configuration,${DOMAIN_DC}
changetype: add
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.24552.500.1.1.2.0
cn: ldapPublicKey
name: ldapPublicKey
description: MANDATORY: OpenSSH LPK objectclass
lDAPDisplayName: ldapPublicKey
subClassOf: top
objectClassCategory: 3
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,${DOMAIN_DC}
defaultObjectCategory: CN=ldapPublicKey,CN=Schema,CN=Configuration,${DOMAIN_DC}
mayContain: sshPublicKey
schemaIDGUID:: +8nFQ43rpkWTOgbCCcSkqA==" > /tmp/Sshpubkey.class.ldif
ldbadd -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/sam.ldb /tmp/Sshpubkey.attr.ldif --option="dsdb:schema update allowed"=true
ldbadd -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/sam.ldb /tmp/Sshpubkey.class.ldif --option="dsdb:schema update allowed"=true
}
appStart () {
/usr/bin/supervisord > /var/log/supervisor/supervisor.log 2>&1 &
if [ "${1}" = "true" ]; then
echo "Sleeping 10 before checking on Domain Users of gid 3000000 and setting up sshPublicKey"
sleep 10
fixDomainUsersGroup
setupSSH
fi
while [ ! -f /var/log/supervisor/supervisor.log ]; do
echo "Waiting for log files..."
sleep 1
done
sleep 3
tail -F /var/log/supervisor/*.log
}
appSetup
exit 0