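#!/usr/bin/env bash
# Autor: John Llewelyn
# Description: Install Samba Active Directory mode, Bind9_DLZ Domain Controller DNS Backend.
#
# Interactive provisioning script for a Debian/Ubuntu host: it asks for the
# host and network details, then configures hostname and /etc/hosts, provisions
# the Samba AD DC, links krb5.conf, tunes smb.conf, wires winbind into NSS/PAM,
# configures BIND9 with the BIND9_DLZ backend, chrony with NTP signing, creates
# a self-signed TLS certificate for LDAPS and finally creates a dhcpd service
# account with an exported keytab. Every step writes to system files and
# restarts services; there is no dry-run mode. Must run as root.
#
# Fixes relative to the original paste (behaviour otherwise preserved):
#  * `sudo -i` only opened an interactive shell; the rest of the script then ran
#    as the calling user. The script now re-executes itself under sudo.
#  * `${reverse.in-addr.arpa.}` is a bad substitution that aborts bash before
#    the confirmation prompt.
#  * Several sed scripts had ${workgroup}/${ipaddress} inside single quotes, so
#    the literal text "${workgroup}" was written to smb.conf.
#  * `set -x` traced the AD admin password on the provision command line.
#  * `mv keys.keytab ...` ran before the keytab had been exported.
#  * The `bash -c "echo -e '...${var}...' >> file"` pattern re-parsed the
#    prompted values as shell code; plain redirections are used instead.

set -euo pipefail

readonly SMB_CONF=/etc/samba/smb.conf
readonly SAMBA_PRIVATE=/var/lib/samba/private
readonly NAMED_OPTIONS=/etc/bind/named.conf.options
readonly NAMED_LOCAL=/etc/bind/named.conf.local
readonly CHRONY_CONF=/etc/chrony/chrony.conf

#######################################
# Print an error to stderr and exit 1.
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Prompt until a non-empty answer is given.
# Arguments: $1 - name of the variable to set (nameref, bash >= 4.3)
#            $2 - prompt text
#            $3 - "secret" to suppress echo (passwords)
# Outputs:   prompt on the terminal
#######################################
ask() {
  local -n _out=$1
  local prompt=$2 secret=${3:-}
  local value=
  while [[ -z "$value" ]]; do
    clear 2>/dev/null || true
    if [[ "$secret" == secret ]]; then
      read -rsp "$prompt" value
      printf '\n'
    else
      read -rp "$prompt" value
    fi
  done
  _out=$value
}

#######################################
# Append stdin verbatim to the file named in $1.
# Replaces the `bash -c "echo -e '...' >> file"` pattern; the script already
# runs as root, so no extra shell is needed and user input is never re-parsed.
#######################################
append() {
  cat >> "$1"
}

#######################################
# Insert text after every smb.conf line matching a basic regex.
# Arguments: $1 - sed basic regex (must not contain '/')
#            $2 - text for the sed "a" command; GNU sed expands \n and \t in it
# Why sed and not a heredoc: the settings have to land inside [global], before
# the [netlogon]/[sysvol] sections that `samba-tool domain provision` writes.
#######################################
smb_add_after() {
  sed -i "/$1/a $2" "$SMB_CONF"
}

#######################################
# Ask for every value the later steps need and confirm them.
# Globals (written): hostname domain workgroup network broadcast ipaddress gw
#                    reverse forwarders password realm
# Note: gw and forwarders are read for parity with the original prompts but
# only used in commented-out lines below.
#######################################
gather_input() {
  ask hostname   'Enter the host name, example [server]: '
  ask domain     'Enter the domain name, example [example.com]: '
  ask workgroup  'Enter the workgroup name, example [SANDOM]: '
  ask network    'Enter the address of your network, example [192.168.1.0/24]: '
  ask broadcast  'Enter the broadcast address of your network, example [192.168.1.255]: '
  ask ipaddress  'Enter the local IP address, example [192.168.1.2]: '
  ask gw         'Enter the IP address of your gateway, example [192.168.1.1]: '
  ask reverse    'Enter the reverse address of your local network, example [1.168.192]: '
  ask forwarders 'Enter the forwarder DNS addresses for your AD DC, example [8.8.8.8; 8.8.4.4;]: '
  ask password   'Enter the password for AD-DC: ' secret
  # Kerberos realms are upper-case and case-sensitive; derive once, use everywhere.
  realm=${domain^^}

  clear 2>/dev/null || true
  printf '%s %s\n' \
    'the name of your host is:'            "$hostname" \
    'the domain name is:'                  "$domain" \
    'the name of your work group is:'      "$workgroup" \
    'the scheme of your network is:'       "$network" \
    'the broadcast of your network is:'    "$broadcast" \
    'the ip address of your AD DC is:'     "$ipaddress" \
    'the ip address of your gateway is:'   "$gw" \
    'the reverse address of your domain is:' "${reverse}.in-addr.arpa." \
    'the forwarding DNS addresses are:'    "$forwarders"
  read -rp 'Are you sure that this information entered is correct? y/n ' -n 1 REPLY
  printf '\n'
  [[ "$REPLY" =~ ^[Yy]$ ]] || exit 1
  clear 2>/dev/null || true
}

#######################################
# Install packages non-interactively.
# NOTE(review): this is essentially a Samba build-dependency list; samba,
# bind9 and winbind themselves are not in it. The apparmor section below
# talks about a "source installation", so they are assumed to be present
# already — confirm on the target host (a check follows the install).
#######################################
install_packages() {
  export DEBIAN_FRONTEND=noninteractive
  local -a pkgs=(
    acl apt-utils attr autoconf bind9utils binutils bison build-essential
    ccache chrpath chrony curl debhelper dnsutils docbook-xml docbook-xsl
    flex gcc gdb git glusterfs-common gzip heimdal-multidev hostname htop
    krb5-config krb5-kdc krb5-user language-pack-en lcov libacl1-dev
    libarchive-dev libattr1-dev libavahi-common-dev libblkid-dev libbsd-dev
    libcap-dev libcephfs-dev libcups2-dev libdbus-1-dev libglib2.0-dev
    libgnutls28-dev libgpgme11-dev libicu-dev libjansson-dev libjs-jquery
    libjson-perl libkrb5-dev libldap2-dev liblmdb-dev libncurses5-dev
    libpam0g-dev libparse-yapp-perl libpcap-dev libpopt-dev libreadline-dev
    libsystemd-dev libtasn1-bin libtasn1-dev libunwind-dev lmdb-utils locales
    lsb-release make mawk mingw-w64 patch perl perl-modules pkg-config procps
    psmisc python3 python3-cryptography python3-dbg python3-dev
    python3-dnspython python3-gpg python3-iso8601 python3-markdown
    python3-matplotlib python3-pexpect python3-pyasn1 python3-setproctitle
    rng-tools rsync sed sudo tar tree uuid-dev wget xfslibs-dev xsltproc
    zlib1g-dev
  )
  apt-get -y update
  apt-get -y install "${pkgs[@]}"
  apt-get -y autoremove
  apt-get -y autoclean
  apt-get -y clean

  # Fail early instead of half-way through the DC promotion.
  local cmd
  for cmd in samba-tool named rndc-confgen openssl hostnamectl; do
    command -v "$cmd" >/dev/null || die "required command not found: $cmd"
  done
}

#######################################
# Hostname, resolver, /etc/hosts and ACL support on the root filesystem.
# Globals (read): hostname domain ipaddress
#######################################
configure_host() {
  hostnamectl set-hostname "$hostname"
  # Make the DC its own resolver. NOTE(review): the resolvconf package is not
  # in the install list; this path only exists where it is installed.
  chmod 644 /etc/resolvconf/resolv.conf.d/tail
  append /etc/resolvconf/resolv.conf.d/tail <<EOF
nameserver ${ipaddress}
search ${domain}
EOF
  # The DC's own name must map to its LAN address (not 127.0.1.1) so the
  # addresses registered in DNS are reachable by clients.
  append /etc/hosts <<EOF
${ipaddress} ${hostname} ${hostname}.${domain}
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
EOF
  # Add acl (needed for NT ACLs on the sysvol share) to the ext4 root entry;
  # a backup of fstab is kept as fstab.old.
  sed -i.old -r "/[ \t]\/[ \t]/{s/(ext4[\t ]*)([^\t ]*)/\1\2,acl,barrier=1/}" /etc/fstab
  mount -a -o remount,rw /
  resolvconf -u
}

#######################################
# Wipe any previous Samba state and provision the domain (DC promo).
# Globals (read): realm workgroup password
#######################################
provision_domain() {
  # Units may not all exist on every release; a failed stop/disable is not fatal.
  systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service || true
  systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service || true
  systemctl unmask samba-ad-dc
  rm -f "$SMB_CONF"
  local dir
  for dir in /var/run/samba /var/lib/samba /var/cache/samba "$SAMBA_PRIVATE"; do
    rm -f -- "$dir"/*.tdb "$dir"/*.ldb
  done

  # Keep the admin password out of the xtrace output. It is still visible in
  # the process argument list while samba-tool runs (no stdin option for
  # --adminpass as far as I can tell), so run this on a host you control.
  { set +x; } 2>/dev/null
  samba-tool domain provision --server-role=dc --use-rfc2307 \
    --dns-backend=BIND9_DLZ --realm="$realm" --domain="$workgroup" \
    --function-level=2003 --adminpass="$password"
  set -x

  # Use the krb5.conf generated by provision; rdns=no avoids reverse-lookup
  # canonicalisation of KDC names.
  rm -f /etc/krb5.conf
  ln -sf "$SAMBA_PRIVATE/krb5.conf" /etc/krb5.conf
  sed -i "/dns_lookup_kdc = true/a \ rdns = no" "$SAMBA_PRIVATE/krb5.conf"
}

#######################################
# Tune the [global] section of the provisioned smb.conf.
# Globals (read): workgroup ipaddress
#######################################
configure_smb() {
  smb_add_after 'global' 'security = auto'
  smb_add_after 'security = auto' 'allow dns updates = secure only'
  # BIND9_DLZ: the internal DNS server stays off.
  sed -ri 's/server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate/server services = -dns/g' "$SMB_CONF"
  smb_add_after "workgroup = ${workgroup}" "# dns forwarder = ${ipaddress}"
  smb_add_after 'dns forwarder =' '# interfaces = '
  smb_add_after 'interfaces =' '# bind interfaces only = yes'
  # idmap: tdb for BUILTIN, the AD (rfc2307) backend for the domain itself.
  smb_add_after 'idmap_ldb:use rfc2307 = yes' "# Default idmap config for local BUILTIN accounts and groups\n\t idmap config * : backend = tdb\n\t idmap config * : range = 3000-7999\n\t # idmap config for the ${workgroup} domain\n\t idmap config ${workgroup}:backend = ad\n\t idmap config ${workgroup}:schema_mode = rfc2307\n\t idmap config ${workgroup}:range = 10000-999999\n\t idmap config ${workgroup}: unix_nss_info = yes\n\t idmap config ${workgroup}: unix_primary_group = yes"
  smb_add_after 'unix_primary_group =' '# Template settings for login shell and home directory\n\t template shell = /bin/bash\n\t template homedir = /home/%U'
  smb_add_after 'template homedir' 'winbind enum users = yes\n winbind enum groups = yes\n winbind use default domain = yes\n winbind offline logon = no\n winbind cache time = 300\n winbind nss info = rfc2307'
  smb_add_after 'winbind nss info =' 'server signing = auto\n# server role check:inhibit = yes\n# dsdb:schema update allowed = yes\n# drs:max object sync = 1200\n# kernel share modes = yes\n# client use spnego = yes\n# client NTLMv2 auth = yes\n# client min protocol = SMB2\n# client max protocol = SMB3\n# server min protocol = SMB2\n# server max protocol = SMB3\n restrict anonymous = 2\n map to guest = Never'
  smb_add_after 'map to guest' 'log level = 3'
  smb_add_after 'log level' 'log file = /var/log/samba/samba.log'
  smb_add_after 'log file' 'max log size = 100000'
  # Relative tls paths resolve under the Samba private dir; the files are
  # generated by create_tls_cert below.
  smb_add_after 'max log size' '# Configuring LDAP over SSL (LDAPS)\ntls enabled = yes\ntls keyfile = tls/samba.key\ntls certfile = tls/samba.crt\ntls cafile = '
  smb_add_after 'tls cafile' '# printing = CUPS'
  smb_add_after 'printing =' '# include = /etc/samba/shares.conf\n# include = /etc/samba/profiles.conf\n# include = /etc/samba/printers.conf'
  # Incomplete 1 line is missing.
}

#######################################
# Write the share definition files. They are only picked up once the
# "# include = ..." lines added to smb.conf above are uncommented.
#######################################
configure_shares() {
  # Roaming Windows User Profiles
  append /etc/samba/profiles.conf <<'EOF'
[profiles]
 comment = Users profiles
 path = /srv/samba/profiles/
 browseable = No
 read only = No
 force create mode = 0600
 force directory mode = 0700
 csc policy = disable
 store dos attributes = yes
 vfs objects = acl_xattr
EOF
  mkdir -p /srv/samba/profiles/
  # chgrp -R "Domain Users" /srv/samba/profiles/
  chmod 1750 /srv/samba/profiles/

  # Creating /etc/samba/shares.conf
  append /etc/samba/shares.conf <<'EOF'
[homes]
 comment = Directorios de usuario
 path = /home/%S
 read only = no
 browseable = no
 create mask = 0611
 directory mask = 0711
 vfs objects = acl_xattr full_audit
 full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
 full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
EOF

  # Creating /etc/samba/printers.conf
  append /etc/samba/printers.conf <<'EOF'
[printers]
 path = /var/spool/samba/
 printable = yes
EOF
  mkdir -p /var/spool/samba/
  chmod 1777 /var/spool/samba/
  # smbcontrol all reload-config
}

#######################################
# Point NSS and PAM at winbind.
# The passwd/group regexes tolerate the column padding Debian uses in
# nsswitch.conf; the original single-space patterns silently matched nothing.
#######################################
configure_nss_pam() {
  sed -ri 's/^(passwd:[[:space:]]+compat) systemd/\1 winbind/' /etc/nsswitch.conf
  sed -ri 's/^(group:[[:space:]]+compat) systemd/\1 winbind/' /etc/nsswitch.conf
  sed -ri 's/dns myhostname/dns mdns/g' /etc/nsswitch.conf
  sed -ri 's/pam_winbind.so use_authtok try_first_pass/pam_winbind.so try_first_pass/g' /etc/pam.d/common-password
  pam-auth-update
}

#######################################
# BIND9 with the Samba DLZ backend, reverse zone, logging and apparmor.
# Globals (read): network reverse domain
#######################################
configure_bind() {
  # Root hints and trust anchors; fetched over HTTPS so they cannot be swapped
  # in transit (the original used plain http for the root hints).
  wget -q -O /etc/bind/db.root https://www.internic.net/zones/named.root
  wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
  append /etc/bind/named.conf <<EOF
include "${SAMBA_PRIVATE}/named.conf";
include "/etc/bind/named.conf.logging";
include "/etc/bind/rndc.key";
include "/etc/bind/rndc.conf";
EOF
  append /etc/bind/rndc.conf <<'EOF'
controls {
 inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
};
EOF
  # named must be able to read the GSS-TSIG keytab, nobody else.
  chmod 640 "$SAMBA_PRIVATE/dns.keytab"
  chown root:bind "$SAMBA_PRIVATE/dns.keytab"
  rndc-confgen -a
  chown root:bind /etc/bind/rndc.key
  chmod 640 /etc/bind/rndc.key
  # sed -i '/directory/a \ sortlist {\n { $network ;{ ${network} ; };};\n };' /etc/bind/named.conf.options

  # Reverse zone file, writable by named for dynamic PTR updates.
  cp -b /etc/bind/db.local "/var/lib/bind/db.${reverse}"
  chown bind:bind "/var/lib/bind/db.${reverse}"
  chmod 640 "/var/lib/bind/db.${reverse}"
  # NOTE(review): newer releases ship /etc/default/named instead; skip if absent.
  if [[ -f /etc/default/bind9 ]]; then
    sed -ri 's/RESOLVCONF=no/RESOLVCONF=yes/g' /etc/default/bind9
  fi

  append "$NAMED_LOCAL" <<EOF
acl "trusted" {
 localhost;
 localnets;
};

acl "internal-local-nets" {
 ${network};
};

EOF
  append "$NAMED_LOCAL" <<EOF
zone "${reverse}.in-addr.arpa" {
 type master;
 file "/var/lib/bind/db.${reverse}";
 update-policy {
 // The only allowed dynamic updates are PTR records
 grant ${domain}. subdomain ${reverse}.in-addr.arpa. PTR TXT;
 // Grant from localhost
 grant local-ddns zonesub any;
 };
};

EOF
  sed -i '/directory/a \ cleaning-interval 1440;\n max-cache-ttl 2419200;\n max-ncache-ttl 86400;\n max-cache-size unlimited;\n stacksize unlimited;\n datasize unlimited;\n coresize unlimited;\n \n listen-on { any; };' "$NAMED_OPTIONS"
  # Recursion and the cache are limited to the "trusted" acl; zone transfers off.
  sed -i '/listen-on-v6/a \ allow-query { any; };\n allow-recursion { trusted; };\n allow-query-cache { trusted; };\n allow-transfer { none; };\n notify no;' "$NAMED_OPTIONS"
  sed -i '/dnssec-validation/a \ #dnssec-lookaside auto;' "$NAMED_OPTIONS"
  # Uncomment the forwarders block; the address line itself stays commented
  # (see the next line), giving an empty forwarders list.
  sed -i 's[// forwarders[forwarders[g' "$NAMED_OPTIONS"
  # sed -i 's[// \t0.0.0.0;[ ${forwarders}[g' /etc/bind/named.conf.options
  sed -i 's[// };[};[g' "$NAMED_OPTIONS"
  sed -i '/listen-on-v6/a \ tkey-gssapi-keytab \"/var/lib/samba/private/dns.keytab\";' "$NAMED_OPTIONS"
  sed -i '/tkey-gssapi-keytab/i \ // DNS dynamic updates via Kerberos "/var/lib/samba/private/dns.keytab";' "$NAMED_OPTIONS"
  sed -i '/notify no/a \ empty-zones-enable no;' "$NAMED_OPTIONS"
  sed -i 's[//include[include[g' "$NAMED_LOCAL"

  append /etc/apparmor.d/local/usr.sbin.named <<'EOF'
# Samba4 DLZ and Active Directory Zones (default source installation)
/usr/lib/x86_64-linux-gnu/ldb/** rwmk,
/usr/lib/x86_64-linux-gnu/samba/** rwmk,
/var/lib/samba/** rm,
/var/lib/samba/private/dns/** rwmk,
/etc/samba/smb.conf r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns.keytab r,
/etc/bind/rndc.key r,
/var/tmp/** rwmk,
/dev/urandom rw,
/var/log/bind/** rw,
EOF
  append /etc/bind/named.conf.logging <<'EOF'
logging {
 channel update_debug {
 file "/var/log/bind/update_debug.log" versions 3 size 100k;
 severity debug;
 print-severity yes;
 print-time yes;
 };
 channel security_info {
 file "/var/log/bind/security_info.log" versions 1 size 100k;
 severity info;
 print-severity yes;
 print-time yes;
 };
 channel bind_log {
 file "/var/log/bind/bind.log" versions 3 size 1m;
 severity info;
 print-category yes;
 print-severity yes;
 print-time yes;
 };

 category default { bind_log; };
 category lame-servers { null; };
 category update { update_debug; };
 category update-security { update_debug; };
 category security { security_info; };
};
EOF
  mkdir -p /var/log/bind
  chown -R bind:root /var/log/bind
  chmod -R 775 /var/log/bind
}

#######################################
# chrony as the domain NTP source with Samba's signing socket.
# Globals (read): ipaddress broadcast network
#######################################
configure_chrony() {
  append /etc/apparmor.d/local/usr.sbin.chronyd <<'EOF'
# samba4 ntp signing socket
/var/lib/samba/ntp_signd/socket rw,
EOF
  install -d /var/lib/samba/ntp_signd
  chown root:_chrony /var/lib/samba/ntp_signd
  chmod 750 /var/lib/samba/ntp_signd
  # The stock pool lines are column-padded; match any run of whitespace so
  # the replacement actually happens.
  sed -ri 's/pool ntp\.ubuntu\.com[[:space:]]+iburst maxsources 4/server 0.south-america.pool.ntp.org iburst/g' "$CHRONY_CONF"
  sed -ri 's/pool 0\.ubuntu\.pool\.ntp\.org[[:space:]]+iburst maxsources 1/server 1.south-america.pool.ntp.org iburst/g' "$CHRONY_CONF"
  sed -ri 's/pool 1\.ubuntu\.pool\.ntp\.org[[:space:]]+iburst maxsources 1/server 2.south-america.pool.ntp.org iburst/g' "$CHRONY_CONF"
  sed -ri 's/pool 2\.ubuntu\.pool\.ntp\.org[[:space:]]+iburst maxsources 2/server 3.south-america.pool.ntp.org iburst/g' "$CHRONY_CONF"
  append "$CHRONY_CONF" <<EOF
# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
hwclockfile /etc/adjtime
bindcmdaddress ${ipaddress}
broadcast 60 ${broadcast}
allow ${network}
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
  # RTC kept in local time, consistent with the hwclockfile directive above.
  timedatectl set-local-rtc 1
}

#######################################
# Self-signed certificate for LDAPS, replacing the ones provision created.
# Globals (read): hostname domain
#######################################
create_tls_cert() {
  local tls="$SAMBA_PRIVATE/tls"
  rm -f "$tls/cert.pem" "$tls/key.pem" "$tls/ca.pem"
  # openssl req -newkey rsa:2048 -keyout /var/lib/samba/private/tls/samba.key -nodes -x509 -days 365 -out /var/lib/samba/private/tls/samba.crt
  # Certificate of trust
  openssl genrsa -out "$tls/samba.key" 2048
  # -subj keeps the CSR step non-interactive; CN is the DC's FQDN so clients
  # that check the name get a match.
  openssl req -new -key "$tls/samba.key" -out "$tls/samba.csr" -subj "/CN=${hostname}.${domain}"
  openssl x509 -req -days 365 -in "$tls/samba.csr" -signkey "$tls/samba.key" -out "$tls/samba.crt"
  chmod 600 "$tls/samba.key"
}

#######################################
# Bring the DC and its supporting daemons up.
#######################################
start_services() {
  systemctl start samba-ad-dc
  systemctl enable samba-ad-dc
  systemctl daemon-reload
  systemctl reload apparmor
  systemctl restart systemd-networkd
  systemctl restart systemd-resolved
  systemctl restart bind9
  systemctl restart chrony
}

#######################################
# Post-provision domain settings. kinit and setpassword prompt interactively.
# Globals (read): hostname
#######################################
post_provision() {
  kinit administrator
  samba-tool domain level raise --domain-level=2008_R2
  samba-tool domain level raise --forest-level=2008_R2
  # The BIND9_DLZ provision creates the dns-<host> account; DnsAdmins lets it update zones.
  samba-tool group addmembers DnsAdmins "dns-${hostname}"
  samba-tool user setpassword administrator
  samba-tool user setexpiry administrator --noexpiry
  # Password policy. NOTE(review): history-length=0, max-pwd-age=0 and
  # account-lockout-threshold=0 disable history, expiry and lockout — weaker
  # than the provisioned defaults; kept as the author chose them.
  samba-tool domain passwordsettings set --complexity=on
  samba-tool domain passwordsettings set --store-plaintext=off
  samba-tool domain passwordsettings set --history-length=0
  samba-tool domain passwordsettings set --min-pwd-age=0
  samba-tool domain passwordsettings set --max-pwd-age=0
  samba-tool domain passwordsettings set --min-pwd-length=7
  samba-tool domain passwordsettings set --account-lockout-duration=30
  samba-tool domain passwordsettings set --account-lockout-threshold=0
  samba-tool domain passwordsettings set --reset-account-lockout-after=30
}

#######################################
# Service account + keytab for GSS-TSIG updates from an ISC DHCP server.
# Globals (read): realm
#######################################
configure_dhcp_user() {
  samba-tool user create dhcpd --description="Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server" --random-password
  samba-tool user setexpiry dhcpd --noexpiry
  samba-tool group addmembers DnsAdmins dhcpd
  install -vdm 755 /etc/dhcp/ddns-keys
  # Export straight to the destination; the original moved a keys.keytab that
  # did not exist yet.
  samba-tool domain exportkeytab --principal="dhcpd@${realm}" /etc/dhcp/ddns-keys/keys.keytab
  chmod 400 /etc/dhcp/ddns-keys/keys.keytab
  # The local dhcpd account only exists once isc-dhcp-server is installed
  # (it is not in the package list above); chown only when it is present.
  if id dhcpd >/dev/null 2>&1; then
    chown dhcpd:dhcpd /etc/dhcp/ddns-keys /etc/dhcp/ddns-keys/keys.keytab
  fi
  # incomplete in development
}

main() {
  # `sudo -i` does not elevate the calling script; re-run ourselves as root.
  if (( EUID != 0 )); then
    [[ -f "$0" ]] || die 'this script must be run as root'
    exec sudo -- bash "$0" "$@"
  fi
  gather_input
  # Trace from here on, as the original did (password handling in
  # provision_domain turns it off around the provision call).
  set -x
  install_packages
  configure_host
  provision_domain
  configure_smb
  configure_shares
  configure_nss_pam
  configure_bind
  configure_chrony
  create_tls_cert
  start_services
  post_provision
  configure_dhcp_user
}

main "$@"
exit 0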