JWLLEWELYN

Samba-ad-dc_DNS-backend.sh

Sep 22nd, 2018 (edited)
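#!/bin/bash
# Author: John Llewelyn
# Description: Install Samba Active Directory mode, Bind9_DLZ Domain Controller DNS Backend.
#
# Usage: run as root or as a sudo-capable user; when started unprivileged the
# script re-executes itself under sudo. Every parameter is asked for up front
# and shown for confirmation before anything on the system is changed.

# Re-exec as root instead of `sudo -i`: `sudo -i` opens an *interactive* root
# shell and only returns when that shell is exited, so the rest of the script
# would have run afterwards as the invoking user.
if [[ "${EUID}" -ne 0 ]]; then
    exec sudo -- bash "$0" "$@"
fi

# Prompt for a value into the variable named by $1 and refuse empty input.
#   $1 - variable name to fill
#   $2 - prompt text
#   $3 - "secret" to suppress echo (passwords)
# The screen is cleared after each answer, as the original did.
ask() {
    local var="$1" prompt="$2" secret="${3:-}"
    while :; do
        if [[ "${secret}" == "secret" ]]; then
            read -rsp "${prompt}" "${var}"
            echo
        else
            read -rp "${prompt}" "${var}"
        fi
        [[ -n "${!var}" ]] && break
        echo 'A value is required.' >&2
    done
    clear
}

clear
ask hostname   'Enter the host name, example [server]: '
ask domain     'Enter the domain name, example [example.com]: '
ask workgroup  'Enter the workgroup name, example [SANDOM]: '
ask network    'Enter the address of your network, example [192.168.1.0/24]: '
ask broadcast  'Enter the broadcast address of your network, example [192.168.1.255]: '
ask ipaddress  'Enter the local IP address, example [192.168.1.2]: '
# gw is only echoed in the summary below; nothing later in the script uses it.
ask gw         'Enter the IP address of your gateway, example [192.168.1.1]: '
ask reverse    'Enter the reverse address of your local network, example [1.168.192]: '
ask forwarders 'Enter the forwarder DNS addresses for your AD DC, example [8.8.8.8; 8.8.4.4;]: '
ask password   'Enter the password for AD-DC: ' secret

echo "the name of your host is: ${hostname}"
echo "the domain name is: ${domain}"
echo "the name of your work group is: ${workgroup}"
echo "the scheme of your network is: ${network}"
echo "the broadcast of your network is: ${broadcast}"
echo "the ip address of your AD DC is: ${ipaddress}"
echo "the ip address of your gateway is: ${gw}"
# Was `${reverse.in-addr.arpa.}` — a bad substitution that aborts bash here.
echo "the reverse address of your domain is: ${reverse}.in-addr.arpa."
echo "the forwarding DNS addresses are: ${forwarders}"
read -rn 1 -p 'Are you sure that this information entered is correct? y/n'
echo    # move to a new line after the single-key answer
if [[ ! "${REPLY}" =~ ^[Yy]$ ]]; then
    exit 1
fi
clear
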
  44. # Install packages
  45. set -xueo pipefail
  46.  
  47. export DEBIAN_FRONTEND=noninteractive
  48. apt-get -y update
  49.  
  50. apt-get -y install \
  51.     acl \
  52.     apt-utils \
  53.     attr \
  54.     autoconf \
  55.     bind9utils \
  56.     binutils \
  57.     bison \
  58.     build-essential \
  59.     ccache \
  60.     chrpath \
  61.     chrony \
  62.     curl \
  63.     debhelper \
  64.     dnsutils \
  65.     docbook-xml \
  66.     docbook-xsl \
  67.     flex \
  68.     gcc \
  69.     gdb \
  70.     git \
  71.     glusterfs-common \
  72.     gzip \
  73.     heimdal-multidev \
  74.     hostname \
  75.     htop \
  76.     krb5-config \
  77.     krb5-kdc \
  78.     krb5-user \
  79.     language-pack-en \
  80.     lcov \
  81.     libacl1-dev \
  82.     libarchive-dev \
  83.     libattr1-dev \
  84.     libavahi-common-dev \
  85.     libblkid-dev \
  86.     libbsd-dev \
  87.     libcap-dev \
  88.     libcephfs-dev \
  89.     libcups2-dev \
  90.     libdbus-1-dev \
  91.     libglib2.0-dev \
  92.     libgnutls28-dev \
  93.     libgpgme11-dev \
  94.     libicu-dev \
  95.     libjansson-dev \
  96.     libjs-jquery \
  97.     libjson-perl \
  98.     libkrb5-dev \
  99.     libldap2-dev \
  100.     liblmdb-dev \
  101.     libncurses5-dev \
  102.     libpam0g-dev \
  103.     libparse-yapp-perl \
  104.     libpcap-dev \
  105.     libpopt-dev \
  106.     libreadline-dev \
  107.     libsystemd-dev \
  108.     libtasn1-bin \
  109.     libtasn1-dev \
  110.     libunwind-dev \
  111.     lmdb-utils \
  112.     locales \
  113.     lsb-release \
  114.     make \
  115.     mawk \
  116.     mingw-w64 \
  117.     patch \
  118.     perl \
  119.     perl-modules \
  120.     pkg-config \
  121.     procps \
  122.     psmisc \
  123.     python3 \
  124.     python3-cryptography \
  125.     python3-dbg \
  126.     python3-dev \
  127.     python3-dnspython \
  128.     python3-gpg \
  129.     python3-iso8601 \
  130.     python3-markdown \
  131.     python3-matplotlib \
  132.     python3-pexpect \
  133.     python3-pyasn1 \
  134.     python3-setproctitle \
  135.     rng-tools \
  136.     rsync \
  137.     sed \
  138.     sudo \
  139.     tar \
  140.     tree \
  141.     uuid-dev \
  142.     wget \
  143.     xfslibs-dev \
  144.     xsltproc \
  145.     zlib1g-dev
  146.  
  147. apt-get -y autoremove
  148. apt-get -y autoclean
  149. apt-get -y clean
  150.  
  151. # incomplete
  152.  
  153. # Settings hostname, resolvconf, hosts, acl, attr
  154. hostnamectl set-hostname ${hostname}
  155. chmod 644 /etc/resolvconf/resolv.conf.d/tail
  156. bash -c "echo -e 'nameserver ${ipaddress}' >> /etc/resolvconf/resolv.conf.d/tail"
  157. bash -c "echo -e 'search ${domain}' >> /etc/resolvconf/resolv.conf.d/tail"
  158. # bash -c "echo -e '127.0.1.1 ${hostname} ${hostname}.${domain}'  >> /etc/hosts"
  159. bash -c "echo -e '${ipaddress} ${hostname} ${hostname}.${domain}' >> /etc/hosts"
  160. bash -c "echo -e '# The following lines are desirable for IPv6 capable hosts' >> /etc/hosts"
  161. bash -c "echo -e '::1 ip6-localhost ip6-loopback' >> /etc/hosts"
  162. bash -c "echo -e 'fe00::0 ip6-localnet' >> /etc/hosts"
  163. bash -c "echo -e 'ff00::0 ip6-mcastprefix' >> /etc/hosts"
  164. bash -c "echo -e 'ff02::1 ip6-allnodes' >> /etc/hosts"
  165. bash -c "echo -e 'ff02::2 ip6-allrouters' >> /etc/hosts"
  166. bash -c "echo -e 'ff02::3 ip6-allhosts' >> /etc/hosts"
  167. sed -i.old -r "/[ \t]\/[ \t]/{s/(ext4[\t ]*)([^\t ]*)/\1\2,acl,barrier=1/}" /etc/fstab
  168. mount -a -o remount,rw /
  169. resolvconf -u
  170.  
  171. # DC Promo
  172. systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
  173. systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
  174. systemctl unmask samba-ad-dc
  175. rm -f /etc/samba/smb.conf
  176. rm -f /var/run/samba/*.[t,l]db
  177. rm -f /var/lib/samba/*.[t,l]db
  178. rm -f /var/cache/samba/*.[t,l]db
  179. rm -f /var/lib/samba/private/*.[t,l]db
  180. samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=BIND9_DLZ --realm=${domain} --domain=${workgroup} --function-level=2003 --adminpass=${password}
  181.  
  182. # Settings krb5.conf
  183. rm -f /etc/krb5.conf
  184. ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
  185. sed -i "/dns_lookup_kdc = true/a \        rdns = no" /var/lib/samba/private/krb5.conf
  186.  
  187. # Settings smb.conf
  188. sed -i '/global/a security = auto' /etc/samba/smb.conf
  189. sed -i '/security = auto/a allow dns updates = secure only' /etc/samba/smb.conf
  190. sed -ri 's/server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate/server services = -dns/g' /etc/samba/smb.conf
  191. sed -i '/workgroup = ${workgroup}/a # dns forwarder = ${ipaddress}' /etc/samba/smb.conf
  192. sed -i '/dns forwarder =/a # interfaces = ' /etc/samba/smb.conf
  193. sed -i '/interfaces =/a # bind interfaces only = yes' /etc/samba/smb.conf
  194. sed -i '/idmap_ldb:use rfc2307 = yes/a # Default idmap config for local BUILTIN accounts and groups\n\t idmap config * : backend = tdb\n\t idmap config * : range = 3000-7999\n\t # idmap config for the ${workgroup} domain\n\t idmap config ${workgroup}:backend = ad\n\t idmap config ${workgroup}:schema_mode = rfc2307\n\t idmap config ${workgroup}:range = 10000-999999\n\t idmap config ${workgroup}: unix_nss_info = yes\n\t idmap config ${workgroup}: unix_primary_group = yes' /etc/samba/smb.conf
  195. sed -i '/unix_primary_group =/a # Template settings for login shell and home directory\n\t template shell = /bin/bash\n\t template homedir = /home/%U' /etc/samba/smb.conf
  196. sed -i '/template homedir/a winbind enum users = yes\n winbind enum groups = yes\n winbind use default domain = yes\n winbind use default domain = yes\n winbind offline logon = no\n winbind cache time = 300\n winbind nss info = rfc2307' /etc/samba/smb.conf
  197. sed -i '/winbind nss info =/a server signing = auto\n#  server role check:inhibit = yes\n#  dsdb:schema update allowed = yes\n# drs:max object sync = 1200\n#   kernel share modes = yes\n# client use spnego = yes\n#  client NTLMv2 auth = yes\n# client min protocol = SMB2\n#   client max protocol = SMB3\n#   server min protocol = SMB2\n#   server max protocol = SMB3\n    restrict anonymous = 2\n    map to guest = Never' /etc/samba/smb.conf
  198. sed -i '/map to guest/a log level = 3' /etc/samba/smb.conf
  199. sed -i '/log level/a log file = /var/log/samba/samba.log' /etc/samba/smb.conf
  200. sed -i '/log file/a max log size = 100000' /etc/samba/smb.conf
  201. sed -i '/max log size/a # Configuring LDAP over SSL (LDAPS)\ntls enabled = yes\ntls keyfile = tls/samba.key\ntls certfile = tls/samba.crt\ntls cafile = ' /etc/samba/smb.conf
  202. sed -i '/tls cafile/a # printing = CUPS' /etc/samba/smb.conf
  203. sed -i '/printing =/a # include = /etc/samba/shares.conf\n# include = /etc/samba/profiles.conf\n#   include = /etc/samba/printers.conf' /etc/samba/smb.conf
  204. # Incomplete 1 line is missing.
  205.  
  206. # Roaming Windows User Profiles
  207. bash -c "echo -e '[profiles]\n        comment = Users profiles\n        path = /srv/samba/profiles/\n        browseable = No\n        read only = No\n        force create mode = 0600\n        force directory mode = 0700\n        csc policy = disable\n        store dos attributes = yes\n        vfs objects = acl_xattr' >> /etc/samba/profiles.conf"
  208. mkdir -p /srv/samba/profiles/
  209. # chgrp -R "Domain Users" /srv/samba/profiles/
  210. chmod 1750 /srv/samba/profiles/
  211.  
  212. # Creating /etc/samba/shares.conf
  213. bash -c "echo -e '[homes]\n    comment = Directorios de usuario\n    path = /home/%S\n    read only = no\n    browseable = no\n    create mask = 0611\n    directory mask = 0711\n    vfs objects = acl_xattr full_audit\n    full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename\n    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename' >> /etc/samba/shares.conf"
  214.  
  215. # Creating /etc/samba/printers.conf
  216. bash -c "echo -e '[printers]\n       path = /var/spool/samba/\n       printable = yes' >> /etc/samba/printers.conf"
  217. mkdir -p /var/spool/samba/
  218. chmod 1777 /var/spool/samba/
  219. # smbcontrol all reload-config
  220.  
  221. # Settings windbind , PAM
  222. sed -ri 's/passwd:         compat systemd/passwd:         compat winbind/g' /etc/nsswitch.conf
  223. sed -ri 's/group:          compat systemd/group:          compat winbind/g' /etc/nsswitch.conf
  224. sed -ri 's/dns myhostname/dns mdns/g' /etc/nsswitch.conf
  225. sed -ri 's/pam_winbind.so use_authtok try_first_pass/pam_winbind.so try_first_pass/g' /etc/pam.d/common-password
  226. pam-auth-update
  227.  
  228. # Settings Bind9
  229. wget -q -O /etc/bind/db.root http://www.internic.net/zones/named.root
  230. wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
  231. bash -c "echo -e 'include \"/var/lib/samba/private/named.conf\";' >> /etc/bind/named.conf"
  232. bash -c "echo -e 'include \"/etc/bind/named.conf.logging\";' >> /etc/bind/named.conf"
  233. bash -c "echo -e 'include \"/etc/bind/rndc.key\";' >> /etc/bind/named.conf"
  234. bash -c "echo -e 'include \"/etc/bind/rndc.conf\";' >> /etc/bind/named.conf"
  235. bash -c "echo -e 'controls {\n         inet 127.0.0.1 port 953 allow { localhost; } keys { \"rndc-key\"; };\n};' >> /etc/bind/rndc.conf"
  236. # chgrp bind /var/lib/samba/private/dns.keytab
  237. # chmod g+r /var/lib/samba/private/dns.keytab
  238. chmod 640 /var/lib/samba/private/dns.keytab
  239. chown root:bind /var/lib/samba/private/dns.keytab
  240. rndc-confgen -a
  241. chown root:bind /etc/bind/rndc.key
  242. chmod 640 /etc/bind/rndc.key
  243. # sed -i '/directory/a \        sortlist {\n        { $network ;{ ${network} ; };};\n        };' /etc/bind/named.conf.options
  244. cp -b /etc/bind/db.local /var/lib/bind/db.${reverse}
  245. chown bind:bind /var/lib/bind/db.${reverse}
  246. chmod 640 /var/lib/bind/db.${reverse}
  247. sed -ri 's/RESOLVCONF=no/RESOLVCONF=yes/g' /etc/default/bind9
  248. bash -c "echo -e 'acl \"trusted\" {\n    localhost;\n    localnets;\n};\n\nacl \"internal-local-nets\" {\n    ${network};\n};\n' >> /etc/bind/named.conf.local"
  249. bash -c "echo -e 'zone \"${reverse}.in-addr.arpa\" {\n    type master;\n    file \"/var/lib/bind/db.${reverse}\";\n    update-policy {\n        // The only allowed dynamic updates are PTR records\n        grant ${domain}. subdomain ${reverse}.in-addr.arpa. PTR TXT;\n        // Grant from localhost\n        grant local-ddns zonesub any;\n    };\n};\n' >> /etc/bind/named.conf.local"
  250. sed -i '/directory/a \        cleaning-interval 1440;\n        max-cache-ttl 2419200;\n        max-ncache-ttl 86400;\n        max-cache-size unlimited;\n        stacksize unlimited;\n        datasize unlimited;\n        coresize unlimited;\n        \n        listen-on { any; };'  /etc/bind/named.conf.options
  251. sed -i '/listen-on-v6/a \        allow-query { any; };\n        allow-recursion { trusted; };\n        allow-query-cache { trusted; };\n        allow-transfer { none; };\n        notify no;'  /etc/bind/named.conf.options
  252. sed -i '/dnssec-validation/a \        #dnssec-lookaside auto;'  /etc/bind/named.conf.options
  253. sed -i 's[// forwarders[forwarders[g' /etc/bind/named.conf.options
  254. # sed -i 's[// \t0.0.0.0;[      ${forwarders}[g' /etc/bind/named.conf.options
  255. sed -i 's[// };[};[g' /etc/bind/named.conf.options
  256. sed -i '/listen-on-v6/a \        tkey-gssapi-keytab\"/var/lib/samba/private/dns.keytab\";' /etc/bind/named.conf.options
  257. sed -i '/tkey-gssapi-keytab/i \        // DNS dynamic updates via Kerberos "/var/lib/samba/private/dns.keytab";' /etc/bind/named.conf.options
  258. sed -i '/notify no/a \        empty-zones-enable no;' /etc/bind/named.conf.options
  259. sed -i 's[//include[include[g' /etc/bind/named.conf.local
  260. bash -c "echo -e '# Samba4 DLZ and Active Directory Zones (default source installation)\n/usr/lib/x86_64-linux-gnu/ldb/** rwmk,\n/usr/lib/x86_64-linux-gnu/samba/** rwmk,\n/var/lib/samba/** rm,\n/var/lib/samba/private/dns/** rwmk,\n/etc/samba/smb.conf r,\n/var/lib/samba/private/named.conf r,\n/var/lib/samba/private/dns.keytab r,\n/etc/bind/rndc.key  r,\n/var/tmp/** rwmk,\n/dev/urandom rw,\n/var/log/bind/** rw,' >> /etc/apparmor.d/local/usr.sbin.named"
  261. bash -c "echo -e 'logging {\n        channel update_debug {\n                file \"/var/log/bind/update_debug.log\" versions 3 size 100k;\n                severity debug;\n                print-severity  yes;\n                print-time      yes;\n        };\n        channel security_info {\n                file \"/var/log/bind/security_info.log\" versions 1 size 100k;\n                severity info;\n                print-severity  yes;\n                print-time      yes;\n        };\n        channel bind_log {\n                file \"/var/log/bind/bind.log\" versions 3 size 1m;\n                severity info;\n                print-category  yes;\n                print-severity  yes;\n                print-time      yes;\n        };\n\n        category default { bind_log; };\n        category lame-servers { null; };\n        category update { update_debug; };\n        category update-security { update_debug; };\n        category security { security_info; };\n};' >> /etc/bind/named.conf.logging"
  262. mkdir -p /var/log/bind
  263. chown -R bind:root /var/log/bind
  264. chmod -R 775 /var/log/bind
  265.  
  266. # Settings NTP chrony
  267. bash -c "echo -e '# samba4 ntp signing socket\n/var/lib/samba/ntp_signd/socket rw,' >> /etc/apparmor.d/local/usr.sbin.chronyd"
  268. install -d /var/lib/samba/ntp_signd
  269. chown root:_chrony /var/lib/samba/ntp_signd
  270. chmod 750 /var/lib/samba/ntp_signd
  271. sed -ri 's/pool ntp.ubuntu.com        iburst maxsources 4/server 0.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
  272. sed -ri 's/pool 0.ubuntu.pool.ntp.org iburst maxsources 1/server 1.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
  273. sed -ri 's/pool 1.ubuntu.pool.ntp.org iburst maxsources 1/server 2.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
  274. sed -ri 's/pool 2.ubuntu.pool.ntp.org iburst maxsources 2/server 3.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
  275. bash -c "echo -e '# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the\n# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.\nhwclockfile /etc/adjtime' >> /etc/chrony/chrony.conf"
  276. bash -c "echo -e 'bindcmdaddress ${ipaddress}' >> /etc/chrony/chrony.conf"
  277. bash -c "echo -e 'broadcast 60 ${broadcast}' >> /etc/chrony/chrony.conf"
  278. bash -c "echo -e 'allow ${network}' >> /etc/chrony/chrony.conf"
  279. bash -c "echo -e 'ntpsigndsocket /var/lib/samba/ntp_signd' >> /etc/chrony/chrony.conf"
  280. timedatectl set-local-rtc 1
  281.  
  282. # Self-signed certificate
  283. rm -f /var/lib/samba/private/tls/cert.pem
  284. rm -f /var/lib/samba/private/tls/key.pem
  285. rm -f /var/lib/samba/private/tls/ca.pem
  286. # openssl req -newkey rsa:2048 -keyout /var/lib/samba/private/tls/samba.key -nodes -x509 -days 365 -out /var/lib/samba/private/tls/samba.crt
  287. # chmod 600 /var/lib/samba/private/tls/samba.key
  288.  
  289. # Certificate of trust
  290. openssl genrsa -out /var/lib/samba/private/tls/samba.key 2048
  291. openssl req -new -key /var/lib/samba/private/tls/samba.key -out /var/lib/samba/private/tls/samba.csr
  292. openssl x509 -req -days 365 -in /var/lib/samba/private/tls/samba.csr -signkey /var/lib/samba/private/tls/samba.key -out /var/lib/samba/private/tls/samba.crt
  293. chmod 600 /var/lib/samba/private/tls/samba.key
  294.  
  295. systemctl start samba-ad-dc
  296. systemctl enable samba-ad-dc
  297. systemctl daemon-reload
  298. systemctl reload apparmor
  299. systemctl restart systemd-networkd
  300. systemctl restart systemd-resolved
  301. systemctl restart bind9
  302. systemctl restart chrony
  303.  
  304. kinit administrator
  305. samba-tool domain level raise --domain-level=2008_R2
  306. samba-tool domain level raise --forest-level=2008_R2
  307. samba-tool group addmembers DnsAdmins dns-${hostname}
  308. samba-tool user setpassword administrator
  309. samba-tool user setexpiry administrator --noexpiry
  310. samba-tool domain passwordsettings set --complexity=on
  311. samba-tool domain passwordsettings set --store-plaintext=off
  312. samba-tool domain passwordsettings set --history-length=0
  313. samba-tool domain passwordsettings set --min-pwd-age=0
  314. samba-tool domain passwordsettings set --max-pwd-age=0
  315. samba-tool domain passwordsettings set --min-pwd-length=7
  316. samba-tool domain passwordsettings set --account-lockout-duration=30
  317. samba-tool domain passwordsettings set --account-lockout-threshold=0
  318. samba-tool domain passwordsettings set --reset-account-lockout-after=30
  319.  
  320. # Settings DHCP Server
  321. samba-tool user create dhcpd --description="Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server" --random-password
  322. samba-tool user setexpiry dhcpd --noexpiry
  323. samba-tool group addmembers DnsAdmins dhcpd
  324. install -vdm 755 /etc/dhcp/ddns-keys
  325. chown dhcpd:dhcpd /etc/dhcp/ddns-keys
  326. mv keys.keytab /etc/dhcp/ddns-keys
  327. samba-tool domain exportkeytab --principal=dhcpd@${domain} /etc/dhcp/ddns-keys/keys.keytab
  328. chown dhcpd:dhcpd /etc/dhcp/ddns-keys/keys.keytab
  329. chmod 400 /etc/dhcp/ddns-keys/keys.keytab
  330. # incomplete in development
  331. exit 0