├── README.md
├── backup-script
│   ├── README.md
│   └── backup_samba4
├── full-howto-Ubuntu18.04-samba-AD_DC.txt
├── function-samba-winbind.sh
├── get-samba-sources.sh
├── howtos
│   ├── Buster-member-base.txt
│   ├── README.MD
│   ├── stretch-base-1.0.txt
│   ├── stretch-base-1.1-checkup.txt
│   ├── stretch-base-2.0-samba-minimal-ad.txt
│   ├── stretch-base-2.1-samba-minimal-ad-checks.txt
│   ├── stretch-base-3.1-samba-member-debian-install.txt
│   ├── stretch-base-3.2-samba-member-fileserver.txt
│   └── stretch-base-3.3-samba-member-fileserver-rights-example.txt
├── samba-check-SePrivileges.sh
├── samba-check-db-repl.sh
├── samba-check-set-sysvol.sh
├── samba-collect-debug-info.sh
├── samba-dns-mass-add.sh
├── samba-fix-userhome-recursive.sh
├── samba-info.sh
├── samba-setup-checkup.sh
├── samba-setup-share-folders.sh
└── samba-with-nfsv4.sh

/README.md:
--------------------------------------------------------------------------------
# samba4
==============

Here you can find some scripts I daily use with samba 4 (AD-DC)


All my scripts are made and tested on Debian Jessie and Stretch servers.
Questions about the scripts, mail the samba mailing list, I'll answer them.
If you have improvements, well, add them, that's why I've put them on github.

A small recap of these scripts.
----------------
backup-script/backup_samba4: A modified version of the original samba_backup script.

samba-check-SePrivileges.sh : shows the configured SePrivileges and the groups set on them, no modifications are done.

samba-check-set-sysvol.sh: checks and sets the ACL for sysvol and tells you what to check.

samba-info.sh: simple tool to show domain info. Works now for AD Member and AD DC.

samba-setup-checkup.sh: (Work in progress), Goal, check your system for the correct and needed settings to install samba.

samba-with-nfsv4.sh: the script I used to set up my domain members on my jessie server. Debian stretch is different.

samba-dns-mass-add.sh: This script creates hostnames in an asked range with A and PTR records.

samba-collect-debug-info.sh: This script collects some debugging info to a file.
Please note, this script is tested only on Debian, it will not work correctly yet for other OS and/or source installations.
ONLY tested on AD-DC setups, not yet for member servers.


## donations
If you like my work, support me a bit, even with 1 $ you're helping me.
I don't ask for hundreds, a (few) buck(s) are a great gift also.
- [Donate via Paypal](https://www.paypal.me/LouisVanBelle) (my paypal email is louis at van-belle .nl)
- Donate via Bitcoin: 3BMEXFUrncjVKByryNU1fcVLBLKE8i9TpX

## Thanks
--------------------------------------------------------------------------------
/backup-script/README.md:
--------------------------------------------------------------------------------
# backup_samba4
==============

The script is tested on Debian Wheezy and Debian Jessie and is running now on Debian Stretch, but should work with any Linux OS.
This is a modified version of the backup_samba4 script, the original script is found in the samba source.

By default the script logs to syslog.
Running ./backup_samba4 --debug gives console output.

The first time you start it, run it with --debug, so you can check if all is ok.

How does it work:
- The script collects the commands it uses with their full paths; if one isn't found you get a message and the script ends.
- The script extracts the sysvol, etc and private folders as full paths from the running samba.
- The script uses a counter to make multiple backups on the same day.
- The script cleans up backup files older than DAYS.
- All this is done without stopping samba.


You need to add something like this in cron.
This example shows a 5x backup during work hours on weekdays
and last at 23:00 for the daily (normal) backup procedures.
(/etc/crontab runs with /bin/sh, which does not understand bash's "&>", so the redirect is written the portable way.)

6 7,10,13,16,19 * * 1,2,3,4,5 root /PATH_TO/backup_samba4 >/dev/null 2>&1

0 23 * * * root /PATH_TO/backup_samba4 >/dev/null 2>&1

You need to configure the following in the script:

A Config example
----------------
The location to backup to.
- STOREDIR=/home/backups/hostname

This creates an extra acl backup of sysvol with getfacl -R (yes/no).
Best is not to change this.
- BACKUP_SYSVOL_ACL="yes"

Originally not in the samba script but very useful.
Full /etc backup (yes/no).
Best is not to change this.
- BACKUP_ETC="yes"

Number of days to keep the backup.
- DAYS=30

KEEP_DAYS, keeps every date with 01 and 15 in the backup (yes/no)
While we obey "DAYS", if set to no, only the DAYS setting applies
if you don't want numbered backup files like : sysvol-2015-12-10-0.tar.bz2 set to: yes
So options to set are : yes, no
- KEEP_DAYS="no" removes all files older than $DAYS
- KEEP_DAYS="yes" removes all files older than $DAYS but now it keeps the day numbers
  set in KEEP_DAY1 and KEEP_DAY2

The day numbers of the month to keep, only effective if KEEP_DAYS="yes" !
- KEEP_DAY1="01"
- KEEP_DAY2="15"

What to backup of samba, this should normally not need changing.
The full paths are extracted from the running samba.
- DIRS="private sysvol samba"

The location for the command file, can be any place, any file name.
- SCRIPT_COMMANDS_FILE="/etc/samba/backup_samba4_commands"


The commands this script needs, should not be changed.
- SCRIPT_COMMANDS="samba tdbbackup logger tar dirname cat grep echo awk sed date find rm getfacl tail cut wc awk sort"
--------------------------------------------------------------------------------
/backup-script/backup_samba4:
--------------------------------------------------------------------------------
#!/bin/bash -e
#
# Copyright (C) Matthieu Patou 2010-2011
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#
# Revised 2013-09-25, Brian Martin, as follows:
#   - Allow retention period ("DAYS") to be specified as a parameter.
#   - Allow individual positional parameters to be left at the default
#     by specifying "-"
#   - Use ISO 8601 standard dates (yyyy-mm-dd instead of mmddyyyy).
#   - Display tar exit codes when reporting errors.
#   - Don't send error messages to /dev/null, so we know what failed.
#   - Suppress useless tar "socket ignored" message.
#   - Fix retention period bug when deleting old backups ($DAYS variable
#     could be set, but was ignored).
#
# Revised 2015-10-25, Rowland Penny, as follows:
#   - Added check to make sure being run by root.
#   - Change Variable names to make them more obvious.
#   - Removed option to change where to backup from.
#   - Remove option to use arguments, this is a set & use script,
#     and will not work with self compiled Samba without modification.
#   - Backup acls & attrs if using GNU-tar version 1.27 up
#   - Backup *.ldb & *.tdb files
#   - Added debug option
#
# Revised 2015-12-08, Rowland Penny, as follows:
#   - made to work with debian packages and self compiled installs
#
# Revised 2015-12-09, Louis van Belle, as follows:
#   - corrected few echo's to $DEBUG
#   - added the option for a full /etc backup also.
#   - added the option to remove the backup files,
#     but keep the 1st and 15th of the month
#   - add ability to run the script multiple times per day
#     without your files getting overwritten (backups will be numbered per run time)
#
# Revised 2015-12-11, Louis van Belle, as follows:
#   - Script error when running from within cron.
#     automatically put full paths in for the commands
#   - changed shell from sh to bash, tested on debian wheezy
# Revised 2015-12-14, Louis van Belle, as follows:
#   - Script error when running from within, missed a typo.
#   - added file definitions by date/time standards
# Revised 2017-12-19, Louis van Belle:
#   - exclude netlogon_creds_cli.tdb from the backups, it's not needed,
#     see: https://bugzilla.samba.org/show_bug.cgi?id=13088
#   - make keep_day work, in test now.
# Revised 2017-12-19, Louis van Belle, Thanks Norbert Hanke.:
#   - Fixed detection of samba/etc with a self compiled samba.
# Revised 2019-08-01, Louis van Belle, Thanks Norbert Hanke.:
#   - Fixed detection of samba/etc with a self compiled samba.
# Revised 2019-08-01, Louis van Belle, Thanks jkirk.
#   - Fixed backup folder rights.
# Revised 2019-10-02, Louis van Belle, Thanks t2semi.
#   - Fixed tar parameter ordering.
# Revised 2019-10-02, Louis van Belle, re-style code.
##

# Used format in the backup file names.
# date format: ISO 8601 YYYY-MM-DD (extended format)
# time format: ISO 8601 24-hour clock system [hh][mm][ss] (basic format).


# where to store backups ( change this )
STOREDIR="/home/backups/$(hostname -s)"

# this creates an extra acl backup of sysvol with getfacl -R (yes/no)
BACKUP_SYSVOL_ACL="yes"

# Full /etc backup (yes/no)
BACKUP_ETC="yes"

# Number of days to keep the backup
DAYS=60

# KEEP_DAYS, for auto cleanup and extra safe backups.
# Keeps every date with ( defaults to ) 01 and 15 in the backup.
# Files older than XX DAYS will be removed automatically.
# If set to "yes" then any file with 01 or 15 in it will not be removed.
# default "yes" because it's good to have backups even older than XX Days.
# If set to "no", any file older than XX Days will be removed from the backup.
KEEP_DAYS="yes"

# The day numbers of the month to keep, only effective if KEEP_DAYS="yes" !
KEEP_DAY1="01"
KEEP_DAY2="15"

# the commands this script needs.
SCRIPT_COMMANDS="echo samba tdbbackup logger tar dirname cat grep awk sed date find rm getfacl tail cut wc awk sort"

# The location for the command file, make sure that folder exists.
SCRIPT_COMMANDS_FILE="/etc/samba/backup_samba4_commands"

# what to backup of samba, this should normally not need changing.
DIRS="private sysvol samba"

#########################################################################
# DO NOT CHANGE ANYTHING BELOW HERE UNLESS YOU KNOW WHAT YOU ARE DOING! #
# IF YOU BREAK IT, YOU FIX IT                                           #
#########################################################################
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
    echo "This script will backup the Samba4 AD DC database files."
    echo "It will backup your provision and archive it to $STOREDIR."
    echo "The archived files will be stored for ${DAYS} days"
    echo "usage:"
    echo "  '$0 --debug' will echo messages to screen,"
    echo "      usually used when initially testing."
    echo "  '$0 -h or --help' will print this message."
    echo "  '$0' by itself will log to syslog,"
    echo "      usually used when run from cron."
    echo
    exit 0
fi

# assign CMD_COMMAND variables
if [ ! -e "${SCRIPT_COMMANDS_FILE}" ]
then
    for COMMANDS in ${SCRIPT_COMMANDS}
    do
        # determine every command needed and add it to the backup_samba4_commands file.
        # This speeds up the second and all other backup runs.
        EVAL_PROG="CMD_"
        EVAL_PROG_DATA="${COMMANDS^^}"
        EVAL_DATA="$(command -v "${COMMANDS}")"

        eval "${EVAL_PROG}${EVAL_PROG_DATA}"="\"${EVAL_DATA}\""
        EVAL_CHECK="${EVAL_PROG}${EVAL_PROG_DATA}"

        if [ -z "${EVAL_CHECK}" ] || [ -z "${EVAL_DATA}" ]
        then
            echo "Error command ${EVAL_CHECK} is without data"
            echo "Please adjust this value manually in the file ${SCRIPT_COMMANDS_FILE}"
            echo "${EVAL_CHECK}=\"${EVAL_DATA}\"" >> "${SCRIPT_COMMANDS_FILE}"
        else
            echo "${EVAL_CHECK}=\"${EVAL_DATA}\"" >> "${SCRIPT_COMMANDS_FILE}"
        fi
    done
    echo "Exiting now...commands file created, please restart the script.."
    exit 1
else
    # Import the commands
    source "${SCRIPT_COMMANDS_FILE}"

    # revalidate commands, check if the variables are filled.
    for COMMANDS in ${SCRIPT_COMMANDS}
    do
        EVAL2_PROG="CMD_"
        EVAL2_PROG_DATA=${COMMANDS^^}
        EVAL2_CHECK="${EVAL2_PROG}${EVAL2_PROG_DATA}"

        if [ -z "${EVAL2_CHECK}" ]
        then
            echo "Error, ${EVAL2_CHECK} does not have a value"
            echo "Please put the command in the file ${SCRIPT_COMMANDS_FILE}"
            echo "Exiting now... "
            exit 1
        fi

        # ${!EVAL2_CHECK} is bash indirection: the value of the variable named CMD_<COMMAND>
        if [ ! -e "${!EVAL2_CHECK}" ]
        then
            echo "Error, ${EVAL2_CHECK} is unset or set to the empty string"
            echo "Please correct the command in the file ${SCRIPT_COMMANDS_FILE}"
            echo "Exiting now... "
            exit 1
        fi

        if [ "$1" = "--debug" ]
        then
            echo "Command checks : ${EVAL2_CHECK} contains : ${!EVAL2_CHECK}"
        fi

    done
fi

# Run with --debug for console output.
if [ -n "$1" ] && [ "$1" = "--debug" ]
then
    DEBUG="${CMD_ECHO}"
else
    # Else log it to syslog with logger
    DEBUG="${CMD_LOGGER} -t $0"
fi

# make sure this is being run by root
USER=$(whoami)
if [ "$USER" != "root" ]
then
    ${DEBUG} "You must be root to run backup_samba4"
    exit 1
fi

# Test if GNU tar is installed and is the required version or newer
TARVERSION="$(${CMD_TAR} --version | ${CMD_GREP} 'GNU tar' | ${CMD_AWK} '{print $NF}' | ${CMD_AWK} -F '.' '{print $2}')"
if [ -n "${TARVERSION}" ] && [ "${TARVERSION}" -ge "27" ]
then
    TARARGS="-cj --acls --xattrs -f "
else
    TARARGS="-cj -f "
fi

if [ ! -d "${STOREDIR}" ]
then
    ${DEBUG} "Missing backup directory $STOREDIR"
    ${DEBUG} "Will now create it."
    install -d "${STOREDIR}" -o root -g staff -m 660
fi

# get the directory that holds smb.conf
CONFBASE="$(${CMD_SAMBA} -b | ${CMD_GREP} [C]ONFIGFILE | ${CMD_AWK} '{print $NF}' | ${CMD_AWK} -F '/' '{print $2}')"
if [ "${CONFBASE}" = "etc" ]
then
    CONFDIR="/etc"
elif [ "${CONFBASE}" = "usr" ]
then
    CONFDIR="/usr/local/samba/etc"
else
    ${DEBUG} "Cannot find Samba conf dir. ${CONFBASE}"
    ${DEBUG} "Cannot continue... Exiting."
    exit 1
fi

${DEBUG} "Starting backup with $0"
# get the directory that holds the private dir
PRIVATEBASE="$(${CMD_DIRNAME} $(${CMD_SAMBA} -b | ${CMD_GREP} [P]RIVATE_DIR | ${CMD_AWK} '{print $NF}'))"
if [ ! -d "${PRIVATEBASE}" ]
then
    ${DEBUG} "Missing or wrong provision directory ${PRIVATEBASE}"
    exit 1
fi

# get the directory that holds the sysvol dir
CONFILE="$(${CMD_SAMBA} -b | ${CMD_GREP} [C]ONFIGFILE | ${CMD_AWK} '{print $NF}')"
SYSVOLBASE="$(${CMD_CAT} ${CONFILE} | ${CMD_GREP} sysvol | ${CMD_GREP} scripts | ${CMD_AWK} '{print $NF}' | ${CMD_SED} 's/sysvol.*//')"

# backup .tdb & .ldb files
backup_file () {
    FILE="${1}"
    if [ -z "${FILE}" ]
    then
        ${DEBUG} "Error: No file supplied - Cannot continue."
        exit 1
    fi
    # "|| Status=$?" keeps "bash -e" from aborting before the exit code is inspected.
    Status=0
    ${CMD_TDBBACKUP} "$1" || Status=$?
    if [ $Status -ne 0 ]
    then
        ${DEBUG} "Error while backing up $1 - status $Status"
        exit 1
    fi
}

# check for existing backup files; if they exist, create new files with the following number.
check_backup_file () {
    BACKUPDATE="$(${CMD_DATE} +%Y-%m-%d)" # ISO 8601 standard date.
    ${DEBUG} "Backupdate = $BACKUPDATE"
    ${DEBUG} "Message: checking for previous backups of this day : $d"
    # determine the last used counter nr
    COUNTER="$(ls ${STOREDIR} | ${CMD_GREP} ${BACKUPDATE} | ${CMD_SORT} | ${CMD_GREP} $d | ${CMD_TAIL} -n1 | ${CMD_CUT} -d"-" -f5 | ${CMD_CUT} -d"." -f1)"
    ${DEBUG} "Counter = $COUNTER"
    if [ -z "$COUNTER" ]
    then
        COUNTER=0
        BACKUPDATE="${BACKUPDATE}-${COUNTER}"
    else
        COUNTER=$((COUNTER+1))
        BACKUPDATE="${BACKUPDATE}-${COUNTER}"
    fi
    ${DEBUG} "Message: setting date and counter : ${BACKUPDATE} for $d"
}

for d in $DIRS
do
    if [ "$d" = "private" ]
    then
        check_backup_file
        cd ${PRIVATEBASE}
        relativedirname="$(${CMD_FIND} . -type d -name "$d" -prune)"
        ${CMD_FIND} $relativedirname -name "*.ldb.bak" -exec ${CMD_RM} {} \;
        ${CMD_FIND} $relativedirname -name "*.tdb.bak" -exec ${CMD_RM} {} \;
        for ldb in $(${CMD_FIND} $relativedirname -name "*.ldb")
        do
            # backup .ldb files
            backup_file $ldb
        done
        # exclude netlogon_creds_cli : https://bugzilla.samba.org/show_bug.cgi?id=13088
        for tdb in $(${CMD_FIND} $d -name "*.tdb" -type f -print | xargs -0 | grep -v 'netlogon_creds_cli')
        do
            # backup .tdb files
            backup_file $tdb
        done
        # Run the backup.
        # --warning=no-file-ignored suppresses "socket ignored" messages.
        # --warning=no-file-changed suppresses "file changed as we read it"
        # "|| Status=$?" keeps "bash -e" from aborting before the exit code is inspected.
        Status=0
        ${CMD_TAR} ${TARARGS} ${STOREDIR}/${d}-${BACKUPDATE}.tar.bz2 \
            --warning=no-file-ignored --warning=no-file-changed \
            --transform 's/.ldb.bak/.ldb/' --transform 's/.tdb.bak/.tdb/' \
            --exclude='*.ldb' --exclude='*.tdb' $relativedirname || Status=$?
        if [ $Status -ne 0 -a $Status -ne 1 ]
        then
            # Ignore 1 - private dir is always changing.
            ${DEBUG} "Error archiving:"
            ${DEBUG} "  ${STOREDIR}/${d}-${BACKUPDATE}.tar.bz2"
            ${DEBUG} "  Status: $Status"
            exit 1
        else
            ${DEBUG} "Backup Status ${d}: ok"
        fi
        # delete any .bak files
        ${CMD_FIND} $relativedirname -name "*.ldb.bak" -exec ${CMD_RM} {} \;
        ${CMD_FIND} $relativedirname -name "*.tdb.bak" -exec ${CMD_RM} {} \;
    elif [ "$d" = "sysvol" ]
    then
        check_backup_file
        cd ${SYSVOLBASE}
        relativedirname=$(${CMD_FIND} . -type d -name "$d" -prune)
        # Run the backup.
        # --warning=no-file-ignored suppresses "socket ignored" messages.
        # --warning=no-file-changed suppresses "file changed as we read it"
        Status=0
        ${CMD_TAR} ${TARARGS} ${STOREDIR}/${d}-${BACKUPDATE}.tar.bz2 \
            --warning=no-file-ignored --warning=no-file-changed $relativedirname || Status=$?
        if [ $Status -ne 0 ]
        then
            ${DEBUG} "Error archiving:"
            ${DEBUG} "  ${STOREDIR}/${d}-${BACKUPDATE}.tar.bz2"
            ${DEBUG} "Status: $Status"
            exit 1
        else
            ${DEBUG} "Backup Status ${d}: ok"
        fi
        if [ ${BACKUP_SYSVOL_ACL} = "yes" ]
        then
            # ! Don't use sysvol here, it messes up the sysvol counter.
            d=acl-sys_vol
            check_backup_file
            ${DEBUG} "creating sysvol ACL file"
            ${CMD_GETFACL} -R sysvol > ${STOREDIR}/${d}.${BACKUPDATE}.acl
            Status=0
            ${CMD_TAR} ${TARARGS} ${STOREDIR}/${d}.${BACKUPDATE}.acl.tar.bz2 \
                ${STOREDIR}/${d}.${BACKUPDATE}.acl >/dev/null 2>&1 || Status=$?
            if [ $Status -ne 0 ]
            then
                ${DEBUG} "Error while archiving ${STOREDIR}/${d}.${BACKUPDATE}.acl.tar.bz2"
                exit 1
            else
                ${DEBUG} "Backup Status sysvol acl: ok"
                ${CMD_RM} ${STOREDIR}/${d}.${BACKUPDATE}.acl
            fi
            #
        fi
    elif [ "$d" = "samba" ]
    then
        check_backup_file
        cd ${CONFDIR}
        if [ "${CONFILE}" = "/etc/samba/smb.conf" ]
        then
            relativedirname=$(${CMD_FIND} . -type d -name "$d" -prune)
        else
            relativedirname=$(${CMD_FIND} .. -type d -name "etc" -prune)
        fi
        # Run the backup.
        # --warning=no-file-ignored suppresses "socket ignored" messages.
        # --warning=no-file-changed suppresses "file changed as we read it"
        Status=0
        ${CMD_TAR} ${TARARGS} ${STOREDIR}/${d}-${BACKUPDATE}.tar.bz2 \
            --warning=no-file-ignored --warning=no-file-changed $relativedirname || Status=$?
        if [ $Status -ne 0 ]
        then
            ${DEBUG} "Error archiving:"
            ${DEBUG} "  ${STOREDIR}/${d}-${BACKUPDATE}.tar.bz2"
            ${DEBUG} "Status: $Status"
            exit 1
        else
            ${DEBUG} "Backup Status ${d}: ok"
        fi
    fi
done

# full backup of /etc
if [ ${BACKUP_ETC} = "yes" ]
then
    d=etc
    check_backup_file
    ${DEBUG} "creating full backup of /etc"
    Status=0
    ${CMD_TAR} ${TARARGS} ${STOREDIR}/etc-${BACKUPDATE}.tar.bz2 /etc >/dev/null 2>&1 || Status=$?
    if [ $Status -ne 0 ]
    then
        ${DEBUG} "Error archiving:"
        ${DEBUG} "  ${STOREDIR}/${d}-${BACKUPDATE}.tar.bz2"
        ${DEBUG} "Status: $Status"
        exit 1
    else
        ${DEBUG} "Backup Status /etc: ok"
    fi
fi

# Remove any files over $DAYS days old from backup dir, keep the $KEEP_DAY1 and $KEEP_DAY2 of the month.
# Note: the pattern "-01-" also matches the month field, so every backup made in January
# (and in month 15, which never occurs) survives as well. "xargs -r" (GNU) avoids running rm
# with no arguments when nothing has expired yet, which would otherwise abort "bash -e".
if [ ${KEEP_DAYS} = "yes" ]
then
    ${DEBUG} "Deleting any backup files over ${DAYS} days old, keeping date $KEEP_DAY1 and $KEEP_DAY2 of the month."
    ${CMD_FIND} ${STOREDIR} -name "*.bz2" -mtime +${DAYS} -type f -print | xargs -0 | ${CMD_GREP} -E -v "\-${KEEP_DAY1}\-|\-${KEEP_DAY2}\-" | xargs -r ${CMD_RM} >/dev/null 2>&1
fi
if [ ${KEEP_DAYS} = "no" ]
then
    ${DEBUG} "Deleting any backup files over ${DAYS} days old."
    ${CMD_FIND} ${STOREDIR} -name "*.bz2" -mtime +${DAYS} -exec ${CMD_RM} {} \; >/dev/null 2>&1
fi

exit 0
--------------------------------------------------------------------------------
/full-howto-Ubuntu18.04-samba-AD_DC.txt:
--------------------------------------------------------------------------------
#
# A small howto for Ubuntu 18.04/20.04
# updated 7-sept-2020
#
# This one is based on my Debian installs.
#
# As of 14 Nov 2018, you can use this with the new ubuntu 18.04 repo. ( info below in this file. )
# The ubuntu bionic for samba 4.9 repo contains all needed ubuntu packages.
# You can use the Debian Stretch samba 4.8 packages also on ubuntu 18.04 but you better use the 4.9+ repo for ubuntu.
# and yes, you can use the following also with the supplied packages of Ubuntu 18.04.

This should be a good base to start with as howto for Ubuntu 18.04 systemd based.

Any suggestions or additions, please add them; below is also the order in which I configured and installed the server.
Note, apparmor may have too many rights now but it works, someone with good apparmor knowledge please correct it.

The setup below is tested and works, I did not look at fire-walling.
Try it and tell us the result.
----------------------------------------------------------------------------
Installing Ubuntu for a Dedicated Active Directory Domain Controller server.
- boot from CD
- Choose the base language, and press F6, choose EXPERT.

-----Ubuntu Installer Menu ----
choose your language and keyboard
( go through the other options, keep the defaults )
load the pre-configuration

configure the network.
- Auto-configure networking (NO)
  and enter your ip.
  IP 192.168.0.10/24 ( choose your own ip )
  GW 192.168.0.1 ( choose your own gateway )
  NS 8.8.8.8 ( any internet ip for DNS )

( my test hostname/domain )
set the hostname, ( ubuntu1804 )
set the domainname, ( internal.example.com )

Set up users and passwords.
The first two questions, the defaults are ok.

The user, full name, what you want but NO username Administrator.
I prefer nixadmin
( this is a user for maintaining the system. )

encrypt homedir, No.
configure clock.
set the clock using NTP. (yes)
You can keep the defaults ( for now )

Configure the disk.
what you want, an AD-DC only server, 10G is more than sufficient. ( for me )
My current Debian 9 shows :
Size  Used Avail Use% Mounted on
6.0G  1.8G  3.9G  31% /

This ubuntu setup used ( finished )
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       7.3G  1.8G  5.2G  26% /

So about the same.

WARNING
The "use entire disk" option does not include the swap partition.
with a 10Gb partition I set 2GB swap, the rest is for the system.
(tip, separating the log partition helps in less defragmentation )

--- Install the system
initrd, DON'T select targeted, choose generic.
- package manager, use a mirror yes.

- Don't select back-ported software.
- Don't select partner repository, only if you need to.
- Don't select sources, it's not needed.
Keep other defaults.

- Select and install software.
I prefer Install security updates automatically, but you might not.

Now, an important part,
Choose software to install.
Select ONLY OpenSSH server.

- install grub.
(keep the defaults)
Note, sometimes ubuntu detects your disk wrong if you install from usb.
use ALT-F2 to go to a console, type df and check what your disk is.
/dev/sda or /dev/xvda something like that. ( look for the /target disk )
ALT-F1 go back to the installer.
Finish the install

Login.

first check if your ip is up.
type: ip a
and what is your "interface name", for me it's eth0.
All below is based on eth0 so change this !!

Now, you might find out that your network isn't working.
Let's configure a systemd static ip.

AGAIN: Please don't forget to change the ip and interface-name below!!

cat << EOF >> /etc/systemd/network/50-static.network
# /etc/systemd/network/50-static.network
[Match]
Name=eth0

[Network]
Address=192.168.0.10/24
Gateway=192.168.0.1
EOF
systemctl enable systemd-networkd
systemctl start systemd-networkd
systemctl status systemd-networkd


Edit the systemd resolver.

nano /etc/systemd/resolved.conf
configure DNS and FallbackDNS ( for now, 8.8.8.8 and 8.8.4.4 google dns. )
NOTE set DNSSEC=no also because google does not support DNSSEC.
save, exit.

systemctl daemon-reload
systemctl restart systemd-resolved

And check if it works
nslookup www.google.com

Add my (Debian) repo
There is now an ubuntu repo for 4.9.x (bionic-samba49) / 4.10.x (bionic-samba410) / 4.11.x (bionic-samba411)

for the 4.11.x
echo "deb http://apt.van-belle.nl/debian bionic-samba411 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
apt update -y

Or for the 4.8.x, use the debian stretch repo, but I suggest, move up to 4.9, 4.10 or 4.11.
echo "deb http://apt.van-belle.nl/debian stretch-samba48 main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list
wget -O - http://apt.van-belle.nl/louis-van-belle.gpg-key.asc | apt-key add -
apt update -y

And have a look.
apt-cache policy samba


-- Some Cleanup I did first. ( optional, but the less on the server the better imo )
First, get rid of the "howto make your system slower..." command-not-found packages
but wait a bit because you might miss some packages...
( remove if you don't use these. )
apt remove --purge lxd-client
apt remove --purge lxd lxd-client
apt remove --purge lxcfs
apt remove --purge command-not-found command-not-found-data python3-commandnotfound
apt remove --purge snapd
apt remove --purge laptop-detect
So, now this Ubuntu server performs almost as a Debian server. ;-)

Optional, as I don't use LVM. ( I snapshot my virtuals )
apt remove --purge lvm2 liblvm2app2.2 liblvm2cmd2.02 dmeventd

Optional, I don't like the check every login for security/load etc.
It just slows down the server imo.

Optional, remove cpu info at login.
rm /etc/update-motd.d/50-landscape-sysinfo
run the command : landscape-sysinfo to get the info or remove it:
apt remove --purge landscape-sysinfo

Optional, disable the annoying motd messages.
sudo systemctl disable motd
sudo systemctl mask motd
sudo chmod -R 0644 /etc/update-motd.d/
if you want you can enable some, just add the Execute bit (755) back on a file.

#Optional(2) if you don't want any of the above.
#apt remove --purge update-notifier-common
My advice is just chmod it.

Results in a server with internet access and ssh.

--------------------------------------------------

Login with ssh, and prepare for the real work for samba.


Preparing for samba.
# the AD DC, with ntp and bind, one liner :
apt install samba winbind libnss-winbind libpam-winbind ntp bind9 binutils ldb-tools krb5-user
# Note, I use the defaults for krb5-user ( Kerberos configuration )

#The separated parts.
#apt install samba winbind krb5-user
#(optional, but most often used so install it. )
#apt install libnss-winbind libpam-winbind

for the time sync in samba we need ntp or chrony.
#Prepare time ( I prefer ntp.)
#apt install ntp
#Prepare DNS ( I prefer bind9 )
#apt install bind9

# and add some tools you might need.
#apt install binutils ldb-tools smbclient
#apt install libpam-krb5


systemctl disable nmbd smbd winbind
systemctl stop nmbd smbd winbind
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc

---------------------
Setup NTP
cp /etc/ntp.conf{,.backup}
install -d /var/lib/samba/ntp_signd -m 750 -o root -g ntp

cat << EOF >> /etc/ntp.conf
#
###### Needed for Samba 4 ######
# extra info, in the restrict -4 or -6 added mssntp.
# Location of the samba ntp_signd directory
ntpsigndsocket /var/lib/samba/ntp_signd
#
EOF

# add the mssntp part.
sed -i 's/restrict -4 default kod notrap nomodify nopeer noquery limited/restrict -4 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf
sed -i 's/restrict -6 default kod notrap nomodify nopeer noquery limited/restrict -6 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf

systemctl restart ntp
systemctl status ntp
run : ntpq -p
and check the output, if ok, ntp is up now and syncing.

---------------------
Setup kerberos.
Backup the original version
cp /etc/krb5.conf{,.backup}
cat /etc/krb5.conf | head -n2 > /etc/krb5.conf.new

echo "
; Note, this is added because other software may need it.
; personally I would remove : des-cbc-crc des-cbc-md5 but for compatibility I leave it in.
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
" >> /etc/krb5.conf.new
rm /etc/krb5.conf
mv /etc/krb5.conf.new /etc/krb5.conf


---------------------
# Setup Samba
Prepare for provisioning.
rm /var/lib/samba/*.tdb
rm /var/cache/samba/*.tdb
rm /var/cache/samba/browse.dat

mv /etc/samba/smb.conf /etc/samba/smb.conf.orig

samba-tool domain provision --use-rfc2307 --realm=INTERNAL.EXAMPLE.COM --domain=INTERNAL --dns-backend=BIND9_DLZ
Admin password: uP9B=H?H#%Mg@R6[H
Server Role: active directory domain controller
Hostname: ubuntu1804
NetBIOS Domain: INTERNAL
DNS Domain: internal.example.com
DOMAIN SID: S-1-5-21-851884449-3694958272-1707027855

# Setup BIND
cp -r /etc/bind{,.backup}
# enable the forwarders.
276 | sed -i 's[// forwarders[forwarders[g' /etc/bind/named.conf.options 277 | sed -i "s[// \t0.0.0.0;[ 8.8.8.8; 8.8.4.4;[g" /etc/bind/named.conf.options # Google's public resolvers; use your ISP's or your internal resolvers if policy requires. 278 | sed -i "s[// };[};[g" /etc/bind/named.conf.options 279 | # NOTE, use ONE of the next two blocks. If your Samba is 4.8 or lower, use : 280 | sed -i "/listen-on-v6/a \ tkey-gssapi-keytab \"/var/lib/samba/private/dns.keytab\";" /etc/bind/named.conf.options 281 | sed -i "/tkey-gssapi-keytab/i \ // DNS dynamic updates via Kerberos \"/var/lib/samba/private/dns.keytab\";" /etc/bind/named.conf.options 282 | echo "// adding the Samba dlopen ( Bind DLZ ) module 283 | include \"/var/lib/samba/private/named.conf\";" >> /etc/bind/named.conf.local 284 | # Now open this file : /var/lib/samba/private/named.conf and verify that the line for your installed BIND version is the one enabled. 285 | 286 | 287 | # Samba 4.9 and up use : 288 | sed -i "/listen-on-v6/a \ tkey-gssapi-keytab \"/var/lib/samba/bind-dns/dns.keytab\";" /etc/bind/named.conf.options 289 | sed -i "/tkey-gssapi-keytab/i \ // DNS dynamic updates via Kerberos \"/var/lib/samba/bind-dns/dns.keytab\";" /etc/bind/named.conf.options 290 | echo "// adding the Samba dlopen ( Bind DLZ ) module 291 | include \"/var/lib/samba/bind-dns/named.conf\";" >> /etc/bind/named.conf.local 292 | # Now open this file : /var/lib/samba/bind-dns/named.conf and verify that the line for your installed BIND version is the one enabled. 293 | 294 | sed -i "/listen-on-v6/a \ notify no;" /etc/bind/named.conf.options 295 | sed -i "/notify no/a empty-zones-enable no;" /etc/bind/named.conf.options 296 | 297 | # Please note, auth-nxdomain yes is also needed for the newer samba-tool domain backup online. This sed only rewrites an existing "auth-nxdomain no" line; if your named.conf.options has no such line, add "auth-nxdomain yes;" inside the options block yourself. 298 | sed -i "s/auth-nxdomain no/auth-nxdomain yes/g" /etc/bind/named.conf.options 299 | 300 | 301 | That completes the BIND configuration. The AppArmor additions below might need more optimizing, but they work.
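An added example, not part of this howto or of the Samba project: the sed lines above append their directive every time they are run, and the auth-nxdomain substitution is silently skipped when the stock named.conf.options has no such line. The helper below sets a directive inside the options block idempotently, rewriting an existing uncommented directive in place or inserting it right after "options {", so the whole block can be re-run after an upgrade. It uses the values this howto sets for Samba 4.9 and up (the bind-dns keytab path, the 8.8.8.8/8.8.4.4 forwarders); the stand-in for Ubuntu's stock file inside it is constructed so the script can be tested offline.

```shell
#!/bin/sh
# Added example, not from the original howto: idempotent edits to
# named.conf.options. set_named_option rewrites an existing uncommented
# directive in place, or inserts it right after the "options {" line, so the
# same command can run again without duplicating anything.
# Paths and values below are the ones the howto uses for Samba 4.9 and up;
# the sample file is constructed here so the script runs offline.

# Usage: set_named_option FILE NAME VALUE   (VALUE without the trailing ';')
set_named_option() {
    file="$1"; name="$2"; value="$3"
    tmp="$(mktemp)" || return 1
    if grep -Eq "^[[:space:]]*${name}[[:space:]]" "$file"; then
        # An uncommented directive exists: rewrite it, keeping its indentation.
        awk -v name="$name" -v value="$value" '
            $0 ~ ("^[ \t]*" name "[ \t]") {
                match($0, /^[ \t]*/)
                print substr($0, 1, RLENGTH) name " " value ";"
                next
            }
            { print }' "$file" > "$tmp"
    else
        # Not set yet (a "// name" comment does not count): insert after "options {".
        awk -v name="$name" -v value="$value" '
            { print }
            !done && /^options[ \t]*\{/ { print "\t" name " " value ";"; done = 1 }
        ' "$file" > "$tmp"
    fi
    cat "$tmp" > "$file"   # cat, not mv: keeps owner and mode of the original file
    rm -f "$tmp"
}

# Usage: get_named_option FILE NAME  -> prints the value without ';', nothing if unset
get_named_option() {
    awk -v name="$2" '
        $0 ~ ("^[ \t]*" name "[ \t]") {
            sub("^[ \t]*" name "[ \t]+", "")
            sub(";[ \t]*$", "")
            print
            exit
        }' "$1"
}

# The directives this howto adds for a Samba 4.9+ BIND9_DLZ DC, in one go.
# Usage: apply_samba_named_options FILE
apply_samba_named_options() {
    set_named_option "$1" tkey-gssapi-keytab '"/var/lib/samba/bind-dns/dns.keytab"'
    set_named_option "$1" forwarders '{ 8.8.8.8; 8.8.4.4; }'
    set_named_option "$1" notify no
    set_named_option "$1" empty-zones-enable no
    set_named_option "$1" auth-nxdomain yes
}

# Constructed stand-in for Ubuntu's stock /etc/bind/named.conf.options.
# Usage: make_sample_named_options  -> prints the path of a temp file
make_sample_named_options() {
    f="$(mktemp)" || return 1
    cat > "$f" <<'EOF'
options {
        directory "/var/cache/bind";

        // forwarders {
        //      0.0.0.0;
        // };

        dnssec-validation auto;

        listen-on-v6 { any; };
};
EOF
    echo "$f"
}

# "demo" argument: apply twice to the sample and show that nothing is duplicated.
if [ "$1" = "demo" ]; then
    sample="$(make_sample_named_options)"
    apply_samba_named_options "$sample"
    apply_samba_named_options "$sample"
    cat "$sample"
    rm -f "$sample"
fi
```

Run it with the argument demo to see the sample file after two applications. The real-world call is apply_samba_named_options /etc/bind/named.conf.options, after which named-checkconf should pass before BIND is restarted.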
302 | echo "# Samba4 DLZ and Active Directory Zones (default source installation) 303 | # bind support before samba 4.9 304 | /var/lib/samba/private/dns/** rwmk, 305 | /var/lib/samba/private/dns.keytab r, 306 | /var/lib/samba/private/named.conf r, 307 | /var/lib/samba/private/dns/** rwk, 308 | # bind support after samba 4.9 309 | /var/lib/samba/bind-dns/** rwmk, 310 | /var/lib/samba/bind-dns/dns.keytab r, 311 | /var/lib/samba/bind-dns/named.conf r, 312 | /var/lib/samba/bind-dns/dns/** rwk, 313 | # Regular samba. 314 | /var/lib/samba/lib/** rm, 315 | /usr/lib/**/samba/bind9/** rmk, 316 | /usr/lib/**/samba/gensec/* rmk, 317 | /usr/lib/**/samba/ldb/** rmk, 318 | /usr/lib/**/ldb/modules/ldb/** rmk, 319 | /var/tmp/** rwmk," >> /etc/apparmor.d/local/usr.sbin.named 320 | 321 | # add the ntp part to apparmor 322 | echo "# To sign replies to MS-SNTP clients by the NTP daemon in /var/lib/samba 323 | /var/lib/samba/ntp_signd/socket rw, 324 | " >> /etc/apparmor.d/local/usr.sbin.ntpd 325 | 326 | --------------------- 327 | Correct the resolving. 328 | 329 | Now we link the LAN interface to the systemd resolver. 330 | ! Please note, you might need to change eth0.network (and Name=eth0) to your interface name, and internal.example.com to your own DNS domain. 331 | echo " 332 | [Match] 333 | Name=eth0 334 | 335 | [Network] 336 | DNS=192.168.0.10 337 | DNSSECNegativeTrustAnchors=internal.example.com 338 | Domains=internal.example.com" >> /etc/systemd/network/eth0.network 339 | 340 | and we change systemd-resolved to point at the IP ( NOT localhost ) of the server. 341 | Now change the systemd-resolved DNS. 342 | sed -i "s/^#\?DNS=.*/DNS=$(hostname -i)/" /etc/systemd/resolved.conf 343 | # Note, DNS=$(hostname -i) is the IP of the server, NOT 127.0.0.1. The stock resolved.conf ships this line commented out (#DNS=), so the sed uncomments or replaces it. Check first that hostname -i really returns the LAN IP and not 127.0.1.1 from /etc/hosts. 344 | 345 | Now I don't like warnings or errors in my logs. 346 | And we now might see: 347 | /lib/systemd/system-generators/netplan failed with exit status 1. 348 | The fix is: editor /etc/netplan/01-netcfg.yaml 349 | The last addresses: needs a server address.
350 | 351 | cat /etc/netplan/01-netcfg.yaml 352 | # This file describes the network interfaces available on your system 353 | # For more information, see netplan(5). 354 | network: 355 | version: 2 356 | renderer: networkd 357 | ethernets: 358 | eth0: 359 | addresses: [ 192.168.0.10/24 ] 360 | gateway4: 192.168.0.1 361 | nameservers: 362 | search: [ internal.example.com ] 363 | addresses: 364 | 365 | The corrected version is : 366 | cat /etc/netplan/01-netcfg.yaml 367 | # This file describes the network interfaces available on your system 368 | # For more information, see netplan(5). 369 | network: 370 | version: 2 371 | renderer: networkd 372 | ethernets: 373 | eth0: 374 | addresses: [ 192.168.0.10/24 ] 375 | gateway4: 192.168.0.1 376 | nameservers: 377 | search: [ internal.example.com ] <<<< your primary DNS domain. ( hostname -d ) 378 | addresses: [ 192.168.0.10 ] <<<< IP OF THE AD-DC. 379 | 380 | When this is set, run the following. 381 | netplan --debug generate 382 | 383 | # and we reload some services. 384 | systemctl daemon-reload 385 | systemctl reload apparmor 386 | systemctl restart systemd-networkd 387 | systemctl restart systemd-resolved 388 | systemctl restart bind9 389 | systemctl restart ntp 390 | Now check your logs, and if ok clear them. 391 | 392 | And reboot. 393 | Now check your logs again. 394 | 395 | Now go testing. ;-) 396 | 397 | -------------------------------------------------------------------------------- /function-samba-winbind.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Verified with Debian Buster's shellcheck 0.5.0-3 4 | 5 | # Version: function-samba-winbind=0.02 6 | 7 | # This script is for checking and setting up winbind for Samba. 8 | # It can be used on Domain Members and AD Domain Controllers.
9 | # 10 | # Copyright (C) Louis van Belle 2020 11 | # 12 | # This program is free software; you can redistribute it and/or modify 13 | # it under the terms of the GNU General Public License as published by 14 | # the Free Software Foundation; either version 3 of the License, or 15 | # (at your option) any later version. 16 | # 17 | # This program is distributed in the hope that it will be useful, 18 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 19 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 20 | # GNU General Public License for more details. 21 | # 22 | # You should have received a copy of the GNU General Public License 23 | # along with this program. If not, see <https://www.gnu.org/licenses/>. 24 | 25 | # True only when the package is really installed. dpkg-query -l also prints lines for removed or unknown packages, so testing its output for non-emptiness is not enough. 26 | pkg_installed() { dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q '^install ok installed$'; } 27 | if pkg_installed libpam-winbind 28 | then 29 | echo "libpam-winbind already installed" 30 | else 31 | echo "installing libpam-winbind" 32 | apt-get install -y libpam-winbind 33 | fi 34 | if pkg_installed libnss-winbind 35 | then 36 | echo "libnss-winbind already installed" 37 | else 38 | echo "installing libnss-winbind" 39 | apt-get install -y libnss-winbind 40 | fi 41 | 42 | # Append winbind to the passwd: or group: line whatever its current value (Buster ships "files systemd" padded with several spaces, so a fixed-string match is fragile), and only if it is not there yet. 43 | add_winbind() { sed -i "/^$1:/{/winbind/!s/\$/ winbind/;}" /etc/nsswitch.conf; } 44 | 45 | if [ "$(grep -ic winbind /etc/nsswitch.conf)" -eq 2 ] 46 | then 47 | echo "nsswitch.conf was already adjusted" 48 | elif [ "$(grep -c winbind /etc/nsswitch.conf)" -eq 1 ] 49 | then 50 | FOUND_VALUE="$(grep winbind /etc/nsswitch.conf |cut -d: -f1)" 51 | echo "Warning: detected only 1 adjusted line with winbind in it, line: ${FOUND_VALUE}" 52 | if [ "${FOUND_VALUE}" = "passwd" ] 53 | then 54 | add_winbind group 55 | elif [ "${FOUND_VALUE}" = "group" ] 56 | then 57 | add_winbind passwd 58 | fi 59 | elif [ "$(grep -c winbind /etc/nsswitch.conf)" -eq 0 ] 60 | then 61 | echo "Adjusting nsswitch.conf" 62 | add_winbind passwd 63 | add_winbind group 64 | else 65 | echo "Error, we don't know what went wrong here. More than 2 winbind lines maybe?" 66 | echo "Case-insensitive check on winbind detected: $(grep -i winbind /etc/nsswitch.conf )" 67 | echo "Please check /etc/nsswitch.conf" 68 | fi 69 | -------------------------------------------------------------------------------- /get-samba-sources.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # A simple script that pulls the sources of my or your OS original repo. 4 | # The highest versions are always pulled. 5 | # feel free to share this, abuse it, but be nice, name me in your versions.. 6 | 7 | echo -n "For which OS are we building? (debian/ubuntu/raspbian/all)(default:debian) : " 8 | read -r OsBuildVer 9 | OsBuildVer="${OsBuildVer:-debian}" 10 | 11 | echo -n "For which OS Distro are we building? (buster/stretch/jessie/bionic)(default:buster): " 12 | read -r OsDistBuildVer 13 | OsDistBuildVer="${OsDistBuildVer:-buster}" 14 | 15 | echo -n "For which package are we building? example samba squid (default samba) : " 16 | read -r BLD_PKGIN 17 | BLD_PKG="${BLD_PKGIN:-samba}" 18 | 19 | echo -n "For which version of that package ${BLD_PKG} are we building? example 411 410 49 48 (default 411): " 20 | read -r BLD_VER 21 | PackageBuildingFor="${BLD_PKG}${BLD_VER:-411}" 22 | 23 | # add the remote van-belle repo also to the host to allow you to get the correct sources if needed.
24 | echo "deb http://apt.van-belle.nl/debian ${OsDistBuildVer}-${PackageBuildingFor} main contrib non-free" | sudo tee /etc/apt/sources.list.d/van-belle.list 25 | echo "deb-src http://apt.van-belle.nl/debian ${OsDistBuildVer}-${PackageBuildingFor} main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list # apt verifies the Release signature of this repo against its trusted keyring; the signing key is not added by this script, so it must already be installed 26 | echo "running apt update, please wait" 27 | sudo apt-get -qq update 28 | echo "----------------------------" 29 | echo 30 | echo -n "Do we need more sources, for example this is for a new samba version in a new os/distro? (defaults to no)(yes/no): " 31 | read -r NewBuilds 32 | NewBuilds="${NewBuilds:-no}" 33 | if [ "${NewBuilds}" = "yes" ] 34 | then 35 | echo -n "Which extra repo do you want to add (debian/ubuntu/raspbian/all)(default:debian) : " 36 | read -r OsBuildVerExtra 37 | OsBuildVerExtra="${OsBuildVerExtra:-debian}" 38 | 39 | echo -n "Which extra Distro ? (buster/stretch/jessie/bionic)(default:buster): " 40 | read -r OsDistBuildVerExtra 41 | OsDistBuildVerExtra="${OsDistBuildVerExtra:-buster}" 42 | 43 | echo -n "Which samba version do you need the old sources from ? example 411 410 49 48 experimental: " 44 | read -r BLD_VEREX 45 | if [ "${BLD_VEREX}" = experimental ] 46 | then 47 | PackageBuildingForExtra="${BLD_VEREX}" 48 | else 49 | PackageBuildingForExtra="${BLD_PKG}${BLD_VEREX}" # the version asked for here, not BLD_VER from the first question 50 | fi 51 | echo "Please wait adding extra repo and running apt update" 52 | echo "deb http://apt.van-belle.nl/debian ${OsDistBuildVerExtra}-${PackageBuildingForExtra} main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list 53 | echo "deb-src http://apt.van-belle.nl/debian ${OsDistBuildVerExtra}-${PackageBuildingForExtra} main contrib non-free" | sudo tee -a /etc/apt/sources.list.d/van-belle.list 54 | sudo apt-get -qq update 55 | fi 56 | 57 | # one numbered folder per source package; the package name is the folder name without its NN- prefix. 58 | SRC_DIRS="01-talloc 02-tevent 03-tdb 04-cmocka 05-ldb 06-nss-wrapper 07-resolv-wrapper 08-uid-wrapper 09-socket-wrapper 10-pam-wrapper 11-samba" 59 | for d in ${SRC_DIRS} 60 | do 61 | mkdir -p "$d" 62 | ( cd "$d" && apt-get source "${d#*-}" ) 63 | done 64 | 65 | echo "Sources are ready to rebuild, start with 01.. " 66 | echo "Verify the minimal versions, you might be able to skip some rebuilds, please wait, getting info." 67 | echo 68 | echo 69 | 70 | # step into the newest directory in 11-samba: the unpacked samba source. 71 | cd 11-samba && cd "$(ls -td -- */ | head -n1)" 72 | grep ^VERSION lib/{talloc,tdb,tevent,ldb}/wscript 73 | grep minversion buildtools/wafsamba/samba_third_party.py | awk -F"(" '{ print $2 }' 74 | echo 75 | echo 76 | cd .. 77 | -------------------------------------------------------------------------------- /howtos/Buster-member-base.txt: -------------------------------------------------------------------------------- 1 | Part 1.0 The basic Debian Buster Install. 2 | 3 | Pre-work and things to consider. 4 | 5 | First, read this: there are rules to obey when you set up a server, and this is the small checklist I follow. 6 | 7 | The checklist for your host name, domain name and IP address. 8 | This is the most important part you should think about. 9 | 10 | You need to have this info before you install, because we don't want to change too much after the server base is installed.
11 | 12 | There are rules to follow to make sure your servers work as they should. 13 | These are covered by the internet standards, the Request For Comments (RFC) documents. 14 | For example, these two RFCs cover the "example" names used in these setups: 15 | https://tools.ietf.org/html/rfc2606 16 | https://tools.ietf.org/html/rfc6761 17 | 18 | Domain name choices for these examples/howtos. 19 | – StandAlone: Home use: private.example 20 | – StandAlone/Internet/business use : example.tld 21 | – Office domain name office.example.tld 22 | 23 | ! Don't use .local or .lan: .local is reserved for multicast DNS (mDNS, used by Apple's Bonjour and by Avahi) and .lan is not a delegated TLD at all. 24 | See: https://en.wikipedia.org/wiki/.local and https://tools.ietf.org/html/rfc6762. 25 | 26 | Other good articles with examples: 27 | https://social.technet.microsoft.com/wiki/contents/articles/34981.active-directory-best-practices-for-internal-domain-and-network-names.aspx. 28 | And a security consideration (leaking DNS info): https://www.us-cert.gov/ncas/alerts/TA16-144A 29 | 30 | And since most of my howtos will involve an Active Directory, this is a must read : 31 | https://support.microsoft.com/en-us/help/909264/naming-conventions-in-active-directory-for-computers-domains-sites-and 32 | And look at table 6.2 here: 33 | https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959336(v=technet.10) 34 | Example of "labels" as mentioned in table 6.2 35 | hostname(= label).office(= label).example(= label).tld(= label) 36 | 37 | When you combine these rules, we end up with something like this example: hostname.office.example.tld 38 | 39 | We want to set it up so it is compatible with any setup. 40 | – hostname: min 1, max 15 characters, a-z, A-Z, 0-9 and - (not as first or last character) 41 | – DNS domain name: the complete FQDN is at most 253 characters in text form, dots included, and every label at most 63 characters. 42 | 253 minus 15 for the hostname and 1 for the dot leaves 237 characters for the domain.tld part. 43 | 44 | !!
The FQDN for an Active Directory domain name is limited to 64 bytes, including the dots, 45 | an Active Directory server name example : s4dc01.office.example.tld 46 | 47 | A FQDN = Fully Qualified Domain Name = hostname.domain.tld, can also be : hostname.office.domain.tld. 48 | But can not be : hostname ( or any one-word domain). 49 | 50 | For any office use, or when your server is reachable from the internet (web server, mail server, VPN server), I really recommend buying a domain name and using it. 51 | For about 1-2 dollars a month you're set. 52 | 53 | Or use https://wiki.debian.org/FreedomBox/Manual/DynamicDNS, a free DDNS service; there are more of these. 54 | 55 | 56 | 57 | - The Debian Buster Install Basics. 58 | - Advanced Options 59 | - Expert install 60 | - Language 61 | - Language : English - English 62 | - Country, territory or area: other -> Europe -> Netherlands 63 | - Country to base default locale settings on: United States - en_US.UTF-8 64 | - Additional locales: ( not really needed, it is easy to add later on when needed. ) 65 | 66 | - Accessibility software for blind persons.. skip 67 | 68 | - Configure keyboard 69 | - American/English 70 | 71 | - Detect and mount CDROM 72 | - usb-storage, ( keep default ) 73 | 74 | - Load installer components from CDROM 75 | - ( I switch to ssh later on, so I enable network-console ) 76 | 77 | - Detect network hardware 78 | 79 | - Configure the network 80 | - Auto-configure networking 81 | ! Yes, you can install with automatic, but then you need to correct it afterwards and move to a static IP. 82 | NOTE1 After install and reboot we will use the setup-systemd-networkd.sh 83 | to generate the IPv4 compliant files for systemd-networkd 84 | This setup does not include/support IPv6. (yet) 85 | 86 | Check the info, and if ok, hit enter.
87 | 88 | - Configure the Hostname 89 | - Hostname : server1ad 90 | - Domainname: internal.example.com 91 | NO .local, NO .lan 92 | ( results in server1ad.internal.example.com as FQDN ) 93 | - Continue installation remotely using SSH. 94 | type your pass. ( user name is: installer ) 95 | ( login with ssh, and choose : Start installer (expert mode) ) 96 | 97 | - Set up users and passwords 98 | - Enable shadow passwords? Yes 99 | - Allow login as root? No ( i say No No No... NO ...... NO ) 100 | - Fullname new user: (What you want.) Linux Admin 101 | - Username for your account: linuxadmin 102 | - Password for the new user: (default) 103 | - Configure the clock 104 | - Set the clock using NTP? Yes 105 | # For AD DCs you set an external, stable NTP server. 106 | # For a member you set the IP numbers of the DC(s). 107 | - NTP server to use: ( choose a stratum 1 server, ntp1.nl.net ) 108 | - Timezone : Europe/Amsterdam ( if you don't see your country/region go back to language, and set that correctly. ) 109 | - Detect disks 110 | - Partition disks 111 | Manual (started, choose Guided - use entire disk. ) 112 | Select disk, Create Empty (msdos) table 113 | Select partition, Create new partition... (Stop and think.)
114 | Now, here is the minimum I advise: 115 | / ( a Samba AD DC needs only 1.5GB for the complete OS install; set it to 8GB as a minimum ) 116 | /var/log ( if a log runs away it can fill up your partition and damage a Samba database; 1GB-2GB or more is ok ) 117 | ( this example shows 6GB for / and 1GB /var/log) 118 | New ( 6GB, Primary, beginning ) 119 | Use as : ext4 120 | mount point : / 121 | Mount option : (SSD, select discard) ( other keep default ) 122 | Label : OS_/ 123 | Reserved blocks : 5% 124 | Typical usage : standard ( partitions with only large files ( iso/mkv/mov ) choose largefile4 ( advised for 500MB+ files ) 125 | Bootable flag : on 126 | Done setting up the partition 127 | 128 | New ( 1GB, Logical, beginning ) 129 | Use as : ext4 130 | mount point : (Enter Manually) /var/log 131 | Mount option : (SSD, select discard) ( other optional, noatime ) 132 | Label : OS_/var/log 133 | Reserved blocks : 5% 134 | Typical usage : standard ( partitions with only large files ( iso/mkv/mov ) choose largefile4 ( advised with lots of 500MB+ files ) 135 | Bootable flag : off 136 | Done setting up the partition 137 | 138 | New ( 1,6GB, Logical, beginning ) 139 | Use as: swap area 140 | Done setting up the partition 141 | 142 | New ( XXXX GB, Logical, beginning ) ! a dedicated partition for all our Samba data 143 | Use as : ext4 144 | mount point : (Enter Manually) /srv/samba 145 | Mount option : (SSD, select discard) ( other optional, noatime ) 146 | Label : SRV_/SambaData 147 | Reserved blocks : 5% 148 | Typical usage : standard ( partitions with only large files ( iso/mkv/mov ) choose largefile4 ( advised for 500MB+ files ) 149 | Bootable flag : off 150 | Done setting up the partition 151 | 152 | Finish partitioning and write changes to disk ..
153 | 154 | - Install the base system 155 | Kernel to install: 156 | linux-image-VERSIONNR-amd64 157 | linux-image-amd64 158 | 159 | If you choose linux-image-amd64, you keep following the latest stable kernel ( or from backports if enabled ), including security updates that bump the kernel ABI. 160 | 161 | Drivers to include in the initrd: 162 | Now, generic is the best option. 163 | If you know you are never going to move the server to other hardware, then targeted is an option. 164 | I did choose targeted since it is a VM I use, and it saves me some time. 165 | Safest option is "Generic" ! 166 | 167 | - Configure the package manager 168 | Scan another CD or DVD? No 169 | Use a network mirror? Yes 170 | Protocol for file downloads: http ( https is better, but easy to add later on. ) 171 | Debian archive mirror country: Netherlands ( choose your country here ) 172 | Debian archive mirror: deb.debian.org or ftp.nl.debian.org 173 | ( read : http://deb.debian.org for more info about this new host. ) 174 | HTTP proxy information (blank for none): 175 | Use non-free software? Yes ( you might need (linux) firmware packages) 176 | Enable source repositories in APT? No 177 | Services to use: [*] security updates (from security.debian.org) 178 | [*] release updates 179 | [ ] backported software 180 | I did not enable backported software; only enable it when it is really, really needed. 181 | 182 | - Select and install software 183 | Participate in the package usage survey? .. what the .. , why not.. it helps Debian. You choose. 184 | ( and : This choice can be later modified by running "dpkg-reconfigure popularity-contest".) 185 | 186 | - Software selection 187 | SSH server 188 | Standard system utilities 189 | 190 | All others turned off, yes, even if you want apache or a print server, first the basics. 191 | 192 | - Install the GRUB boot loader on a hard disk 193 | Install the GRUB boot loader to the master boot record? Yes 194 | Device for boot loader installation: ( for me /dev/xvda ) for you probably /dev/sda.
195 | Force GRUB installation to the EFI removable media path? No, ( I suggest you keep the default ) 196 | 197 | - Finish the installation 198 | Is the system clock set to UTC? ( for me Yes ) I suggest you keep the default. 199 | 200 | - Installation complete 201 | Great, Continue, and your server reboots. 202 | 203 | - Login, sudo su - and we are going to switch to systemd-networkd now. 204 | wget https://raw.githubusercontent.com/thctlo/debian-scripts/master/setup-systemd-networkd.sh 205 | bash setup-systemd-networkd.sh member # read the script before you run it 206 | 207 | ! Note again, it is not set up/supported for IPv6!! (yet). 208 | - Follow the instructions. 209 | editor lan-member-dev-eno1.network # change the IP to static, the script took over the DHCP IP. 210 | cp lan-member-dev-eno1.network /etc/systemd/network/ # copy the adjusted file to the folder systemd needs it in. 211 | mv /etc/network/interfaces{,.backup} # backup the old interfaces file 212 | 213 | # Re-add the lo to interfaces 214 | head -n9 /etc/network/interfaces.backup >> /etc/network/interfaces 215 | # daemon.log shows ifquery wants it, so we add it. 216 | 217 | systemctl daemon-reload 218 | mv /etc/resolv.conf{,.backup} && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf 219 | systemctl enable systemd-networkd 220 | systemctl restart systemd-networkd 221 | systemctl enable systemd-timesyncd 222 | systemctl restart systemd-timesyncd 223 | systemctl enable systemd-resolved 224 | systemctl restart systemd-resolved 225 | 226 | 227 | # If you need to change hostname and domainname, now is the time to do it. 228 | # I don't recommend doing it after you installed more software, and especially not after Samba. 229 | # If you need a different hostname I suggest you use a CNAME in the DNS. 230 | # Just make sure your DNS A and PTR records are correctly set. 231 | hostnamectl # verify hostname 232 | cat /etc/hosts # verify 233 | rgrep old-hostname /etc/* # verify..
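Before the hostname and domain are committed, here is an added check, not part of the original howto, that runs a planned FQDN through the naming rules from the beginning of this document: a 1 to 15 character hostname of letters, digits and hyphens (no leading or trailing hyphen, RFC 1123), at least two labels, no .local or .lan, and the 64-byte Active Directory domain limit the text quotes. The label limit of 63 and the 253-character limit for a textual FQDN come from RFC 1035 and are my additions. It is written as POSIX sh, so it also runs under dash.

```shell
#!/bin/sh
# Added example, not from the original howto: check a planned FQDN against the
# naming rules collected in Part 1.0, before the hostname is committed.
# Rules implemented (numbers as stated in the text, RFC limits added):
#  - hostname label: 1 to 15 characters, letters, digits and '-', not starting
#    or ending with '-' (RFC 1123 syntax; 15 is the NetBIOS/AD computer limit)
#  - at least two labels, a one-word name is not a FQDN; every label 1 to 63
#    characters (RFC 1035); whole name at most 253 characters in text form
#  - top-level label must not be local (mDNS, RFC 6762) or lan (not a TLD)
#  - the domain part, which becomes the AD domain name, at most 64 bytes
#    including dots, as the text states for Active Directory
# Usage: check_fqdn FQDN  -> prints one problem per line, exit status 0 when clean

check_fqdn() {
    fqdn="$1"
    rc=0

    # Empty input, leading/trailing dot or an empty label: reject outright.
    case "$fqdn" in
        ""|.*|*.|*..*)
            echo "malformed name: '$fqdn'"
            return 1 ;;
    esac

    if [ "${#fqdn}" -gt 253 ]; then
        echo "FQDN is ${#fqdn} characters, maximum is 253"
        rc=1
    fi

    # Split on dots; positional parameters are local to this function call.
    oldifs="$IFS"; IFS=.; set -- $fqdn; IFS="$oldifs"
    if [ "$#" -lt 2 ]; then
        echo "'$fqdn' is a single label, not a FQDN (need hostname.domain.tld)"
        return 1
    fi

    host="$1"
    domain="${fqdn#*.}"
    for tld in "$@"; do :; done        # leaves the last label in tld
    tld="$(printf '%s' "$tld" | tr 'A-Z' 'a-z')"

    if [ "${#host}" -gt 15 ]; then
        echo "hostname '$host' is ${#host} characters, maximum is 15"
        rc=1
    fi
    if ! printf '%s\n' "$host" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$'; then
        echo "hostname '$host' may only contain letters, digits and '-', and not start or end with '-'"
        rc=1
    fi

    for label in "$@"; do
        if [ "${#label}" -gt 63 ]; then
            echo "label '$label' is ${#label} characters, maximum is 63"
            rc=1
        fi
        if ! printf '%s\n' "$label" | grep -Eq '^[A-Za-z0-9-]+$'; then
            echo "label '$label' contains characters other than letters, digits and '-'"
            rc=1
        fi
    done

    case "$tld" in
        local|lan)
            echo "top-level label '.$tld' is not allowed: .local is multicast DNS, .lan is not a TLD"
            rc=1 ;;
    esac

    if [ "${#domain}" -gt 64 ]; then
        echo "domain part '$domain' is ${#domain} bytes, Active Directory allows 64 including dots"
        rc=1
    fi

    return "$rc"
}

# Run directly with candidate names on the command line: report each one.
for name in "$@"; do
    if check_fqdn "$name"; then echo "OK: $name"; fi
done
```

Pass the candidate names as arguments: a line "OK: name" means the name passes; otherwise each problem is printed and the exit status of check_fqdn is 1.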
234 | 235 | # Setting a new hostname ( without domain ) 236 | hostnamectl set-hostname new-hostname 237 | sed -i 's/old-hostname/new-hostname/g' /etc/hosts 238 | 239 | # correct the IP if needed, if you installed with a DHCP IP. 240 | sed -i 's/127.0.1.1/new-IP/g' /etc/hosts 241 | 242 | # verify the IP in systemd-networkd 243 | cat /etc/systemd/network/lan-member-dev-eno1.network !! NOTE, eno1 is my interface, you might have a different one. 244 | editor /etc/systemd/network/lan-member-dev-eno1.network 245 | 246 | systemctl daemon-reload 247 | 248 | Clear all logs in /var/log ( a dirty but effective quick clear.. ) 249 | # truncate in place, with an absolute path so it cannot hit the wrong directory: 250 | find /var/log -type f -exec truncate -s 0 {} + 251 | !!! Watch out with that: run against the wrong path and you can start over. 252 | 253 | 254 | reboot 255 | 256 | Login and verify all logs, we don't want to see any errors.. 257 | Clear the logs after you verified them. 258 | 259 | -------------------------------------------------------------------------------- /howtos/README.MD: -------------------------------------------------------------------------------- 1 | This folder holds a collection of samba howtos. 2 | ---------------------------------------------- 3 | 4 | These are tested on Debian Stretch, but should work on Jessie too. 5 | The howto collection will be extended with the following things. 6 | 1. Base server install. 7 | 2. Samba AD DC. 8 | 3. Samba Member ( File server ) 9 | 4. Samba Member ( Cups Point and print Print server) 10 | 5. Samba Member ( Proxy server ) 11 | ( Work in progress are points 3. 4. 5. ) 12 | 13 | The files and setup order: 14 | 15 | * *stretch-base-1.0.txt* : Setup a minimal Debian server, with only ssh as base. 16 | I use this one for every server setup. 17 | * *stretch-base-1.1-checkup.txt* : Check your server before continuing. 18 | A must to make sure everything is set ok, before other programs are installed. 19 | * *stretch-base-2.0-samba-minimal-ad.txt* : Install Samba + Bind9_DLZ + ntp, a minimal setup.
20 | You should be able to copy-paste where needed while you read this file; 21 | don't forget to change your REALM, DNSDOMAIN and NTDOM. 22 | * *stretch-base-2.1-samba-minimal-ad-checks.txt* : a few minimal checks for the AD DC setup. 23 | * *stretch-base-3.1-samba-member-debian-install.txt* : This is basically a copy of the stretch-base-1.0.txt. 24 | Except, this one uses the first installed Samba AD DC server as primary NTP and DNS server. 25 | * *stretch-base-3.2-samba-member-debian-install-checkes.txt* : TODO 26 | * *stretch-base-3.3-samba-member-fileserver-rights-example.txt* : This is a start at explaining some of the rights. 27 | -------------------------------------------------------------------------------- /howtos/stretch-base-1.0.txt: -------------------------------------------------------------------------------- 1 | 2 | Part 1.0 The basic Debian Stretch Install. 3 | 4 | Debian Stretch Install Basics. 5 | - Advanced Options 6 | - Expert install 7 | - Language 8 | - Language : English - English 9 | - Country, territory or area: other -> Europe -> Netherlands 10 | - Country to base default locale settings on: United States - en_US.UTF-8 11 | - Additional locales: ( not really needed, it is easy to add later on when needed. ) 12 | 13 | - Accessibility software for blind persons.. skip 14 | 15 | - Configure keyboard 16 | - American/English 17 | 18 | - Detect and mount CDROM 19 | - usb-storage, ( keep default ) 20 | 21 | - Load installer components from CDROM 22 | - ( I switch to ssh later on, so I enable network-console ) 23 | 24 | - Detect network hardware 25 | 26 | - Configure the network 27 | - Auto-configure networking 28 | ! Yes, you can install with automatic, but then you need to correct other 29 | settings in the system, so choose No and set up a static IP number.
30 | server : 192.168.249.30/24 = 192.168.249.30/255.255.255.0 31 | Gateway : 192.168.249.1 32 | Nameserver: 8.8.8.8 8.8.4.4 33 | (the other AD DC DNS Nameservers: 192.168.249.212 192.168.249.211) 34 | Since this is a test server and it gets its own DNS, set internet DNS IP numbers for now. 35 | 36 | Check the info, and if ok, hit enter. 37 | 38 | - Configure the Hostname 39 | - Hostname : server1ad 40 | - Domainname: internal.example.com 41 | NO .local, NO .lan 42 | ( results in server1ad.internal.example.com as FQDN ) 43 | - Continue installation remotely using SSH. 44 | type your pass. ( user name is: installer ) 45 | ( login with ssh, and choose : Start installer (expert mode) ) 46 | 47 | - Set up users and passwords 48 | - Enable shadow passwords? Yes 49 | - Allow login as root? No ( i say No No No... NO ...... NO ) 50 | - Fullname new user: (What you want.) Linux Admin 51 | - Username for your account: linuxadmin 52 | - Password for the new user: (louis default) 53 | - Configure the clock 54 | - Set the clock using NTP? Yes 55 | - NTP server to use: ( choose a stratum 1 server, ntp1.nl.net ) 56 | - Timezone : Europe/Amsterdam ( if you don't see your country/region go back to language, and set that correctly. ) 57 | - Detect disks 58 | - Partition disks 59 | Manual (started, choose Guided - use entire disk. ) 60 | Select disk, Create Empty (msdos) table 61 | Select partition, Create new partition... (Stop and think.)
62 | Now, here is the minimum I advise: 63 | / ( a Samba AD DC needs only 1.5GB for the complete OS install; set it to 8GB as a minimum ) 64 | /var/log ( if a log runs away it can fill up your partition and damage a Samba database; 1GB-2GB or more is ok ) 65 | ( this example shows 6GB for / and 1GB /var/log) 66 | New ( 6GB, Primary, beginning ) 67 | Use as : ext4 68 | mount point : / 69 | Mount option : (SSD, select discard) ( other keep default ) 70 | Label : OS_/ 71 | Reserved blocks : 5% 72 | Typical usage : standard ( partitions with only large files ( iso/mkv/mov ) choose largefile4 ( advised for 500MB+ files ) 73 | Bootable flag : on 74 | Done setting up the partition 75 | 76 | New ( 1GB, Logical, beginning ) 77 | Use as : ext4 78 | mount point : (Enter Manually) /var/log 79 | Mount option : (SSD, select discard) ( other optional, noatime ) 80 | Label : OS_/var/log 81 | Reserved blocks : 5% 82 | Typical usage : standard ( partitions with only large files ( iso/mkv/mov ) choose largefile4 ( advised for 500MB+ files ) 83 | Bootable flag : off ( only / is bootable ) 84 | Done setting up the partition 85 | 86 | New ( 1,6GB, Logical, beginning ) 87 | Use as: swap area 88 | Done setting up the partition 89 | Finish partitioning and write changes to disk .. 90 | 91 | - Install the base system 92 | Kernel to install: 93 | linux-image-4.9.0-3-amd64 94 | linux-image-amd64 95 | 96 | If you choose linux-image-4.9.0-3-amd64, you stay at the 4.9.0-3 ABI from stable, and stop receiving kernel security updates once Debian bumps the ABI. 97 | If you choose linux-image-amd64, you keep following latest stable ( or backports) 98 | Personally I choose linux-image-4.9.0-3-amd64, since I always keep the kernel the system was installed with. 99 | A "safe bet" for trying an older kernel if you hit problems down the road.. 100 | 101 | Drivers to include in the initrd: 102 | Now, generic is the best option 103 | if you know you are never going to move the server to other hardware, then targeted is an option. 104 | ( I did choose targeted since it is a VM I use, and it saves me some time.
) 105 | 106 | - Configure the package manager 107 | Scan another CD or DVD? No 108 | Use a network mirror? Yes 109 | Protocol for file downloads: http ( https is better, but easy to add later on. ) 110 | Debian archive mirror country: Netherlands 111 | Debian archive mirror: deb.debian.org or ftp.nl.debian.org 112 | ( read : http://deb.debian.org for more info about this new host. ) 113 | HTTP proxy information (blank for none): 114 | Use non-free software? Yes ( you might need (linux) firmware packages) 115 | Enable source repositories in APT? No 116 | Services to use: [*] security updates (from security.debian.org) 117 | [*] release updates 118 | [ ] backported software 119 | I did not enable backported software; only enable it when it is really, really needed. 120 | 121 | - Select and install software 122 | Participate in the package usage survey? .. what the .. , why not.. it helps Debian. You choose. 123 | ( and : This choice can be later modified by running "dpkg-reconfigure popularity-contest".) 124 | 125 | - Software selection 126 | SSH server 127 | standard system utilities 128 | 129 | All others turned off, yes, even if you want apache or a print server, first the AD DC setup. ;-) 130 | 131 | - Install the GRUB boot loader on a hard disk 132 | Install the GRUB boot loader to the master boot record? Yes 133 | Device for boot loader installation: ( for me /dev/xvda ) for you probably /dev/sda. 134 | Force GRUB installation to the EFI removable media path? No, ( I suggest you keep the default ) 135 | 136 | - Finish the installation 137 | Is the system clock set to UTC? ( for me Yes ) I suggest you keep the default. 138 | 139 | - Installation complete 140 | Great, Continue, and your server reboots. 141 | 142 | -------------------------------------------------------------------------------- /howtos/stretch-base-1.1-checkup.txt: -------------------------------------------------------------------------------- 1 | 2 | Part 1.1 Debian Stretch Checks.
3 | 
4 | - Debian Stretch Base install - Checkup 
5 | Login with : linuxadmin 
6 | ( linuxadmin is already in sudo, so change to root with sudo ) 
7 | sudo su - 
8 | 
9 | 
10 | Run some tests and compare your output. 
11 | cat /etc/hosts 
12 | 127.0.0.1 localhost 
13 | 192.168.249.30 server1ad.internal.example.com server1ad 
14 | 
15 | # The following lines are desirable for IPv6 capable hosts 
16 | ::1 localhost ip6-localhost ip6-loopback 
17 | ff02::1 ip6-allnodes 
18 | ff02::2 ip6-allrouters 
19 | 
20 | cat /etc/resolv.conf 
21 | search internal.example.com 
22 | nameserver 8.8.8.8 
23 | nameserver 8.8.4.4 
24 | 
25 | hostname -s 
26 | server1ad 
27 | 
28 | hostname -f 
29 | server1ad.internal.example.com 
30 | 
31 | hostname -d 
32 | internal.example.com 
33 | 
34 | hostname -i 
35 | 192.168.249.30 
36 | 
37 | hostname -I 
38 | 192.168.249.30 
39 | ( if hostname -i returns 127.0.1.1, /etc/hosts still has the installer's 127.0.1.1 line for this host; remove it before you continue, the provision later on uses this address ) 
40 | ping www.google.com -c1 
41 | PING www.google.com (108.177.119.106) 56(84) bytes of data. 
42 | 64 bytes from 108.177.119.106 (108.177.119.106): icmp_seq=1 ttl=47 time=11.3 ms 
43 | 
44 | --- www.google.com ping statistics --- 
45 | 1 packets transmitted, 1 received, 0% packet loss, time 0ms 
46 | rtt min/avg/max/mdev = 11.379/11.379/11.379/0.000 ms 
47 | 
48 | # Not sure, so not tested (yet) 
49 | # Missing from the tests above is "the IPv6 address and hostname in /etc/hosts". 
50 | # If DNS is set up correctly this should not be needed in /etc/hosts, but to be safe we could add it. 
51 | #IPV6_IP=$(ifconfig | grep inet6 | grep -v "inet6 ::1" | awk '{ print $2 }') 
# ( ifconfig is not installed by default on Stretch; "ip -6 addr" shows the same information ) 
52 | #echo $IPV6_IP $(hostname -f) $(hostname -s) >> /etc/hosts 
53 | #Works: ping6 fe80::14fe:3eff:fe24:2e46%1 
54 | #Works: ping6 fe80::14fe:3eff:fe24:2e46%2 
55 | #Not : ping6 fe80::14fe:3eff:fe24:2e46 
# ( a link-local fe80:: address only works with the %interface scope, which is why the bare form fails; only a global IPv6 address belongs in /etc/hosts ) 
56 | 
57 | #check what is started : 
58 | systemctl status 
59 | 
60 | #export installed packages. 
61 | dpkg --get-selections| grep install > base-1-install.txt 
62 | 
63 | #remove some software that is not needed: 
64 | apt-get remove --purge laptop-detect os-prober -y 
65 | 
66 | #install some tools you might need. 
67 | apt-get install --no-install-recommends mc zip bzip2 arj unrar -y 
68 | 
69 | # choose your favorite editor, whatever you like. 
70 | # Since I install mc I use mcedit. nano is a good second for me. 
71 | select-editor 
72 | 
-------------------------------------------------------------------------------- 
/howtos/stretch-base-2.0-samba-minimal-ad.txt: 
-------------------------------------------------------------------------------- 
1 | 
2 | Part 2.0 The "Samba AD DC" ONLY server setup with BIND9_DLZ 
3 | 
4 | Debian Stretch, the minimal things for an AD DC server. 
5 | ( Tested on Debian Stretch, Samba 4.5.8 ) 
6 | 
7 | For a Samba AD DC server we need the following. 
8 | - Correct hostname and resolving ( see part 1.2, the checkup ) 
9 | - Correct time for the server and the network 
10 | - Internet 
11 | 
12 | Now we install the following, and this sets up the following. 
13 | 
14 | Samba AD DC 
15 | BIND9 DNS (bind9_dlz) 
16 | Time server 
17 | 
18 | # the needed packages 
19 | #apt-get install samba winbind # For Samba with the Samba internal DNS 
20 | # Or 
21 | # apt-get install samba winbind bind9 # For Samba with the BIND9_DLZ DNS backend 
22 | # 
23 | # I noticed attr is selected but not acl for the install, 
24 | # so to make sure these are installed: 
25 | #apt-get install attr acl 
26 | # 
27 | # if you want to ssh in and/or have uid/gid resolving 
28 | # ( advised is yes, please install this. ) 
29 | #apt-get install libnss-winbind libpam-winbind 
30 | # 
31 | # tools ( optional, but very handy to have installed ) 
32 | #apt-get install bind9utils ldb-tools 
33 | 
34 | # python-gpgme is added when you install Samba 4.6.x+ 
35 | 
36 | # smbclient is added as well, for the tests later on. 
37 | 
38 | # Now all in one go. 
39 | apt-get install samba winbind acl bind9 libnss-winbind libpam-winbind \ 
40 | ntp krb5-user bind9utils ldb-tools smbclient -y 
41 | 
42 | #### For the questions .. 
43 | # Configuring Kerberos Authentication ( Default Kerberos version 5 realm ) 
44 | ### You can keep the default ( the DNS domain in caps ): INTERNAL.EXAMPLE.COM 
45 | ### Just keep in mind: DNS domain != REALM ( the realm is case-sensitive and always upper case ) 
46 | # Configuring Kerberos Authentication ( Kerberos servers for your realm ) 
47 | ### Empty is ok, just hit enter; with dns_lookup_kdc = true the KDC is found through the SRV records. 
48 | # Configuring Kerberos Authentication ( Administrative server for your Kerberos realm ) 
49 | ### Empty is ok, just hit enter 
50 | 
51 | ############################################################################## 
52 | Now it is getting interesting; first we disable the things we do not need. 
53 | 
54 | Let's first stop all the services we are going to configure. 
55 | systemctl stop samba smbd nmbd winbind samba-ad-dc bind9 ntp 
56 | 
57 | # See the status of the services: 
58 | systemctl status samba smbd nmbd winbind samba-ad-dc bind9 ntp 
59 | 
60 | # disable the "member/standalone startups" 
61 | systemctl mask samba smbd nmbd winbind 
62 | systemctl disable samba smbd nmbd winbind 
63 | 
64 | # set samba-ad-dc ready to start, but DON'T start it yet. 
65 | systemctl unmask samba-ad-dc 
66 | systemctl enable samba-ad-dc 
67 | 
68 | ### NTP Begin ( Part 1/2 ) 
69 | cp /etc/ntp.conf{,.org-debian} 
70 | 
71 | # Now first set up the time server and make sure the time is correct 
72 | # before we do anything with Samba ( Kerberos tolerates only 5 minutes of clock skew by default ). 
73 | # 
74 | # Disable the pool servers. 
75 | sed -i 's/pool 0.debian.pool.ntp.org iburst/#pool 0.debian.pool.ntp.org iburst/g' /etc/ntp.conf 
76 | sed -i 's/pool 1.debian.pool.ntp.org iburst/#pool 1.debian.pool.ntp.org iburst/g' /etc/ntp.conf 
77 | sed -i 's/pool 2.debian.pool.ntp.org iburst/#pool 2.debian.pool.ntp.org iburst/g' /etc/ntp.conf 
78 | sed -i 's/pool 3.debian.pool.ntp.org iburst/#pool 3.debian.pool.ntp.org iburst/g' /etc/ntp.conf 
79 | 
80 | # Enable a good NTP (stratum 1) server. 
81 | # Found here : http://support.ntp.org/bin/view/Servers/StratumOneTimeServers 
82 | # change ntp1.nl.net to an NTP source near you; ping/trace them and take the closest. 
83 | sed -i 's/#server ntp.your-provider.example/server ntp1.nl.net/g' /etc/ntp.conf 
84 | 
85 | cat << EOF >> /etc/ntp.conf 
86 | # 
87 | # Optional, define which interface ntp could/should use. 
88 | # Since systemd's predictable interface names, the interface is usually no longer called eth0. 
89 | # Info: https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ 
90 | # run : ip a, check your interface name and change it. ( default = eth0 ) 
91 | # Enable/disable what you want; it is here as an example for you. 
92 | # Notice: if you run : ntpq -p or ntpstat ( apt-get install ntpstat ) 
93 | # and you keep getting unsynchronised messages, try disabling all the interface lines first and restart ntp. 
94 | # If ntp tries to connect over IPv6 and IPv6 is disabled, it won't sync. 
95 | # test: systemctl stop ntp && strace ntpq -pn ::1|& grep -i conn 
96 | #interface listen lo 
97 | #interface listen eth0 
98 | #interface ignore wildcard 
99 | #interface ignore ipv6 
100 | # 
101 | EOF 
102 | systemctl restart ntp 
103 | 
104 | # create the ntp_signd folder if it does not exist. 
105 | if [ ! -d /var/lib/samba/ntp_signd/ ]; then 
106 | mkdir -p /var/lib/samba/ntp_signd/ 
107 | chmod 750 /var/lib/samba/ntp_signd 
108 | chown root:ntp /var/lib/samba/ntp_signd 
109 | fi 
110 | # check the group name 
111 | if [ "$(stat -c "%G" /var/lib/samba/ntp_signd/)" != "ntp" ]; then 
112 | echo "Error: incorrect group detected on /var/lib/samba/ntp_signd/, correcting now." 
113 | chgrp ntp /var/lib/samba/ntp_signd 
114 | fi 
115 | # check the mode ( 750: root may write, the ntp group may enter, nobody else ) 
116 | if [ "$(stat -c "%a" /var/lib/samba/ntp_signd/)" -ne 750 ]; then 
117 | echo "Error: incorrect permissions detected on /var/lib/samba/ntp_signd/, correcting now." 
118 | chmod 750 /var/lib/samba/ntp_signd 
119 | else 
120 | echo "folder : /var/lib/samba/ntp_signd already exists with correct rights (750)" 
121 | fi 
122 | 
123 | 
124 | # add the folder location to ntp.conf 
125 | cat << EOF >> /etc/ntp.conf 
126 | # 
127 | ###### Needed for Samba 4 ###### 
128 | # extra info: mssntp is added to the "restrict -4" and "restrict -6" default lines ( already done for you ) 
129 | # Location of the samba ntp_signd directory 
130 | ntpsigndsocket /var/lib/samba/ntp_signd 
131 | # 
132 | EOF 
133 | 
134 | # Note: on Jessie the restrict lines have no "limited"; if the sed lines below do not match, remove that word from the patterns. 
135 | sed -i 's/restrict -4 default kod notrap nomodify nopeer noquery limited/restrict -4 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf 
136 | sed -i 's/restrict -6 default kod notrap nomodify nopeer noquery limited/restrict -6 default kod notrap nomodify nopeer noquery limited mssntp/g' /etc/ntp.conf 
137 | systemctl restart ntp 
138 | systemctl status ntp 
139 | ### NTP End 
140 | 
141 | 
142 | #KERBEROS: Configure krb5.conf 
143 | # The Samba AD DC generates its own krb5.conf in /var/lib/samba/private/ 
144 | # I use the system default /etc/krb5.conf and leave the Samba version alone. 
145 | 
146 | # backup the old one. 
147 | mv /etc/krb5.conf{,.org-debian} 
148 | 
149 | cat << EOF >> /etc/krb5.conf 
150 | [libdefaults] 
; realm names are case-sensitive: keep this upper case, it must match the --realm you provision with 
151 | default_realm = INTERNAL.EXAMPLE.COM 
152 | dns_lookup_kdc = true 
153 | dns_lookup_realm = false 
154 | forwardable = true 
155 | proxiable = true 
156 | ; ticket_lifetime = 24h 
157 | ; renew_lifetime = 7d 
158 | ; ccache_type = 4 
159 | 
160 | ; A note: the enctype lists below are not used for nfs4, but cifs uses them. 
161 | ; for Windows 2003 
162 | ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 
163 | ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 
164 | ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 
165 | ; 
166 | ; for Windows 2008 with AES 
; The des-cbc-* entries only serve very old clients: DES is disabled by default in current MIT 
; Kerberos libraries ( allow_weak_crypto = false ) and can be dropped. rc4-hmac is still needed 
; by pre-2008 Windows clients; from Windows 2008 on, AES is preferred and listed first. 
167 | default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 
168 | default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 
169 | permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 
170 | 
171 | EOF 
172 | 
173 | 
174 | # Samba Provisioning 
175 | # First: if you try to provision now you get errors, due to the existing smb.conf 
176 | mv /etc/samba/smb.conf{,.org-debian} 
177 | 
178 | # Clean up some old things from the Samba install. 
179 | rm /var/cache/samba/printing/* 
180 | rm /var/cache/samba/* 
181 | rm /var/lib/samba/*.tdb 
182 | 
183 | # https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller 
184 | # Read it, and try to understand why I provision with RFC2307 in AD ( members get the idmap backend "ad" for all FILESERVERS ). 
185 | # I'll explain this later on, in the member setup. 
186 | 
187 | # With internal DNS 
188 | #samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=SAMDOM.EXAMPLE.COM --domain=SAMDOM 
189 | 
190 | # With BIND9_DLZ 
191 | # samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=BIND9_DLZ --realm=INTERNAL.EXAMPLE.COM --domain=INTERNAL 
192 | 
193 | # or change the domain name; it does not have to be INTERNAL, so I keep this as guidance. 
# Without --adminpass, provision generates a random Administrator password and prints it once at the end ( "Admin password:" in the output below ): save it. 
194 | samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=BIND9_DLZ --realm=INTERNAL.EXAMPLE.COM --domain=SAMBADOM 
195 | # A few pointers on what ends up in smb.conf: 
196 | # workgroup = --domain=SAMBADOM 
197 | # realm = --realm=INTERNAL.EXAMPLE.COM 
198 | # netbios name = hostname -s ( in caps, and restricted to 15 characters ) 
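The NTP and Kerberos steps above edit /etc/ntp.conf and /etc/krb5.conf with sed, and a sed that does not match fails silently. Here is an added lint script, not part of the original howto, to run before the provision command: it checks that ntp.conf has a time source, the ntpsigndsocket line and mssntp on both default restrict lines, that krb5.conf carries the upper-case realm you are about to provision, and that the ntp_signd directory has the expected mode and group. The functions take file contents (or a path) as arguments; the ntp.conf and krb5.conf samples below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original howto: lint /etc/ntp.conf and
# /etc/krb5.conf after the sed edits above and before samba-tool provision.
# Functions take file contents (or, for the directory check, a path), so they
# run on the constructed samples below and on the live files.

# active_lines CONTENT: drop comments ('#' in ntp.conf, '#' or ';' in
# krb5.conf) and blank lines.
active_lines() {
    printf '%s\n' "$1" | sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d'
}

# check_ntp_conf CONTENT
# An AD DC's ntpd must have an upstream time source, know the ntp_signd
# socket directory, and accept signed (mssntp) requests on both default
# restrict lines. The sed commands above only add mssntp when the restrict
# line matches their exact text, so verify rather than assume.
check_ntp_conf() {
    conf=$(active_lines "$1"); rc=0
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*(server|pool)[[:space:]]' \
        || { echo "FAIL: no active server/pool line, ntpd has no time source"; rc=1; }
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ntpsigndsocket[[:space:]]+/var/lib/samba/ntp_signd' \
        || { echo "FAIL: 'ntpsigndsocket /var/lib/samba/ntp_signd' missing"; rc=1; }
    for fam in -4 -6; do
        line=$(printf '%s\n' "$conf" \
            | grep -E "^[[:space:]]*restrict[[:space:]]+$fam[[:space:]]+default" | head -n 1)
        case "$line" in
            '')       echo "FAIL: no 'restrict $fam default' line"; rc=1 ;;
            *mssntp*) ;;
            *)        echo "FAIL: 'restrict $fam default' lacks mssntp: $line"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "OK: ntp.conf is ready for Samba"
    return "$rc"
}

# check_krb5_realm CONTENT REALM
# Kerberos realm names are case-sensitive and AD realms are the DNS domain
# in upper case; a lower-case tail such as INTERNAL.EXAMPLE.com is the kind
# of typo that only shows up later as a failing kinit or join.
check_krb5_realm() {
    realm=$(active_lines "$1" | awk -F= \
        '$1 ~ /^[[:space:]]*default_realm[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2; exit }')
    [ -n "$realm" ] || { echo "FAIL: no default_realm in [libdefaults]"; return 1; }
    case "$realm" in
        *[a-z]*) echo "FAIL: default_realm '$realm' is not upper case"; return 1 ;;
    esac
    [ "$realm" = "$2" ] || { echo "FAIL: default_realm is '$realm', expected $2"; return 1; }
    echo "OK: default_realm $realm"
}

# check_ntp_signd_dir DIR [GROUP]
# ntpd reaches samba through a socket in DIR; the directory must be mode 750
# and owned by the group ntpd runs as (ntp on Debian), nothing wider.
check_ntp_signd_dir() {
    dir="$1"; want_group="${2:-ntp}"
    [ -d "$dir" ] || { echo "FAIL: $dir does not exist"; return 1; }
    mode=$(stat -c %a "$dir"); group=$(stat -c %G "$dir")
    [ "$mode" = "750" ] || { echo "FAIL: $dir has mode $mode, want 750"; return 1; }
    [ "$group" = "$want_group" ] || { echo "FAIL: $dir has group $group, want $want_group"; return 1; }
    echo "OK: $dir is $mode, group $group"
}

# Constructed samples: GOOD_NTP is what the edits above should leave behind,
# BAD_NTP is a config where the mssntp and ntpsigndsocket edits did not take.
GOOD_NTP='driftfile /var/lib/ntp/ntp.drift
server ntp1.nl.net
restrict -4 default kod notrap nomodify nopeer noquery limited mssntp
restrict -6 default kod notrap nomodify nopeer noquery limited mssntp
restrict 127.0.0.1
restrict ::1
# Location of the samba ntp_signd directory
ntpsigndsocket /var/lib/samba/ntp_signd'
BAD_NTP='#server ntp.your-provider.example
pool 0.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited'
GOOD_KRB5='[libdefaults]
default_realm = INTERNAL.EXAMPLE.COM
dns_lookup_kdc = true
dns_lookup_realm = false'
BAD_KRB5='[libdefaults]
default_realm = INTERNAL.EXAMPLE.com ; note the lower-case tail'

# Live use, before "samba-tool domain provision":
#   check_ntp_conf "$(cat /etc/ntp.conf)"
#   check_krb5_realm "$(cat /etc/krb5.conf)" INTERNAL.EXAMPLE.COM
#   check_ntp_signd_dir /var/lib/samba/ntp_signd
```

Run it again after the provision and the bind9 setup; nothing in those steps touches these files, so a change at that point is a sign that a package upgrade or a stray dpkg-reconfigure rewrote them.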
199 | 200 | Results in : 201 | Administrator password will be set randomly! 202 | Looking up IPv4 addresses 203 | Looking up IPv6 addresses 204 | No IPv6 address will be assigned 205 | Setting up share.ldb 206 | Setting up secrets.ldb 207 | Setting up the registry 208 | Setting up the privileges database 209 | Setting up idmap db 210 | Setting up SAM db 211 | Setting up sam.ldb partitions and settings 212 | Setting up sam.ldb rootDSE 213 | Pre-loading the Samba 4 and AD schema 214 | Adding DomainDN: DC=internal,DC=example,DC=com 215 | Adding configuration container 216 | Setting up sam.ldb schema 217 | Setting up sam.ldb configuration data 218 | Setting up display specifiers 219 | Modifying display specifiers 220 | Adding users container 221 | Modifying users container 222 | Adding computers container 223 | Modifying computers container 224 | Setting up sam.ldb data 225 | Setting up well known security principals 226 | Setting up sam.ldb users and groups 227 | Setting up self join 228 | Adding DNS accounts 229 | Creating CN=MicrosoftDNS,CN=System,DC=internal,DC=example,DC=com 230 | Creating DomainDnsZones and ForestDnsZones partitions 231 | Populating DomainDnsZones and ForestDnsZones partitions 232 | See /var/lib/samba/private/named.conf for an example configuration include file for BIND 233 | and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates 234 | Setting up sam.ldb rootDSE marking as synchronized 235 | Fixing provision GUIDs 236 | A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf 237 | Setting up fake yp server settings 238 | Once the above files are installed, your Samba4 server will be ready to use 239 | Admin password: %53CHg[AWR$FY.~91[F 240 | Server Role: active directory domain controller 241 | Hostname: server1ad 242 | NetBIOS Domain: SAMBADOM 243 | DNS Domain: internal.example.com 244 | DOMAIN SID: S-1-5-21-3821322978-3959480180-962995944 245 | 246 | 247 | # 
Backup the default sysvol rights and folder. 
248 | mkdir -p /root/samba-backup/ 
249 | getfacl -R /var/lib/samba/sysvol/ > /root/samba-backup/sysvol.acl 
250 | tar cfz /root/samba-backup/sysvol.tar.gz --acls --xattrs /var/lib/samba/sysvol/ 
251 | 
252 | # In the output above you see the line : 
253 | # A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf 
254 | # You may ignore it; the /etc/krb5.conf file is used. 
255 | # Note!! Do not symlink /var/lib/samba/private/krb5.conf to /etc/krb5.conf. 
256 | # This may create problems in the future. ( keep an eye on the 4.7 release notes when released ) 
257 | 
258 | #### Configure bind DNS for Samba AD BIND9_DLZ 
259 | # https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server 
260 | cp -R /etc/bind{,.org-debian} 
261 | 
262 | cat << EOF >> /etc/bind/named.conf.local 
263 | // adding the dlopen ( Bind DLZ ) module for samba. 
264 | // the included file, written by samba-tool provision, already selects the dlz_bind9 module for the installed BIND version; check it if named fails to load the module. 
265 | include "/var/lib/samba/private/named.conf"; 
266 | 
267 | EOF 
268 | 
269 | sed -i 's/auth-nxdomain no; # conform to RFC1035/auth-nxdomain yes; # conform to RFC1035 is no/g' /etc/bind/named.conf.options 
270 | sed -i '/listen-on-v6/a \ \ \ \ \ \ \ \ tkey-gssapi-keytab \"\/var\/lib\/samba\/private\/dns.keytab\";' /etc/bind/named.conf.options 
271 | sed -i '/listen-on-v6/a \ \ \ \ \ \ \ \ \/\/ https:\/\/wiki.samba.org\/index.php\/Dns-backend_bind' /etc/bind/named.conf.options 
272 | sed -i '/listen-on-v6/a \ \ \ \ \ \ \ \ empty-zones-enable no;' /etc/bind/named.conf.options 
273 | # forward everything that is not ours to an upstream resolver. 
274 | sed -i '/\/\/ forwarders/a \ \ \ \ \ \ \ \ forwarders { 8.8.8.8; 8.8.4.4; };' /etc/bind/named.conf.options 
275 | 
276 | # change resolv.conf ( we keep the second Google DNS as a fallback if bind fails to start and you still need internet access. 
) 
277 | cp /etc/resolv.conf{,.org-debian} 
278 | sed -i "s/nameserver 8.8.8.8/nameserver $(hostname -i)/g" /etc/resolv.conf 
279 | 
280 | # nsswitch.conf changes, if you need to be able to log in with ssh ( winbind based logins ). 
# Debian writes these lines with several spaces after the colon, so match any amount of whitespace: 
281 | sed -i 's/^\(passwd:[[:space:]]*compat\)$/\1 winbind/' /etc/nsswitch.conf 
282 | sed -i 's/^\(group:[[:space:]]*compat\)$/\1 winbind/' /etc/nsswitch.conf 
283 | # and when this is done run : 
284 | pam-auth-update 
285 | 
286 | # restart everything that is needed. 
287 | systemctl restart bind9 ntp samba-ad-dc 
288 | 
289 | # Setup SePrivileges; you need these to make sure your Administrators have the needed rights where needed. 
290 | # You need these to set your share and security rights from within Windows. 
291 | ########### Adding SePrivileges 
292 | # Here you have 2 choices, both work. 
293 | # Personally I use "BUILTIN\Administrators"; this reflects a Windows server. 
294 | # The Samba wiki uses "YOUR_NTDOM\Domain Admins". 
295 | # You choose. If you use "BUILTIN\Administrators", then also set in smb.conf: winbind expand groups = 2 
296 | # The default is winbind expand groups = 0; I prefer a minimum of 2. 
297 | # Both have pros and cons: the higher the number, the slower Samba gets at resolving groups. 
298 | # ps. you can set both if you are unsure; just remember, NTDOM\Domain Admins is a member of BUILTIN\Administrators. 
299 | # 
300 | # You can only enable one of these two at a time; if you want both groups, run it, change it and run it again. 
# Uncomment exactly one: both lines are commented out below, and with neither set the grants run against an empty group name. 
301 | #SAMBA_DC_ADMIN_GROUP_CHOICE="BUILTIN\Administrators" 
302 | #SAMBA_DC_ADMIN_GROUP_CHOICE="$(cat /etc/samba/smb.conf | grep workgroup | awk '{ print $NF}')\Domain Admins" 
303 | 
304 | # Your Administrator password here. 
305 | # ! Note: if you have a $ in it, type it as \$ 
306 | SAMBA_NT_ADMIN_PASS="PutYourPassword_here" 
# The password is piped on stdin, so it does not show up in "ps", but it does sit in this file: remove the line when you are done. 
307 | # 
308 | # ! keep the sleep lines; if it goes too fast it errors.. 
309 | # 
310 | echo "${SAMBA_NT_ADMIN_PASS}"| kinit Administrator 
311 | sleep 5 
312 | # Grant each privilege once; this is the original list with the duplicate SeDiskOperatorPrivilege removed. 
313 | # ( After the kinit above, "net rpc rights grant ... -k" would reuse the Kerberos ticket instead of the piped password. ) 
314 | for PRIV in SeDiskOperatorPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege \ 
315 | SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeSecurityPrivilege \ 
316 | SeSystemtimePrivilege SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege \ 
317 | SeSystemProfilePrivilege SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege \ 
318 | SeLoadDriverPrivilege SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege \ 
319 | SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege \ 
320 | SeEnableDelegationPrivilege; do 
321 | echo "${SAMBA_NT_ADMIN_PASS}"| net rpc rights grant "${SAMBA_DC_ADMIN_GROUP_CHOICE}" "${PRIV}" -UAdministrator 
322 | sleep 5 
323 | done 
324 | # and show if it worked. 
362 | net rpc rights list "${SAMBA_DC_ADMIN_GROUP_CHOICE}" -U Administrator 
363 | 
364 | 
-------------------------------------------------------------------------------- 
/howtos/stretch-base-2.1-samba-minimal-ad-checks.txt: 
-------------------------------------------------------------------------------- 
1 | 
2 | Part 2.1 The Samba AD-DC checkups. 
3 | 
4 | If you have correctly set up your Samba server with parts 1 and 2, 
5 | then all these commands now work without any problems. 
6 | 
7 | smbclient -L localhost -U% 
8 | smbclient //localhost/netlogon -UAdministrator -c 'ls' 
9 | 
10 | host -t SRV _ldap._tcp.internal.example.com 
11 | host -t SRV _kerberos._udp.internal.example.com 
12 | host -t A server1ad.internal.example.com 
( the A record must show the server's real address, not 127.0.1.1; if it does not, fix /etc/hosts and the DNS record before going on ) 
13 | 
14 | kinit administrator 
15 | klist 
16 | 
17 | Some NTP tests. 
18 | Run on Linux : ntpq -p, or ntpq -pn 127.0.0.1, or another option: apt-get install ntpstat and run : ntpstat 
19 | If you see errors, the first thing you should check is the following. 
20 | On which interfaces and IP numbers is ntp listening: ss -ulpn | grep ntp ( or netstat -taupn|grep udp|grep ntp, if net-tools is installed ) 
21 | If you use the interface lines ( one or more ) "interface listen ...." and sync fails, check whether ntp is trying over IPv6. 
22 | This command will tell you more about it: strace ntpq -pn ::1|& grep -i conn 
23 | Then first disable the interface lines and try again. 
24 | 
-------------------------------------------------------------------------------- 
/howtos/stretch-base-3.1-samba-member-debian-install.txt: 
-------------------------------------------------------------------------------- 
1 | 
2 | Part 3.1, the Debian Samba Member install 
3 | ( tested on Debian Stretch, Samba 4.5.8 ) 
4 | 
5 | This is basically a copy of the server setup in stretch-base-1.0.txt 
6 | The "Configure the network" part changed a bit. 
7 | 
8 | Debian Stretch Install Basics. 
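For the SePrivilege grants at the end of part 2.0 and the "net rpc rights list" check that follows them, here is an added verification script that is not part of the original howto. It compares the output of "net rpc rights list GROUP -U Administrator" with the list the grant commands are meant to produce, reports what is missing, and also reports privileges that the howto never grants, which is the least-privilege question you want answered on a DC. EXPECTED_PRIVS is the howto's list with the duplicate SeDiskOperatorPrivilege listed once; the parser only assumes each privilege name appears as its own token in the output, and the sample outputs below are constructed.

```shell
#!/bin/sh
# Added example, not part of the original howto: verify that the SePrivilege
# grants from part 2.0 all took, by comparing the output of
#   net rpc rights list "GROUP" -U Administrator
# with the list the grant commands are meant to produce. EXPECTED_PRIVS is that
# list, with SeDiskOperatorPrivilege (granted twice there) listed once. The
# parser only assumes each privilege name shows up as its own token somewhere
# in the output. The sample outputs below are constructed.

EXPECTED_PRIVS='SeDiskOperatorPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeSecurityPrivilege
SeSystemtimePrivilege
SeShutdownPrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeSystemProfilePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeLoadDriverPrivilege
SeCreatePagefilePrivilege
SeIncreaseQuotaPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege
SeImpersonatePrivilege
SeCreateGlobalPrivilege
SeEnableDelegationPrivilege'

# extract_privs OUTPUT: the unique privilege names found in OUTPUT, sorted.
extract_privs() {
    printf '%s\n' "$1" | grep -oE 'Se[A-Za-z]+Privilege' | sort -u
}

# missing_privs OUTPUT: print one "MISSING: name" line per expected privilege
# that is absent from OUTPUT; return 0 only when nothing is missing.
missing_privs() {
    have=$(extract_privs "$1")
    missing=$(printf '%s\n' "$EXPECTED_PRIVS" | awk -v have="$have" '
        BEGIN { n = split(have, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($1 in seen) { print $1 }')
    if [ -z "$missing" ]; then
        echo "OK: all $(printf '%s\n' "$EXPECTED_PRIVS" | grep -c .) privileges are granted"
        return 0
    fi
    printf 'MISSING: %s\n' $missing
    return 1
}

# extra_privs OUTPUT: privileges in OUTPUT that the howto does not grant.
# Anything printed here was added by someone else and deserves a look.
extra_privs() {
    extract_privs "$1" | awk -v want="$EXPECTED_PRIVS" '
        BEGIN { n = split(want, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !($1 in seen) { print $1 }'
}

# Constructed sample outputs, one privilege per line as net(8) prints them:
# a complete grant, and a run that stopped early plus one unexpected right.
COMPLETE_OUTPUT="$EXPECTED_PRIVS"
PARTIAL_OUTPUT='SeDiskOperatorPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeMachineAccountPrivilege'

# Live use, with the same group you granted to:
#   out=$(net rpc rights list "BUILTIN\Administrators" -U Administrator)
#   missing_privs "$out"; extra_privs "$out"
```

If missing_privs reports a short tail of the list, the grants were most likely run too fast (the howto's sleep lines exist for that reason); rerun the loop, it is safe to grant a privilege twice. If extra_privs prints anything, find out who granted it before you decide whether it stays.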
9 | - Advanced Options 
10 | - Expert install 
11 | - Language 
12 | - Language : English - English 
13 | - Country, territory or area: other -> Europe -> Netherlands 
14 | - Country to base default locale settings on: United States - en_US.UTF-8 
15 | - Additional locales: ( not really needed; easy to add later when needed. ) 
16 | 
17 | - Access software for blind persons .. skip 
18 | 
19 | - Configure keyboard 
20 | - American/English 
21 | 
22 | - Detect and mount CDROM 
23 | - usb-storage ( keep default ) 
24 | 
25 | - Load installer components from CDROM 
26 | - ( I switch to ssh later on, so I enable network-console ) 
27 | 
28 | - Detect network hardware 
29 | 
30 | - Configure the network 
31 | - Auto-configure networking 
32 | ! Yes, you can install with automatic configuration, but then you need to correct other 
33 | settings in the system, so choose NO and set up a static IP number. 
34 | server : 192.168.249.31/24 = 192.168.249.31/255.255.255.0 ( the DC from part 1 is .30 ) 
35 | Gateway : 192.168.249.1 
36 | Nameserver: 192.168.249.30 ( the DC; a member must use the AD DNS, not a public resolver, or it cannot find the SRV records ) 
37 | 
38 | ! Note, make sure you have the network settings correct. 
39 | ! If you set up with DHCP, you need to change multiple things. 
40 | ! This setup assumes you set up with a STATIC IP number. 
41 | 
42 | Check the info, and if ok, hit enter. 
43 | 
44 | - Configure the Hostname 
45 | - Hostname : client1 
46 | - Domainname: internal.example.com 
47 | NO .local, NO .lan 
48 | ( results in client1.internal.example.com as FQDN ) 
49 | - Continue installation remotely using SSH. 
50 | type your password. ( user name is: installer ) 
51 | ( login with ssh, and choose : Start installer (expert mode) ) 
52 | 
53 | - Set up users and passwords 
54 | - Enable shadow passwords? Yes 
55 | - Allow login as root? No ( I say No No No... NO ...... NO ) 
56 | - Full name of the new user: (what you want) Linux Admin 
57 | - Username for your account: linuxadmin 
58 | - Password for the new user: (louis default) 
59 | - Configure the clock 
60 | - Set the clock using NTP? 
Yes 
61 | - NTP server to use: ( choose your Domain Controller as NTP server ) ip: 192.168.249.30 ( in this example ) 
62 | - Timezone : Europe/Amsterdam ( if you don't see your country/region, go back to language and set that correctly. ) 
63 | - Detect disks 
64 | - Partition disks 
65 | Manual ( started with Guided - use entire disk ) 
66 | Select disk, Create Empty (msdos) table 
67 | Select partition, Create new partition... (Stop and think.) 
68 | Now, here is the minimum I advise: 
69 | / ( like the DC, this server needs only about 1.5 GB for the complete OS install; take 8 GB as the minimum, and keep the file server's data on its own partition ) 
70 | /var/log ( a runaway log can fill up your partition; 1-2 GB is more than ok ) 
71 | ( this example, a small test VM, uses 6 GB for / and 1 GB for /var/log ) 
72 | New ( 6GB, Primary, beginning ) 
73 | Use as : ext4 
74 | mount point : / 
75 | Mount option : (SSD, select discard) ( otherwise keep the default ) 
76 | Label : OS_/ 
77 | Reserved blocks : 5% 
78 | Typical usage : standard ( for partitions holding only large files ( iso/mkv/mov ) choose largefile4; advised for 500 MB+ files ) 
79 | Bootable flag : on 
80 | Done setting up the partition 
81 | 
82 | New ( 1GB, Logical, beginning ) 
83 | Use as : ext4 
84 | mount point : (Enter manually) /var/log 
85 | Mount option : (SSD, select discard) ( optional: noatime ) 
86 | Label : OS_/var/log 
87 | Reserved blocks : 5% 
88 | Typical usage : standard ( same rule as above: largefile4 only for partitions with nothing but 500 MB+ files ) 
89 | Bootable flag : on 
90 | Done setting up the partition 
91 | 
92 | New ( 1,6GB, Logical, beginning ) 
93 | Use as: swap area 
94 | Done setting up the partition 
95 | Finish partitioning and write changes to disk .. 
96 | 
97 | - Install the base system 
98 | Kernel to install: 
99 | linux-image-4.9.0-3-amd64 
100 | linux-image-amd64 
101 | 
102 | If you choose linux-image-4.9.0-3-amd64, you stay on the 4.9.0-3 kernel from stable. 
103 | If you choose linux-image-amd64, you keep following the latest stable kernel ( or backports ). 
104 | Personally I choose linux-image-4.9.0-3-amd64, since I always keep the kernel the system was installed with: 
105 | a "safe bet", because you can fall back to the older kernel if you hit problems down the road. Note that Debian kernel updates that change the ABI arrive as a new package ( e.g. linux-image-4.9.0-4-amd64 ) which only the linux-image-amd64 metapackage pulls in automatically; if you pin the versioned package, include the kernel in your own update checks. 
106 | 
107 | Drivers to include in the initrd: 
108 | Now, generic is the best option; 
109 | if you know you are never going to move the server to other hardware, then targeted is an option. 
110 | ( I did choose targeted, since it is a VM I use and it saves me some time. ) 
111 | 
112 | - Configure the package manager 
113 | Scan another CD or DVD? No 
114 | Use a network mirror? Yes 
115 | Protocol for file downloads: http ( https is better but easy to add later; APT verifies the package signatures either way ) 
116 | Debian archive mirror country: Netherlands 
117 | Debian archive mirror: deb.debian.org or ftp.nl.debian.org 
118 | ( read : http://deb.debian.org for more info about this new host. ) 
119 | HTTP proxy information (blank for none): 
120 | Use non-free software? Yes ( you might need (linux) firmware packages ) 
121 | Enable source repositories in APT? No 
122 | Services to use: [*] security updates (from security.debian.org) 
123 | [*] release updates 
124 | [ ] backported software 
125 | I did not enable backports; only enable it when it is really, really needed. 
126 | 
127 | - Select and install software 
128 | Participate in the package usage survey? Why not, it helps Debian; your choice. 
129 | ( and: this choice can be modified later by running "dpkg-reconfigure popularity-contest". ) 
130 | 
131 | - Software selection 
132 | SSH server 
133 | standard system utilities 
134 | 
135 | Turn everything else off. Yes, even if you want Apache or a print server: first this Samba member setup. ;-) 
136 | 
137 | - Install the GRUB boot loader on a hard disk 
138 | Install the GRUB boot loader to the master boot record? Yes 
139 | Device for boot loader installation: ( for me /dev/xvda ) probably /dev/sda for you. 
140 | Force GRUB installation to the EFI removable media path? No ( I suggest you keep the default ) 
141 | 
142 | - Finish the installation 
143 | Is the system clock set to UTC? ( for me Yes ) I suggest you keep the default. 
144 | 
145 | - Installation complete 
146 | Great, Continue, and your server reboots. 
147 | 
148 | 
-------------------------------------------------------------------------------- 
/howtos/stretch-base-3.2-samba-member-fileserver.txt: 
-------------------------------------------------------------------------------- 
1 | 
2 | Part 3.2 The "Samba MEMBER" (FILE-SERVER) server setup. 
3 | ( Tested on Debian Stretch, Samba 4.5.8 ) 
4 | 
5 | For a Samba member server we need the following. 
6 | - Correct hostname and resolving ( see part 1.2, the checkup ) 
7 | - Correct time for the server and the network 
8 | - Internet 
9 | 
10 | Now we install the following, and this sets up the following. 
11 | 
12 | Samba (member) 
13 | Time server (client) 
14 | 
15 | # the needed packages 
16 | #apt-get install samba winbind 
17 | # ( a member server runs no DNS server: unlike the DC in part 2.0 there is no bind9 here, 
18 | # the member just points its resolver at the DC ) 
19 | # 
20 | # I noticed attr is selected but not acl for the install, 
21 | # so to make sure these are installed: 
22 | #apt-get install attr acl 
23 | # 
24 | # if you want to ssh in and/or have uid/gid resolving 
25 | # ( advised is yes, please install this. ) 
26 | #apt-get install libnss-winbind libpam-winbind 
27 | # 
28 | # tools ( optional, but very handy to have installed ) 
29 | #apt-get install bind9utils ldb-tools 
30 | 
31 | # python-gpgme is added when you install Samba 4.6.x+ 
32 | 
33 | # smbclient is added as well, for the tests later on. 
34 | 
35 | # Now all in one go. 
36 | apt-get install samba winbind acl libnss-winbind libpam-winbind \ 
37 | ntp krb5-user bind9utils ldb-tools smbclient -y 
38 | 
39 | #### For the questions .. 
40 | # Configuring Kerberos Authentication ( Default Kerberos version 5 realm ) 
41 | ### You can keep the default ( the DNS domain in caps ): 
(INTERNAL.EXAMPLE.COM) 
42 | ### Just keep in mind: DNS domain != REALM ( the realm is case-sensitive and always upper case ) 
43 | # Configuring Kerberos Authentication ( Kerberos servers for your realm ) 
44 | ### Empty is ok, just hit enter; with dns_lookup_kdc = true the KDC is found through the SRV records. 
45 | # Configuring Kerberos Authentication ( Administrative server for your Kerberos realm ) 
46 | ### Empty is ok, just hit enter 
47 | 
48 | ############################################################################## 
49 | Now it is getting interesting; first we disable the things we do not need. 
50 | 
51 | Let's first stop all the services we are going to configure. 
52 | systemctl stop samba smbd nmbd winbind samba-ad-dc ntp 
53 | 
54 | # See the status of the services: 
55 | systemctl status samba smbd nmbd winbind samba-ad-dc ntp 
56 | 
57 | # disable the "AD DC server startups" 
58 | systemctl mask samba samba-ad-dc 
59 | systemctl disable samba samba-ad-dc 
60 | 
61 | # set smbd, nmbd and winbind ready to start, but DON'T start them yet. 
62 | systemctl unmask smbd nmbd winbind 
63 | systemctl enable smbd nmbd winbind 
64 | systemctl stop smbd nmbd winbind 
65 | 
66 | ### NTP Begin ( Part 1/2 ) 
67 | cp /etc/ntp.conf{,.org-debian} 
68 | 
69 | # Now first set up the time server and make sure the time is correct 
70 | # before we do anything with Samba ( Kerberos tolerates only 5 minutes of clock skew by default ). 
71 | # 
72 | # Disable the pool servers. 
73 | sed -i 's/pool 0.debian.pool.ntp.org iburst/#pool 0.debian.pool.ntp.org iburst/g' /etc/ntp.conf 
74 | sed -i 's/pool 1.debian.pool.ntp.org iburst/#pool 1.debian.pool.ntp.org iburst/g' /etc/ntp.conf 
75 | sed -i 's/pool 2.debian.pool.ntp.org iburst/#pool 2.debian.pool.ntp.org iburst/g' /etc/ntp.conf 
76 | sed -i 's/pool 3.debian.pool.ntp.org iburst/#pool 3.debian.pool.ntp.org iburst/g' /etc/ntp.conf 
77 | 
78 | # For the member server we point to the DC ( 1, 2 or 3 of them ). 
79 | # change YOUR_DC_NAME_OR_IP to the hostname or IP address of your DC. 
80 | sed -i 's/#server ntp.your-provider.example/server YOUR_DC_NAME_OR_IP/g' /etc/ntp.conf 
81 | 
82 | cat << EOF >> /etc/ntp.conf 
83 | # 
84 | # Optional, define which interface ntp could/should use. 
85 | # Since systemd's predictable interface names, the interface is usually no longer called eth0. 
86 | # Info: https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames/ 87 | # run : ip a and check you interface name and change it. ( default = eth0 ) 88 | # Enable/disable what you want, its here as example for you. 89 | # Notice: if you run : ntpq -p or ntpstat ( apt-get install ntpstat ) 90 | # and you keep getting unsync messages, try disable-ing all the interface lines first and restart ntp 91 | # If ntp tries to connect to ipv6 and its disabled, it wont sync. 92 | # test: systemctl stop ntp && strace ntpq -pn ::1|& grep -i conn 93 | #interface listen lo 94 | #interface listen eth0 95 | #interface ignore wildcard 96 | #interface ignore ipv6 97 | # 98 | EOF 99 | systemctl restart ntp 100 | # and see if everything is running 101 | systemctl status ntp 102 | 103 | ### NTP End 104 | 105 | 106 | # KERBEROS: Configure krb5.conf 107 | # Samba MEMBER krb5.conf in /etc/krb5.conf 108 | 109 | # backup the old one. 110 | mv /etc/krb5.conf{,.org-debian} 111 | 112 | # Note!! Do not symlink /var/lib/samba/private/krb5.conf to /etc/krb5.conf. 113 | # This may create some problems in the future. (keep you eys on the 4.7 release notes when released) 114 | 115 | cat << EOF >> /etc/krb5.conf 116 | [libdefaults] 117 | default_realm = INTERNAL.EXAMPLE.COM 118 | dns_lookup_kdc = true 119 | dns_lookup_realm = false 120 | forwardable = true 121 | proxiable = true 122 | ; ticket_lifetime = 24h 123 | ; renew_lifetime = 7d 124 | ; ccache_type = 4 125 | ; 126 | ; Enable this one if you have a tight setup where only the user can enter the user home dir. 127 | ; You might need it with cifs mounts, nfs mounts 128 | ; ignore_k5login = true 129 | 130 | 131 | ; A note: This is not used for nfs4 but cifs uses it. 
132 | ; for Windows 2003 133 | ; default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 134 | ; default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 135 | ; permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5 136 | ; 137 | ; for Windows 2008 with AES 138 | default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 139 | default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 140 | permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5 141 | 142 | EOF 143 | 144 | 145 | # Samba Member setup. 146 | # First, backup the original config. 147 | mv /etc/samba/smb.conf{,.org-debian} 148 | 149 | # Cleanup some old things from the samba install. 150 | rm /var/cache/samba/printing/* 151 | rm /var/cache/samba/* 152 | rm /var/lib/samba/*.tdb 153 | rm /var/lib/samba/private/*.tdb 154 | 155 | 156 | # https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 157 | # Read and try to understand why i setup with RFC2307 in AD ( members get idmap backend AD for all FILESERVERS ). 158 | cat << EOF >> /etc/samba/smb.conf 159 | # https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member 160 | # 161 | log level = 0 162 | 163 | # netbios name = By default this is "hostname -s" but in caps. 164 | realm = INTERNAL.EXAMPLE.COM 165 | workgroup = SAMBADOM 166 | security = ADS 167 | 168 | # set master browser for the network. 169 | # preffered + domain master = yes = guarantee master browser ( man smb.conf ) 170 | # ! There can only be ONE master browser. 171 | preferred master = no 172 | domain master = no 173 | 174 | dedicated keytab file = /etc/krb5.keytab 175 | kerberos method = secrets and keytab 176 | 177 | ## map id's outside to domain to tdb files. 178 | idmap config * : backend = tdb 179 | idmap config * : range = 3000-7000 180 | 181 | ## map ids from the domain the range may not overlap ! 
182 | idmap config SAMBADOM : backend = ad 183 | idmap config SAMBADOM : schema_mode = rfc2307 184 | idmap config SAMBADOM : range = 10000-999999 185 | # idmap config SAMBADOM : unix_nss_info = yes # Only in Samba 4.6+ 186 | 187 | # Renew the kerberos tickets 188 | winbind refresh tickets = yes 189 | 190 | # Enable offline logins 191 | winbind offline logon = yes 192 | 193 | # User uid/Gid from AD. (rfc2307) 194 | winbind nss info = rfc2307 195 | 196 | # With default domain, wbinfo -u, yes = username, no is SAMBADOM\username 197 | winbind use default domain = yes 198 | winbind trusted domains only = no 199 | 200 | # Keep no in production, set yes when debugging, this slows down your samba. 201 | winbind enum users = no 202 | winbind enum groups = no 203 | 204 | # Check depth of nested groups, ! slows down you samba, if to much groups depth 205 | # Samba default is 0, i suggest a minimal of 2 in this setup, advices is 4. 206 | winbind expand groups = 4 207 | 208 | # User Administrator workaround, without it you are unable to set privileges 209 | # !Note: When using the AD ID mapping back end, do not set the uidNumber attribute for the domain administrator account. 210 | # If the account has the attribute set, the value overrides the local UID 0 of the root user and thus the mapping fails. 211 | username map = /etc/samba/samba_usermapping 212 | 213 | # disable usershares creating, when set empty no error log messages. 214 | usershare path = 215 | 216 | # Disable printing completely 217 | load printers = no 218 | printing = bsd 219 | printcap name = /dev/null 220 | disable spoolss = yes 221 | 222 | # For Windows ACL support on member file server, enabled globaly, OBLIGATED 223 | # For a mixed setup of rights, put this per share! 
224 | vfs objects = acl_xattr 225 | map acl inherit = yes 226 | store dos attributes = yes 227 | 228 | # Share Setting Globally 229 | veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/ 230 | hide unreadable = yes 231 | 232 | ######## SHARE DEFINITIONS ################ 233 | ## 234 | [samba$] 235 | # Used for Administrative things only. 236 | browseable = yes 237 | path = /home/samba 238 | read only = no 239 | 240 | [profiles] 241 | # user profiles folder 242 | browseable = yes 243 | path = /home/samba/profiles 244 | read only = no 245 | acl_xattr:ignore system acl = yes 246 | 247 | [users] 248 | # user homedirs 249 | browseable = yes 250 | path = /home/samba/users 251 | read only = no 252 | acl_xattr:ignore system acl = yes 253 | 254 | [data] 255 | # data share for domain/company 256 | browseable = yes 257 | path = /home/samba/data 258 | read only = no 259 | 260 | EOF 261 | 262 | # Create these share folders 263 | mkdir -p /home/samba/{profiles,users,data} 264 | chmod 3771 /home/samba 265 | chmod 1777 /home/samba/profiles 266 | 267 | # ! Note, kerberos needs access in a users home to check 268 | chmod 1770 /home/samba/users 269 | # on the data folder we want creator owner and group. The group maps to "domain users" 270 | chmod 3770 /home/samba/data 271 | # as of this point dont do anything on linux, finish the install and use windows to setup acl. 272 | 273 | # To map the domain administrator to the local root account: 274 | cat << EOF > /etc/samba/samba_usermapping 275 | !root = SAMBADOM\Administrator SAMBADOM\administrator 276 | EOF 277 | 278 | # Resolving 279 | # change resolv.conf ( we keep the second google dns as backup if bind fails to startup and you need internet. ) 280 | sed -i "s/nameserver 8.8.8.8/nameserver 192.168.249.30/g" /etc/resolv.conf 281 | 282 | # Here samba JOIN the domain. 283 | # get a kerberos ticket. 
# (don't destroy it after the join)
kinit Administrator
# and join the domain
net ads join -k


# nsswitch.conf changes if you need to be able to login with ssh. ( winbind based logins )
sed -i 's/passwd: compat/passwd: compat winbind/g' /etc/nsswitch.conf
sed -i 's/group: compat/group: compat winbind/g' /etc/nsswitch.conf
# and if this is done run :
pam-auth-update

# Kerberos ssh logins, the basics..
# If you need to be able to login with ssh, just make sure that /etc/ssh/sshd_config
# contains:

GSSAPIAuthentication yes
GSSAPIKeyExchange yes

# this enables kerberos logins.
# ! Note, by default on debian any user with uid 1000+ is able to login.

# restart everything that's needed.
systemctl restart ntp smbd nmbd winbind

# check with wbinfo -u && wbinfo -g, you should see some usernames and groups.
# and No, getent passwd administrator will not and should not work!
# in an AD setup DON'T assign a uid to Administrator.

# Setup SePrivileges, you need these to make sure your Administrators have the needed rights where needed.
# You need these to set your share and security rights from within Windows.
########### Adding SePrivileges
# Here you have 2 choices, both work.
# Personally i use : "BUILTIN\Administrators", this reflects a windows server.
# The samba wiki : "YOUR_NTDOM\Domain Admins"
# You choose. If you use "BUILTIN\Administrators", then also set in smb.conf: winbind expand groups = 2
# the default is winbind expand groups = 0, i prefer a minimum of 2.
# Both have pro's and cons, the higher the number, the slower your samba gets in resolving groups.
# ps. you can set both also if you're unsure, just remember, NTDOM\Domain Admins is a member of BUILTIN\Administrators
#
# You can only enable one of these two at once, if you want both groups, run it, change it and run it again.
SAMBA_DC_ADMIN_GROUP_CHOICE="BUILTIN\Administrators"
#SAMBA_DC_ADMIN_GROUP_CHOICE="$(grep workgroup /etc/samba/smb.conf | awk '{ print $NF}')\Domain Admins"

# Your Administrator Password here
# ! Note if you have a $ in it type it as \$
# ( only needed if you run the grants with -U Administrator instead of the kerberos ticket from the join )
SAMBA_NT_ADMIN_PASS="PutYourPassword_here"

# The privileges to grant, one run for each of them.
SEPRIVILEGES="SeDiskOperatorPrivilege SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege \
SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeSecurityPrivilege \
SeSystemtimePrivilege SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege \
SeSystemProfilePrivilege SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege \
SeLoadDriverPrivilege SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege \
SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege \
SeEnableDelegationPrivilege"

#
# ! keep the sleep line, if it's going too fast it errors..
# we re-use the kerberos ticket from the join ( -k ) against this member server ( -S ).
# The check: with no privileges granted yet, the list output is 2 lines or less.
#
if [ "$(net rpc rights list "${SAMBA_DC_ADMIN_GROUP_CHOICE}" -k -S "$(hostname -f)" | wc -l)" -le 2 ]; then
    for sepriv in ${SEPRIVILEGES}; do
        net rpc rights grant "${SAMBA_DC_ADMIN_GROUP_CHOICE}" "${sepriv}" -k -S "$(hostname -f)"
        sleep 5
    done
    # and show if it worked.
    net rpc rights list "${SAMBA_DC_ADMIN_GROUP_CHOICE}" -k -S "$(hostname -f)"
else
    echo "SePrivileges already done for ${SAMBA_DC_ADMIN_GROUP_CHOICE}"
fi

# now destroy the ticket.
kdestroy
# and reboot the server.
reboot

# when done, login as linuxadmin and go check all your logs.
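The smb.conf in this howto warns that the idmap ranges may not overlap (tdb 3000-7000 for `*`, ad 10000-999999 for SAMBADOM); overlapping ranges let two different SIDs map to the same uid/gid, which silently corrupts file ownership on the member. As an added check that is not part of the howto, the shell function below reads the `idmap config ... : range` lines of an smb.conf and reports overlapping or malformed ranges; the sample config it writes is constructed here and reproduces the howto's values.

```shell
#!/bin/bash
# Added example, not from the howto: report overlapping idmap ranges in an smb.conf.
# Usage: idmap_range_check /etc/samba/smb.conf   (exit 0 = no problem found)
idmap_range_check() {
    awk '
        # drop comments, then match "idmap config <DOMAIN> : range = LOW-HIGH" (any case/spacing)
        { line = $0; sub(/[#;].*/, "", line) }
        tolower(line) ~ /^[ \t]*idmap[ \t]+config[ \t]+[^:]+:[ \t]*range[ \t]*=/ {
            split(line, parts, ":")
            dom = parts[1]
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", dom)   # strip "idmap config "
            gsub(/[ \t]+$/, "", dom)
            rng = parts[2]
            sub(/.*=/, "", rng); gsub(/[ \t]/, "", rng)
            split(rng, b, "-")
            if (b[1] !~ /^[0-9]+$/ || b[2] !~ /^[0-9]+$/ || b[1] + 0 > b[2] + 0) {
                printf "BAD RANGE for %s: \"%s\"\n", dom, rng
                bad++
                next
            }
            n++; name[n] = dom; lo[n] = b[1] + 0; hi[n] = b[2] + 0
        }
        END {
            # two ranges overlap when each one starts before the other one ends
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (lo[i] <= hi[j] && lo[j] <= hi[i]) {
                        printf "OVERLAP: %s (%d-%d) and %s (%d-%d)\n", name[i], lo[i], hi[i], name[j], lo[j], hi[j]
                        bad++
                    }
            printf "checked %d idmap range(s), %d problem(s)\n", n, bad
            exit (bad ? 1 : 0)
        }' "$1"
}

# Constructed sample smb.conf with the ranges from the howto; $2 overrides the
# low end of the SAMBADOM range so the overlap case can be exercised.
write_sample_smb_conf() {
    cat > "$1" <<EOF
[global]
   realm = INTERNAL.EXAMPLE.COM
   workgroup = SAMBADOM
   security = ADS
   ## map id's outside the domain to tdb files.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7000
   ## map ids from the domain, the range may not overlap !
   idmap config SAMBADOM : backend = ad
   idmap config SAMBADOM : schema_mode = rfc2307
   idmap config SAMBADOM : range = ${2:-10000}-999999
EOF
}

# Stand-alone use: check the file given as argument, otherwise demo both cases.
if [ -n "${1:-}" ]; then
    idmap_range_check "$1"
else
    tmp="$(mktemp)"
    write_sample_smb_conf "$tmp" 10000 && idmap_range_check "$tmp" || true   # howto values: no overlap
    write_sample_smb_conf "$tmp" 5000 && idmap_range_check "$tmp" || true    # 5000-999999 overlaps 3000-7000
    rm -f "$tmp"
fi
```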

--------------------------------------------------------------------------------
/howtos/stretch-base-3.3-samba-member-fileserver-rights-example.txt:
--------------------------------------------------------------------------------

Part 3.3, The "Samba MEMBER" (FILE-SERVER) server setup, what about the share and folder security.

Debian Stretch, the minimal things for a MEMBER server.
( Tested on Debian Stretch Samba 4.5.8 )

By example. (This is a Work in Progress)
! Things may change here, I'm testing some different setups.


######## MEMBER SHARE DEFINITIONS ################
# READ: https://www.samba.org/samba/docs/man/manpages-3/vfs_acl_xattr.8.html
# ! You must configure the share and security rights with a windows client when you set: acl_xattr:ignore system acl = yes
# After setting this, make sure you have restarted samba, then configure the share and security rights.
# (see: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs)
# Best is to not mix posix and Windows ACL settings in a share. !
# Setup the share as POSIX ACL or Windows ACL.
# ( Not that it won't work, but it will make your setup harder to maintain and debug )
#
# I'm assuming the following:
# - Assigned "Domain Users" a GID with ADUC. ( yes, win10 is missing the unix tab, i used Win 7+ADUC, or use samba-tool )
# - Domain users is the primary gid for every user.
# - I used Backend AD, you....
# Read the Advantages and Disadvantages, then you choose.
# https://wiki.samba.org/index.php/Idmap_config_ad
# https://wiki.samba.org/index.php/Idmap_config_rid
#
# - mkdir -p /home/samba/{profiles,users,data}
# - chmod 1751 /home/samba/ ( root:root ) ( 1751: Creator Owner, root maps via the username map to SAMBADOM\Administrator )
# 1751 explained.
# 1 Creator Owner
# 7 root ( maps to Administrator )
# 5 root ( maps to BUILTIN\Administrators of which Domain Admins is a member )
# 1 everyone ( everyone can enter this folder )
#
# If you set your base rights in a subfolder, i suggest 3770
# 3 Creator Group, this is where "Domain Users" for all users comes in.
# 7 (root)
# 7 (BUILTIN\Administrators)
# 0 You don't want anyone entering this folder.
# Now root/Administrator creates a new folder in /home/samba/data/group1
# Add a windows group (with or without uid) to /home/samba/data/group1 ( example: group name=data_group1 ) give it all but full control.
# You don't want users to modify your acls, do you? If you have such users, create a new group, data_group1_management
# and give that one full control.
#
# ! So only Administrator (root) can create/assign rights to new folders in samba$ ( an administrative share. )
# Now, login as SAMBADOM\Administrator with a domain joined PC, and setup your rights and folders in /home/samba
# ( tip, drive map \\hostname.internal.example.com\samba$ )
#
[samba$]
# Used for Administrative things only.
52 | browseable = yes 53 | path = /home/samba 54 | read only = no 55 | 56 | [profiles] 57 | # user profiles folder 58 | browseable = yes 59 | path = /home/samba/profiles 60 | read only = no 61 | acl_xattr:ignore system acl = yes 62 | 63 | [users] 64 | # user homedirs 65 | browseable = yes 66 | path = /home/samba/users 67 | read only = no 68 | acl_xattr:ignore system acl = yes 69 | 70 | [data] 71 | # data share for domain/company 72 | browseable = yes 73 | path = /home/samba/data 74 | read only = no 75 | 76 | -------------------------------------------------------------------------------- /samba-check-SePrivileges.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This script does not modify anything, it shows the output of the SEPRIVILEGE members. 4 | # Version 1.1 5 | # Released : 7 Sept 2017 6 | # Updated : 20 May 2022, Thanks for Testing Rowland Penny. ;-) 7 | # Info: https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx#BKMK_PrintOperators 8 | # 9 | # Assigning Delegated Print Administrator and Printer Permission Settings in Windows Server 2008 R2 10 | # https://technet.microsoft.com/en-us/library/ee524015(v=ws.10).aspx 11 | 12 | 13 | # check samba verions since some paramater changes. 14 | FULL_VERSION="$(smbd -V|cut -d" " -f2 | sed 's/-Debian//g')" 15 | MAIN_VERSION="$(echo "$FULL_VERSION" | cut -d"." -f1)" 16 | MINOR_VERSION="$(echo "$FULL_VERSION" | cut -d"." -f2)" 17 | SUB_VERSION="$(echo "$FULL_VERSION" | cut -d"." 
-f3)" 18 | 19 | 20 | # Last check known SePrivilege 21 | SEPRIVILEGE="SeMachineAccountPrivilege \ 22 | SeTakeOwnershipPrivilege SeBackupPrivilege SeRestorePrivilege \ 23 | SeRemoteShutdownPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege \ 24 | SeDiskOperatorPrivilege SeSecurityPrivilege SeSystemtimePrivilege \ 25 | SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege \ 26 | SeSystemProfilePrivilege SeProfileSingleProcessPrivilege \ 27 | SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege \ 28 | SeCreatePagefilePrivilege SeIncreaseQuotaPrivilege SeChangeNotifyPrivilege \ 29 | SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege SeCreateGlobalPrivilege \ 30 | SeEnableDelegationPrivilege" 31 | 32 | echo "Version check for Samba : $MAIN_VERSION.$MINOR_VERSION.$SUB_VERSION" 33 | kinit Administrator 34 | if [ "${MINOR_VERSION}" -lt 15 ] 35 | then 36 | for sepriv in $SEPRIVILEGE 37 | do 38 | net rpc rights list privileges "$sepriv" -S "$(hostname -f)" --kerberos 39 | done 40 | elif [ "${MINOR_VERSION}" -ge 15 ] 41 | then 42 | for sepriv in $SEPRIVILEGE 43 | do 44 | net rpc rights list privileges "$sepriv" -S "$(hostname -f)" --use-kerberos=required -N 45 | done 46 | fi 47 | kdestroy 48 | -------------------------------------------------------------------------------- /samba-check-db-repl.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -v 2 | 3 | ## 4 | ## Version : 1.0.8 5 | ## release d.d. : 24-03-2015 6 | ## Author : L. van Belle 7 | ## E-mail : louis@van-belle.nl 8 | ## Copyright : Free as free can be, copy it, change it if needed. 9 | ## Sidenote : if you change things, please inform me 10 | ## ChangeLog : first release d.d. 23-03-2015 11 | ## 24-03-2015 : 1.0.2 few small changes, thanks Rowland for the suggestions. 12 | ## 22-04-2015 : 1.0.3 moved mailx part within check if an e-mail adres is used. 
13 | ## 24-04-2015 : 1.0.4 added extra check, so if no is if found, you get an error message and not a python error. 14 | ## 21-11-2016 : 1.0.5 extra filter options. ( samba 4.5.x needs adjusting ) 15 | ## ( removed the . in the hostname resolving for the DCS, this was no error, but its more clear what people want to see ) 16 | ## 12-02-2018   : 1.0.6 fix the test for presence of "FAILURE" will be true even if the actual result is "successful". 17 | ## 13-02-2018   : 1.0.7 fix filter, variable was not used. optimized code, remove ^M. 18 | ## 30-01-2019 : 1.0.8 change filter defaults to whenChanged,dc,DC,cn,CN 19 | 20 | ## Samba database checker. ( samba 4.1-4.8 tested) 21 | ## This script wil check for error in the samba databases with samba-tool 22 | ## If needed adjust it to your os needs. 23 | 24 | ## !! Warning, samba 4.5.0 - 4.5.1 errors about cn CN ou OU differences. 25 | ## This is a samba bug : https://bugzilla.samba.org/show_bug.cgi?id=12399 26 | # you may need to adjust the filter options below. (SAMBA_LDAPCMD_FILTER) 27 | 28 | ## NOTICE !! This script does only work with samba DC's 29 | ## A samba DC + Windows DC wont work and is not tested, if you get that to work, 30 | ## please share the code ;-) 31 | 32 | ## Howto use it: 33 | ## Put it on any samba4 DC and run it. 34 | ## if you put it in a cron job, 35 | ## set the mail report adres and put in the password for Administrator 36 | ## and set the relayhost. 37 | ## Test it, by remove-ing the email adres at EMAIL_REPORT_ADRES 38 | ## and you get a console output of the checks. 39 | ## Thats it, enjoy.. 40 | ## All other settings are optional.. 41 | 42 | ## Only tested with user "Administrator".. best is not to change this. 43 | SAMBA_NT_ADMIN_USER="Administrator" 44 | ## if empty the script wil ask for the pass.. 45 | ## for running this with cron this is a must ! 
46 | SAMBA_NT_ADMIN_PASS="" 47 | 48 | ## perform 2 checkes by default for the database replication 49 | ## keep both set to yes, thats the best. 50 | SAMBA_CHECKDB_WITH_DRS="yes" 51 | SAMBA_CHECKDB_WITH_LDAPCMD="yes" 52 | ## Filter non-synced attributes 53 | ## Change the filter to avoid mismatching, some items can be ignored. 54 | ## Some examples. : whenChanged,usnChanged,usnCreated,msDS-NcType,serverState 55 | ## add them with "," seperated. 56 | SAMBA_LDAPCMD_FILTER="whenChanged,dc,DC,cn,CN" 57 | 58 | # TODO, this one is not integrated yet! 59 | ## Compare single AD partitions on Domain Controller DC1 and DC2: 60 | ## You can compair also only one for more partitions in stead of the full DB. 61 | ## The options are : domain configuration schema dnsdomain dnsforest 62 | ## Keep empty for full DB compair, or space separated partition options. 63 | #SAMBA_LDAPCMD_PARTITIONS="" 64 | 65 | 66 | ## The email adress to report to. 67 | ## If you put an e-mail adres here the script wil also check for mail tools.. etc 68 | ## Email are only send when errors are found and no console output ! 69 | ## if you want console put, dont put any email address here.. 70 | EMAIL_REPORT_ADDRESS="" 71 | 72 | ## Normaly only e-mail are send when errors are found, or set yes for always email 73 | EMAIL_REPORT_ALWAYS="no" 74 | 75 | ## I use postfix as relay host. ( set to run on localhost only) 76 | ## Put here your mail relay host 77 | ## hostname or hostname-fqdn or ip or ip:port are ok. 78 | ## This is only used when NO sendmail program if found. 79 | POSTFIX_RELAY_HOST="" 80 | 81 | ## postfix wil be automatily setup for your. 82 | ## If you did already setup any mail server on the server or you are able to mail 83 | ## from this server with "mail" command, then this script does not install postfix. 84 | 85 | ## cleanup the log in /tmp 86 | ## can be handy if you want to review manualy. 87 | SETREMOVELOG="no" 88 | 89 | ## So you reached the end for the configure.. 
90 | ## Set this one to yes.. and your good to go. 91 | CONFIGURED="no" 92 | 93 | 94 | ####################################################################### 95 | ## DONT CHANGE BELOW Please, if you make changes, please share them. # 96 | ####################################################################### 97 | 98 | ## hostname in single word, but you dont need to change this 99 | SETHOSTNAME="$(hostname -s)" 100 | ## domainname.tld, but if you installed correct, you dont need to change this 101 | SETDNSDOMAIN="$(hostname -d)" 102 | ## hostname.domainname.tld, but if you installed correct, you dont need to change this 103 | SETFQDN="$(hostname -f)" 104 | 105 | 106 | SETTPUT="$(which tput)" 107 | if [ -z "${SETTPUT}" ]; then 108 | echo "program tput not found, installing it now.. please wait" 109 | apt-get update > /dev/null 110 | apt-get install -y --no-install-recommends ncurses-bin > /dev/null 111 | fi 112 | 113 | RED="$(${SETTPUT} setaf 1)" 114 | NORMAL="$(${SETTPUT} sgr0)" 115 | GREEN="$(${SETTPUT} setaf 2)" 116 | YELLOW="$(${SETTPUT} setaf 3)" 117 | UNDERLINE="$(${SETTPUT} smul)" 118 | WHITE="$(${SETTPUT} setaf 7)" 119 | BOLD="$(${SETTPUT} bold)" 120 | 121 | message() { 122 | printf "%40s\n" "${WHITE}${BOLD}$*${NORMAL}" 123 | } 124 | good() { 125 | printf "%40s\n" "${GREEN}$*${NORMAL}" 126 | } 127 | error() { 128 | printf "%40s\n" "${RED}$*${NORMAL}" 129 | } 130 | warning() { 131 | printf "%40s\n" "${YELLOW}$*${NORMAL}" 132 | } 133 | warning_underline() { 134 | printf "%40s\n" "${YELLOW}${UNDERLINE}$*${NORMAL}" 135 | } 136 | 137 | check_run_as_sudo_root() { 138 | if ! [[ $EUID -eq 0 ]]; then 139 | error "This script should be run using sudo or by root." 140 | exit 1 141 | fi 142 | } 143 | configured_script() { 144 | if [ "${CONFIGURED}" = "no" ]; then 145 | error "####################################################" 146 | error "You need to configure this script first to run it. " 147 | echo " " 148 | error "exiting script now... 
" 149 | exit 0 150 | fi 151 | } 152 | 153 | configured_script 154 | check_run_as_sudo_root 155 | 156 | if [ $SAMBA_CHECKDB_WITH_DRS = "no" ] && [ ${SAMBA_CHECKDB_WITH_LDAPCMD} = "no" ] ; then 157 | error "When you set both SAMBA_CHECKBD... to NO.. then there is no point of running this script" 158 | error "Please set at least 1 of these checks to yes" 159 | error "exiting script now... " 160 | exit 0 161 | fi 162 | 163 | SET_SAMBATOOL="$(which samba-tool)" 164 | if [ -z "$SET_SAMBATOOL" ]; then 165 | error "No samba-tool tool found, this script wil exit now.. this.. I cant fix." 166 | exit 0 167 | fi 168 | 169 | SET_TR="$(which tr)" 170 | if [ -z "$SET_TR" ]; then 171 | warning "No tr tool found, running apt-get update and install coreutils, please wait.." 172 | apt-get update > /dev/null 173 | apt-get install -y --no-install-recommends coreutils > /dev/null 174 | sleep 0.5 175 | SET_TR="$(which tr)" 176 | fi 177 | 178 | ## get DC info 179 | DCS="$(host -t SRV _kerberos._udp."${SETDNSDOMAIN}" | awk '{print $NF}'| sed 's/.$//')" 180 | if [ -z "${DCS}" ]; then 181 | error "No Samba DCS found, host -t SRV _kerberos.udp.${SETDNSDOMAIN} returned nothing" 182 | error "exitting now..." 183 | exit 0 184 | fi 185 | 186 | #SAMBA_DC_FSMO=(${SET_SAMBATOOL} fsmo show | cut -d',' -f2 | head -n1 | cut -c4-100 | ${SET_TR} '[:upper:]' '[:lower:]') 187 | SAMBA_DC_FSMO=$(echo $(${SET_SAMBATOOL} fsmo show | cut -d"," -f2 | head -n1 | cut -c4-100) | ${SET_TR} '[:upper:]' '[:lower:]') 188 | SAMBA_DC1="${SAMBA_DC_FSMO}.${SETDNSDOMAIN}" 189 | if [ -z "${SAMBA_DC1}" ]; then 190 | error "No Samba DC Found with FSMO Roles, you might have dns problems" 191 | error "exitting now..." 192 | exit 0 193 | fi 194 | 195 | #SAMBA_DCS="$(echo ${DCS} | grep -v ${SAMBA_DC_FSMO})" 196 | SAMBA_DCS=$(echo "$DCS" | grep -v "${SAMBA_DC_FSMO}") 197 | if [ -z "${SAMBA_DCS}" ]; then 198 | error "No Samba DC's Found with, you might have dns problems" 199 | error "exitting now..." 
200 | echo $SAMBA_DCS 201 | exit 0 202 | fi 203 | 204 | SAMBA_NT_DOMAINNAME="$($SET_SAMBATOOL domain info "${SAMBA_DC1}" | grep Netbios | cut -d":" -f2 | cut -c2-100)" 205 | if [ -z "${SAMBA_NT_DOMAINNAME}" ]; then 206 | error "No Samba NT DOMAIN Name found" 207 | error "exitting now..." 208 | exit 0 209 | fi 210 | 211 | if [ -z "${SAMBA_NT_ADMIN_PASS}" ]; then 212 | while [ "${SAMBA_NT_ADMIN_PASS}" = "" ]; do 213 | message "No password for user ${SAMBA_NT_DOMAINNAME}\\${SAMBA_NT_ADMIN_USER} was set in this script!" 214 | warning_underline "Please enter the password for ${SAMBA_NT_DOMAINNAME}\\${SAMBA_NT_ADMIN_USER} : " 215 | read -r -s -e "SAMBA_NT_ADMIN_PASS" 216 | done 217 | fi 218 | 219 | echo "${SAMBA_NT_ADMIN_PASS}" | kinit "${SAMBA_NT_ADMIN_USER}" > /dev/null 220 | 221 | 222 | SET_DEBCONF_SETSELECT="$(which debconf-set-selections)" 223 | if [ -z "${SET_DEBCONF_SETSELECT}" ]; then 224 | warning "No debconf-set-selections tool found, running apt-get update and install debconf , please wait.." 225 | apt-get update > /dev/null 226 | apt-get install -y --no-install-recommends debconf > /dev/null 227 | sleep 0.5 228 | SET_DEBCONF_SETSELECT="$(which debconf-set-selections)" 229 | fi 230 | 231 | if [ ! -z "${EMAIL_REPORT_ADDRESS}" ]; then 232 | SET_SENDMAIL="$(which sendmail)" 233 | if [ -z "${SET_SENDMAIL}" ]; then 234 | warning "No mailserver found, running apt-get update and installing postfix as smarthost, please wait.." 
        ## these are the debian defaults for a "smarthost setup"
        echo "postfix postfix/main_mailer_type select Satellite system" | ${SET_DEBCONF_SETSELECT}
        echo "postfix postfix/mailname string ${SETFQDN}" | ${SET_DEBCONF_SETSELECT}
        echo "postfix postfix/relayhost string ${POSTFIX_RELAY_HOST}" | ${SET_DEBCONF_SETSELECT}
        apt-get update > /dev/null
        apt-get install -y --no-install-recommends postfix > /dev/null
        sleep 0.5
        SET_SENDMAIL="$(which sendmail)"
        postconf -e "mydestination = ${SETFQDN}, localhost, localhost.localdomain"
        postconf -e "inet_interfaces = 127.0.0.1"
        postconf -e "inet_protocols = ipv4"
        sleep 0.2
        service postfix restart
    fi
    SET_MAILTOOL="$(which mail)"
    if [ -z "${SET_MAILTOOL}" ]; then
        warning "No mail tool found, running apt-get update and install heirloom-mailx, please wait.."
        apt-get update > /dev/null
        apt-get install -y --no-install-recommends heirloom-mailx > /dev/null
        sleep 0.5
        SET_MAILTOOL="$(which mail)"
        ${SET_MAILTOOL} -s "Test mail from script : check db" "${EMAIL_REPORT_ADDRESS}" < /etc/hosts
    fi
fi


## always remove the logs before running the checks again.
if [ "${SETREMOVELOG}" = "yes" ] || [ "${SETREMOVELOG}" = "no" ] ; then
    if [ -f /tmp/samba_ldapcmp_checkdb ]; then
        rm /tmp/samba_ldapcmp_checkdb
    fi
    if [ -f /tmp/samba_drs_showrepl ]; then
        rm /tmp/samba_drs_showrepl
    fi
fi

## used for samba-tool drs showrepl
## expected success depends on the total number of DC's:
## 10 per other DC ( 5 partitions, inbound and outbound ).
expected_success=0
## expected failure is always 0
expected_failure=0
for x in ${SAMBA_DCS}; do
    expected_success=$(( expected_success + 10 ))
done

if [ -n "${EMAIL_REPORT_ADDRESS}" ]; then
    if [ "${SAMBA_CHECKDB_WITH_LDAPCMD}" = "yes" ]; then
        for x in ${SAMBA_DCS}; do
            ${SET_SAMBATOOL} ldapcmp --filter="${SAMBA_LDAPCMD_FILTER}" ldap://"${SAMBA_DC1}" ldap://"${x}" -d0 > /tmp/samba_ldapcmp_checkdb 2>&1
            if grep -q FAILURE /tmp/samba_ldapcmp_checkdb; then
                ${SET_MAILTOOL} -s "FAILURE ldapcmp between ${SAMBA_DC_FSMO} and ${x}" "${EMAIL_REPORT_ADDRESS}" < /tmp/samba_ldapcmp_checkdb
            fi
        done
    fi
    if [ "${SAMBA_CHECKDB_WITH_DRS}" = "yes" ]; then
        ${SET_SAMBATOOL} drs showrepl -d0 > /tmp/samba_drs_showrepl 2>&1
        failure="$(grep -c "failed" /tmp/samba_drs_showrepl)"
        success="$(grep -c "successful" /tmp/samba_drs_showrepl)"
        for x in ${SAMBA_DCS} ; do
            ## one mail per DC when either count is off ( not two identical mails )
            if [ "${failure}" -ne "${expected_failure}" ] || [ "${success}" -ne "${expected_success}" ]; then
                ${SET_MAILTOOL} -s "FAILURE: unexpected showrepl result between ${SAMBA_DC_FSMO} and ${x}" "${EMAIL_REPORT_ADDRESS}" < /tmp/samba_drs_showrepl
            fi
        done
    fi
else
    message "Running with console output"
    if [ "${SAMBA_CHECKDB_WITH_LDAPCMD}" = "yes" ]; then
        echo "Checking the DC_With_FSMO (${SAMBA_DC_FSMO}) with SAMBA DC: ${SAMBA_DCS}"
        for x in ${SAMBA_DCS}; do
            message "Running : ${SET_SAMBATOOL} ldapcmp --filter=\"${SAMBA_LDAPCMD_FILTER}\" ldap://${SAMBA_DC1} ldap://${x} "
            message "Please wait.. this can take a while.."
309 | #${SET_SAMBATOOL} ldapcmp --filter="${SAMBA_LDAPCMD_FILTER}" ldap://"${SAMBA_DC1}" ldap://"${x}" -d0 > /tmp/samba_ldapcmp_checkdb 310 | ${SET_SAMBATOOL} ldapcmp --filter="${SAMBA_LDAPCMD_FILTER}" ldap://"$SAMBA_DC1" ldap://"${x}" -d0 > /tmp/samba_ldapcmp_checkdb 2>&1 311 | if grep -q FAILURE /tmp/samba_ldapcmp_checkdb; then 312 | warning "$(cat /tmp/samba_ldapcmp_checkdb)" 313 | else 314 | good "$(cat /tmp/samba_ldapcmp_checkdb)" 315 | fi 316 | done 317 | fi 318 | echo ".. Next check.. " 319 | if [ "${SAMBA_CHECKDB_WITH_DRS}" = "yes" ]; then 320 | message "Running : samba-tool drs showrepl" 321 | # ${SET_SAMBATOOL} drs showrepl -d0 2>&1 > /tmp/samba_drs_showrepl 322 | ${SET_SAMBATOOL} drs showrepl -d0 > /tmp/samba_drs_showrepl 2>&1 323 | failure="$(grep -c "failed" /tmp/samba_drs_showrepl)" 324 | success="$(grep -c "successful" /tmp/samba_drs_showrepl)" 325 | for x in ${SAMBA_DCS} ; do 326 | if [ "${failure}" -ne "${expected_failure}" ]; then 327 | error "failures don't match" 328 | fi 329 | if [ "${success}" -ne "${expected_success}" ]; then 330 | error "successes don't match" 331 | fi 332 | if [ "${failure}" -eq "${expected_failure}" ] && [ "${success}" -eq "${expected_success}" ]; then 333 | good "No errors found" 334 | fi 335 | done 336 | fi 337 | fi 338 | 339 | if [ "${EMAIL_REPORT_ALWAYS}" = "yes" ] && [ -n "${EMAIL_REPORT_ADDRESS}" ]; then 340 | #cat /tmp/samba_drs_showrepl | ${SET_MAILTOOL} -s "SAMBA CHECK DB : showrepl results" $EMAIL_REPORT_ADDRESS 341 | ${SET_MAILTOOL} -s "SAMBA CHECK DB : showrepl results" $EMAIL_REPORT_ADDRESS < /tmp/samba_drs_showrepl 342 | #cat /tmp/samba_ldapcmp_checkdb | ${SET_MAILTOOL} -s "SAMBA CHECK DB : ldapcmp results" $EMAIL_REPORT_ADDRESS 343 | ${SET_MAILTOOL} -s "SAMBA CHECK DB : ldapcmp results" $EMAIL_REPORT_ADDRESS < /tmp/samba_ldapcmp_checkdb 344 | fi 345 | 346 | if [ "${SETREMOVELOG}" = "yes" ]; then 347 | if [ -f /tmp/samba_ldapcmp_checkdb ]; then 348 | rm /tmp/samba_ldapcmp_checkdb 349 | fi 350 | if [ -f 
/tmp/samba_drs_showrepl ]; then 351 | rm /tmp/samba_drs_showrepl 352 | fi 353 | fi 354 | -------------------------------------------------------------------------------- /samba-check-set-sysvol.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | 3 | # Version=0.2 4 | 5 | # This program is tested on debian Stretch. 6 | # This program is tested on Devuan Jessie. 7 | # 8 | # ! ONLY FOR SAMBA AD DC 9 | # Where samba-tool sysvolreset is broke, this sets the correct rights. 10 | # The base for these rigths is Win2008R2 it's sysvol. 11 | 12 | # By Louis van Belle and Rowland Penny. 13 | # or 14 | # By Rowland Penny and Louis van Belle 15 | # ;-) 16 | 17 | 18 | # Some Defaults which should never change. 19 | # These are AD SIDs, so I have removed the 'SAMBA' 20 | DC_SERVER_OPERATORS="S-1-5-32-549" 21 | DC_ADMINISTRATORS="S-1-5-32-544" 22 | DC_SYSTEM="S-1-5-18" 23 | DC_AUTHENTICATED_USERS="S-1-5-11" 24 | 25 | # apply the change right now, or review it yourself first. 26 | APPLY_CHANGES_DIRECT="no" 27 | 28 | Check_Error () { 29 | if [ "$?" -ge 1 ]; then 30 | echo "error detected" 31 | echo "exiting now" 32 | exit 1 33 | fi 34 | } 35 | 36 | CMD_WBINFO="$(which wbinfo)" 37 | if [ -z "${CMD_WBINFO}" ]; then 38 | echo "Cannot find wbinfo." 39 | echo "Is the winbind package installed ?" 40 | echo "Cannot continue...Exiting." 41 | exit 1 42 | fi 43 | 44 | # Get path to sysvol from the running config. (debian/samba default: /var/lib/samba/sysvol 45 | DC_SYSVOL_PATH="$(echo "\n" | samba-tool testparm -v | grep sysvol | grep path | grep -v scripts | tail -1 | awk '{ print $NF }')" 46 | if [ ! -d "${DC_SYSVOL_PATH}" ]; then 47 | echo "Error, sysvol directory detected in your running config does not exist." 
48 | echo "Exiting now, this is impossible, or this is not a AD DC server" 49 | exit 1 50 | fi 51 | 52 | # get info for BUILTIN\Server Operators 53 | Get_DC_SERVER_OPERATORS () { 54 | DC_SERVER_OPERATORS_SID2UID="$(${CMD_WBINFO} --sid-to-uid=$DC_SERVER_OPERATORS)" 55 | # result UID (example: 3000001 ) 56 | 57 | DC_SERVER_OPERATORS_UID2SID="$(${CMD_WBINFO} --uid-to-sid=$DC_SERVER_OPERATORS_SID2UID)" 58 | # result SID (uid2sid) (example: S-1-5-32-549 ) 59 | 60 | DC_SERVER_OPERATORS_GID2SID="$(${CMD_WBINFO} --gid-to-sid=$DC_SERVER_OPERATORS_SID2UID)" 61 | # result SID AGAIN (check) (gid2sid) (example: S-1-5-32-549 ) 62 | 63 | DC_SERVER_OPERATORS_SID2NAME="$(${CMD_WBINFO} --sid-to-name=$DC_SERVER_OPERATORS |rev|cut -c3-100|rev)" 64 | # result NAME (example: BUILTIN\Server Operators ) 65 | 66 | DC_SERVER_OPERATORS_NAME2SID=$(${CMD_WBINFO} --name-to-sid="$DC_SERVER_OPERATORS_SID2NAME"| rev|cut -c15-100|rev) 67 | # result SID (check) (name2sid) 68 | if [ "$DC_SERVER_OPERATORS_UID2SID" != "$DC_SERVER_OPERATORS_GID2SID" ]; then 69 | echo "Error, UID2SID and GID2SID are not matching, exiting now." 70 | exit 1 71 | fi 72 | if [ "${DC_SERVER_OPERATORS_NAME2SID}" != "${DC_SERVER_OPERATORS}" ]; then 73 | echo "Error, NAME2SID and DC_SERVER_OPERATORS are not matching, exiting now." 74 | echo "The circle check failed, exiting now. 
" 75 | exit 1 76 | fi 77 | SET_GPO_SERVER_OPER_UID="$DC_SERVER_OPERATORS_SID2UID" 78 | #SET_GPO_SERVER_OPER_GID="$DC_SERVER_OPERATORS_SID2NAME" 79 | } 80 | 81 | # get info for BUILTIN\Administrator 82 | Get_DC_ADMINISTRATORS () { 83 | DC_ADMINISTRATORS_SID2UID="$(${CMD_WBINFO} --sid-to-uid=$DC_ADMINISTRATORS)" 84 | DC_ADMINISTRATORS_UID2SID="$(${CMD_WBINFO} --uid-to-sid=$DC_ADMINISTRATORS_SID2UID)" 85 | DC_ADMINISTRATORS_GID2SID="$(${CMD_WBINFO} --gid-to-sid=$DC_ADMINISTRATORS_SID2UID)" 86 | DC_ADMINISTRATORS_SID2NAME="$(${CMD_WBINFO} --sid-to-name=$DC_ADMINISTRATORS |rev|cut -c3-100|rev)" 87 | DC_ADMINISTRATORS_NAME2SID=$(${CMD_WBINFO} --name-to-sid="$DC_ADMINISTRATORS_SID2NAME"| rev|cut -c15-100|rev) 88 | if [ "$DC_ADMINISTRATORS_UID2SID" != "$DC_ADMINISTRATORS_GID2SID" ]; then 89 | echo "Error, UID2SID and GID2SID are not matching, exiting now." 90 | exit 1 91 | fi 92 | if [ "${DC_ADMINISTRATORS_NAME2SID}" != "${DC_ADMINISTRATORS}" ]; then 93 | echo "Error, NAME2SID and DC_ADMINISTRATORS are not matching, exiting now." 94 | echo "The circle check failed, exiting now. " 95 | exit 1 96 | fi 97 | SET_GPO_ADMINISTRATORS_UID="$DC_ADMINISTRATORS_SID2UID" 98 | #SET_GPO_ADMINISTRATORS_GID="$DC_ADMINISTRATORS_SID2NAME" 99 | } 100 | 101 | # get info for NT Authority\SYSTEM 102 | Get_DC_SYSTEM () { 103 | DC_SYSTEM_SID2UID="$(${CMD_WBINFO} --sid-to-uid=$DC_SYSTEM)" 104 | DC_SYSTEM_UID2SID="$(${CMD_WBINFO} --uid-to-sid=$DC_SYSTEM_SID2UID)" 105 | DC_SYSTEM_GID2SID="$(${CMD_WBINFO} --gid-to-sid=$DC_SYSTEM_SID2UID)" 106 | #DC_SYSTEM_SID2NAME="$(${CMD_WBINFO} --sid-to-name=$DC_SYSTEM |rev|cut -c3-100|rev)" 107 | # name2sid does not work for SYSTEM 108 | if [ "$DC_SYSTEM_UID2SID" != "$DC_SYSTEM_GID2SID" ]; then 109 | echo "Error, UID2SID and GID2SID are not matching, exiting now." 110 | exit 1 111 | fi 112 | # I have rewritten the following 'if', you dont need to test both 113 | # they have been tested against each other above. 
114 | #if [ "${DC_SYSTEM_GID2SID}" != "${DC_SYSTEM}" ]||[ "${DC_SYSTEM_UID2SID}" != "${DC_SYSTEM}" ] ; then 115 | if [ "${DC_SYSTEM_GID2SID}" != "${DC_SYSTEM}" ]; then 116 | echo "Error, GID2SID/UID2SID and DC_SYSTEM are not matching, exiting now." 117 | echo "The circle check failed, exiting now. " 118 | exit 1 119 | fi 120 | SET_GPO_SYSTEM_UID="$DC_SYSTEM_SID2UID" 121 | #SET_GPO_SYSTEM_GID="$DC_SYSTEM_SID2NAME" 122 | } 123 | 124 | # get info for NT Authority\Authenticated Users 125 | Get_DC_AUTHENTICATED_USERS () { 126 | DC_AUTHENTICATED_USERS_SID2UID="$(${CMD_WBINFO} --sid-to-uid=$DC_AUTHENTICATED_USERS)" 127 | DC_AUTHENTICATED_USERS_UID2SID="$(${CMD_WBINFO} --uid-to-sid=$DC_AUTHENTICATED_USERS_SID2UID)" 128 | DC_AUTHENTICATED_USERS_GID2SID="$(${CMD_WBINFO} --gid-to-sid=$DC_AUTHENTICATED_USERS_SID2UID)" 129 | #DC_AUTHENTICATED_USERS_SID2NAME="$(${CMD_WBINFO} --sid-to-name=$DC_AUTHENTICATED_USERS |rev|cut -c3-100|rev)" 130 | # name2sid does not work for Authenticated Users 131 | if [ "$DC_AUTHENTICATED_USERS_UID2SID" != "$DC_AUTHENTICATED_USERS_GID2SID" ]; then 132 | echo "Error, UID2SID and GID2SID are not matching, exiting now." 133 | exit 1 134 | fi 135 | # rewritten as per above function 136 | #if [ "${DC_AUTHENTICATED_USERS_GID2SID}" != "${DC_AUTHENTICATED_USERS}" ]||[ "${DC_AUTHENTICATED_USERS_UID2SID}" != "${DC_AUTHENTICATED_USERS}" ] ; then 137 | if [ "${DC_AUTHENTICATED_USERS_GID2SID}" != "${DC_AUTHENTICATED_USERS}" ]; then 138 | echo "Error, GID2SID/UID2SID and DC_AUTHENTICATED_USERS are not matching, exiting now." 139 | echo "The circle check failed, exiting now. " 140 | exit 1 141 | fi 142 | SET_GPO_AUTHEN_USERS_UID="$DC_AUTHENTICATED_USERS_SID2UID" 143 | #SET_GPO_AUTHEN_USERS_GID="$DC_AUTHENTICATED_USERS_SID2NAME" 144 | } 145 | 146 | # TODO (check/set) implement starting rights for sysvol (if not default ) 147 | # first, set the sysvol rights. 
148 | # ( root:root ) 149 | # On A 2012R2 DC the owner & group are: O:BA G:SY 150 | # BA = BUILTIN\Administrators 151 | # SY = SYSTEM 152 | # ( Creator owner ) 153 | #chmod 1770 ${DC_SYSVOL_PATH} 154 | # ( creator group ) 155 | #chmod 2770 ${DC_SYSVOL_PATH} 156 | # ( creator owner and group ) 157 | #chmod 3770 ${DC_SYSVOL_PATH} 158 | 159 | #TODO(option,check/set), change share, include ignore system acl 160 | 161 | 162 | 163 | Create_DC_SYVOL_ACL_FILE () { 164 | Get_DC_SERVER_OPERATORS 165 | Get_DC_ADMINISTRATORS 166 | Get_DC_SYSTEM 167 | Get_DC_AUTHENTICATED_USERS 168 | 169 | RIGHTSFILE="default-rights-sysvol.acl" 170 | cat << EOF > "${RIGHTSFILE}" 171 | # file: ${DC_SYSVOL_PATH} 172 | # owner: root 173 | # group: root 174 | user::rwx 175 | user:root:rwx 176 | user:${SET_GPO_ADMINISTRATORS_UID}:rwx 177 | user:${SET_GPO_SERVER_OPER_UID}:r-x 178 | user:${SET_GPO_SYSTEM_UID}:rwx 179 | user:${SET_GPO_AUTHEN_USERS_UID}:r-x 180 | group::rwx 181 | group:${SET_GPO_ADMINISTRATORS_UID}:rwx 182 | group:${SET_GPO_SERVER_OPER_UID}:r-x 183 | group:${SET_GPO_SYSTEM_UID}:rwx 184 | group:${SET_GPO_AUTHEN_USERS_UID}:r-x 185 | mask::rwx 186 | other::--- 187 | default:user::rwx 188 | default:user:root:rwx 189 | default:user:${SET_GPO_ADMINISTRATORS_UID}:rwx 190 | default:user:${SET_GPO_SERVER_OPER_UID}:r-x 191 | default:user:${SET_GPO_SYSTEM_UID}:rwx 192 | default:user:${SET_GPO_AUTHEN_USERS_UID}:r-x 193 | default:group::--- 194 | default:group:${SET_GPO_ADMINISTRATORS_UID}:rwx 195 | default:group:${SET_GPO_SERVER_OPER_UID}:r-x 196 | default:group:${SET_GPO_SYSTEM_UID}:rwx 197 | default:group:${SET_GPO_AUTHEN_USERS_UID}:r-x 198 | default:mask::rwx 199 | default:other::--- 200 | EOF 201 | } 202 | 203 | Apply_DC_SYVOL_ACL_FILE () { 204 | setfacl -R -b --modify-file "${RIGHTSFILE}" "${DC_SYSVOL_PATH}" 205 | if [ "$?" -eq 0 ]; then 206 | rm -rf "${RIGHTSFILE}" 207 | echo " " 208 | else 209 | echo "An error occurred!" 210 | echo "See ${RIGHTSFILE}" 211 | echo "Exiting..." 
212 | exit 1 213 | fi 214 | 215 | # and make sure your domain Admin and local adminsitrator always have access. 216 | setfacl -R -m default:user:root:rwx "${DC_SYSVOL_PATH}" 217 | setfacl -R -m default:group:"${SET_GPO_ADMINISTRATORS_UID}":rwx "${DC_SYSVOL_PATH}" 218 | } 219 | 220 | Show_Info () { 221 | cat <> "$LOGFILE" <> "$LOGFILE" < $LOGFILE 106 | 107 | HOSTNAME="$(hostname -s)" 108 | DOMAIN="$(hostname -d)" 109 | REALM="${DOMAIN^^}" 110 | FQDN="$(hostname -f)" 111 | IP="$(hostname -I)" 112 | 113 | # Base info. 114 | cat >> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> $LOGFILE 169 | else 170 | cat >> "$LOGFILE" <> "$LOGFILE" 181 | cat >> "$LOGFILE" < /dev/null 2>&1 191 | if [ "$?" -ne 0 ]; then 192 | printf "WARNING: 'kinit Administrator' will fail, you need to fix this.\nUnable to verify DNS kerberos._tcp SRV records\n\n-----------\n\n" >> $LOGFILE 193 | else 194 | printf "Kerberos SRV _kerberos._tcp.${DOMAIN} record(s) verified ok, sample output:\n%s\n\n-----------\n\n" "$(nslookup -type=SRV _kerberos._tcp.${DOMAIN})" >> $LOGFILE 195 | 196 | for x in $(nslookup -type=NS "${DOMAIN}"|grep nameserver |awk -F"=" '{ print $NF }' >/dev/null) 197 | do 198 | nslookup -type=SRV _kerberos._tcp."${DOMAIN}" "${x}" > /dev/null 199 | status="$?" 200 | if [ "$status" -ne 0 ]; then 201 | printf "Error detecting the nameserver '$x' _kerberos._tcp.${DOMAIN} records\n\n-----------\n\n" >> $LOGFILE 202 | else 203 | printf "DNS NS records for the nameservers: ${x} in domain ${DOMAIN} verified ok\n%s\n\n-----------\n\n" "$(nslookup -type=NS "${DOMAIN}"|grep nameserver |awk -F"=" '{ print $NF }')" >> $LOGFILE 204 | fi 205 | done 206 | fi 207 | 208 | # Initialize the Administrator 209 | kinit Administrator 2> /dev/null 210 | if [ "$?" 
-ne 0 ]; then 211 | printf "'kinit Administrator' password checked failed.\nWrong password or kerberos REALM problems.\n\n-----------\n\n" >> "$LOGFILE" 212 | else 213 | printf "'kinit Administrator' checked successfully.\n\n-----------\n\n" >> "$LOGFILE" 214 | # Remove Administrators kerberos ticket. 215 | kdestroy 216 | fi 217 | 218 | SMBCONF='smb.conf' 219 | DCOUNT=0 220 | for deamon in samba smbd nmbd winbindd 221 | do 222 | pgrep -xl $deamon > /dev/null 2>&1 223 | ret="$?" 224 | case $ret in 225 | 1) continue 226 | ;; 227 | 0) [[ $deamon == samba ]] && DCOUNT=$((DCOUNT+1)) 228 | [[ $deamon == smbd ]] && DCOUNT=$((DCOUNT+2)) 229 | [[ $deamon == nmbd ]] && DCOUNT=$((DCOUNT+3)) 230 | [[ $deamon == winbindd ]] && DCOUNT=$((DCOUNT+5)) 231 | ;; 232 | esac 233 | done 234 | 235 | case $DCOUNT in 236 | 0) cat >> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" </dev/null) 269 | ROLE="${ROLE^^}" 270 | if [ "$ROLE" = "ADS" ]; then 271 | cat >> "$LOGFILE" <> $LOGFILE 284 | SMBCONF=/etc/samba/smb.conf 285 | fi 286 | fi 287 | fi 288 | ;; 289 | 7) ROLE="$(testparm -s --parameter-name='security' 2>/dev/null)" 290 | ROLE="${ROLE^^}" 291 | if [ "$ROLE" = "ADS" ]; then 292 | printf "Samba is running as a Unix domain member\n\n-----------\n" >> $LOGFILE 293 | UDM=1 294 | SMBCONF=$(smbd -b | grep 'CONFIGFILE' | awk '{print $NF}') 295 | fi 296 | ;; 297 | 8) cat >> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" < /dev/null)" 342 | else 343 | SERVER_ROLE="$(testparm -s --parameter-name="server role" 2> /dev/null)" 344 | fi 345 | 346 | if [ -e "${USERMAP}" ]; then 347 | if [ "$UDM" = "1" ]; then 348 | MAPCONTENTS=$(cat "$USERMAP") 349 | cat >> "$LOGFILE" << EOF 350 | Running as Unix domain member and user.map detected. 
351 | 352 | Contents of $USERMAP 353 | 354 | $MAPCONTENTS 355 | 356 | Server Role is set to : $SERVER_ROLE 357 | 358 | ----------- 359 | 360 | EOF 361 | elif [ "$ADDC" = "1" ]; then 362 | cat >> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" <> $LOGFILE 517 | if [ -d /etc/bind ]; then 518 | CHECK_PACKAGES="${CHECK_PACKAGES}|bind9" 519 | 520 | Check_file_exists "/etc/bind/named.conf" 521 | Check_file_exists "/etc/bind/named.conf.options" 522 | Check_file_exists "/etc/bind/named.conf.local" 523 | Check_file_exists "/etc/bind/named.conf.default-zones" 524 | 525 | echo "Samba DNS zone list check : " >> $LOGFILE 526 | 527 | zonelist="$(samba-tool dns zonelist "${FQDN}" -P)" 528 | zones="$(echo "${zonelist}" | grep '[p]szZoneName' | awk '{print $NF}' | tr '\n' ' ')" 529 | while read -r -d ' ' zone 530 | do 531 | zonetest=$(grep -r "${zone}" /etc/bind | grep -v dpkg-dist) 532 | if [ -n "${zonetest}" ]; then 533 | found=$((found+1)) 534 | fi 535 | 536 | if [ "${found}" -gt 0 ]; then 537 | cat >> "$LOGFILE" <> "$LOGFILE" 549 | fi 550 | done <<< "${zones}" 551 | cat >> "$LOGFILE" <> "$LOGFILE" 573 | else 574 | # this should only be the Samba named.conf 575 | # test for 'samba' in $file path 576 | if [[ $file == *samba* ]]; then 577 | # is the right path ? 
578 | if [ -f "$file" ]; then
579 | continue
580 | else
581 | printf "incorrect Samba 'named.conf' path '%s' set in %s" "$file" "$named_file" >> "$LOGFILE"
582 | fi
583 | else
584 | printf "unknown 'include' file '%s' in %s" "$file" "$named_file" >> "$LOGFILE"
585 | fi
586 | fi
587 | done
588 | done
589 | cat >> "$LOGFILE" <> "$LOGFILE" <> "$LOGFILE" < /dev/null | date +%FT%T)
619 | printf "\nTime on the DC with PDC Emulator role is: %s\n\n" "$pdc_emulator_time" >> "$LOGFILE"
620 | pdc_emulator_secs=$(date -d "$pdc_emulator_time" +%s)
621 | ## 'date' ignores its stdin, so the time strings must be handed over with -d; 'net time -S host' prints ctime() format, which GNU date parses.
622 | local_time=$(date -d "$(net time -S "${FQDN}" 2> /dev/null)" +%FT%T)
623 | printf "\nTime on this computer is: %s\n\n" "$local_time" >> "$LOGFILE"
624 | local_time_secs=$(date -d "$local_time" +%s)
625 | 
626 | time_diff="$((pdc_emulator_secs - local_time_secs))"
627 | if [ "$time_diff" -gt 300 ] || [ "$time_diff" -lt -300 ]; then
628 | printf "Error, the time difference between servers is too great (Kerberos allows at most 300 seconds).\n\n-----------\n" >> "$LOGFILE"
629 | else
630 | printf "\nTime verified ok, within the allowed 300sec margin.\nTime offset is currently : %s seconds\n\n-----------\n" "${time_diff}" >> "$LOGFILE"
631 | fi
632 | else
633 | pdc_emulator_time=$(date -d "$(net time -S "${pdc_emulator}" 2> /dev/null)" +%FT%T)
634 | printf "\nThis is the DC with the PDC Emulator role and time is: %s\n\n-----------\n" "$pdc_emulator_time" >> "$LOGFILE"
635 | fi
636 | 
637 | # TODO..add more checks..
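One check worth adding at the TODO above, and a better basis for the replication test in samba-check-db-repl.sh earlier on this page (which counts lines containing "successful" and "failed" and expects ten per DC, so it cannot say which partner or partition is broken and drifts as soon as a DC hosts a different number of partitions): evaluate `samba-tool drs showrepl` per partition and partner. The functions below are an added example, not code from this repository. The showrepl text they run on is constructed sample data that follows the layout samba-tool prints (a partition DN, an indented "site\DC via RPC" partner line, then the "Last attempt" and "consecutive failure(s)" lines); the site, the DC names DC1 to DC3, example.com and the GUIDs are invented.

```shell
#!/bin/bash
# Added example, not code from the repository: evaluate 'samba-tool drs showrepl'
# per partition and replication partner instead of counting matching lines.

# Constructed sample output (invented DC names and GUIDs). Layout follows what
# samba-tool prints: a partition DN, an indented "<site>\<DC> via RPC" partner
# line, then the "Last attempt" / "consecutive failure(s)" lines.
SAMPLE_SHOWREPL='Default-First-Site-Name\DC1
DSA Options: 0x00000001
DSA object GUID: 11111111-2222-3333-4444-555555555555
DSA invocationId: 66666666-7777-8888-9999-000000000000

==== INBOUND NEIGHBORS ====

DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ Mon Jan  8 10:00:00 2024 UTC was successful
        0 consecutive failure(s).
        Last success @ Mon Jan  8 10:00:00 2024 UTC

DC=example,DC=com
    Default-First-Site-Name\DC3 via RPC
        DSA object GUID: ffffffff-0000-1111-2222-333333333333
        Last attempt @ Mon Jan  8 10:00:00 2024 UTC failed, result 1722 (WERR_RPC_S_SERVER_UNAVAILABLE)
        3 consecutive failure(s).
        Last success @ Sun Jan  7 22:00:00 2024 UTC

==== OUTBOUND NEIGHBORS ====

DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ Mon Jan  8 10:00:00 2024 UTC was successful
        0 consecutive failure(s).
        Last success @ Mon Jan  8 10:00:00 2024 UTC

==== KCC CONNECTION OBJECTS ====
'

# Print one line per neighbour:
#   "<inbound|outbound> <partition> <partner> <ok|failed> <consecutive failures>"
# Reads showrepl output from the file given as $1, or from stdin.
showrepl_report() {
    awk '
        /^==== INBOUND NEIGHBORS ====/      { dir = "inbound";  next }
        /^==== OUTBOUND NEIGHBORS ====/     { dir = "outbound"; next }
        /^==== KCC CONNECTION OBJECTS ====/ { dir = "";         next }
        dir == ""                           { next }
        /^(DC|CN)=/                         { partition = $0;   next }
        /via RPC$/                          { partner = $1;     next }
        /Last attempt @/ {
            status = ($0 ~ /was successful$/) ? "ok" : "failed"
            next
        }
        /consecutive failure\(s\)/ {
            printf "%s %s %s %s %s\n", dir, partition, partner, status, $1
            next
        }
    ' "$@"
}

# Return 0 when every neighbour's last attempt succeeded; otherwise print the
# distinct failing partners (one per line) and return 1, so a caller can name
# them in a mail subject instead of mailing the same dump once per DC.
showrepl_check() {
    local failed
    failed=$(showrepl_report "$@" | awk '$4 == "failed" { print $3 }' | sort -u)
    if [ -n "$failed" ]; then
        printf '%s\n' "$failed"
        return 1
    fi
    return 0
}

# Stand-alone demo on the sample; on a real DC use:  samba-tool drs showrepl | showrepl_check
printf '%s' "$SAMPLE_SHOWREPL" | showrepl_report
if ! printf '%s' "$SAMPLE_SHOWREPL" | showrepl_check > /dev/null; then
    echo "replication problems detected, see the report above"
fi
```

The report keeps direction, partition and partner separate, so a single partition that stops replicating from one DC shows up by name, and the "0 consecutive failure(s)" count is carried along for alerting thresholds.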
638 | 639 | running=$(dpkg -l | grep -E "${CHECK_PACKAGES}") 640 | cat >> "$LOGFILE" < /dev/null 26 | apt-get install -y --no-install-recommends ncurses-bin > /dev/null 27 | fi 28 | 29 | RED=$(${SETTPUT} setaf 1) 30 | NORMAL=$(${SETTPUT} sgr0) 31 | GREEN=$(${SETTPUT} setaf 2) 32 | YELLOW=$(${SETTPUT} setaf 3) 33 | UNDERLINE=$(${SETTPUT} smul) 34 | WHITE=$(${SETTPUT} setaf 7) 35 | BOLD=$(${SETTPUT} bold) 36 | 37 | message() { 38 | printf "%40s\n" "${WHITE}${BOLD}$@${NORMAL}" 39 | } 40 | good() { 41 | printf "%40s\n" "${GREEN}$@${NORMAL}" 42 | } 43 | error() { 44 | printf "%40s\n" "${RED}$@${NORMAL}" 45 | } 46 | warning() { 47 | printf "%40s\n" "${YELLOW}$@${NORMAL}" 48 | } 49 | warning_underline() { 50 | printf "%40s\n" "${YELLOW}${UNDERLINE}$@${NORMAL}" 51 | } 52 | 53 | check_run_as_sudo_root() { 54 | if ! [[ $EUID -eq 0 ]]; then 55 | error "This script should be run using sudo or by root." 56 | exit 1 57 | fi 58 | } 59 | configured_script() { 60 | if [ "${CONFIGURED}" = "no" ]; then 61 | error "####################################################" 62 | error "You need to configure this script first to run it. " 63 | echo " " 64 | error "exiting script now... 
" 65 | exit 0 66 | fi 67 | } 68 | 69 | configured_script 70 | check_run_as_sudo_root 71 | 72 | DOWNCOUNTER=1 73 | UPCONTER=1 74 | 75 | echo "Tool for createing lots DNS records" 76 | echo "A few questions" 77 | read -p "What is the name of the dns zone to add to ( example: $SETDNSDOMAIN ) : " SET_INPUT_ZONE 78 | read -p "What is the IP range ( example : $(ip route|grep -v default | cut -d"/" -f1) ) : " SET_INPUT_IP_RANGE 79 | read -p "What is the hostname without numbers ( example input : printer ) results in printer-NR : " SET_INPUT_PREHOSTNAME 80 | read -p "Enter the start IP 1-254: " DOWNCOUNTER 81 | UPCOUNTER=$(( $DOWNCOUNTER +1 )) 82 | read -p "Enter the end IP ${UPCOUNTER}-254: " UPCOUNTER 83 | read -p "Enable PTR ( type: yes or no ) : " SET_PTR 84 | 85 | 86 | if [ $DOWNCOUNTER -ge $UPCOUNTER ]; then 87 | echo "error, your start is higher or equal then the end ip" 88 | exit 0 89 | fi 90 | 91 | ## get DC's 92 | DCS=$(host -t SRV _kerberos._udp.${SETDNSDOMAIN} | awk '{print $NF}') 93 | SAMBA_DC1=$(echo "$DCS" | sed -n 1p) 94 | SAMBA_DC2=$(echo "$DCS" | sed -n 2p) 95 | ## get the ip of the DC's 96 | if [ -z "${SAMBA_DC1}" ] && [ -z "${SAMBA_DC2}" ]; then 97 | echo "Could not obtain an ipaddress for any AD DC.. 
Exiting"
98 | exit 1
99 | fi
100 | if [ -z "${SAMBA_DC2}" ]; then
101 | SAMBA_DC1_IP=$(host -t A ${SAMBA_DC1} | awk '{print $NF}')
102 | SAMBA_DC2_IP=""
103 | else
104 | SAMBA_DC1_IP=$(host -t A ${SAMBA_DC1} | awk '{print $NF}')
105 | SAMBA_DC2_IP=$(host -t A ${SAMBA_DC2} | awk '{print $NF}')
106 | fi
107 | 
108 | 
109 | SAMBA_NT_DOMAINNAME=$(samba-tool domain info ${SAMBA_DC1} | grep Netbios | cut -d":" -f2 | cut -c2-100)
110 | SAMBA_NT_ADMIN_USER="Administrator"
111 | SAMBA_NT_ADMIN_PASS=""
112 | 
113 | if [ -z "${SAMBA_NT_ADMIN_PASS}" ]; then
114 | while [ "${SAMBA_NT_ADMIN_PASS}" = "" ]; do
115 | read -s -e -p "Please enter the password for ${SAMBA_NT_DOMAINNAME}\Administrator : " SAMBA_NT_ADMIN_PASS
116 | done
117 | fi
118 | ## feed the password on stdin (never as an argument, that would show up in 'ps') and stop if no ticket was obtained.
119 | echo "${SAMBA_NT_ADMIN_PASS}" | kinit "${SAMBA_NT_ADMIN_USER}" || { echo "kinit failed, exiting."; exit 1; }
120 | ## samba-tool's -k/--kerberos option expects yes or no, so the ticket from kinit is used with '-k yes'.
121 | REVERSEZONE=$(echo "$SET_INPUT_IP_RANGE" | awk 'BEGIN { FS = "." } ; { print $3"."$2"."$1}')
122 | IPRANGE3=$(echo "$SET_INPUT_IP_RANGE" | awk 'BEGIN { FS = "." } ; { print $1"."$2"."$3}')
123 | ## create the reverse zone once, before the loop (the subcommand is 'dns zonecreate'); an already existing zone only produces an error message.
124 | if [ "${SET_PTR}" = "yes" ]; then samba-tool dns zonecreate "${SAMBA_DC1}" "${REVERSEZONE}.in-addr.arpa" -k yes || echo "reverse zone exists or could not be created, continuing"; fi
125 | UPCOUNTER=$(( UPCOUNTER + 1 ))
126 | until [ "$DOWNCOUNTER" -eq "$UPCOUNTER" ];
127 | do
128 | echo -n "Adding IP ${IPRANGE3}.${DOWNCOUNTER} : "
129 | samba-tool dns add "${SAMBA_DC1}" "${SET_INPUT_ZONE}" "${SET_INPUT_PREHOSTNAME}-${DOWNCOUNTER}" A "${IPRANGE3}.${DOWNCOUNTER}" -k yes
130 | sleep 0.5
131 | if [ "${SET_PTR}" = "yes" ]; then
132 | echo -n "Adding PTR ${SET_INPUT_PREHOSTNAME}-${DOWNCOUNTER}.${SET_INPUT_ZONE} : "
133 | samba-tool dns add "${SAMBA_DC1}" "${REVERSEZONE}.in-addr.arpa" "${DOWNCOUNTER}" PTR "${SET_INPUT_PREHOSTNAME}-${DOWNCOUNTER}.${SET_INPUT_ZONE}" -k yes
134 | sleep 0.5
135 | fi
136 | DOWNCOUNTER=$(( DOWNCOUNTER + 1 ))
137 | done
138 | 
139 | 
140 | 
141 | unset SAMBA_NT_ADMIN_PASS
142 | kdestroy
143 | 
-------------------------------------------------------------------------------- /samba-fix-userhome-recursive.sh:
-------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | V="0.5-B1" 4 | 5 | # Changelog 0.5 : Added, reset all ACL's and rights and re-apply them. 6 | # This is needed to make sure the owner is set correctly. 7 | # With old data, the owner can be a non-exising UID. 8 | 9 | # This script is use and tested on a Debian Buster Samba MEMBER 10 | # This is tested with an AD Backend setup. 11 | # https://wiki.samba.org/index.php/Idmap_config_ad 12 | # 13 | # This script will create and setup and configure a basic but secure Samba setup 14 | # ! Not tested on AD-DC's (yet) 15 | # ! Not tested with RID backends. (yet) 16 | # 17 | 18 | # Copyright (C) Louis van Belle 2020 19 | 20 | # This program is free software; you can redistribute it and/or modify 21 | # it under the terms of the GNU General Public License as published by 22 | # the Free Software Foundation; either version 3 of the License, or 23 | # (at your option) any later version. 24 | # 25 | # This program is distributed in the hope that it will be useful, 26 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 27 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 28 | # GNU General Public License for more details. 29 | # 30 | # You should have received a copy of the GNU General Public License 31 | # along with this program. If not, see . 32 | 33 | # Intro 34 | # This script is/can be used, as an addon, to the samba-setup-share-folders.sh 35 | # This is a simple script to re-apply the rights for the user homedir recusively. 36 | # 37 | # When you move/migrating or setup clean or whatever, you can use this to fix 38 | # some rights. After you copied as Administrator, the user is missing its rights 39 | # on/in there subfolders/files in the homedirs. 40 | # The user needs a UID and "Domain Users" needs a gid, preffered before you run it. 41 | 42 | # It tries to use the USER_SDDL from the samba-setup-share-folders.sh script. 
43 | # If its not detected, then it will use the same defaults after all. 44 | # It tried to detect the path for the homedirs automaticly. 45 | # if it finds a folder and a mathing user with SID, it will apply the rights. 46 | # any newly created folder by the user in the userhome dir will and up with the 47 | # rights : (POSIX) username:"domain users" 48 | # Example, a folder created by the user in his homedir. 49 | 50 | # getfacl TESTING/ 51 | ## file: TESTING/ 52 | ## owner: username 53 | ## group: domain\040users 54 | ## flags: -s- 55 | #user::rwx 56 | #user:username:rwx 57 | #group::r-x 58 | #group:domain\040users:r-x 59 | #group:domain\040admins:rwx 60 | #mask::rwx 61 | #other::--- 62 | #default:user::rwx 63 | #default:user:username:rwx 64 | #default:group::r-x 65 | #default:group:domain\040users:r-x 66 | #default:group:domain\040admins:rwx 67 | #default:mask::rwx 68 | #default:other::--- 69 | 70 | 71 | #### Variables 72 | # Enable auto-creating user homedir. 73 | AUTO_CREATE_USERHOME="yes" 74 | 75 | # Add the words that can be detected with getent passwd username 76 | # and you dont want these userfolders to be created. 77 | SKIP_USERFILTER="Administrator|dns|remote|sftp|sddl" 78 | 79 | # You can define the path to the users shared foldere here. 80 | SAMBA_SHARE_USERS="/srv/samba/users" 81 | 82 | #### Code 83 | # Code starts here, it should not be needed to asjust things below here. 84 | 85 | # Pickup the current location. 86 | START_FOLDER="$(pwd)" 87 | SCRIPT_NAME=$(basename "$0") 88 | 89 | 90 | 91 | # Get the path to where the user folders are from the config files. 92 | if [ -z "$SAMBA_SHARE_USERS" ] 93 | then 94 | if [ -z "${1}" ] 95 | then 96 | SAMBA_SHARE_USERS="$(grep path /etc/samba/*.conf |grep users |grep "path = /" |awk '{ print $NF }' |tail -n1)" 97 | # did we find the needed settings. 98 | if [ -z "$SAMBA_SHARE_USERS" ] 99 | then 100 | echo "error, unable to detect the users share folder, exiting now." 
101 | echo "This might happen if the users share isn't called users."
102 | echo "rerun the script: ${SCRIPT_NAME} /path/to/samba/users"
103 | exit 1
104 | fi
105 | else
106 | SAMBA_S_SHARE_USERS_PLACEHOLDER_REMOVED=
159 | echo "Recursively removing access for other (everyone) for: ${FindUser}" 160 | chmod -R o-rwx "${SAMBA_SHARE_USERS}/${FindUser}/" 161 | 162 | # Set basic POSIX Rights 163 | # set all owner rights to root:root (= Administrator:Domain Admins ) 164 | # without it, migrated files might still have there old UID/GIDs on them. 165 | echo "Re-apply root:root on the user homedir (recursivly) for: ${FindUser}" 166 | chown -R root:root "${SAMBA_SHARE_USERS}/${FindUser}" 167 | 168 | # We set the user files and subfolders like how that SDDL is setup. 169 | echo "Re-apply ${FindUser}:domain users on CONTENT IN the user homedir for: ${FindUser}" 170 | chown -R "${FindUser}":"domain users" "${SAMBA_SHARE_USERS}/${FindUser}/" 171 | 172 | # restore owner:group defaults 173 | echo "Recursively re-apply-ing rights 770 access for: ${FindUser}" 174 | chmod -R 770 "${SAMBA_SHARE_USERS}/${FindUser}/" 175 | 176 | # Set the correct right on the folder. 177 | echo "Re-apply SDDL with samba-tool for user: ${FindUser}" 178 | samba-tool ntacl set "O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;${NAME2SID})(A;ID;0x001200a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001f01ff;;;LA)(A;OICIID;0x001f01ff;;;DA)" "${SAMBA_SHARE_USERS}/${FindUser}" 179 | 180 | # but we cant set recursive with samba-tool. (as far i found), so we use setfacl. 181 | echo "Recursivly re-apply with setfacl enforceing user defaults for user: ${FindUser}" 182 | setfacl --recursive --modify user:"${FindUser}":rwX,default:user:"${FindUser}":rwX "${SAMBA_SHARE_USERS}/${FindUser}/" 183 | 184 | else 185 | echo "#2# ERROR ############################" 186 | echo "Error, Userfolder ${SAMBA_SHARE_USERS}/${FindUser} was not detected, skipping!" 187 | fi 188 | else 189 | echo "#3# ERROR ############################" 190 | echo "Userfolder: ${FindUser} exist but unable to find user SID, skipping." 
    fi
done

cd "${START_FOLDER}" || exit 1
--------------------------------------------------------------------------------
/samba-info.sh:
--------------------------------------------------------------------------------
#!/bin/bash

##
## Version      : 1.1.0
## release d.d. : 20-12-2017
## Author       : L. van Belle
## E-mail       : louis@van-belle.nl
## Copyright    : Free as free can be, copy it, change it if needed.
## Sidenote     : if you change things, please inform me

# This script checks your setup for the basic settings.
#

BLACK=$(tput setaf 0)
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
YELLOW=$(tput setaf 3)
LIME_YELLOW=$(tput setaf 190)
POWDER_BLUE=$(tput setaf 153)
BLUE=$(tput setaf 4)
MAGENTA=$(tput setaf 5)
CYAN=$(tput setaf 6)
WHITE=$(tput setaf 7)
BRIGHT=$(tput bold)
NORMAL=$(tput sgr0)
UNDERLINE=$(tput smul)

error() {
    printf "%40s\n" "${RED}$*${NORMAL}"
}

warning() {
    printf "%40s\n" "${YELLOW}$*${NORMAL}"
}

warning_underline() {
    printf "%40s\n" "${YELLOW}${UNDERLINE}$*${NORMAL}"
}

check_run_as_sudo_root() {
    if ! [[ $EUID -eq 0 ]]; then
        error "This script should be run using sudo or by root."
        exit 1
    fi
}

#
######## LEAVE THESE HERE AND DONT CHANGE THESE 3 !!!!!!
## hostname in single word, but you dont need to change this
SETHOSTNAME=$(hostname -s)
## domainname.tld, but if you installed correctly, you dont need to change this
SETDNSDOMAIN=$(hostname -d)
## hostname.domainname.tld, but if you installed correctly, you dont need to change this
SETFQDN=$(hostname -f)
## the ip of the server, if your resolv.conf is correctly setup.
SETSERVERIP1=$(hostname -i)
SETSERVERIP2=$(hostname -I)
if [ "${SETSERVERIP1}" = "${SETSERVERIP2}" ]; then
    SETSERVERIP="${SETSERVERIP1}"
else
    SETSERVERIP="${SETSERVERIP2}"
fi

##################################################################

## DONT CHANGE BELOW Please

check_run_as_sudo_root

# Added -H now it also works for a member server. ( thanks Roy Eastwood for reporting )
SAMBA_DC_FSMO=$(samba-tool fsmo show -H "ldap://${SETDNSDOMAIN}" | cut -d"," -f2 | head -n1 | cut -c4-100)
SAMBA_DC_FSMO_SITE=$(samba-tool fsmo show -H "ldap://${SETDNSDOMAIN}" | cut -d"," -f4 | head -n1 | cut -c4-100)
SAMBA_DC_NC=$(samba-tool fsmo show -H "ldap://${SETDNSDOMAIN}" | cut -d"," -f7,8,9 | head -n1)

## get DC's
DCS=$(host -t SRV "_kerberos._udp.${SETDNSDOMAIN}" | awk '{print $NF}' | sed 's/.$//')
SAMBA_DC1=$(echo "$DCS" | sed -n 1p)
SAMBA_DC2=$(echo "$DCS" | sed -n 2p)
## get the ip of the DC's
if [ -z "${SAMBA_DC1}" ] && [ -z "${SAMBA_DC2}" ]; then
    echo "Could not obtain an ipaddress for any AD DC.. Exiting"
    exit 1
fi
SAMBA_DC1_IP=$(host -t A "${SAMBA_DC1}" | awk '{print $NF}')
SAMBA_DC2_IP=""
if [ -n "${SAMBA_DC2}" ]; then
    SAMBA_DC2_IP=$(host -t A "${SAMBA_DC2}" | awk '{print $NF}')
fi

SAMBA_NT_DOMAINNAME=$(samba-tool domain info "${SAMBA_DC1}" | grep Netbios | cut -d":" -f2 | cut -c2-100)
SAMBA_KERBEROS_NAME=$(grep default_realm /etc/krb5.conf | cut -d"=" -f2 | cut -c2-100)

#
echo "This script was tested with Debian Jessie and Stretch"
echo "Server info: detected (command and where to look)"
echo "This server hostname          = ${SETHOSTNAME} (hostname -s and /etc/hosts and DNS server)"
echo "This server FQDN (hostname)   = ${SETFQDN} (hostname -f and /etc/hosts and DNS server)"
echo "This server primary dnsdomain = ${SETDNSDOMAIN} (hostname -d and /etc/resolv.conf and DNS server)"
echo "This server IP address(ses)   = ${SETSERVERIP} (hostname -i (-I) and /etc/network/interfaces and DNS server)"
echo "The NT (NetBIOS) domain name  = ${SAMBA_NT_DOMAINNAME} (samba-tool domain info)"
echo "The DC with FSMO roles        = ${SAMBA_DC_FSMO} (samba-tool fsmo show)"
echo "The DC (with FSMO) Site name  = ${SAMBA_DC_FSMO_SITE} (samba-tool fsmo show)"
echo "The Default Naming Context    = ${SAMBA_DC_NC} (samba-tool fsmo show)"
echo "The Kerberos REALM name used  = ${SAMBA_KERBEROS_NAME} (kinit and /etc/krb5.conf and resolving)"

echo "The IP address of DC ${SAMBA_DC1} = ${SAMBA_DC1_IP}"
if [ -n "${SAMBA_DC2}" ]; then
    echo "The IP address of DC ${SAMBA_DC2} = ${SAMBA_DC2_IP}"
fi
--------------------------------------------------------------------------------
/samba-setup-checkup.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# This script is used to get system info so we can use this to make an ultimate checkup script.

#
# If new things are added, create 3 functions.
# function get_,   get info
# function check_, run the checkup against the info (get_) and (show_) output.
# function show_,  show info

# try to keep the functions clear.
# get_host_  : involves only host related info, like hostnames and ipnumbers and resolving.
# get_samba_ : involves only samba related info,
# get_etc_   : involves only configuration files
# Note!
# for example : get_etc_samba_smbconf should not be get_samba_etc_smbconf
# get_samba_ should only show output of a running samba and test.
# like get_samba_fsmo

# the script needs root or sudo to get all info.
if [ "$EUID" -ne 0 ]; then
    echo "Please run as root, or use sudo. Exiting now..."
    exit 1
fi

# ToDo 1: Get all system info and show system info.

# set some colors to outline Ok, Warn and errors more.
BLACK=$(tput setaf 0)
RED=$(tput setaf 1)
GREEN=$(tput setaf 2)
YELLOW=$(tput setaf 3)
LIME_YELLOW=$(tput setaf 190)
POWDER_BLUE=$(tput setaf 153)
BLUE=$(tput setaf 4)
MAGENTA=$(tput setaf 5)
CYAN=$(tput setaf 6)
WHITE=$(tput setaf 7)
BRIGHT=$(tput bold)
NORMAL=$(tput sgr0)
UNDERLINE=$(tput smul)

# the message is passed as a printf argument, not as the format string,
# so a "%" in a hostname or path cannot break the output.
function good {
    # printf "%40s\n" "${GREEN}$*${NORMAL}"
    printf "%s\n" "${GREEN}$*${NORMAL}"
}

function error {
    printf "%s\n" "${RED}$*${NORMAL}"
}

function warning {
    printf "%s\n" "${YELLOW}$*${NORMAL}"
}

function warning_underline {
    printf "%40s\n" "${YELLOW}${UNDERLINE}$*${NORMAL}"
}

function check_run_as_sudo_root {
    if ! [[ $EUID -eq 0 ]]; then
        error "This script should be run using sudo or by root."
        exit 1
    fi
}

function check_error {
    # save the exit status of the previous command first: every [ ] test resets $?.
    local rc=$?
    if [ "${rc}" -eq 0 ]; then
        good "Ok"
    else
        error "Error"
    fi
    return "${rc}"
}

function check_etc_hosts {
    # count lines with the servers hostname
    CHECK_ETC_HOSTS1=$(grep -c "${HOST_NAME_SHORT}" /etc/hosts)
    # count lines with the servers hostname and detected ipnumber
    CHECK_ETC_HOSTS2=$(grep "${HOST_NAME_SHORT}" /etc/hosts | grep -c "${HOST_IP}")
    # check if FQDN is in position 2 in the detected line (awk also handles tabs).
    CHECK_ETC_HOSTS3=$(grep "${HOST_NAME_SHORT}" /etc/hosts | grep "${HOST_IP}" | awk '{print $2}')
    # check if hosts does not contain 127.0.1.1 due to dhcp IPnumber at OS install.
    CHECK_ETC_HOSTS_LOCALHOST1=$(grep "${HOST_NAME_SHORT}" /etc/hosts | grep -c 127.0.1.1)
    if [ "${CHECK_ETC_HOSTS_LOCALHOST1}" -eq 1 ]; then
        warning "Detected ip within localhost range, assuming server install with DHCP enabled."
        warning "Your /etc/hosts contains : ${HOST_NAME_SHORT} and/or ${HOST_NAME_FQDN} with ip 127.0.1.1"
        warning "expected was : ${HOST_IP} ${HOST_NAME_FQDN} ${HOST_NAME_SHORT}"
        # the next check shows what we expect to have.
    fi
    if [ "${CHECK_ETC_HOSTS1}" -eq "${CHECK_ETC_HOSTS2}" ]; then
        if [ "${CHECK_ETC_HOSTS3}" != "${HOST_NAME_FQDN}" ]; then
            error "Possible error detected in /etc/hosts, mismatch FQDN and detected IP ${HOST_IP} for the host."
            warning "expected was : ${HOST_IP} ${HOST_NAME_FQDN} ${HOST_NAME_SHORT}"
        fi
    fi
}

function get_host_info {
    # Get all info of the server.
    # short hostname (single word)
    HOST_NAME_SHORT="$(hostname -s)"
    # the domainname of the host (something.example.com)
    HOST_NAME_DOMAIN="$(hostname -d)"
    # Fully Qualified hostname
    HOST_NAME_FQDN="$(hostname -f)"

    # the server ipnumbers, check for multiple interfaces.
    HOST_IP1="$(hostname -i)"
    # hostname -I ends with a trailing space, normalise the whitespace before comparing.
    HOST_IP2="$(hostname -I | awk '{$1=$1; print}')"
    HOST_GATEWAY=$(ip route | grep default | head -n1 | awk '{print $3}')

    if [ "${HOST_IP1}" = "${HOST_IP2}" ]; then
        HOST_IP="${HOST_IP1}"
        HOST_PRIMARY_INTERFACE="$(ip route | grep "${HOST_IP}" | awk '{print $3}')"
        HOST_IP2="Only one interface detected"
    else
        echo "TODO, not finished"
        echo "Detected multiple ipnumbers"
        # multiple ipnumbers detected, take the first address of hostname -I as the primary one.
        HOST_IP="${HOST_IP2%% *}"
        # get the primary interface from the route that carries that address.
        HOST_PRIMARY_INTERFACE="$(ip route | grep "${HOST_IP}" | awk '{print $3}')"
        # check if primary ip adres is in range 10. 172.16. 192.168.
    fi

    # Resolv.conf info.
    HOST_RESOLV_DOMAIN="$(grep '^domain' /etc/resolv.conf)"
    HOST_RESOLV_SEARCH="$(grep '^search' /etc/resolv.conf)"

    # count nameservers (the resolver uses at most 3), unset ones stay empty.
    HOST_RESOLV_NAMESERV_COUNTER=$(grep -c '^nameserver' /etc/resolv.conf)
    HOST_RESOLV_NAMESERV1="$(grep '^nameserver' /etc/resolv.conf | sed -n 1p | awk '{print $2}')"
    HOST_RESOLV_NAMESERV2="$(grep '^nameserver' /etc/resolv.conf | sed -n 2p | awk '{print $2}')"
    HOST_RESOLV_NAMESERV3="$(grep '^nameserver' /etc/resolv.conf | sed -n 3p | awk '{print $2}')"
}

function show_host_info {
    echo "HOST_NAME_SHORT: ${HOST_NAME_SHORT}"
    # the domainname of the host (something.example.com)
    echo "HOST_NAME_DOMAIN: ${HOST_NAME_DOMAIN}"
    # Fully Qualified hostname
    echo "HOST_NAME_FQDN: ${HOST_NAME_FQDN}"

    # the server ipnumbers, check for multiple interfaces.
    echo "HOST_IP1: ${HOST_IP1}"
    echo "HOST_IP2: ${HOST_IP2}"
    echo "HOST_GATEWAY: ${HOST_GATEWAY}"
    echo "HOST_PRIMARY_INTERFACE: ${HOST_PRIMARY_INTERFACE}"

    # Resolv.conf info.
    echo "HOST_RESOLV_DOMAIN: ${HOST_RESOLV_DOMAIN}"
    echo "HOST_RESOLV_SEARCH: ${HOST_RESOLV_SEARCH}"

    # nameservers
    #echo "HOST_RESOLV_NAMESERV_COUNTER: ${HOST_RESOLV_NAMESERV_COUNTER}"
    echo "HOST_RESOLV_NAMESERV1: ${HOST_RESOLV_NAMESERV1}"
    echo "HOST_RESOLV_NAMESERV2: ${HOST_RESOLV_NAMESERV2}"
    echo "HOST_RESOLV_NAMESERV3: ${HOST_RESOLV_NAMESERV3}"
}

function check_host_info {
    get_host_info
    # check if hostname setup is correct.
    local HOSTNAME_SHORT_WITH_DOMAIN="${HOST_NAME_SHORT}.${HOST_NAME_DOMAIN}"
    echo -n "Check hostnames : "
    if [ "${HOSTNAME_SHORT_WITH_DOMAIN}" = "${HOST_NAME_FQDN}" ]; then
        good "Ok"
    else
        warning "Mismatch in hostname definitions"
        echo "please check : "
        show_host_info
    fi
    unset HOSTNAME_SHORT_WITH_DOMAIN

    check_etc_hosts

    echo "Checking detected host ipnumbers from resolv.conf and default gateway"
    check_host_ip
}

function check_host_ip {
    # check resolving and check for internet.
    # the warnings are only shown when the ping actually failed.
    if [ -n "${HOST_GATEWAY}" ]; then
        echo -n "Ping gateway ip : "
        if ! check_ping "${HOST_GATEWAY}"; then
            warning "Warning, no ping to gateway, this might be firewalled."
            warning "check your internet connection, AD DNS might need it."
        fi
    fi
    local n=1
    for NAMESERV in "${HOST_RESOLV_NAMESERV1}" "${HOST_RESOLV_NAMESERV2}" "${HOST_RESOLV_NAMESERV3}"; do
        if [ -n "${NAMESERV}" ]; then
            echo -n "ping nameserver${n}: "
            check_ping "${NAMESERV}"
        fi
        n=$((n + 1))
    done
    echo -n "Check ping google dns : "
    if ! check_ping 8.8.8.8; then
        warning "Warning, no ping to internet dns 8.8.8.8, this might be firewalled."
        warning "Check your internet connection, AD DNS might need it."
    fi
}

function check_ping {
    echo -n "$1 : "
    # -W2: give up after 2 seconds so a blackholed address does not stall the checkup.
    ping -q -c1 -W2 "$1" >/dev/null 2>&1
    check_error
}

function get_samba_base_info {
    SAMBA_SERVER_ROLE="$(samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1)"
    SAMBA_SERVER_SERVICES="$(samba-tool testparm --parameter-name="server services" 2>/dev/null | tail -1)"
    SAMBA_DCERPC_ENDPOINT_SERVERS="$(samba-tool testparm --parameter-name="dcerpc endpoint servers" 2>/dev/null | tail -1)"
}

function show_samba_base_info {
    echo "SAMBA_SERVER_ROLE: ${SAMBA_SERVER_ROLE}"
    echo "SAMBA_SERVER_SERVICES: ${SAMBA_SERVER_SERVICES}"
    echo "SAMBA_DCERPC_ENDPOINT_SERVERS: ${SAMBA_DCERPC_ENDPOINT_SERVERS}"
}

function get_samba_build_info {
    # create array of variables from the installed samba version.
    #GET_SMB_CFG_ARRAY=($(smbd -b | grep ": /" | sed 's/\ //g' | sed 's/:/=/g'))
    #debug#declare -p $GET_SMB_CFG_ARRAY
    WHICH_SMBD=$(which smbd)
    WHICH_NMBD=$(which nmbd)
    WHICH_SAMBA=$(which samba)
    WHICH_SAMBA_ADDC=$(which samba-ad-dc)
    WHICH_WINBIND=$(which winbindd)

    # set empty variable, used in test imported variable
    Builtusing=""

    for detect_samba_bin in $WHICH_SMBD $WHICH_NMBD $WHICH_SAMBA $WHICH_SAMBA_ADDC $WHICH_WINBIND ; do
        if [ -f "${detect_samba_bin}" ]; then
            # import the build-time paths (CONFIGFILE, PRIVATE_DIR, ...) as variables.
            # Sourced straight from the binary's output: a fixed file name in /tmp that
            # root sources could be swapped by any local user before it is read.
            source <("${detect_samba_bin}" -b | grep ": /" | sed 's/\ //g' | sed 's/:/=/g')
            # import only once, break for statement
            break
        else
            warning "Detected ${detect_samba_bin} but not found with test -f."
            warning "This is possible with for example a winbind only install, continue testing."
        fi
    done
    unset detect_samba_bin

    # test files and folders, and show rights group and owner.
    echo "Checking file owner.."
    for check_file_owner in $CONFIGFILE $LMHOSTSFILE $SMB_PASSWD_FILE ; do
        if [ -f "${check_file_owner}" ]; then
            ls -l "${check_file_owner}" | awk '{ print $1,$3,$4,"\t",$9 }'
        else
            warning "Missing file ${check_file_owner}"
        fi
    done
    unset check_file_owner

    for check_dir_owner in $BINDIR $CACHEDIR $LIBDIR $LOCKDIR $LOGFILEBASE $MODULESDIR $PIDDIR $PRIVATE_DIR $SBINDIR $STATEDIR ; do
        if [ -d "${check_dir_owner}" ]; then
            ls -ld "${check_dir_owner}" | awk '{ print $1,$3,$4,"\t",$9 }'
        else
            warning "Missing folder ${check_dir_owner}"
        fi
    done
    unset check_dir_owner
}

function get_samba_fsmo {
    SAMBA_DC_FSMO=$(samba-tool fsmo show | cut -d"," -f2 | head -n1 | cut -c4-100)
    SAMBA_DC_FSMO_SITE=$(samba-tool fsmo show | cut -d"," -f4 | head -n1 | cut -c4-100)
    SAMBA_DC_NC=$(samba-tool fsmo show | cut -d"," -f7,8,9 | head -n1)

    ## detect multiple DC's if there are more.
    SAMBA_DCS=$(host -t SRV "_kerberos._udp.${HOST_NAME_DOMAIN}" | awk '{print $NF}' | sed 's/.$//')
    SAMBA_DC1=$(echo "$SAMBA_DCS" | sed -n 1p)
    SAMBA_DC2=$(echo "$SAMBA_DCS" | sed -n 2p)
    echo "DCS ${SAMBA_DCS}"
    echo "DC1 ${SAMBA_DC1}"
    echo "DC2 ${SAMBA_DC2}"
    ## get the ip of the DC's
    if [ -z "${SAMBA_DC1}" ] && [ -z "${SAMBA_DC2}" ]; then
        echo "Could not obtain an ipaddress for any AD DC.. Exiting"
        exit 1
    fi

    SAMBA_NT_DOMAINNAME=$(samba-tool domain info "${SAMBA_DC1}" | grep Netbios | cut -d":" -f2 | cut -c2-100)
    SAMBA_KERBEROS_NAME=$(grep default_realm /etc/krb5.conf | cut -d"=" -f2 | cut -c2-100)

    echo "Samba AD DC info: = detected (command and where to look)"
    echo "This server hostname          = ${HOST_NAME_SHORT} (hostname -s and /etc/hosts and DNS server)"
    echo "This server FQDN (hostname)   = ${HOST_NAME_FQDN} (hostname -f and /etc/hosts and DNS server)"
    echo "This server primary dnsdomain = ${HOST_NAME_DOMAIN} (hostname -d and /etc/resolv.conf and DNS server)"
    echo "This server IP address(ses)   = ${HOST_IP1} ${HOST_IP2} (hostname -i (-I) and /etc/network/interfaces and DNS server)"
    echo "The NT (NetBIOS) domain name  = ${SAMBA_NT_DOMAINNAME} (samba-tool domain info)"
    echo "The DC with FSMO roles        = ${SAMBA_DC_FSMO} (samba-tool fsmo show)"
    echo "The DC (with FSMO) Site name  = ${SAMBA_DC_FSMO_SITE} (samba-tool fsmo show)"
    echo "The Default Naming Context    = ${SAMBA_DC_NC} (samba-tool fsmo show)"
    echo "The Kerberos REALM name used  = ${SAMBA_KERBEROS_NAME} (kinit and /etc/krb5.conf and resolving)"
    SAMBA_DC1_IP=$(host -t A "${SAMBA_DC1}" | awk '{print $NF}')
    echo "The IP address of DC ${SAMBA_DC1} = ${SAMBA_DC1_IP}"
    if [ -n "${SAMBA_DC2}" ]; then
        SAMBA_DC2_IP=$(host -t A "${SAMBA_DC2}" | awk '{print $NF}')
        echo "The IP address of DC ${SAMBA_DC2} = ${SAMBA_DC2_IP}"
    fi
}


# check host info, show when errors are found.
check_host_info


# samba build related info
get_samba_build_info


get_samba_fsmo

get_samba_base_info
show_samba_base_info

--------------------------------------------------------------------------------
/samba-setup-share-folders.sh:
--------------------------------------------------------------------------------
#!/bin/bash

V="0.8-B6"

# This script is used and tested on a Debian Buster Samba MEMBER
# This is tested with an AD Backend.
# https://wiki.samba.org/index.php/Idmap_config_ad
#
# This script will create, set up and configure a basic but secure Samba setup
# ! Not tested on AD-DC's (yet)
# ! Not tested with RID backends. (yet)
#

#
# BEFORE YOU RUN THIS SCRIPT, THERE ARE A FEW OBLIGATORY THINGS TO DO FIRST.
# 1) The group "Domain Users" MUST have a GID assigned.
# 2) There might be more points .. ;-) if i have them, they will be added here.

# Copyright (C) Louis van Belle 2021
# Special thanks to :
# Rowland Penny @samba.org
# Robert E. Wooden @donelsontrophy.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .


# Intro
# The script will create some default folders and setup rights and a shares.conf file
# which can be used to setup your server shares.
# This setup also assumes you are running this on a DOMAIN MEMBER.
# Below has been tested on a Debian Buster with Samba 4.12.5

# Advised: if your "DISK" is /dev/sdaX and you are mounting it in /somefolder,
# always create a subfolder and put your data in that.
# Dont use the root of the disk, like dont mount /dev/sdaX into /samba,
# mount it for example in /srv and create the folder samba.
# And sure it works, but if you are setting up something more advanced, it will bite you.
# We try to set up as compatible as we can.

# Adjust the below variables to your needs.
# Read the text in the functions why. (todo, make this part better.)

## The folder for all your Samba/Windows stuff.
## Default created with root:root 4775 rights. ( see text in: function SambaRootFolder)
SAMBA_BASEFOLDER="/srv/samba"
# Override the default rights for the samba base folder. (empty=default 4775)
SAMBA_BASEFOLDER_CHMOD=""

## The share name for "companydata", the folder with all your company data.
SAMBA_SHARE_COMPDATA="companydata"
# Override the default rights for the companydata folder (empty=default 3750)
SAMBA_SHARE_COMPDATA_CHMOD=""

## The share name for the folder that will contain all the "windows" users their homedirs.
SAMBA_SHARE_USERS="users"
# Override the default rights for the users folder (empty=default 2750)
SAMBA_SHARE_USERS_CHMOD=""

## The share name that will contain all "windows" users their profiles.
SAMBA_SHARE_USERSPROFILES="profiles"
# Override the default rights for the profile folder (empty=default 1750)
SAMBA_SHARE_USERSPROFILES_CHMOD=""

## The share that will be open for all Domain Users.
## Administrators control the Share/Folder rights,
## Domain Users can create/write folders/files here.
SAMBA_SHARE_COMPPUBLIC="public"
# Override the default rights for the public folder (empty=default 4770)
SAMBA_SHARE_COMPPUBLIC_CHMOD=""

####### Dont adjust below here, should not be needed. ########
## Program Variables
SAMBA_BASE="${SAMBA_BASEFOLDER}"
SAMBA_BASE_CHMOD="${SAMBA_BASEFOLDER_CHMOD:-4775}"
SAMBA_COMPDATA_CHMOD="${SAMBA_SHARE_COMPDATA_CHMOD:-3750}"
SAMBA_USERS_CHMOD="${SAMBA_SHARE_USERS_CHMOD:-2750}"
SAMBA_USERSPROFILES_CHMOD="${SAMBA_SHARE_USERSPROFILES_CHMOD:-1750}"
SAMBA_COMPPUBLIC_CHMOD="${SAMBA_SHARE_COMPPUBLIC_CHMOD:-4770}"

# clear screen
clear

## Program functions
function SambaRootFolder(){
    # Finished.
    INFO=" This is the Administrative share for admins or folder managers only.
#
# Group Everyone needs read-execute on /srv/samba or you cant enter the server (\\server.fqdn )
# 4775: 4=creator owner and creator group, where the creator group always ends up as
# \"Domain Users\" (primary group) when your windows users write files on the share.
# Only Administrator or \"Domain Admins\" members are allowed to create folders here.
# The underlying folders will be the samba shares your \"domain users\" will be using.
# (or add a folder manager group for it.)
# The !root = DOM\Administrator DOM\administrator, makes this work, so dont forget the usermapping file in smb.conf
########################################################"

    if [ ! -d "${SAMBA_BASE}" ]
    then
        install -oroot -groot -m"${SAMBA_BASE_CHMOD}" -d "${SAMBA_BASE}"
        echo "########################################################"
        echo " Notice, creating ${SAMBA_BASE} with rights ${SAMBA_BASE_CHMOD}"
        echo " This share can be accessed as Administrator or as a member of Domain Admins share: \\\\$(hostname -f)\samba\$"
        echo "${INFO}"
        echo

    else
        echo "########################################################"
        echo " Warning: ${SAMBA_BASE} already exists"
        echo " Try to access the share as Administrator or as a member of Domain Admins share: \\\\$(hostname -f)\samba\$"
        echo " And verify if this share is set as [samba\$] in smb.conf"
        echo
        echo "${INFO}"
        echo
    fi
    unset INFO
}

function SambaShare_companydata(){
    # Finished.
    INFO=" This is the Administrative share for the companydata.
#
# Company Data, This one uses \"Domain Users\" (primary group) and is used to allow all \"Domain Users\"
# to modify the data, we assume you are creating department groups and folders.
# accessing these folders needs (example) to be a member of \"groupX\" and created files are owned by group \"Domain Users\"
# This way folders are protected and everybody can read/write in it, depending if you are a member of GroupX or not.
#
# Example in samba/Windows Explorer \\server.fqdn\companydata.
# The members of Domain Admins, can create the subfolder and set the needed rights on these subfolders.
# \\\\server.fqdn\companydata\dep1, security group dep1.
# \\\\server.fqdn\companydata\dep2, security group dep2.
# rights, 3750 is base, 3=Creator Group, 7=user(root), 5=group(root), 0=world/everyone
# The \"!root = NTDOM\Administrator NTDOM\administrator\", makes this work, so dont forget the usermapping file in smb.conf
# Administrator or a member of Domain Admins/Foldermanagers, will be needed to create the subfolder.
# Folder managers need to be set up by yourself, the script does not do it for you.
#
# Setup the departments folders, all groups need a GID, assign these BEFORE you assign the rights.!!!
# And assign \"Domain Users \" a GID, this is strongly advised/obligatory in my opinion.
# wbinfo --name-to-sid groupname_here
# Add the output (SID) of the above command here in this, replace PUT_THE_SID_HERE
#
# run : samba-tool ntacl set \"O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;PUT_THE_SID_HERE)(A;ID;0x001200a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001f01ff;;;LA)(A;OICIID;0x001f01ff;;;DA)\" \"${SAMBA_BASE}/${SAMBA_SHARE_COMPDATA}/department1\"
#
# verify the rights (as user NTDOM\Administrator) on the security tab in Windows Explorer and test.
# An example can be : samba-tool ntacl set \"O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;\$(wbinfo --name-to-sid department1_HERE |awk '{ print \$1 }'))(A;ID;0x001200a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001f01ff;;;LA)(A;OICIID;0x001f01ff;;;DA)\" \"/srv/samba/${SAMBA_SHARE_COMPDATA}/department1/\"
########################################################"
    if [ ! -d "${SAMBA_BASE}/${SAMBA_SHARE_COMPDATA}" ]
    then
        ## With folder OWNER Administrator : O:LAG:S-1-22-2-0D:PAI(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DU)
        ## With folder OWNER root          : O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DU)
        ## Default is set to : Administrator
        COMPDATA_SDDL="O:LAG:S-1-22-2-0D:PAI(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DU)"
        #COMPDATA_SDDL="O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DU)"

        install -oroot -groot -m"${SAMBA_COMPDATA_CHMOD}" -d "${SAMBA_BASE}/${SAMBA_SHARE_COMPDATA}"
        samba-tool ntacl set "${COMPDATA_SDDL}" "${SAMBA_BASE}/${SAMBA_SHARE_COMPDATA}"

        echo "########################################################"
        echo " Notice, creating ${SAMBA_BASE}/${SAMBA_SHARE_COMPDATA} with rights ${SAMBA_COMPDATA_CHMOD}"
        echo " This share can be accessed as Administrator or as a member of Domain Users share: \\\\$(hostname -f)\\${SAMBA_SHARE_COMPDATA}"
        echo
        echo "${INFO}"
        echo
    else
        echo "########################################################"
        echo " Warning: ${SAMBA_BASE}/${SAMBA_SHARE_COMPDATA} already exists."
        echo " Try to access the share as Administrator or as a member of Domain Admins share: \\\\$(hostname -f)\\${SAMBA_SHARE_COMPDATA}"
        echo " And verify if this share is set as [${SAMBA_SHARE_COMPDATA}] in smb.conf"
        echo
        echo "${INFO}"
        echo
    fi
    unset INFO
    unset COMPDATA_SDDL
}

function SambaShare_users(){
    # Finished.
    INFO=" User folder setup.
# The rights are already set up for you. Review these from within a Windows Client.
# You can now set in ADUC \\\\server.fqdn\users\%username% for the homedir drive mapping
# The newly created folder from ADUC will get username:root as default rights.
# Only the user and Administrator(s) are allowed in a user's home folder.
#
# If you make the HomeDir Private for the user only ( so not accessible by root ),
# and if you use kerberos auth with NFS(v4), you might need to add this to
# #/etc/krb5.conf in [libdefaults]
# # Source: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1484262
# # ignore the attempt to read \$HOME/.k5login by or running services (as root)
# # The Automounter needs it, dont forget adding the nfs/spn to the keytab file.
# ignore_k5login = true
#
# More info : https://wiki.samba.org/index.php/User_Home_Folders
########################################################"

    if [ ! -d "${SAMBA_BASE}/${SAMBA_SHARE_USERS}" ]
    then
        ## With folder OWNER Administrator : O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)
        ## With folder OWNER root          : O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)
        ## Default is set to : Administrator
        USER_SDDL="O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)"
        #USER_SDDL="O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)"

        install -oroot -groot -m"${SAMBA_USERS_CHMOD}" -d "${SAMBA_BASE}/${SAMBA_SHARE_USERS}"
        samba-tool ntacl set "${USER_SDDL}" "${SAMBA_BASE}/${SAMBA_SHARE_USERS}"

        echo "########################################################"
        echo " Notice, creating ${SAMBA_BASE}/${SAMBA_SHARE_USERS} with rights ${SAMBA_USERS_CHMOD}"
        echo " Set in ADUC USERHOME DRIVELETTER: \\\\$(hostname -f)\\${SAMBA_SHARE_USERS}\%username%"
        echo
        echo "${INFO}"
        echo
    else
        echo "########################################################"
        echo " Warning: ${SAMBA_BASE}/${SAMBA_SHARE_USERS} already exists."
        echo " Try to access the share as Administrator or as a member of Domain Admins share: \\\\$(hostname -f)\\${SAMBA_SHARE_USERS}"
        echo " And verify if this share is set as [${SAMBA_SHARE_USERS}] in smb.conf"
        echo
        echo "${INFO}"
        echo
    fi
    unset INFO
    unset USER_SDDL
}

function SambaShare_profiles(){
    INFO=" This is the share setup for the Windows Users (and optionally computers) their profiles
# Profile folder setup, there is a setup for the user profiles AND computer profiles.
# for the computer profiles please read also this link.
# https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-4-optionally-create-a-gpo-for-roaming-user-profiles
#
# Note, \"Domain Users\" is used in this setup, the link of Microsoft above uses a different group because it shows the setup for computer profiles.
# Both work, you can change this later if needed and/or add it, if added, you most probably want to change this setup also a little bit.
# Just follow the Microsoft link
#
# Domain users also includes all computers, but in case you dont want that (think laptops), set up as the above link suggests.
# Replace \"Domain Users\" with the assigned security group and dont forget to add the users and the computers.
#
# This samba-tool command will result in whats shown here:
# More info : https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles
########################################################"

    if [ ! -d "${SAMBA_BASE}/${SAMBA_SHARE_USERSPROFILES}" ]
    then
        ## With folder OWNER Administrator : O:LAG:S-1-22-2-0D:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;;0x00100025;;;DU)
        ## With folder OWNER root          : O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;;0x00100025;;;DU)
        ## Default is set to : Administrator
        PROFILE_SDDL="O:LAG:S-1-22-2-0D:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;;0x00100025;;;DU)"
        #PROFILE_SDDL="O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;;0x00100025;;;DU)"

        install -oroot -groot -m"${SAMBA_USERSPROFILES_CHMOD}" -d "${SAMBA_BASE}/${SAMBA_SHARE_USERSPROFILES}"
        samba-tool ntacl set "${PROFILE_SDDL}" "${SAMBA_BASE}/${SAMBA_SHARE_USERSPROFILES}"

        echo "########################################################"
        echo " Notice, creating ${SAMBA_BASE}/${SAMBA_SHARE_USERSPROFILES} with rights ${SAMBA_USERSPROFILES_CHMOD}"
        echo " Set in ADUC USERPROFILE: \\\\$(hostname -f)\\${SAMBA_SHARE_USERSPROFILES}\%username%"
        echo
        echo "${INFO}"
        echo
    else
        echo "########################################################"
        echo " Warning: ${SAMBA_BASE}/${SAMBA_SHARE_USERSPROFILES} already exists."
        echo " Try to access the share as Administrator or as a member of Domain Admins share: \\\\$(hostname -f)\\${SAMBA_SHARE_USERSPROFILES}"
        echo " And verify if this share is set as [${SAMBA_SHARE_USERSPROFILES}] in smb.conf"
        echo
        echo "${INFO}"
        echo
    fi
    unset INFO
    unset PROFILE_SDDL
}

function SambaShare_public(){
    INFO=" Public folder setup.
#
# By default \"Domain users\" are allowed to read/write create files and folders.
# By default \"Domain Admins\" Full control.
# Pretty simple setup ;-)
# More info : https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
########################################################"

    if [ ! -d "${SAMBA_BASE}/${SAMBA_SHARE_COMPPUBLIC}" ]
    then
        ## With folder OWNER Administrator : O:LAG:S-1-22-2-0D:PAI(A;OICI;0x001301bf;;;DU)(A;;0x001200a9;;;WD)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;DA)
        ## With folder OWNER root          : O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;OICI;0x001301bf;;;DU)(A;;0x001200a9;;;WD)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;DA)
        ## Default is set to : Administrator
        COMPPUBLIC_SDDL="O:LAG:S-1-22-2-0D:PAI(A;OICI;0x001301bf;;;DU)(A;;0x001200a9;;;WD)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;DA)"
        #COMPPUBLIC_SDDL="O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;OICI;0x001301bf;;;DU)(A;;0x001200a9;;;WD)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;DA)"

        install -oroot -groot -m"${SAMBA_COMPPUBLIC_CHMOD}" -d "${SAMBA_BASE}/${SAMBA_SHARE_COMPPUBLIC}"
        # apply the selected descriptor (the variable above), not a hardcoded copy of the root-owner variant.
        samba-tool ntacl set "${COMPPUBLIC_SDDL}" "${SAMBA_BASE}/${SAMBA_SHARE_COMPPUBLIC}"
        echo "########################################################"
        echo " Notice, creating ${SAMBA_BASE}/${SAMBA_SHARE_COMPPUBLIC} with rights ${SAMBA_COMPPUBLIC_CHMOD}"
        echo
        echo "${INFO}"
        echo
    else
        echo "########################################################"
        echo " Warning: ${SAMBA_BASE}/${SAMBA_SHARE_COMPPUBLIC} already exists."
        echo " Try to access the share as Administrator or as a member of Domain Admins share: \\\\$(hostname -f)\\${SAMBA_SHARE_COMPPUBLIC}"
        echo " And verify if this share is set as [${SAMBA_SHARE_COMPPUBLIC}] in smb.conf"
        echo
        echo "${INFO}"
        echo
    fi
    unset INFO
    unset COMPPUBLIC_SDDL
}

function SambaSharesAll(){
    # File you can include in smb.conf
    echo "[samba\$]
# Hidden share for Administrator and \"Domain Admins\" members/Folder managers
# By default \"Domain Admins\" are allowed to read/write
path = ${SAMBA_BASE}
browseable = yes
read only = no

[${SAMBA_SHARE_COMPDATA}]
# main share for all company data.
path = ${SAMBA_BASE}/${SAMBA_SHARE_COMPDATA}
browseable = yes
read only = no

[${SAMBA_SHARE_USERSPROFILES}]
# Windows user profiles, Used for/by windows only share.
# Add a $ on the end to hide the share-name.
# By default \"Domain users\" are allowed to read/write
# https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html
# Optional, yes and windows defaults are: no/posix
# acl_xattr:ignore system acls = [yes|no]
# acl_xattr:default acl style = [posix|windows|everyone]
path = ${SAMBA_BASE}/${SAMBA_SHARE_USERSPROFILES}
browseable = yes
read only = no

[${SAMBA_SHARE_USERS}]
# Samba/Windows User homedirs.
# By default the User (And root/Administrator/Domain Admins) are allowed to read/write
path = ${SAMBA_BASE}/${SAMBA_SHARE_USERS}
browseable = yes
read only = no

[${SAMBA_SHARE_COMPPUBLIC}]
# A public share.
# By default \"Domain users\" are allowed to read/write
path = ${SAMBA_BASE}/${SAMBA_SHARE_COMPPUBLIC}
browseable = yes
read only = no
" > /etc/samba/smb-shares.conf

    echo "Share examples can be found here: /etc/samba/smb-shares.conf"
    echo "You can include this by adding : include = /etc/samba/smb-shares.conf to your smb.conf"
    echo "And reload/restart samba : systemctl restart/reload smbd winbind"
    echo
}

SambaRootFolder
SambaShare_companydata
SambaShare_users
SambaShare_profiles
SambaShare_public
SambaSharesAll
--------------------------------------------------------------------------------
/samba-with-nfsv4.sh:
--------------------------------------------------------------------------------
#!/bin/bash
##
## Version         : 1.0.3
## release d.d.    : 05-11-2015
## Author          : L. van Belle
## E-mail          : louis@van-belle.nl
## Copyright       : Free as free can be, copy it, change it if needed.
## Sidenote        : if you change please inform me
## ChangeLog       : 15-6-2015: small bug fix for running this on debian jessie
## ChangeLog 1.0.2 : 7-8-2015: changed /etc/exports file remove gss/krb5, see https://wiki.debian.org/NFS/Kerberos
## ChangeLog 1.0.3 : changed idmap.conf to map the servername to user root.
##                 : With this modification, kerberos ssh with dedicated mounted home dirs works.
##                 : added nfs mount fix for Debian Jessie.
## !! ROOT, without kerberos ticket !! CAN NOT ACCESS USER DIRS !!

## This script will setup the Samba user dirs over NFS with kerberos auth.
## Howto use it.
## run it with parameter "server" or "client"
## like sudo ./scriptname server or sudo ./scriptname client
## DONT run this script server and client on the same server !

## set the nfs export paths..
## you cannot set /home here, not tested in this script.
24 | ## the users must be a separated folder 25 | ## this path wil be used for client and server setup 26 | SAMBA_USERS_HOMEDIR="/home/users" 27 | 28 | ## NFS V4 needed settings 29 | ## Put here there server name where the exports are. ( the NFS server ) 30 | ## This is the server where you did setup the "server" setting. 31 | ## put the FQDN Name here, like server.internal.domain.tld 32 | ## THIS MUST BE THE NAME USED IN DNS for kerberos auth to work. 33 | NFSD_V4_SERVERNAME="hostname.internal.domain.tld" 34 | 35 | ## The nfs exports folder 36 | ## these 2 result in /exports/users in the script 37 | NFSD_V4_EXPORTS_PATH="/exports" 38 | 39 | ## it should not be needed to change this one. 40 | ## this matches with the SAMBA_USERS_HOMEDIR variable 41 | NFSD_V4_EXPORTS_USERS_PATH="/users" 42 | 43 | ## Your network where clients are connecting from. 44 | ## for now only 1 network is supported. 45 | ## if left empty we wil use your network extracted from ip adres, range /24 46 | ## example : 192.168.1.0/24" 47 | NFSD_V4_NETWORK="" 48 | 49 | ## Use a dedicated mount for the users or automount. 50 | ## Options : dedicated or automount 51 | ## a dedicated mount is setup in fstab 52 | ## for mulpliple users use dedicated, only for ssh logins use auto. 53 | NFS_CLIENT_MOUNT_USERS="dedicated" 54 | 55 | # Enable ssh kerberos enable logins 56 | SSHD_KERBEROS_ENABLED="yes" 57 | 58 | ## change this one to yes to start the script. 59 | CONFIGURED="no" 60 | 61 | ################### FUNCTIONS ############################# 62 | 63 | SET_SCRIPT_RUN_DATE_TIME=`date +%Y-%m-%d-%H_%m` 64 | 65 | SETTPUT=`which tput` 66 | if [ -z ${SETTPUT} ]; then 67 | echo "program tput not found, installing it now.. 
please wait" 68 | apt-get update > /dev/null 69 | apt-get install -y --no-install-recommends ncurses-bin > /dev/null 70 | fi 71 | 72 | RED=$(${SETTPUT} setaf 1) 73 | NORMAL=$(${SETTPUT} sgr0) 74 | GREEN=$(${SETTPUT} setaf 2) 75 | YELLOW=$(${SETTPUT} setaf 3) 76 | UNDERLINE=$(${SETTPUT} smul) 77 | WHITE=$(${SETTPUT} setaf 7) 78 | BOLD=$(${SETTPUT} bold) 79 | 80 | function message() { 81 | printf "%40s\n" "${WHITE}${BOLD}$@${NORMAL}" 82 | } 83 | function good() { 84 | printf "%40s\n" "${GREEN}$@${NORMAL}" 85 | } 86 | function error() { 87 | printf "%40s\n" "${RED}$@${NORMAL}" 88 | } 89 | function warning() { 90 | printf "%40s\n" "${YELLOW}$@${NORMAL}" 91 | } 92 | function warning_underline() { 93 | printf "%40s\n" "${YELLOW}${UNDERLINE}$@${NORMAL}" 94 | } 95 | function _apt_update_upgrade() { 96 | message "Please wait, running update and upgrade" 97 | apt-get update > /dev/null 98 | apt-get upgrade -y 2&> /dev/null 99 | echo " " 100 | } 101 | function _apt_install() { 102 | apt-get install -y $1 > /dev/null 103 | } 104 | 105 | function _apt_install_norecommends() { 106 | apt-get install -y --no-install-recommends $1 > /dev/null 107 | } 108 | function _apt_available() { 109 | if [ `apt-cache search $1 | grep -o "$1" | uniq | wc -l` = "1" ]; then 110 | good "Package is available : $1" 111 | PACKAGE_INSTALL="1" 112 | else 113 | error "Package $1 is NOT available for install" 114 | error "We can not continue without this package..." 115 | error "Exitting now.." 116 | exit 0 117 | fi 118 | } 119 | function _package_install { 120 | _apt_available $1 121 | if [ "${PACKAGE_INSTALL}" = "1" ]; then 122 | if [ "$(dpkg-query -l $1 | tail -n1 | cut -c1-2)" = "ii" ]; then 123 | warning "package is already_installed: $1" 124 | else 125 | message "installing package : $1, please wait.." 
126 | _apt_install $1 127 | sleep 0.5 128 | fi 129 | fi 130 | } 131 | 132 | function _package_install_no_recommends { 133 | _apt_available $1 134 | if [ "${PACKAGE_INSTALL}" = "1" ]; then 135 | if [ "$(dpkg-query -l $1 | tail -n1 | cut -c1-2)" = "ii" ]; then 136 | warning "package is already_installed: $1" 137 | else 138 | message "installing package : $1, please wait.." 139 | _apt_install_norecommends $1 140 | sleep 0.5 141 | fi 142 | fi 143 | } 144 | 145 | function _check_run_as_sudo_root() { 146 | if ! [[ $EUID -eq 0 ]]; then 147 | error "This script should be run using sudo or by root." 148 | exit 1 149 | fi 150 | } 151 | function _configured_script() { 152 | if [ "${CONFIGURED}" = "no" ]; then 153 | error "####################################################" 154 | error "You need to configure this script first to run it. " 155 | error " " 156 | error "exiting script now... " 157 | exit 0 158 | fi 159 | } 160 | function _check_folder_exists() { 161 | if [ ! -d $1 ] ; then 162 | message "Creating folder: $1" 163 | mkdir -p $1 164 | fi 165 | } 166 | function _backup_file() { 167 | if [ ! -f $1.backup ] ; then 168 | message "Creating Backup of file: $1" 169 | cp $1 $1.backup 170 | fi 171 | } 172 | function _backup_file_date() { 173 | if [ ! -f $1.${SET_SCRIPT_RUN_DATE_TIME}.backup ] ; then 174 | message "Creating Backup of file: $1 (date include in filename)" 175 | cp $1 $1.${SET_SCRIPT_RUN_DATE_TIME}.backup 176 | fi 177 | } 178 | function _backup_folder() { 179 | if [ ! -d $1.backup ] ; then 180 | message "Creating Backup of folder: $1" 181 | cp -R $1 $1.backup 182 | fi 183 | } 184 | function _backup_folder_date() { 185 | if [ ! 
-d $1.${SET_SCRIPT_RUN_DATE_TIME}.backup ] ; then 186 | message "Creating Backup of folder: $1 (date include in foldername)" 187 | cp -R $1 $1.${SET_SCRIPT_RUN_DATE_TIME}.backup 188 | fi 189 | } 190 | 191 | ########################## CODE ######################### 192 | 193 | _configured_script 194 | _check_run_as_sudo_root 195 | 196 | ############################################################# 197 | ######## LEAVE THESE HERE AND DONT CHANGE THESE 4 !!!!!! 198 | ## hostname in single word, but you dont need to change this 199 | SETHOSTNAME=`hostname -s` 200 | ## domainname.tld, but if you installed correct, you dont need to change this 201 | SETDNSDOMAIN=`hostname -d` 202 | ## hostname.domainname.tld, but if you installed correct, you dont need to change this 203 | SETFQDN=`hostname -f` 204 | ## server ip, if /etc/hosts is setup correct. 205 | SETSERVERIP=`hostname -i` 206 | SETSERVERIPNET=`hostname -i| cut -d"." -f1,2,3` 207 | ############################################################## 208 | 209 | #### Specific NFS setup setting 210 | SETHOSTNAME_CAPS=`echo ${SETHOSTNAME^^}` 211 | ## Samba general setting 212 | SAMBA_KERBEROS_REALM=`echo ${SETDNSDOMAIN^^}` 213 | 214 | ################################################################## 215 | 216 | NFS_SETUP="$1" 217 | 218 | if [ -z "${NFS_SETUP}" ]; then 219 | error "You need to run the script with server or client parameter" 220 | error "Example ./setup-samba-home-nfs-server.sh server" 221 | error "Exitting now.. 
" 222 | exit 0 223 | fi 224 | 225 | if [ "${NFS_SETUP}" = "server" ] || [ "${NFS_SETUP}" = "client" ]; then 226 | if [ "${NFS_SETUP}" = "server" ]; then 227 | good "Setting up NFS Server support" 228 | 229 | _package_install nfs-kernel-server 230 | service nfs-kernel-server stop 231 | service nfs-common stop 232 | _check_folder_exists "${NFSD_V4_EXPORTS_PATH}/${NFSD_V4_EXPORTS_USERS_PATH}" 233 | 234 | _backup_file_date /etc/krb5.keytab 235 | 236 | _backup_file /etc/fstab 237 | if [ `cat /etc/fstab | grep 'NFSv4: Setup'| wc -l` = "0" ]; then 238 | message "NFSv4: Setup fstab for NFS v4 with kerberos support" 239 | echo "${SAMBA_USERS_HOMEDIR} "${NFSD_V4_EXPORTS_PATH}${NFSD_V4_EXPORTS_USERS_PATH}" none bind 0 0" >> /etc/fstab 240 | mount -a 241 | else 242 | warning "fstab was already setup for NFSv4, checking if mounted.." 243 | if `df | grep "${NFSD_V4_EXPORTS_PATH}${NFSD_V4_EXPORTS_USERS_PATH}" | wc -l` = "0" ]; then 244 | mount -a 245 | else 246 | warning "${NFSD_V4_EXPORTS_PATH}${NFSD_V4_EXPORTS_USERS_PATH} was already mounted" 247 | fi 248 | fi 249 | 250 | _backup_file /etc/exports 251 | message "Setup of /etc/exports" 252 | if [ ${NFSD_V4_NETWORK} = "" ]; then 253 | NFSD_V4_NETWORK="${SETSERVERIPNET}.0/24" 254 | fi 255 | 256 | if [ `cat /etc/exports | grep "${NFSD_V4_EXPORTS_PATH}${NFSD_V4_EXPORTS_USERS_PATH}" | wc -l` = "0" ]; then 257 | cat << EOF > /etc/exports 258 | # 'fsid=0' designates this path as the nfs4 root 259 | # 'crossmnt' is necessary to properly expose the paths 260 | # 'no_subtree_check' is specified to get rid of warning messages 261 | # about the default value changing. 
This is the default value 262 | ${NFSD_V4_EXPORTS_PATH} ${NFSD_V4_NETWORK}(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=krb5) 263 | ${NFSD_V4_EXPORTS_PATH}${NFSD_V4_EXPORTS_USERS_PATH} ${NFSD_V4_NETWORK}(rw,sync,no_subtree_check,sec=krb5) 264 | EOF 265 | else 266 | warning "The file : /etc/exports was already setup" 267 | fi 268 | 269 | _backup_file /etc/idmapd.conf 270 | if [ `cat /etc/idmapd.conf | grep "Method = nsswitch" | wc -l` = "0" ]; then 271 | message "Setup of /etc/idmapd.conf" 272 | cat << EOF >> /etc/idmapd.conf 273 | 274 | [Translation] 275 | 276 | Method = nsswitch 277 | 278 | EOF 279 | else 280 | warning "The file : /etc/idmapd.conf was already setup" 281 | fi 282 | 283 | _backup_file /etc/default/nfs-kernel-server 284 | message "Setup of /etc/default/nfs-kernel-server" 285 | if [ `cat /etc/default/nfs-kernel-server | grep "NEED_SVCGSSD=yes" | wc -l` = "0" ]; then 286 | sed -i 's/NEED_SVCGSSD=""/NEED_SVCGSSD="yes"/g' /etc/default/nfs-kernel-server 287 | else 288 | warning "The file : /etc/default/nfs-kernel-server was already setup" 289 | fi 290 | 291 | _backup_file /etc/default/nfs-common 292 | message "Setup of /etc/default/nfs-common" 293 | if [ `cat /etc/default/nfs-kernel-server | grep "NEED_GSSD" | wc -l` = "0" ]; then 294 | sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common 295 | sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common 296 | sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common 297 | else 298 | warning "The file : /etc/default/nfs-common was already setup" 299 | fi 300 | message "Exporting exports" 301 | exportfs -r 302 | sleep 0.5 303 | 304 | message " " 305 | good "The basic setup of the NFS server is done" 306 | message " " 307 | warning "Now you need to add the nfs SPN to this servers name." 
308 | warning "Run the following commands on one of your DC's" 309 | warning "samba-tool spn add nfs/${SETFQDN} ${SETHOSTNAME_CAPS}\$" 310 | warning "samba-tool spn add nfs/${SETFQDN}@${SAMBA_KERBEROS_REALM} ${SETHOSTNAME_CAPS}\$" 311 | warning "samba-tool domain exportkeytab --principal=nfs/${SETFQDN} keytab.${SETHOSTNAME_CAPS}-nfs" 312 | message " " 313 | warning "When above is done, you need to copy the keytab file keytab.${SETHOSTNAME_CAPS}-nfs to the server ${SETHOSTNAME_CAPS}" 314 | warning "Now you need to merge te original keytab file and keytab.${SETHOSTNAME_CAPS}-nfs on server ${SETHOSTNAME_CAPS}" 315 | message " " 316 | message "Stop the samba services:" 317 | message "for x in \`ls /etc/init.d/sernet-*\` ; do \$x stop ; done" 318 | message " " 319 | message "Merging the keytab files" 320 | message "Now type the following on server ${SETHOSTNAME_CAPS}: " 321 | message "ktutil (hit enter)" 322 | message "rkt /etc/krb5.keytab (hit enter)" 323 | message "rkt /PATH_TO_THE_NEW_KEYTABFILE/keytab.${SETHOSTNAME_CAPS}-nfs" 324 | message "list ( hit enter and check the output, is nfs listed?) " 325 | message "wkt /etc/krb5.keytab" 326 | message "quit" 327 | message "chmod 600 /etc/krb5.keytab" 328 | message "chown root:root /etc/krb5.keytab" 329 | message "Now the keytab file is setup for NFS server support." 330 | message "Now you can startup the nfs server on ${SETHOSTNAME_CAPS}" 331 | message "run : service nfs-kernel-server start" 332 | message "run : service nfs-common restart" 333 | message "And test with : mount -t nfs4 ${SETFQDN}:${NFSD_V4_EXPORTS_USERS_PATH} /mnt -o sec=krb5 " 334 | message "if it works, umount with : umount /mnt" 335 | message "and start samba services again" 336 | message "for x in \`ls /etc/init.d/sernet-*\` ; do \$x start ; done" 337 | message " " 338 | warning " !! 
Both server and client need nfs spn's " 339 | fi 340 | 341 | ############################################ NFS CLIENT SETUP ####################################################### 342 | if [ "${NFS_SETUP}" = "client" ]; then 343 | good "Setting up NFS Client support" 344 | # FOR THE OTHER SERVERS /Client servers. 345 | 346 | _package_install nfs-common 347 | _package_install rpcbind 348 | service nfs-common stop 349 | _check_folder_exists "${SAMBA_USERS_HOMEDIR}" 350 | 351 | _backup_file /etc/idmapd.conf 352 | if [ `cat /etc/idmapd.conf | grep 'Method = nsswitch' | wc -l` = "0" ]; then 353 | message "Setup of /etc/idmapd.conf" 354 | cat << EOF > /etc/idmapd.conf 355 | [General] 356 | 357 | Verbosity = 0 358 | Pipefs-Directory = /run/rpc_pipefs 359 | 360 | # set your own domain here, if id differs from FQDN minus hostname 361 | # Domain = localdomain 362 | Domain = ${SETDNSDOMAIN} 363 | Local-Realm = ${SAMBA_KERBEROS_REALM} 364 | 365 | [Mapping] 366 | 367 | Nobody-User = nobody 368 | Nobody-Group = nogroup 369 | 370 | [Translation] 371 | Method = static,nsswitch 372 | GSS-Methods = static,nsswitch 373 | 374 | [Static] 375 | ${SETHOSTNAME_CAPS}\$@${SAMBA_KERBEROS_REALM} = root 376 | host/${SETFQDN}@${SAMBA_KERBEROS_REALM} = root 377 | nfs/${SETFQDN}@${SAMBA_KERBEROS_REALM} = root 378 | nfs/${SETFQDN}@ = root 379 | 380 | EOF 381 | else 382 | warning "The file : /etc/idmapd.conf was already setup" 383 | fi 384 | 385 | if [ ${NFS_CLIENT_MOUNT_USERS} = "dedicated" ]; then 386 | if [ `cat /etc/fstab | grep 'NFS V4 Client Users'| wc -l` = "0" ] || [ `cat /etc/auto.master | grep 'NFS V4 Client Users automount'| wc -l` = "0" ]; then 387 | _backup_file /etc/fstab 388 | echo "## NFS V4 Client Users mount" >> /etc/fstab 389 | echo "${NFSD_V4_SERVERNAME}:${NFSD_V4_EXPORTS_USERS_PATH} ${SAMBA_USERS_HOMEDIR} nfs4 sec=krb5 0 0" >> /etc/fstab 390 | else 391 | warning "NFS V4 Client setup was already done" 392 | fi 393 | fi 394 | if [ ${NFS_CLIENT_MOUNT_USERS} = "automount" ]; then 
395 | if [ `cat /etc/fstab | grep 'NFS V4 Client Users'| wc -l` = "0" ] || [ `cat /etc/auto.master | grep 'NFS V4 Client Users automount'| wc -l` = "0" ]; then 396 | _package_install autofs 397 | service autofs stop 398 | #_backup_file /etc/auto.master 399 | _check_folder_exists /etc/auto.master.d 400 | echo "## NFS V4 Client Users automount" >> /etc/auto.master.d/user-home.autofs 401 | echo "* ${NFSD_V4_SERVERNAME}:${NFSD_V4_EXPORTS_USERS_PATH}\/\&" >> /etc/auto.master.d/user-home.autofs 402 | echo "user-home automount file can be found here : /etc/auto.master.d/user-home.autofs" 403 | else 404 | warning "NFS V4 Client setup was already done, see /etc/auto.master.d/user-home.autofs" 405 | fi 406 | fi 407 | message " " 408 | good "The setup of the NFS Client is done" 409 | message " " 410 | warning "Now you need to add the nfs SPN to this client server name." 411 | warning "Run the following commands on one of your DC's" 412 | warning "samba-tool spn add nfs/${SETFQDN} ${SETHOSTNAME_CAPS}\$" 413 | warning "samba-tool spn add nfs/${SETFQDN}@${SAMBA_KERBEROS_REALM} ${SETHOSTNAME_CAPS}\$" 414 | warning "samba-tool domain exportkeytab --principal=nfs/${SETFQDN} keytab.${SETHOSTNAME_CAPS}-nfs" 415 | message " " 416 | warning "When above is done, you need to copy the keytab file keytab.${SETHOSTNAME_CAPS}-nfs to the nfs client ${SETHOSTNAME_CAPS}" 417 | warning "Now you need to merge te original keytab file and keytab.${SETHOSTNAME_CAPS}-nfs on client ${SETHOSTNAME_CAPS}" 418 | message " " 419 | message "Stop the samba services:" 420 | message "SERNET SAMBA: for x in \`ls /etc/init.d/sernet-*\` ; do \$x stop ; done" 421 | message "DEBIAN SAMBA: for x in \`ls /etc/init.d/samba\` ; do \$x stop ; done" 422 | message " " 423 | message "Merging the keytab files" 424 | message "Now type the following on server ${SETHOSTNAME_CAPS}: " 425 | message "ktutil (hit enter)" 426 | message "rkt /etc/krb5.keytab (hit enter)" 427 | message "rkt 
/PATH_TO_THE_NEW_KEYTABFILE/keytab.${SETHOSTNAME_CAPS}-nfs" 428 | message "list ( hit enter and check the output, is nfs listed?) " 429 | message "wkt /etc/krb5.keytab" 430 | message "quit" 431 | message "chmod 600 /etc/krb5.keytab" 432 | message "chown root:root /etc/krb5.keytab" 433 | message "Now the keytab file is setup for NFS server support." 434 | message "Now you can startup the nfs client on ${SETHOSTNAME_CAPS}" 435 | message "run : service nfs-common start" 436 | message "And test with : mount -t nfs4 ${NFSD_V4_SERVERNAME}:${NFSD_V4_EXPORTS_USERS_PATH} ${SAMBA_USERS_HOMEDIR} -o sec=krb5 " 437 | message "and start samba services again" 438 | message "SERNET SAMBA: for x in \`ls /etc/init.d/sernet-*\` ; do \$x start ; done" 439 | message "DEBIAN SAMBA: for x in \`ls /etc/init.d/samba\` ; do \$x start ; done" 440 | message " " 441 | warning " !! Both server and client need nfs spn's " 442 | fi 443 | 444 | if [ ${SSHD_KERBEROS_ENABLED} = "yes" ]; then 445 | message "Enable kerborised ssh logins" 446 | _package_install_no_recommends ssh-krb5 libpam-krb5 447 | pam-auth-update --package --force 448 | sed -i '/#GSSAPICleanupCredentials yes/aGSSAPIStoreCredentialsOnRekey yes # If your version supports this/' /etc/ssh/sshd_config 449 | sed -i '/#GSSAPICleanupCredentials yes/aGSSAPIKeyExchange yes # If your version supports this/' /etc/ssh/sshd_config 450 | sed -i 's/#GSSAPICleanupCredentials yes/GSSAPICleanupCredentials yes/g' /etc/ssh/sshd_config 451 | sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication yes/g' /etc/ssh/sshd_config 452 | service ssh restart 453 | fi 454 | 455 | if [ ! 
-e /etc/systemd/system/nfs-common.service.d/remote-fs-pre.conf ] ; then 456 | echo "Fixing NFS mount on boot with systemd" 457 | mkdir -p /etc/systemd/system/nfs-common.service.d 458 | cat << EOF > /etc/systemd/system/nfs-common.service.d/remote-fs-pre.conf 459 | [Unit] 460 | Before=remote-fs-pre.target 461 | Wants=remote-fs-pre.target 462 | 463 | EOF 464 | fi 465 | 466 | else 467 | error "No server of client variable input" 468 | error "Exiting now. " 469 | fi 470 | --------------------------------------------------------------------------------
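The SDDL strings that samba-setup-share-folders.sh passes to `samba-tool ntacl set` are easy to get wrong by one hex digit, so it pays to decode them before applying them. The following decoder is an added example, not part of the repository: it takes the profiles and public-share SDDLs from the script and turns each ACE into the trustee, the "Applies to" scope and the directory rights Windows would show; the SID abbreviations (LA, DA, DU, SY, CO, CG, WD) are standard SDDL aliases and S-1-22-1-0 / S-1-22-2-0 are Samba's Unix uid/gid 0 SIDs.

```python
"""Decode the SDDL strings samba-setup-share-folders.sh hands to samba-tool ntacl set.

Added example; only the two SDDL constants are copied from the script.
"""
import re
from typing import Dict, List

PROFILES_SDDL = ("O:LAG:S-1-22-2-0D:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
                 "(A;OICI;0x001f01ff;;;DA)(A;;0x00100025;;;DU)")
PUBLIC_SDDL = ("O:LAG:S-1-22-2-0D:PAI(A;OICI;0x001301bf;;;DU)(A;;0x001200a9;;;WD)"
               "(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;DA)")

# Well-known SDDL abbreviations plus Samba's Unix uid/gid SIDs (S-1-22-1-<uid>, S-1-22-2-<gid>).
SID_ALIASES = {
    "LA": "Administrator", "DA": "Domain Admins", "DU": "Domain Users", "SY": "SYSTEM",
    "CO": "CREATOR OWNER", "CG": "CREATOR GROUP", "WD": "Everyone",
    "S-1-22-1-0": "Unix user root", "S-1-22-2-0": "Unix group root",
}
# Directory rights, named as the Windows advanced security dialog shows them.
RIGHTS = [
    (0x00000001, "List folder"), (0x00000002, "Create files"),
    (0x00000004, "Create folders"), (0x00000008, "Read extended attributes"),
    (0x00000010, "Write extended attributes"), (0x00000020, "Traverse folder"),
    (0x00000040, "Delete subfolders and files"), (0x00000080, "Read attributes"),
    (0x00000100, "Write attributes"), (0x00010000, "Delete"),
    (0x00020000, "Read permissions"), (0x00040000, "Change permissions"),
    (0x00080000, "Take ownership"), (0x00100000, "Synchronize"),
]
SUMMARY = {0x001F01FF: "Full control", 0x001301BF: "Modify", 0x001200A9: "Read & execute"}
SDDL_RE = re.compile(r"^O:(.*?)G:(.*?)D:([A-Z]*)((?:\([^)]*\))*)$")
# Only the subset the script uses: allow/deny, hex mask, no object GUIDs.
ACE_RE = re.compile(r"\(([AD]);([A-Z]*);(0x[0-9A-Fa-f]+);;;([^)]+)\)")


def decode_mask(mask: int) -> List[str]:
    """Return the individual directory rights set in an access mask."""
    return [name for bit, name in RIGHTS if mask & bit]


def applies_to(flags: List[str]) -> str:
    """Translate OI/CI/IO inheritance flags into Windows' 'Applies to' wording."""
    scope = [] if "IO" in flags else ["this folder"]
    if "CI" in flags:
        scope.append("subfolders")
    if "OI" in flags:
        scope.append("files")
    return ", ".join(scope)


def parse_sddl(sddl: str) -> Dict:
    """Split owner, group, DACL control flags and ACEs out of an SDDL string.

    Anything outside the handled subset raises, so a typo is never silently
    decoded as a harmless-looking ACL.
    """
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError(f"unsupported SDDL: {sddl}")
    owner, group, dacl_flags, ace_text = m.groups()
    aces = []
    for ace in ACE_RE.finditer(ace_text):
        ace_type, flag_text, mask_text, trustee = ace.groups()
        flags = re.findall(r"OI|CI|IO|NP|ID", flag_text)
        mask = int(mask_text, 16)
        aces.append({"type": "allow" if ace_type == "A" else "deny",
                     "trustee": SID_ALIASES.get(trustee, trustee),
                     "applies_to": applies_to(flags), "mask": mask,
                     "summary": SUMMARY.get(mask, "Special"), "rights": decode_mask(mask)})
    if len(aces) != ace_text.count("("):
        raise ValueError(f"unparsed ACE in: {ace_text}")
    return {"owner": SID_ALIASES.get(owner, owner), "group": SID_ALIASES.get(group, group),
            "protected": "P" in dacl_flags,  # P: parent ACEs are not inherited
            "aces": aces}


if __name__ == "__main__":
    for name, sddl in (("profiles", PROFILES_SDDL), ("public", PUBLIC_SDDL)):
        acl = parse_sddl(sddl)
        print(f"{name}: owner={acl['owner']} group={acl['group']} protected={acl['protected']}")
        for ace in acl["aces"]:
            print(f"  {ace['type']:5} {ace['trustee']:14} {ace['summary']:15} ({ace['applies_to']})")
            if ace["summary"] == "Special":
                print("        " + ", ".join(ace["rights"]))
```

Run against the profiles SDDL it shows why the share works the way the script's comments promise: Domain Users get only List folder, Create folders and Traverse on the root itself, while CREATOR OWNER gets Full control on subfolders and files, so each user ends up owning just the profile folder they create.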