Add Ubuntu Samba file server installation script
This commit is contained in:
parent
f0da46e9ba
commit
5f89c625e3
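--- a/BashScripts/install-fileserver-as-dc-member.sh
+++ b/BashScripts/install-fileserver-as-dc-member.sh
@@ -0,0 +1,170 @@
+# Install using: sudo su -c "bash <(wget -qO- /url/to/install-fileserver-as-dc-member.sh)"
+
+# Make sure script is ran as root
+if [[ $EUID -ne 0 ]]; then
+exec sudo /bin/bash "$0" "$@"
+fi
+read -e -p "Enter DC administrator username: " -i $(logname) ADMINUSER
+read -e -p "Enter realm: " -i "myspace.local" DCREALM
+read -e -p "Enter workgroup: " -i "MYSPACE" WORKGROUP
+read -e -p "Enter fileserver hostname: " -i "ubuntulabb" FSHOSTNAME
+read -e -p "Enter dc hostname: " -i "dc1" DCHOSTNAME
+read -e -p "Enter dc/dns IP: " -i "192.168.0.9" DNSIP
+
+apt install -y samba
+apt install -y realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
+hostnamectl set-hostname ${FSHOSTNAME,,}.${DCREALM,,}
+
+systemctl disable systemd-resolved.service
+systemctl stop systemd-resolved.service
+# systemctl status systemd-resolved.service
+
+# Update /etc/resolv.conf with DC as nameserver
+sed -i -E "s/nameserver .*?/nameserver $DNSIP/" /etc/resolv.conf
+
+realm discover ${DCREALM,,}
+realm join -U $ADMINUSER ${DCREALM,,}
+realm list
+
+# Update /usr/share/pam-configs/mkhomedir
+sed -i -E "s/Default:.*?/Default: yes/" /usr/share/pam-configs/mkhomedir
+sed -i -E "s/Priority:.*?/Priority: 900/" /usr/share/pam-configs/mkhomedir
+sed -i -E "s/Session-Interactive-Only:.*?//" /usr/share/pam-configs/mkhomedir
+# sed -i '/Session-Interactive-Only:.*?/d' /usr/share/pam-configs/mkhomedir
+
+pam-auth-update
+# pam-auth-update --enable mkhomedir
+
+systemctl restart sssd
+# systemctl status sssd
+
+id $ADMINUSER@${DCREALM,,}
+
+realm permit --all
+mkdir -p /var/fileshare/data
+chmod -R uga+rwx /var/fileshare/
+
+echo "%domain\ admins@${DCREALM,,} ALL=(ALL) ALL">/etc/sudoers.d/domain-admins
+
+apt -y install winbind libpam-winbind libnss-winbind krb5-config
+
+sudo tee /etc/krb5.conf > /dev/null <<EOL
+[libdefaults]
+default_realm = ${DCREALM^^}
+dns_lookup_realm = true
+dns_lookup_kdc = true
+ticket_lifetime = 24h
+renew_lifetime = 7d
+forwardable = true
+
+[realms]
+${DCREALM^^} = {
+kdc = ${DCHOSTNAME,,}.${DCREALM,,}
+admin_server = ${DCHOSTNAME,,}.${DCREALM,,}
+default_domain = ${DCREALM,,}
+}
+
+[domain_realm]
+.${DCREALM,,} = ${DCREALM^^}
+${DCREALM,,} = ${DCREALM^^}
+EOL
+
+sudo tee /etc/nsswitch.conf > /dev/null <<EOL
+passwd: compat winbind
+group: compat winbind
+shadow: compat winbind
+
+hosts: files dns
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis
+EOL
+
+sudo tee /etc/pam.d/common-session > /dev/null <<EOL
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_unix.so
+session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
+session required pam_winbind.so
+session optional pam_sss.so
+session optional pam_systemd.so
+EOL
+
+sudo tee /etc/pam.d/common-session-noninteractive > /dev/null <<EOL
+session [default=1] pam_permit.so
+session requisite pam_deny.so
+session required pam_permit.so
+session optional pam_umask.so
+session required pam_unix.so
+session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
+session required pam_winbind.so
+session optional pam_winbind.so
+EOL
+
+sudo tee /etc/samba/smb.conf > /dev/null <<EOL
+[global]
+workgroup = ${WORKGROUP^^}
+realm = ${DCREALM,,}
+security = ads
+encrypt passwords = yes
+idmap config * : backend = tdb
+idmap config * : range = 3000-7999
+idmap config ${DCREALM,,} : backend = rid
+idmap config ${DCREALM,,} : range = 10000-999999
+template homedir = /home/%U
+template shell = /bin/bash
+winbind use default domain = true
+winbind offline logon = false
+
+[data]
+comment = Samba File Server Share
+path = /var/fileshare/data
+browsable = yes
+guest ok = yes
+read only = no
+create mask = 777
+force create mode = 777
+directory mask = 777
+force directory mode = 777
+valid users = "@${WORKGROUP^^}\domain users"
+# force user = root
+# force group = root
+writeable = yes
+# admin users = root
+oplocks = yes
+# valid users = @"${DCREALM,,}+Domain Users"
+[/data]
+EOL
+
+sudo tee /etc/security/pam_winbind.conf > /dev/null <<EOL
+[global]
+debug = no
+EOL
+
+echo "Rejoining domain..."
+# kinit $ADMINUSER@${DCREALM,,}
+net ads join -U $ADMINUSER -S ${DCHOSTNAME,,}.${DCREALM,,}
+
+# systemctl restart smbd
+smbcontrol smbd reload-config
+systemctl restart winbind
+
+# Clear Winbind cache
+service winbind stop
+service smbd stop
+net cache flush
+rm /var/lib/samba/*.tdb
+service smbd start
+service winbind start
+
+echo "Found admin user:"
+getent passwd ${WORKGROUP^^}\\$ADMINUSER
+echo "Found domain users:"
+wbinfo --domain-users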
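Review bot: The share ends up world-readable, world-writable and executable for every file: `chmod -R uga+rwx /var/fileshare/` is followed in the smb.conf heredoc by `create mask = 777` / `force create mode = 777` / `directory mask = 777` / `force directory mode = 777`, and `guest ok = yes` sits next to `valid users = "@${WORKGROUP^^}\domain users"`, which it undercuts. Since the share is already meant for one group, restrict the modes to that group (0660/0770, setgid directory) and drop guest access, as in the excerpt below; the `chgrp` has to run once domain groups resolve, i.e. after winbind is up at the end of the script. Two smaller points: `/etc/sudoers.d/domain-admins` is written with a bare `echo` and never tightened or validated — add `chmod 0440 /etc/sudoers.d/domain-admins && visudo -cf /etc/sudoers.d/domain-admins` — and after `realm join` (sssd) the rewritten `/etc/nsswitch.conf` lists only `compat winbind` for passwd/group/shadow while `pam_sss.so` stays in common-session, so the two identity stacks are each half-configured; pick one or add `sss` to those three lines. Also note `rm /var/lib/samba/*.tdb` removes more than the winbind cache that `net cache flush` already clears; if the intent is only the cache, delete the winbind cache file by name instead.
```shell
mkdir -p /var/fileshare/data
chmod 2770 /var/fileshare/data
# … unchanged: sudoers, krb5.conf, nsswitch and PAM heredocs …
[data]
comment = Samba File Server Share
path = /var/fileshare/data
browsable = yes
guest ok = no
read only = no
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770
valid users = "@${WORKGROUP^^}\domain users"
# … unchanged: remaining share options, pam_winbind.conf, join and restarts …
# run after winbind is started so the domain group resolves (name per `getent group`; adjust if your naming differs)
chgrp "domain users" /var/fileshare/data
```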