Author Topic: [Development] Bash Script Samba-AD-DC Bind9_DLZ Backend

JLLEWELYN

[Development] Bash Script Samba-AD-DC Bind9_DLZ Backend
« on: August 15, 2018, 07:36:33 am »
Description: Bash script as an alternative way to build a Samba Active Directory Domain Controller with the Bind9_DLZ DNS backend on Ubuntu Server 18.04 LTS.
Note: In development, for testing only; do not try to use it in a production environment.

First, identify the network interfaces:
Code:
ip -o link show | awk -F': ' '{print $2}'

result:
Code:
lo
enp4s0
enp4s1
enp6s0
wlp5s0

Edit /etc/netplan/01-netcfg.yaml to configure the network adapters; the name of each adapter may differ on your machine.

example:
Code:
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp6s0:
      dhcp4: no
      addresses: [192.168.1.2/24]
      gateway4: 192.168.1.1
      nameservers:
        search: [savidoca.com]
        # a domain controller must resolve names through itself first
        addresses: [192.168.1.2, 192.168.1.1]
    enp4s0:
      dhcp4: yes
      dhcp6: yes
    enp4s1:
      dhcp4: yes
      dhcp6: yes
    wlp5s0:
      dhcp4: yes
      dhcp6: yes

Apply the changes:
Code:
sudo netplan apply


Still in development.
Samba-ad-dc_DNS-Backend.sh
pastebin: https://pastebin.com/LK6vfKpT
Code:
#!/bin/bash
# Author: John Llewelyn
# Description: Install a Samba Active Directory Domain Controller with the Bind9_DLZ DNS backend
echo 'Set the root password'
sudo passwd root
clear
read -rp 'Enter the host name, example [ servidor ]: ' hostname
clear
read -rp 'Enter the domain name, example [ savidoca.com ]: ' domain
clear
read -rp 'Enter the workgroup name, example [ SAVIDOCA ]: ' workgroup
clear
read -rp 'Enter the address of your network, example [ 192.168.1.0/24 ]: ' network
clear
read -rp 'Enter the broadcast address of your network, example [ 192.168.1.255 ]: ' broadcast
clear
read -rp 'Enter the IP address of the AD DC, example [ 192.168.1.2 ]: ' ipaddress
clear
read -rp 'Enter the IP address of your gateway, example [ 192.168.1.1 ]: ' gw
clear
read -rp 'Enter the reversed network address of your AD DC, example: [ 1.168.192 ]: ' reverse
clear
read -rp 'Enter the DNS forwarder addresses for your AD DC, example: [ 8.8.8.8;8.8.4.4; ] ' forwarders
clear
read -rsp 'Enter the password for the AD Administrator: ' password
clear
# Kerberos realm names are upper case: derive the realm from the DNS domain once
realm=${domain^^}
echo "your host name is: $hostname"
echo "your domain name is: $domain"
echo "your Kerberos realm is: $realm"
echo "your workgroup name is: $workgroup"
echo "your network is: $network"
echo "the broadcast address of your network is: $broadcast"
echo "the IP address of your AD DC is: $ipaddress"
echo "the IP address of your gateway is: $gw"
echo "the reverse zone of your domain is: $reverse.in-addr.arpa."
echo "the DNS forwarder addresses are: $forwarders"
read -p "Are you sure these values are correct? [y/N] " -n 1 -r
echo    # move to a new line
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
    exit 1
fi
clear

# Install samba, krb5, winbind, bind9, chrony, openssl, isc-dhcp-server, resolvconf
# (krb5-user asks for a realm through debconf; run non-interactively, Samba's own krb5.conf is linked in below)
sudo env DEBIAN_FRONTEND=noninteractive apt install -y acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user krb5-config krb5-locales bind9 bind9utils bind9-doc binutils ldb-tools chrony openssl isc-dhcp-server resolvconf

# hostname, resolv.conf, hosts, ACL/xattr mount options
sudo hostnamectl set-hostname "$hostname"
# the DC must resolve names through itself; resolvconf appends these lines to resolv.conf
printf 'nameserver %s\ndomain %s\n' "$ipaddress" "$domain" | sudo tee /etc/resolvconf/resolv.conf.d/tail >/dev/null
sudo chmod 644 /etc/resolvconf/resolv.conf.d/tail
sudo resolvconf -u
# the FQDN comes first so that "hostname -f" returns it
sudo tee /etc/hosts >/dev/null <<EOF
127.0.0.1 localhost localhost.localdomain
$ipaddress $hostname.$domain $hostname
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
EOF
# add user_xattr and acl to the root ext4 file system (only once), then remount
if ! grep -q user_xattr /etc/fstab; then
    sudo sed -i.old -r '/[ \t]\/[ \t]/{s/(ext4[\t ]*)([^\t ]*)/\1\2,user_xattr,acl,barrier=1/}' /etc/fstab
fi
sudo mount -o remount,rw /

# Prepare the samba-ad-dc service: stop the member-server daemons and remove any previous databases
sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl disable smbd.service nmbd.service winbind.service
sudo systemctl unmask samba-ad-dc.service
sudo rm -f /etc/samba/smb.conf
# run the search as root: /var/lib/samba/private is not readable by the calling user
sudo find /var/run/samba /var/lib/samba /var/cache/samba \( -name '*.tdb' -o -name '*.ldb' \) -delete 2>/dev/null
sudo find /var/lib/samba/sysvol -mindepth 1 -delete 2>/dev/null
# provision the AD DC (the password is passed on the command line and is briefly visible in the process list)
sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=BIND9_DLZ \
    --realm="$realm" --domain="$workgroup" --function-level=2008_R2 --adminpass="$password"

# krb5.conf: use the one written by the provision, and do not depend on reverse DNS for KDC names
sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
sudo sed -i '/dns_lookup_kdc = true/a \        rdns = no' /var/lib/samba/private/krb5.conf

# smb.conf: insert the extra [global] settings right after the [global] header
# (an unescaped /[global]/ in sed is a character class that matches almost every line, so the
# settings are written to a file and read in with the "r" command at the escaped header)
smbglobal=$(mktemp)
cat > "$smbglobal" <<EOF
        security = auto
        allow dns updates = secure only
        # dns forwarder = $ipaddress
        # interfaces =
        # bind interfaces only = yes
        # Default idmap config for local BUILTIN accounts and groups
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
        # idmap config for the $workgroup domain
        idmap config $workgroup : backend = ad
        idmap config $workgroup : schema_mode = rfc2307
        idmap config $workgroup : range = 10000-999999
        idmap config $workgroup : unix_nss_info = yes
        idmap config $workgroup : unix_primary_group = yes
        # Template settings for login shell and home directory
        template shell = /bin/bash
        template homedir = /home/%U
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind offline logon = no
        winbind cache time = 300
        winbind nss info = rfc2307
        server signing = auto
        # server role check:inhibit = yes
        # dsdb:schema update allowed = yes
        # drs:max object sync = 1200
        # kernel share modes = yes
        # client use spnego = yes
        # client NTLMv2 auth = yes
        # client min protocol = SMB2
        # client max protocol = SMB3
        # server min protocol = SMB2
        # server max protocol = SMB3
        restrict anonymous = 2
        map to guest = Never
        log level = 3
        log file = /var/log/samba/samba.log
        max log size = 100000
        # LDAP over SSL (LDAPS)
        tls enabled = yes
        tls keyfile = tls/samba.key
        tls certfile = tls/samba.crt
        tls cafile =
        # printing = CUPS
        # include = /etc/samba/shares.conf
        # include = /etc/samba/profiles.conf
        # include = /etc/samba/printers.conf
EOF
sudo sed -i "/^\[global\]/r $smbglobal" /etc/samba/smb.conf
rm -f "$smbglobal"
# use BIND instead of the internal DNS server if the provision wrote the full service list
sudo sed -ri 's/server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate/server services = -dns/g' /etc/samba/smb.conf
# Incomplete: one line still needs changing.

# Roaming Windows user profiles
sudo tee /etc/samba/profiles.conf >/dev/null <<'EOF'
[profiles]
        comment = Users profiles
        path = /srv/samba/profiles/
        browseable = No
        read only = No
        force create mode = 0600
        force directory mode = 0700
        csc policy = disable
        store dos attributes = yes
        vfs objects = acl_xattr
EOF
sudo mkdir -p /srv/samba/profiles/
sudo chmod 1750 /srv/samba/profiles/
# (the chgrp to "Domain Users" is done after samba-ad-dc is running, winbind has to resolve the group)

# Creating /etc/samba/shares.conf
sudo tee /etc/samba/shares.conf >/dev/null <<'EOF'
[homes]
    comment = User home directories
    path = /home/%S
    read only = no
    browseable = no
    create mask = 0611
    directory mask = 0711
    vfs objects = acl_xattr full_audit
    full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
EOF

# Creating /etc/samba/printers.conf
sudo tee /etc/samba/printers.conf >/dev/null <<'EOF'
[printers]
       path = /var/spool/samba/
       printable = yes
EOF
sudo mkdir -p /var/spool/samba/
sudo chmod 1777 /var/spool/samba/
# smbcontrol all reload-config

# winbind in nsswitch and PAM
sudo sed -ri 's/passwd:         compat systemd/passwd:         compat winbind/g' /etc/nsswitch.conf
sudo sed -ri 's/group:          compat systemd/group:          compat winbind/g' /etc/nsswitch.conf
sudo sed -ri 's/dns myhostname/dns mdns/g' /etc/nsswitch.conf
# sudo sed -ri 's/pam_winbind.so use_authtok try_first_pass/pam_winbind.so try_first_pass/g' /etc/pam.d/common-password
sudo pam-auth-update --package

# Bind9
sudo wget -q -O /etc/bind/db.root http://www.internic.net/zones/named.root
sudo wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
sudo rndc-confgen -a
sudo chown root:bind /etc/bind/rndc.key
sudo chmod 640 /etc/bind/rndc.key
# Samba's DLZ configuration, logging and the rndc control channel. The key is included before
# "controls" refers to it; rndc.conf is the client's file and must not carry a controls statement.
sudo tee -a /etc/bind/named.conf >/dev/null <<'EOF'
include "/var/lib/samba/private/named.conf";
include "/etc/bind/named.conf.logging";
include "/etc/bind/rndc.key";
controls {
        inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
};
EOF
# ACLs are defined before named.conf.options, which references them
sudo tee /etc/bind/named.conf.acls >/dev/null <<EOF
acl "trusted" {
    localhost;
    localnets;
};

acl "internal-local-nets" {
    $network;
};
EOF
sudo sed -i '/named.conf.options/i include "/etc/bind/named.conf.acls";' /etc/bind/named.conf
# named verifies GSS-TSIG updates with the DNS keytab: readable by the bind group and nobody else
sudo chgrp bind /var/lib/samba/private/dns.keytab
sudo chmod g+r /var/lib/samba/private/dns.keytab
sudo sed -i "/directory/a \        sortlist {\n        { $network ;{ $network ; };};\n        };"  /etc/bind/named.conf.options
sudo sed -i "/directory/a \        cleaning-interval 1440;\n        max-cache-ttl 2419200;\n        max-ncache-ttl 86400;\n        max-cache-size unlimited;\n        stacksize unlimited;\n        datasize unlimited;\n        coresize unlimited;\n        \n        listen-on { any; };"  /etc/bind/named.conf.options
sudo sed -i "/listen-on-v6/a \        // DNS dynamic updates via Kerberos\n        tkey-gssapi-keytab \"/var/lib/samba/private/dns.keytab\";\n        allow-query { any; };\n        allow-recursion { trusted; };\n        allow-query-cache { trusted; };\n        allow-transfer { none; };\n        notify no;\n        empty-zones-enable no;"  /etc/bind/named.conf.options
sudo sed -i "/dnssec-validation/a \        #dnssec-lookaside auto;"  /etc/bind/named.conf.options
sudo sed -i 's[// forwarders[forwarders[g' /etc/bind/named.conf.options
sudo sed -i "s[// \t0.0.0.0;[      $forwarders[g" /etc/bind/named.conf.options
sudo sed -i "s[// };[};[g" /etc/bind/named.conf.options
sudo sed -ri 's/RESOLVCONF=no/RESOLVCONF=yes/g' /etc/default/bind9
# reverse zone file with this DC as primary name server (copying db.local would point SOA and NS at localhost)
sudo tee "/var/lib/bind/db.$reverse" >/dev/null <<EOF
\$TTL 604800
@       IN      SOA     $hostname.$domain. hostmaster.$domain. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      $hostname.$domain.
EOF
sudo chown bind:bind "/var/lib/bind/db.$re verse"
sudo chmod 640 "/var/lib/bind/db.$reverse"
sudo tee -a /etc/bind/named.conf.local >/dev/null <<EOF
zone "$reverse.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.$reverse";
    update-policy {
        // The only allowed dynamic updates are PTR records. With GSS-TSIG the
        // identity is a Kerberos principal: the DHCP service account created below.
        grant "dhcpduser@$realm" subdomain $reverse.in-addr.arpa. PTR TXT;
        // Grant from localhost (nsupdate -l)
        grant local-ddns zonesub any;
    };
};
EOF
sudo sed -i 's[//include[include[g' /etc/bind/named.conf.local
sudo tee -a /etc/apparmor.d/local/usr.sbin.named >/dev/null <<'EOF'
# Samba4 DLZ and Active Directory Zones (default source installation)
/usr/lib/x86_64-linux-gnu/ldb/** rwmk,
/usr/lib/x86_64-linux-gnu/samba/** rwmk,
/var/lib/samba/** rm,
/var/lib/samba/private/dns/** rwmk,
/etc/samba/smb.conf r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns.keytab r,
/etc/bind/rndc.key  r,
/var/tmp/** rwmk,
/dev/urandom rw,
/var/log/bind/** rw,
EOF
# BIND logging; the files live under /var/log/bind, the only log path the AppArmor rule above allows
sudo tee /etc/bind/named.conf.logging >/dev/null <<'EOF'
logging {
        channel update_debug {
                file "/var/log/bind/update_debug.log" versions 3 size 100k;
                severity debug;
                print-severity  yes;
                print-time      yes;
        };
        channel security_info {
                file "/var/log/bind/security_info.log" versions 1 size 100k;
                severity info;
                print-severity  yes;
                print-time      yes;
        };
        channel bind_log {
                file "/var/log/bind/bind.log" versions 3 size 1m;
                severity info;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
        };

        category default { bind_log; };
        category lame-servers { null; };
        category update { update_debug; };
        category update-security { update_debug; };
        category security { security_info; };
};
EOF
sudo mkdir -p /var/log/bind
sudo chown -R bind:root /var/log/bind
sudo chmod -R 775 /var/log/bind

# NTP: chrony signs replies for Windows clients through Samba's ntp_signd socket
sudo tee -a /etc/apparmor.d/local/usr.sbin.chronyd >/dev/null <<'EOF'
# samba4 ntp signing socket
/var/lib/samba/ntp_signd/socket rw,
EOF
sudo install -d /var/lib/samba/ntp_signd
sudo chown root:_chrony /var/lib/samba/ntp_signd
sudo chmod 750 /var/lib/samba/ntp_signd
sudo sed -ri 's/pool ntp.ubuntu.com        iburst maxsources 4/server 0.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
sudo sed -ri 's/pool 0.ubuntu.pool.ntp.org iburst maxsources 1/server 1.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
sudo sed -ri 's/pool 1.ubuntu.pool.ntp.org iburst maxsources 1/server 2.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
sudo sed -ri 's/pool 2.ubuntu.pool.ntp.org iburst maxsources 2/server 3.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
sudo tee -a /etc/chrony/chrony.conf >/dev/null <<EOF
# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
hwclockfile /etc/adjtime
bindcmdaddress $ipaddress
broadcast 60 $broadcast
allow $network
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
sudo timedatectl set-local-rtc 1

# TLS certificate for LDAPS (replaces the self-signed files written by the provision)
sudo rm -f /var/lib/samba/private/tls/cert.pem /var/lib/samba/private/tls/key.pem /var/lib/samba/private/tls/ca.pem
# Self-signed certificate in one step:
# sudo openssl req -newkey rsa:2048 -keyout /var/lib/samba/private/tls/samba.key -nodes -x509 -days 365 -subj "/CN=$hostname.$domain" -out /var/lib/samba/private/tls/samba.crt
# sudo chmod 600 /var/lib/samba/private/tls/samba.key

# Key and CSR (hand samba.csr to a CA for a trusted certificate); self-signed here for testing
sudo openssl genrsa -out /var/lib/samba/private/tls/samba.key 2048
sudo openssl req -new -key /var/lib/samba/private/tls/samba.key -subj "/CN=$hostname.$domain" -out /var/lib/samba/private/tls/samba.csr
sudo openssl x509 -req -days 365 -in /var/lib/samba/private/tls/samba.csr -signkey /var/lib/samba/private/tls/samba.key -out /var/lib/samba/private/tls/samba.crt
sudo chmod 600 /var/lib/samba/private/tls/samba.key

# AppArmor is reloaded before named starts so the DLZ rules are in effect
sudo systemctl daemon-reload
sudo systemctl reload apparmor
sudo systemctl restart systemd-networkd
sudo systemctl restart systemd-resolved
sudo systemctl restart bind9
sudo systemctl enable samba-ad-dc
sudo systemctl start samba-ad-dc
sudo systemctl restart chrony

# winbind is running now: give Domain Users the profiles directory (wait briefly until the group resolves)
for i in 1 2 3 4 5 6; do getent group "Domain Users" >/dev/null && break; sleep 5; done
sudo chgrp -R "Domain Users" /srv/samba/profiles/

# Administrator ticket (MIT kinit reads the password from stdin) and domain settings
printf '%s\n' "$password" | kinit "administrator@$realm"
sudo samba-tool group addmembers DnsAdmins "dns-$hostname"
sudo samba-tool user setpassword administrator
sudo samba-tool user setexpiry administrator --noexpiry
sudo samba-tool domain passwordsettings set --complexity=on
sudo samba-tool domain passwordsettings set --store-plaintext=off
sudo samba-tool domain passwordsettings set --history-length=0
sudo samba-tool domain passwordsettings set --min-pwd-age=0
sudo samba-tool domain passwordsettings set --max-pwd-age=0
sudo samba-tool domain passwordsettings set --min-pwd-length=7
sudo samba-tool domain passwordsettings set --account-lockout-duration=30
sudo samba-tool domain passwordsettings set --account-lockout-threshold=0
sudo samba-tool domain passwordsettings set --reset-account-lockout-after=30

# DHCP server: service account whose keytab lets dhcpd send GSS-TSIG DNS updates
sudo samba-tool user create dhcpduser --description="Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server" --random-password
sudo samba-tool user setexpiry dhcpduser --noexpiry
sudo samba-tool group addmembers DnsAdmins dhcpduser
sudo mkdir -p /etc/isc-dhcp-server
sudo samba-tool domain exportkeytab --principal="dhcpduser@$realm" /etc/isc-dhcp-server/dhcpduser.keytab
# incomplete, in development
exit 0
« Last Edit: September 22, 2018, 10:39:05 pm by JLLEWELYN »
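The script asks for the reversed network octets by hand and builds the reverse zone by copying /etc/bind/db.local. The following is an added example, not code from the post or its script: shell functions that derive the in-addr.arpa zone from the CIDR prefix the script already collects (for /8, /16 and /24; other lengths need RFC 2317 delegation and are rejected), then emit the named.conf.local stanza and a minimal zone file with the DC as primary. The values savidoca.com, servidor, SAVIDOCA.COM and the dhcpduser account are taken from the post's own prompts; the `principal@REALM` grant identity is what BIND matches for GSS-TSIG updates.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): reverse zone derivation and
# BIND configuration for a Samba AD DC with the BIND9_DLZ backend.

# Return 0 if $1 is a dotted-quad IPv4 address with octets in 0-255.
valid_ipv4() {
  oldifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# Print the in-addr.arpa zone for a class-aligned prefix (/8, /16, /24).
reverse_zone() {
  ip=${1%/*}; plen=${1#*/}
  [ "$ip" != "$1" ] || { echo "expected a.b.c.d/len, got $1" >&2; return 1; }
  valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
  o1=${ip%%.*}; r=${ip#*.}; o2=${r%%.*}; r=${r#*.}; o3=${r%%.*}
  case $plen in
    8)  echo "$o1.in-addr.arpa" ;;
    16) echo "$o2.$o1.in-addr.arpa" ;;
    24) echo "$o3.$o2.$o1.in-addr.arpa" ;;
    *)  echo "unsupported prefix length /$plen (use /8, /16 or /24)" >&2; return 1 ;;
  esac
}

# named.conf.local stanza. With GSS-TSIG the grant identity is the Kerberos
# principal of the updater, so the DHCP service account is named explicitly
# and confined to PTR/TXT records inside this zone.
reverse_zone_stanza() {
  zone=$1; realm=$2; principal=$3
  cat <<EOF
zone "$zone" {
    type master;
    file "/var/lib/bind/db.$zone";
    update-policy {
        grant "$principal@$realm" subdomain $zone. PTR TXT;
        grant local-ddns zonesub any;
    };
};
EOF
}

# Minimal zone file whose SOA and NS point at the DC (db.local points at localhost).
reverse_zone_file() {
  zone=$1; dc_fqdn=$2; serial=${3:-1}
  domain=${dc_fqdn#*.}
  cat <<EOF
\$TTL 86400
@   IN  SOA $dc_fqdn. hostmaster.$domain. ( $serial 3600 900 2419200 86400 )
@   IN  NS  $dc_fqdn.
EOF
}

# Worked run with the post's example values (assumed names: servidor, SAVIDOCA.COM, dhcpduser).
demo() {
  zone=$(reverse_zone 192.168.1.0/24) || return 1
  reverse_zone_stanza "$zone" SAVIDOCA.COM dhcpduser
  reverse_zone_file "$zone" servidor.savidoca.com 2018082201
}

demo
```

Check the generated zone file with `named-checkzone 1.168.192.in-addr.arpa /var/lib/bind/db.1.168.192.in-addr.arpa` before pointing named at it; the zone must stay writable by the bind user because dynamic updates are journalled next to it.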

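After the script has run, the next thing a practitioner wants is proof that the parts are actually wired together: the DC publishes its SRV records, named loads the DLZ configuration and can read the keytab, winbind resolves domain groups, the idmap ranges do not overlap, and the DC can refresh its own records through BIND with GSS-TSIG. This is an added check script, not code from the post. The helper functions are pure and run on any Linux host; `run_checks` needs the DC itself, root, dig/wbinfo/chronyc and a valid ticket (`kinit administrator@REALM` first). 192.168.1.2, savidoca.com and servidor are the post's example values.

```shell
#!/usr/bin/env bash
# Added post-install checks for the DC built by the script above (not from the post).

# SRV records every AD DC must publish; clients locate the KDC and LDAP through them.
ad_srv_names() {
  d=$1
  printf '%s\n' "_ldap._tcp.$d" "_ldap._tcp.dc._msdcs.$d" "_ldap._tcp.pdc._msdcs.$d" \
    "_ldap._tcp.gc._msdcs.$d" "_gc._tcp.$d" "_kerberos._tcp.$d" "_kerberos._udp.$d" \
    "_kpasswd._tcp.$d" "_kpasswd._udp.$d"
}

# Print "name low high" for every "idmap config NAME : range = low-high" line of an smb.conf.
idmap_ranges() {
  sed -n 's/^[[:space:]]*idmap config[[:space:]]*\([^:]*[^:[:space:]]\)[[:space:]]*:[[:space:]]*range[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2 \3/p' "$1"
}

# Fail if two idmap ranges overlap: winbind needs disjoint ranges, otherwise the
# same UID/GID can be handed out by the local tdb and by the AD backend.
idmap_check() {
  sorted=$(mktemp)
  idmap_ranges "$1" | sort -k2,2n > "$sorted"
  prev=''; prev_hi=-1; rc=0
  while read -r name lo hi; do
    if [ "$lo" -le "$prev_hi" ]; then
      printf 'idmap overlap: %s (%s-%s) and %s\n' "$name" "$lo" "$hi" "$prev" >&2
      rc=1
    fi
    if [ "$hi" -gt "$prev_hi" ]; then prev_hi=$hi; prev=$name; fi
  done < "$sorted"
  rm -f "$sorted"
  return $rc
}

# dns.keytab is what named uses to verify GSS-TSIG updates: root-owned, group bind,
# and unreadable by anyone else (whoever can read it can forge updates). GNU stat.
keytab_perms_ok() {
  f=$1
  [ -f "$f" ] || return 1
  set -- $(stat -c '%U %G %a' "$f")
  [ "$1" = root ] && [ "$2" = bind ] || return 1
  case $3 in 640|440) return 0 ;; *) return 1 ;; esac
}

# Live checks against the running DC. Run as root after "kinit administrator@REALM".
run_checks() {
  dc_ip=$1; domain=$2; host=$3; fail=0
  chk() { if "$@" >/dev/null 2>&1; then echo "ok   $*"; else echo "FAIL $*"; fail=1; fi; }
  for n in $(ad_srv_names "$domain"); do
    chk sh -c "dig +short @$dc_ip SRV $n | grep -q ."
  done
  chk sh -c "dig +short @$dc_ip A $host.$domain | grep -qx $dc_ip"
  chk named-checkconf                       # syntax, including the Samba DLZ include
  chk rndc status                           # control channel and rndc.key agree
  chk idmap_check /etc/samba/smb.conf
  chk keytab_perms_ok /var/lib/samba/private/dns.keytab
  chk klist -s                              # a valid Kerberos ticket is present
  chk wbinfo --ping-dc
  chk sh -c "getent group 'Domain Users' | grep -q ."
  chk samba_dnsupdate --verbose             # DC refreshes its own records via GSS-TSIG through BIND
  chk test -S /var/lib/samba/ntp_signd/socket
  chk chronyc tracking
  return $fail
}

# usage: sudo bash ad_dc_checks.sh run 192.168.1.2 savidoca.com servidor
if [ "${1:-}" = run ]; then
  run_checks "${2:-192.168.1.2}" "${3:-savidoca.com}" "${4:-servidor}"
fi
```

A failing `samba_dnsupdate` with the other checks green usually means named cannot read the keytab or the DLZ module for the installed BIND version is still commented out in /var/lib/samba/private/named.conf; the `update` and `security` channels configured by the script record the refused update.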
JLLEWELYN

Re: [Development] Bash Script Samba-AD-DC Bind9_DLZ Backend
« Reply #1 on: September 22, 2018, 10:36:46 pm »
Wow, more than 200 people have viewed my topic and nobody has anything to say... :'(