International => Spanish => Topic started by: JLLEWELYN on August 15, 2018, 07:36:33 am
-
Descripción: Script Bash como alternativa para crear un servidor Samba Directorio Activo, Controlador de Dominio DNS Bind9_DLZ Backend para Ubuntu Server 18.04 LTS.
Nota: En desarrollo, solo para pruebas; no intente usarlo en un entorno de producción.
Primero identifiquemos las interfaces de red:
ip -o link show | awk -F': ' '{print $2}'
resultado:
lo
enp4s0
enp4s1
enp6s0
wlp5s0
Edite /etc/netplan/01-netcfg.yaml para configurar los adaptadores de red; el nombre de cada adaptador puede ser diferente en su equipo.
ejemplo:
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp6s0:
      dhcp4: no
      addresses: [192.168.1.2/24]
      gateway4: 192.168.1.1
      nameservers:
        search: [savidoca.com]
        addresses: [192.168.1.1,192.168.1.2]
    enp4s0:
      dhcp4: yes
      dhcp6: yes
    enp4s1:
      dhcp4: yes
      dhcp6: yes
    wlp5s0:
      dhcp4: yes
      dhcp6: yes
Aplicar los cambios:
sudo netplan apply
Está en desarrollo.
Samba-ad-dc_DNS-Backend.sh
pastebin: https://pastebin.com/LK6vfKpT (https://pastebin.com/LK6vfKpT)
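#!/bin/bash
# Author: John Llewelyn
# Description: Install Samba Active Directory Domain Controller, Bind9_DLZ DNS backend
#
# Interactive front end of the script: sets the root password, collects every
# value the later sections use (hostname, domain, workgroup, network, broadcast,
# ipaddress, gw, reverse, forwarders, password), prints them back and asks for
# a one-key confirmation before any system change is made.
# Every answer is read with -r (backslashes stay literal) and must be
# non-empty.  The two values that later end up inside a sed expression and a
# file name (reverse -> db.$reverse and the reverse zone name, forwarders ->
# the forwarders sed replacement) are restricted to address characters so
# they cannot alter those commands.  gw is collected and shown but not used
# by any later step of the script.
echo 'Configure la contraseña root'
sudo passwd root
clear
read -rp 'Introduzca el nombre de host, ejemplo [ servidor ]: ' hostname
: "${hostname:?el nombre de host es obligatorio}"
clear
read -rp 'Introduzca el nombre de dominio, ejemplo [ savidoca.com ]: ' domain
: "${domain:?el nombre de dominio es obligatorio}"
clear
read -rp 'Introduzca el nombre de grupo de trabajo, ejemplo [ SAVIDOCA ]: ' workgroup
: "${workgroup:?el grupo de trabajo es obligatorio}"
clear
read -rp 'Introduzca la direccion IP de su red, ejemplo [ 192.168.1.0/24 ]: ' network
: "${network:?la direccion de red es obligatoria}"
clear
read -rp 'Introduzca la direccion IP broadcast de su red, ejemplo [ 192.168.1.255 ]: ' broadcast
: "${broadcast:?la direccion broadcast es obligatoria}"
clear
read -rp 'Introduzca la direccion IP del AD DC, ejemplo [ 192.168.1.2 ]: ' ipaddress
: "${ipaddress:?la direccion IP del AD DC es obligatoria}"
clear
read -rp 'Introduzca la direccion IP de su gateway, ejemplo [ 192.168.1.1 ]: ' gw
: "${gw:?la direccion del gateway es obligatoria}"
clear
read -rp 'Introduzca la direccion IP inversa de su AD DC, ejemplo: [ 1.168.192 ]: ' reverse
# Becomes part of a zone name and of a file name: digits and dots only.
reverse_re='^[0-9.]+$'
if [[ ! "$reverse" =~ $reverse_re ]]; then
  echo "direccion inversa no valida: $reverse" >&2
  exit 1
fi
clear
read -rp 'Introduzca las direcciones DNS reenviadores para su AD DC, ejemplo: [ 8.8.8.8;8.8.4.4; ] ' forwarders
# Substituted verbatim into named.conf.options through a sed replacement:
# only address characters, ";" separators and spaces are accepted, so that
# "&", "\" or "[" in the answer cannot change what sed writes.
forwarders_re='^[0-9A-Fa-f.:;[:space:]]+$'
if [[ ! "$forwarders" =~ $forwarders_re ]]; then
  echo "lista de reenviadores no valida: $forwarders" >&2
  exit 1
fi
clear
read -rsp 'Introduzca la contraseña para AD: ' password
echo
: "${password:?la contraseña es obligatoria}"
clear
# Echo the answers back; printf '%s' keeps any odd characters literal.
printf 'el nombre de tu host es: %s\n' "$hostname"
printf 'el nombre de dominio es: %s\n' "$domain"
printf 'el nombre de tu grupo de trabajo es: %s\n' "$workgroup"
printf 'el esquema de la tu red es: %s\n' "$network"
printf 'el broadcast de tu red es: %s\n' "$broadcast"
printf 'la direccion ip de tu AD DC es: %s\n' "$ipaddress"
printf 'la direccion ip de tu gateway es: %s\n' "$gw"
printf 'la direccion inversa de tu dominio es: %s.in-addr.arpa.\n' "$reverse"
printf 'la direcciones DNS reenviadores son: %s\n' "$forwarders"
# Single-key confirmation; anything but y/Y aborts before any change is made.
read -rn 1 -p "Esta seguro que estos son los datos correctos? "
echo # move to a new line after the one-key answer
if [[ ! "$REPLY" =~ ^[Yy]$ ]]; then
  exit 1
fi
clear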
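# Hostname, resolvconf, hosts, acl, attr settings
# Host identity and name resolution.  The resolvconf tail and /etc/hosts are
# written through unquoted here-documents so that $ipaddress, $domain and
# $hostname are expanded by this shell; inside the original single-quoted
# `bash -c '...'` strings they reached the files as the literal text
# "$ipaddress" / "$domain" / "$hostname".
sudo hostnamectl set-hostname "$hostname"
sudo tee /etc/resolvconf/resolv.conf.d/tail >/dev/null <<EOF
nameserver $ipaddress
domain $domain
EOF
sudo chmod 644 /etc/resolvconf/resolv.conf.d/tail
sudo resolvconf -u
# The fully qualified name is listed first: the first name after the address
# is the canonical one, which is what `hostname -f` and Samba resolve to.
sudo tee /etc/hosts >/dev/null <<EOF
127.0.0.1 localhost localhost.localdomain
$ipaddress $hostname.$domain $hostname
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
EOF
# Add user_xattr,acl,barrier=1 to the options of the ext4 entry whose mount
# point is "/" (a backup is kept as /etc/fstab.old), then remount so the
# options are active before Samba is installed.
sudo sed -i.old -r '/[ \t]\/[ \t]/{s/(ext4[\t ]*)([^\t ]*)/\1\2,user_xattr,acl,barrier=1/}' /etc/fstab
sudo mount -a -o remount,rw /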
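# Installing samba, krb5, winbind, bind9, chrony, openssl
# Package installation, then a clean slate for the Samba databases before
# provisioning.  krb5-config asks for the realm through debconf and is
# answered interactively, like the rest of this script.
sudo apt install acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user krb5-config krb5-locales bind9 bind9utils bind9-doc binutils ldb-tools chrony openssl isc-dhcp-server -y
# Preparing the samba-ad-dc service
sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl unmask samba-ad-dc
sudo rm -f /etc/samba/smb.conf
# The *.tdb / *.ldb globs must be expanded by a root shell: the calling
# user's shell cannot list /var/lib/samba/private (root-only directory), so
# an unexpanded pattern would have been handed to rm and nothing removed.
for samba_dir in /var/run/samba /var/lib/samba /var/cache/samba /var/lib/samba/private; do
  sudo sh -c 'rm -f -- "$1"/*.tdb "$1"/*.ldb' sh "$samba_dir"
done
sudo sh -c 'rm -rf -- /var/lib/samba/sysvol/*'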
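# Provisioning the AD DC
# The Administrator password is passed on the command line as in the original;
# note that argv is visible to every local user through ps(1) for as long as
# the samba-tool process runs.
sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=BIND9_DLZ --realm="$domain" --domain="$workgroup" --function-level=2008_R2 --adminpass="$password"
# krb5.conf settings: use the file Samba generated and disable reverse
# lookups for KDC names ("rdns = no" is appended right after dns_lookup_kdc).
sudo rm -f /etc/krb5.conf
sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
sudo sed -i "/dns_lookup_kdc = true/a \ rdns = no" /var/lib/samba/private/krb5.conf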
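# smb.conf settings
# Each sed call appends ("a") one or more lines right after an anchor line
# written by the provisioning step or by an earlier call, so the order of the
# calls is the order of the resulting file.  A leading "\ " in the appended
# text keeps the one-space indent (GNU sed strips leading whitespace), and
# "\n" starts another appended line.
#
# "[global]" must be escaped: unescaped it is a bracket expression matching
# any line that contains g, l, o, b or a (the comment preceding the section
# header), which put "security = auto" outside the [global] section.
sudo sed -i "/^\[global\]/a security = auto" /etc/samba/smb.conf
sudo sed -i "/security = auto/a allow dns updates = secure only" /etc/samba/smb.conf
# With --dns-backend=BIND9_DLZ the provisioned file already reads
# "server services = -dns"; this only matters if the full default list is present.
sudo sed -ri 's/server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate/server services = -dns/g' /etc/samba/smb.conf
# Commented-out reference settings (the original "/n#" wrote a literal
# "/n# dns forwarder" line).
sudo sed -i "/workgroup = $workgroup/a # dns forwarder = $ipaddress" /etc/samba/smb.conf
sudo sed -i "/dns forwarder = /a # interfaces = " /etc/samba/smb.conf
sudo sed -i "/interfaces = /a # bind interfaces only = yes" /etc/samba/smb.conf
# idmap ranges: local BUILTIN accounts first, then the domain itself.
sudo sed -i "/idmap_ldb:use rfc2307 = yes/a \ # Default idmap config for local BUILTIN accounts and groups\n idmap config * : backend = tdb\n idmap config * : range = 3000-7999" /etc/samba/smb.conf
# The "*" in this anchor is a regex quantifier unless escaped; unescaped, the
# pattern never matched and the domain idmap block was never written.
sudo sed -i "/idmap config \* : range = /a \ # idmap config for the $workgroup domain\n idmap config $workgroup:backend = ad\n idmap config $workgroup:schema_mode = rfc2307\n idmap config $workgroup:range = 10000-999999" /etc/samba/smb.conf
sudo sed -i "/idmap config $workgroup:range = /a \ idmap config $workgroup: unix_nss_info = yes\n idmap config $workgroup: unix_primary_group = yes" /etc/samba/smb.conf
sudo sed -i "/unix_primary_group = /a \ # Template settings for login shell and home directory\n template shell = /bin/bash\n template homedir = /home/%U" /etc/samba/smb.conf
# winbind settings (the original wrote "winbind use default domain" twice).
sudo sed -i "/template homedir/a \ winbind enum users = yes\n winbind enum groups = yes\n winbind use default domain = yes\n winbind offline logon = no\n winbind cache time = 300\n winbind nss info = rfc2307" /etc/samba/smb.conf
# Hardening: anonymous access denied and no guest mapping; the protocol
# settings are left commented out as in the original.
sudo sed -i "/winbind nss info = /a \ server signing = auto\n# server role check:inhibit = yes\n# dsdb:schema update allowed = yes\n# drs:max object sync = 1200\n# kernel share modes = yes\n# client use spnego = yes\n# client NTLMv2 auth = yes\n# client min protocol = SMB2\n# client max protocol = SMB3\n# server min protocol = SMB2\n# server max protocol = SMB3\n restrict anonymous = 2\n map to guest = Never" /etc/samba/smb.conf
# Logging ("n\log" in the original produced an unknown "nlog level" parameter).
sudo sed -i "/map to guest/a \ log level = 3" /etc/samba/smb.conf
sudo sed -i "/log level/a log file = /var/log/samba/samba.log" /etc/samba/smb.conf
sudo sed -i "/log file/a max log size = 100000" /etc/samba/smb.conf
# LDAPS: key and certificate are relative to Samba's private dir, i.e. the
# files created by the certificate section below; "tls cafile" stays empty
# because that certificate is self-signed.
sudo sed -i "/max log size/a \n# Configuring LDAP over SSL (LDAPS)\ntls enabled = yes\ntls keyfile = tls/samba.key\ntls certfile = tls/samba.crt\ntls cafile = " /etc/samba/smb.conf
sudo sed -i "/tls cafile/a # printing = CUPS" /etc/samba/smb.conf
# The share files written below are only used once these includes are
# uncommented.
sudo sed -i "/printing = /a # include = /etc/samba/shares.conf\n# include = /etc/samba/profiles.conf\n# include = /etc/samba/printers.conf" /etc/samba/smb.conf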
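# Incomplete: one line still needs to be changed.
# Share definitions.  They are appended (tee -a) with quoted here-documents,
# so the "%U"/"%S" Samba macros are written literally and re-running this
# section duplicates the stanzas (delete the files first on a re-run).
# Roaming Windows User Profiles
sudo tee -a /etc/samba/profiles.conf >/dev/null <<'EOF'
[profiles]
 comment = Users profiles
 path = /srv/samba/profiles/
 browseable = No
 read only = No
 force create mode = 0600
 force directory mode = 0700
 csc policy = disable
 store dos attributes = yes
 vfs objects = acl_xattr
EOF
sudo mkdir -p /srv/samba/profiles/
# "Domain Users" is an AD group: it only resolves once winbind is serving the
# domain, and samba-ad-dc is started further down, so this chgrp is expected
# to fail on the first run and has to be repeated afterwards.
sudo chgrp -R "Domain Users" /srv/samba/profiles/
sudo chmod 1750 /srv/samba/profiles/
# Creating /etc/samba/shares.conf
sudo tee -a /etc/samba/shares.conf >/dev/null <<'EOF'
[homes]
 comment = Directorios de usuario
 path = /home/%S
 read only = no
 browseable = no
 create mask = 0611
 directory mask = 0711
 vfs objects = acl_xattr full_audit
 full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename
 full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename
EOF
# Creating /etc/samba/printers.conf
sudo tee -a /etc/samba/printers.conf >/dev/null <<'EOF'
[printers]
 path = /var/spool/samba/
 printable = yes
EOF
# Spool directory (the original ran these two without sudo and so could not
# create a directory under /var/spool).
sudo mkdir -p /var/spool/samba/
sudo chmod 1777 /var/spool/samba/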
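# smbcontrol all reload-config
# winbind, PAM settings
# Ubuntu pads the database name in nsswitch.conf with several spaces
# ("passwd:         compat systemd"), so the single-space patterns of the
# original never matched; [[:space:]]+ accepts either layout.
sudo sed -ri 's/^(passwd:[[:space:]]+compat) systemd/\1 winbind/' /etc/nsswitch.conf
sudo sed -ri 's/^(group:[[:space:]]+compat) systemd/\1 winbind/' /etc/nsswitch.conf
# Kept from the original: swaps the "myhostname" NSS module for "mdns" on the
# hosts: line — TODO(review): confirm this is intended (mdns needs libnss-mdns).
sudo sed -ri 's/dns myhostname/dns mdns/g' /etc/nsswitch.conf
# sudo sed -ri 's/pam_winbind.so use_authtok try_first_pass/pam_winbind.so try_first_pass/g' /etc/pam.d/common-password
sudo pam-auth-update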
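# Bind9 settings
# Root hints and the DNSSEC trust anchor, fetched over HTTPS so they cannot
# be altered in transit (the original fetched the hints over plain HTTP).
sudo wget -q -O /etc/bind/db.root https://www.internic.net/zones/named.root
sudo wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
# named.conf pulls in the Samba DLZ zones, the logging file and the rndc
# key/controls.  Quoted here-documents keep the inner double quotes; inside
# the original single-quoted `bash -c` string the quotes around rndc-key
# were consumed by the shell.
sudo tee -a /etc/bind/named.conf >/dev/null <<'EOF'
include "/var/lib/samba/private/named.conf";
include "/etc/bind/named.conf.logging";
include "/etc/bind/rndc.key";
include "/etc/bind/rndc.conf";
EOF
sudo tee -a /etc/bind/rndc.conf >/dev/null <<'EOF'
controls {
 inet 127.0.0.1 port 953 allow { localhost; } keys { "rndc-key"; };
};
EOF
# Let the bind group read the keytab Samba generated for GSS-TSIG updates.
sudo chgrp bind /var/lib/samba/private/dns.keytab
sudo chmod g+r /var/lib/samba/private/dns.keytab
sudo rndc-confgen -a
sudo chown root:bind /etc/bind/rndc.key
sudo chmod 640 /etc/bind/rndc.key
sudo sed -i "/directory/a \ sortlist {\n { $network ;{ $network ; };};\n };" /etc/bind/named.conf.options
# Reverse zone file: start from db.local, owned by bind so dynamic updates
# can rewrite it.
sudo cp -b /etc/bind/db.local "/var/lib/bind/db.$reverse"
sudo chown bind:bind "/var/lib/bind/db.$reverse"
sudo chmod 640 "/var/lib/bind/db.$reverse"
sudo sed -ri 's/RESOLVCONF=no/RESOLVCONF=yes/g' /etc/default/bind9
# ACLs and the reverse zone.  An unquoted here-document expands $network,
# $reverse and $domain; the original single-quoted `bash -c` strings wrote
# the literal text "$network;" and "zone $reverse.in-addr.arpa", which is not
# a valid address or zone name for named.
# TODO(review): confirm the "grant $domain. subdomain ..." identity is the
# intended update-policy principal; it is kept as the author wrote it.
sudo tee -a /etc/bind/named.conf.local >/dev/null <<EOF
acl "trusted" {
 localhost;
 localnets;
};

acl "internal-local-nets" {
 $network;
};

zone "$reverse.in-addr.arpa" {
 type master;
 file "/var/lib/bind/db.$reverse";
 update-policy {
 // The only allowed dynamic updates are PTR records
 grant $domain. subdomain $reverse.in-addr.arpa. PTR TXT;
 // Grant from localhost
 grant local-ddns zonesub any;
 };
};

EOF
# Cache/resource limits and listeners, appended right after "directory".
sudo sed -i "/directory/a \ cleaning-interval 1440;\n max-cache-ttl 2419200;\n max-ncache-ttl 86400;\n max-cache-size unlimited;\n stacksize unlimited;\n datasize unlimited;\n coresize unlimited;\n \n listen-on { any; };" /etc/bind/named.conf.options
# Authoritative answers for everyone; recursion and the cache only for the
# "trusted" ACL; zone transfers refused.
sudo sed -i "/listen-on-v6/a \ allow-query { any; };\n allow-recursion { trusted; };\n allow-query-cache { trusted; };\n allow-transfer { none; };\n notify no;" /etc/bind/named.conf.options
sudo sed -i "/dnssec-validation/a \ #dnssec-lookaside auto;" /etc/bind/named.conf.options
# Uncomment the stock forwarders block and replace its 0.0.0.0 placeholder
# with the forwarders entered earlier ("[" is the s-command delimiter here;
# the answer is substituted verbatim, so "&", "\" or "[" in it would alter
# the replacement).
sudo sed -i 's[// forwarders[forwarders[g' /etc/bind/named.conf.options
sudo sed -i "s[// \t0.0.0.0;[ $forwarders[g" /etc/bind/named.conf.options
sudo sed -i "s[// };[};[g" /etc/bind/named.conf.options
# GSS-TSIG keytab for Samba's dynamic DNS updates (a space now separates the
# directive from its quoted value), with an explanatory comment inserted
# ("i") before it.
sudo sed -i "/listen-on-v6/a \ tkey-gssapi-keytab \"/var/lib/samba/private/dns.keytab\";" /etc/bind/named.conf.options
sudo sed -i "/tkey-gssapi-keytab/i \ // DNS dynamic updates via Kerberos \"/var/lib/samba/private/dns.keytab\";" /etc/bind/named.conf.options
sudo sed -i "/notify no/a \ empty-zones-enable no;" /etc/bind/named.conf.options
sudo sed -i 's[//include[include[g' /etc/bind/named.conf.local
# AppArmor local override: let named load the Samba DLZ module and read the
# AD database, smb.conf and the keytab, and write under /var/log/bind.
sudo tee -a /etc/apparmor.d/local/usr.sbin.named >/dev/null <<'EOF'
# Samba4 DLZ and Active Directory Zones (default source installation)
/usr/lib/x86_64-linux-gnu/ldb/** rwmk,
/usr/lib/x86_64-linux-gnu/samba/** rwmk,
/var/lib/samba/** rm,
/var/lib/samba/private/dns/** rwmk,
/etc/samba/smb.conf r,
/var/lib/samba/private/named.conf r,
/var/lib/samba/private/dns.keytab r,
/etc/bind/rndc.key r,
/var/tmp/** rwmk,
/dev/urandom rw,
/var/log/bind/** rw,
EOF
# Logging channels.  The files live under /var/log/bind, the directory created
# and made writable for the bind user below and allowed by the AppArmor rule
# above; the original pointed them at /var/log/*.log, where named has no
# write permission.
sudo tee -a /etc/bind/named.conf.logging >/dev/null <<'EOF'
logging {
 channel update_debug {
 file "/var/log/bind/update_debug.log" versions 3 size 100k;
 severity debug;
 print-severity yes;
 print-time yes;
 };
 channel security_info {
 file "/var/log/bind/security_info.log" versions 1 size 100k;
 severity info;
 print-severity yes;
 print-time yes;
 };
 channel bind_log {
 file "/var/log/bind/bind.log" versions 3 size 1m;
 severity info;
 print-category yes;
 print-severity yes;
 print-time yes;
 };

 category default { bind_log; };
 category lame-servers { null; };
 category update { update_debug; };
 category update-security { update_debug; };
 category security { security_info; };
};
EOF
sudo mkdir -p /var/log/bind
sudo chown -R bind:root /var/log/bind
sudo chmod -R 775 /var/log/bind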
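# NTP settings
# Chrony: allow the ntp_signd socket in AppArmor, let Samba sign NTP replies
# for Windows clients, and serve time to the local network.
sudo tee -a /etc/apparmor.d/local/usr.sbin.chronyd >/dev/null <<'EOF'
# samba4 ntp signing socket
/var/lib/samba/ntp_signd/socket rw,
EOF
sudo install -d /var/lib/samba/ntp_signd
sudo chown root:_chrony /var/lib/samba/ntp_signd
sudo chmod 750 /var/lib/samba/ntp_signd
# Replace the four stock Ubuntu pool lines by regional servers.
sudo sed -ri 's/pool ntp.ubuntu.com iburst maxsources 4/server 0.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
sudo sed -ri 's/pool 0.ubuntu.pool.ntp.org iburst maxsources 1/server 1.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
sudo sed -ri 's/pool 1.ubuntu.pool.ntp.org iburst maxsources 1/server 2.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
sudo sed -ri 's/pool 2.ubuntu.pool.ntp.org iburst maxsources 2/server 3.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
# Appended in one unquoted here-document so $ipaddress, $broadcast and
# $network are expanded; the original single-quoted `bash -c` strings wrote
# the literal text "bindcmdaddress $ipaddress" etc., which chronyd cannot
# parse.
sudo tee -a /etc/chrony/chrony.conf >/dev/null <<EOF
# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
hwclockfile /etc/adjtime
bindcmdaddress $ipaddress
broadcast 60 $broadcast
allow $network
ntpsigndsocket /var/lib/samba/ntp_signd
EOF
# Keep the hardware clock in local time (Windows convention); this is a
# host-wide setting, not limited to Samba.
sudo timedatectl set-local-rtc 1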
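# Self-signed certificate
# Replace the certificate Samba generated at provisioning with a key pair
# under the names smb.conf points to (tls/samba.key, tls/samba.crt).
sudo rm -f /var/lib/samba/private/tls/cert.pem
sudo rm -f /var/lib/samba/private/tls/key.pem
sudo rm -f /var/lib/samba/private/tls/ca.pem
# sudo openssl req -newkey rsa:2048 -keyout /var/lib/samba/private/tls/samba.key -nodes -x509 -days 365 -out /var/lib/samba/private/tls/samba.crt
# sudo chmod 600 /var/lib/samba/private/tls/samba.key
# Trusted certificate
# The CSR subject is set to the DC's FQDN instead of being typed at the
# prompt.  The result is still self-signed (the CSR is signed with its own
# key); to use a CA-issued certificate, have your CA sign samba.csr and set
# "tls cafile" in smb.conf.
tls_dir=/var/lib/samba/private/tls
sudo openssl genrsa -out "$tls_dir/samba.key" 2048
# Restrict the private key as soon as it exists, not only at the end.
sudo chmod 600 "$tls_dir/samba.key"
sudo openssl req -new -key "$tls_dir/samba.key" -subj "/CN=$hostname.$domain" -out "$tls_dir/samba.csr"
sudo openssl x509 -req -days 365 -in "$tls_dir/samba.csr" -signkey "$tls_dir/samba.key" -out "$tls_dir/samba.crt"
sudo chmod 600 "$tls_dir/samba.key"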
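# Start the domain controller and reload everything reconfigured above.
sudo systemctl start samba-ad-dc
sudo systemctl enable samba-ad-dc
sudo systemctl daemon-reload
sudo systemctl reload apparmor
sudo systemctl restart systemd-networkd
sudo systemctl restart systemd-resolved
sudo systemctl restart bind9
sudo systemctl restart chrony
# Kerberos realm names are case-sensitive and samba-tool provision stores the
# realm in upper case, so the principal uses the upper-cased domain
# (a no-op when the domain was already typed in upper case).
kinit "administrator@${domain^^}"
# The DC's own DNS update account (dns-<hostname>) needs DnsAdmins membership.
sudo samba-tool group addmembers DnsAdmins "dns-$hostname"
sudo samba-tool user setpassword administrator
sudo samba-tool user setexpiry administrator --noexpiry
# Domain password policy, kept as the author set it.  Note the weak choices:
# --history-length=0 allows immediate reuse, --max-pwd-age=0 disables
# expiry, and --account-lockout-threshold=0 disables lockout entirely, which
# makes the lockout-duration and reset values below ineffective.
sudo samba-tool domain passwordsettings set --complexity=on
sudo samba-tool domain passwordsettings set --store-plaintext=off
sudo samba-tool domain passwordsettings set --history-length=0
sudo samba-tool domain passwordsettings set --min-pwd-age=0
sudo samba-tool domain passwordsettings set --max-pwd-age=0
sudo samba-tool domain passwordsettings set --min-pwd-length=7
sudo samba-tool domain passwordsettings set --account-lockout-duration=30
sudo samba-tool domain passwordsettings set --account-lockout-threshold=0
sudo samba-tool domain passwordsettings set --reset-account-lockout-after=30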
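# Configuring DHCP Server
# Service account for GSS-TSIG dynamic DNS updates from ISC DHCP.  Its
# keytab is the credential: it is kept root-only here and must be made
# readable by the DHCP service account when that service is configured
# (this section is unfinished).
sudo samba-tool user create dhcpduser --description="Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server" --random-password
sudo samba-tool user setexpiry dhcpduser --noexpiry
sudo samba-tool group addmembers DnsAdmins dhcpduser
# Same realm rule as for kinit: the Kerberos realm is the upper-cased domain.
sudo mkdir -p /etc/isc-dhcp-server
sudo samba-tool domain exportkeytab --principal="dhcpduser@${domain^^}" /etc/isc-dhcp-server/dhcpduser.keytab
sudo chmod 600 /etc/isc-dhcp-server/dhcpduser.keytab
# incomplete, in development
exit 0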
-
woao, más de 200 han visto mi tema y nadie opina nada... :'(