domingo, 17 de setembro de 2023

Script de instalação do Samba4 com Bind9 no Debian 12 | Samba4Easy



Atenção: altere as variáveis abaixo conforme seu ambiente. O script deve ser executado como root em uma instalação limpa; ele reconfigura rede, DNS, Kerberos, AppArmor e NTP do servidor, portanto revise cada bloco antes de colar no terminal e não deixe a senha do Administrator gravada no arquivo (exporte-a no ambiente ou digite-a quando solicitado).

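dc_domain_realm=sky.net
## Domain Administrator password ##
# Do not keep the real password in this file: the script is pasted into
# shells, copied around and backed up. Export SAMBA_ADMIN_PASS (or pass=...)
# before running, or leave it empty to be prompted without echo.
pass="${pass:-${SAMBA_ADMIN_PASS:-}}"
if [ -z "$pass" ]; then
  read -r -s -p "Administrator password for ${dc_domain_realm}: " pass
  echo
fi
gateway=192.168.0.1
dc_domain="${dc_domain_realm^^}"      # Kerberos realm, e.g. SKY.NET
domain="${dc_domain%%.*}"             # NetBIOS / workgroup name, e.g. SKY
## Server name: FQDN in lower case ##
hostname="${HOSTNAME,,}.${dc_domain_realm,,}"
#hostnamectl set-hostname "$hostname"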

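## Primary IPv4 address and the interface that carries it ##
# hostname -I can print several addresses; the first one is used, which is
# what the original per-octet cut chain effectively selected.
ip_addr=$(hostname -I | awk '{print $1}')
IFS=. read -r ip1 ip2 ip3 ip4 <<< "$ip_addr"
## Network interface ##
# Match the whole "a.b.c.d/" address token of `ip -o -4 addr` instead of
# grepping for the first octet, which could hit an unrelated line/interface.
nic=$(ip -o -4 addr show | awk -v a="$ip_addr" 'index($4, a "/") == 1 {print $2; exit}')
[ -n "$nic" ] || echo "WARNING: could not determine the interface holding $ip_addr" >&2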

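## Prefer IPv4 answers from getaddrinfo() ##
# Append only once; the original unconditional >> added a duplicate line on
# every run of the script.
grep -qxF 'precedence ::ffff:0:0/96  100' /etc/gai.conf 2>/dev/null \
  || echo "precedence ::ffff:0:0/96  100" >> /etc/gai.conf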

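## Static network configuration for the detected interface ##
# Take the prefix length from the running interface instead of assuming /24,
# and derive netmask/broadcast from it (the original hard-coded both).
prefix=$(ip -o -4 addr show dev "$nic" | awk '{split($4, a, "/"); print a[2]; exit}')
prefix=${prefix:-24}
mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
addr=$(( (ip1 << 24) | (ip2 << 16) | (ip3 << 8) | ip4 ))
bcast=$(( addr | (~mask & 0xFFFFFFFF) ))
netmask="$(( (mask >> 24) & 255 )).$(( (mask >> 16) & 255 )).$(( (mask >> 8) & 255 )).$(( mask & 255 ))"
broadcast="$(( (bcast >> 24) & 255 )).$(( (bcast >> 16) & 255 )).$(( (bcast >> 8) & 255 )).$(( bcast & 255 ))"

mv /etc/network/interfaces /etc/network/interfaces.bkp
cat > /etc/network/interfaces << EOL
source /etc/network/interfaces.d/*
EOL
# Overwrite (not append) so re-running does not stack duplicate stanzas.
# The DC must resolve only through itself: a public fallback resolver such
# as 8.8.8.8 cannot answer the AD SRV/A records and makes lookups flaky.
# Names outside the domain are reached through the forwarder configured in
# Samba/BIND later in this script.
cat > "/etc/network/interfaces.d/$nic" << EOL
auto $nic
iface $nic inet static
address $ip1.$ip2.$ip3.$ip4
netmask $netmask
broadcast $broadcast
gateway $gateway
dns-search $dc_domain_realm
dns-nameservers $ip1.$ip2.$ip3.$ip4
EOL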

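## resolv.conf: the DC resolves only through its own DNS ##
mv /etc/resolv.conf /etc/resolv.conf.bkp
# "domain" and "search" are mutually exclusive (the last one wins), so only
# "search" is written. No external nameserver: a public resolver listed here
# cannot answer AD records and breaks lookups whenever it is tried first.
cat > /etc/resolv.conf << EOL
nameserver $ip1.$ip2.$ip3.$ip4
#nameserver $gateway
search $dc_domain_realm
EOL
echo
/etc/init.d/networking restart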
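clear
echo
echo "-------------------------------------"
echo " Bem-Vindo a Instalação do Samba4    "
echo "-------------------------------------"
hostnamectl
echo "----------------------------------------"
echo "Interface de Rede: $nic "
echo "IP: $ip1.$ip2.$ip3.$ip4"
echo "Dominio Realm: $dc_domain_realm"
echo "Dominio FQDN: $dc_domain"
echo "Dominio: $domain"
# The Administrator password is deliberately not echoed: it would end up in
# the terminal scrollback and in any session recording/log.
echo "Gateway: $gateway"
echo "----------------------------------------"
cat "/etc/network/interfaces.d/$nic"
echo "----------------------------------------"
cat /etc/resolv.conf
echo "----------------------------------------"
sleep 5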
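echo
echo "-------------------------------------"
echo " Instalando o Samba4                 "
echo "-------------------------------------"
echo
# Refresh the package lists first: on a fresh install they may be stale or
# empty and the whole transaction would fail. apt-get has a stable CLI for
# scripts; the package set is the same as before.
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y samba wget net-tools dnsutils sudo smbclient ntpsec ntpdate cifs-utils libnss-winbind libpam-winbind acl ldap-utils attr ldb-tools smbldap-tools smbios-utils bind9 quota
# krb5-user asks for the default realm interactively; stay non-interactive,
# /etc/krb5.conf is replaced with the Samba-generated one later anyway.
DEBIAN_FRONTEND=noninteractive apt-get install -y krb5-user libpam-krb5
sleep 3
echo
echo " Instalação Concluída "
echo
samba -V
echo "Arquivo de configuração:"
smbd -b | grep "CONFIGFILE"
sleep 3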
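echo
echo "-------------------------------------"
echo " Ajustando arquivos do SAMBA4 "
echo "-------------------------------------"
echo
sleep 3
echo
echo "----------------------------------------"
echo " Desativando IPV6 "
echo "----------------------------------------"
## Disable IPv6 ##
# The original hard-coded "eth0"; use the interface detected earlier. Guard
# the append so re-running the script does not duplicate the keys.
# NOTE(review): disabling IPv6 on a DC is a local choice, not a Samba
# requirement; Samba and BIND run dual-stack.
if ! grep -q '^net.ipv6.conf.all.disable_ipv6' /etc/sysctl.conf; then
cat >> /etc/sysctl.conf << EOL
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.${nic:-eth0}.disable_ipv6 = 1
EOL
fi
/etc/init.d/networking restart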
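echo
##       /etc/hosts     ##
# The DC's FQDN must resolve to its LAN address. The original also put
# "localhost" on that line, which made localhost an alias of the LAN IP;
# that alias is dropped. IPv6 entries stay commented out because IPv6 is
# disabled above.
mv /etc/hosts /etc/hosts.bkp
cat > /etc/hosts << EOL
127.0.0.1 localhost
$ip1.$ip2.$ip3.$ip4 $hostname $HOSTNAME
#::1     ip6-localhost ip6-loopback
#fe00::0 ip6-localnet
#ff00::0 ip6-mcastprefix
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
EOL
## Move the stock smb.conf out of the way; provisioning generates its own ##
mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
echo " Concluído! "
echo
# Apply the sysctl changes made above.
sysctl -p
echo
echo " Concluído! "
echo
sleep 2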
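echo "-------------------------------------"
echo " Provisioando o seu Dominio agora!   "
echo "-------------------------------------"
echo
## Provision the domain (BIND9 DLZ backend, interfaces restricted to lo + LAN) ##
# NOTE(review): --adminpass puts the password in the process argument list,
# visible in ps/audit logs while provisioning runs. samba-tool prompts for
# it when the option is omitted, which is preferable in an interactive run.
# The result is checked because every later step depends on it; there is no
# "exit" here on purpose — this script is pasted into a login shell.
if samba-tool domain provision --use-rfc2307 --server-role=dc --dns-backend=BIND9_DLZ \
     --realm="$dc_domain_realm" --domain="$domain" --adminpass="$pass" \
     --option="interfaces=lo $nic" --option="bind interfaces only=yes"; then
  echo " Provisionamento concluído."
else
  echo "ERRO: samba-tool domain provision falhou; os passos seguintes não vão funcionar." >&2
fi
# Stop the classic file-server daemons: on an AD DC, samba-ad-dc runs them.
systemctl unmask smbd nmbd winbind
systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
echo
sleep 5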

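echo "-------------------------------------"
echo " Ajustando configurações...          "
echo "-------------------------------------"
echo

## Enable the dlz_bind9 module matching the installed BIND minor version ##
# `named -v` prints e.g. "BIND 9.18.19-1-Debian (...)"; keep the minor (18).
# The original computed this value and then hard-coded "_18" anyway.
bind_minor=$(named -v | awk '{print $2}' | cut -d '.' -f 2)
samba_named=/var/lib/samba/bind-dns/named.conf
if grep -q "dlz_bind9_${bind_minor}\.so" "$samba_named"; then
  # Samba ships every "database dlopen ..." line commented out; uncomment
  # only the one for this BIND version.
  sed -i "/dlz_bind9_${bind_minor}\.so/s/^[[:space:]]*#[[:space:]]*//" "$samba_named"
else
  echo "WARNING: no dlz_bind9_${bind_minor}.so entry in $samba_named; enable the right module by hand" >&2
fi

## Include Samba's zone definition in BIND (only once) ##
cp /etc/bind/named.conf.local /etc/bind/named.conf.local.bkp
grep -qF "$samba_named" /etc/bind/named.conf.local || cat >> /etc/bind/named.conf.local << EOL
include "$samba_named";
EOL

## Let BIND accept GSS-TSIG dynamic updates signed with Samba's DNS keytab ##
cp /etc/bind/named.conf.options /etc/bind/named.conf.options.bkp
if ! grep -q 'tkey-gssapi-keytab' /etc/bind/named.conf.options; then
  sed -i 's/any; };/any; };\
bindkeys-file "\/etc\/bind\/bind.keys";\
tkey-gssapi-keytab "\/var\/lib\/samba\/bind-dns\/dns.keytab"; \
/g' /etc/bind/named.conf.options
fi

## Keep a copy of the managed DNSSEC trust anchors ##
mkdir -p /var/cache/bind/bkp
cp /var/cache/bind/managed-keys.bind* /var/cache/bind/bkp 2>/dev/null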

## AppArmor: widen the named profile for the Samba DLZ module ##
# Anchors on the "# Samba DLZ" comment of the packaged profile (the sed is a
# no-op if that comment is absent). NOTE(review): several rules are broader
# than the module needs — compare with what the stock profile already grants:
#   - "/var/lib/samba/private/** mlrwk" gives named read/write access to the
#     whole private directory (secrets.tdb/secrets.ldb, sam.ldb, TLS key).
#     The DLZ backend is documented to work from /var/lib/samba/bind-dns/ and
#     the DNS partition files it links to; confirm against the Samba wiki and
#     scope the rule down accordingly.
#   - "/usr/lib/x86_64-linux-gnu/samba/** mlr" is hard-wired to amd64.
#   - "/var/lib/samba/ntpsec_signd/" does not match the socket directory this
#     script configures elsewhere (/var/lib/samba/ntp_signd/), so that rule
#     is presumably dead.
cp /etc/apparmor.d/usr.sbin.named /etc/apparmor.d/usr.sbin.named.bkp
sudo sed -i 's/# Samba DLZ/# Samba DLZ\n\
  \/var\/lib\/samba\/bind-dns\/named.conf r,\
  \/var\/lib\/samba\/private\/named.conf r,\
  \/usr\/lib\/x86_64-linux-gnu\/samba\/\*\* mlr,\
  \/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/\*\* mlr,\
  \/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/dlz_bind9.so mlr,\
  \/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/dlz_bind9_9.so mlr,\
  \/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/dlz_bind9_10.so mlr,\
  \/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/dlz_bind9_11.so mlr,\
  \/usr\/lib\/x86_64-linux-gnu\/ldb\/modules\/ldb\/\*\* mlrwk,\
  \/var\/lib\/samba\/private\/\*\* mlrwk,\
  \/var\/lib\/samba\/ntpsec_signd\/\*\* rwlkix,\
/g' /etc/apparmor.d/usr.sbin.named

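## Directory-partition permissions for named ##
# Never make these world-writable (the original ran "chmod 777 -R" here):
# sam.ldb.d holds the whole AD database, including every password hash.
# Provisioning with --dns-backend=BIND9_DLZ already grants group "bind" the
# access it needs to the DNS partitions; if named still logs permission
# errors, run `samba_upgradedns --dns-backend=BIND9_DLZ` (which resets those
# modes) instead of loosening them. Strip any "other" access that exists.
chmod -R o-rwx /var/lib/samba/private/sam.ldb.d/
systemctl restart apparmor
# Validate the BIND configuration before restarting the daemon, so a syntax
# error is reported instead of silently leaving DNS down.
if named-checkconf; then
  systemctl restart bind9
else
  echo "ERRO: named-checkconf falhou; bind9 não foi reiniciado" >&2
fi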

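## Back up the distribution krb5.conf and start from the one Samba generated ##
mv /etc/krb5.conf /etc/krb5.conf.bkp
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
cp /etc/krb5.conf /etc/krb5.conf.bkp.krb5

## Extra [libdefaults] settings ##
# Security: the original forced default_tgs_enctypes/default_tkt_enctypes to
# rc4-hmac and des3, and "permitted_enctypes" to single DES + des3. Those are
# broken/deprecated and would exclude AES, which Samba issues by default; no
# enctype override is set here.
# "default_ccache_name = /etc/samba/krb5cc_%{uid}" was dropped too: non-root
# users cannot create a cache under /etc/samba, so kinit failed for them.
# "udp_preference_limit" appeared twice (1000000 and 1); the profile library
# uses the first value. 1 (prefer TCP) is kept because AD tickets with large
# PACs do not fit in a UDP datagram — confirm against your client mix.
sed -i '/^\[libdefaults\]/a\
rdns = false\
ticket_lifetime = 86400\
renew_lifetime = 604800\
forwardable = true\
udp_preference_limit = 1\
kdc_timeout = 3000' /etc/krb5.conf

## [realms] / [domain_realm] / [logging] ##
# The Samba-generated file holds only [libdefaults] (default_realm,
# dns_lookup_realm, dns_lookup_kdc), so the original sed edits anchored on
# "REALM = {" and "HOST = REALM" lines never matched, while it still turned
# dns_lookup_kdc off — leaving the library with no KDC at all. The sections
# are written explicitly and dns_lookup_kdc keeps Samba's value (true), so
# both the static entry and DNS discovery work.
cat >> /etc/krb5.conf << EOL

[realms]
	$dc_domain = {
		kdc = $hostname
		admin_server = $hostname
	}

[domain_realm]
	.$dc_domain_realm = $dc_domain
	$dc_domain_realm = $dc_domain

[logging]
	kdc = FILE:/var/log/krb5kdc.log
	admin_server = FILE:/var/log/kadmin.log
	default = FILE:/var/log/krb5lib.log
EOL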

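echo " Concluído! "
echo
echo "----------------------------------------"
echo " Configurando o SAMBA4                  "
echo "----------------------------------------"
echo
## NSS: resolve domain users and groups through winbind ##
# The original replaced "files" with "compat files systemd" and never added
# winbind, so getent/login for domain accounts could not work. Append
# winbind to the passwd and group lines, once.
for db in passwd group; do
  if ! grep -Eq "^${db}:.*[[:space:]]winbind([[:space:]]|$)" /etc/nsswitch.conf; then
    sed -i -E "s/^(${db}:[[:space:]]+[^#]*[^[:space:]#])/\1 winbind/" /etc/nsswitch.conf
  fi
done

## Map local root to the domain Administrator for SMB access ##
# Overwrite rather than append so re-runs do not stack duplicate lines.
cat > /etc/samba/user.map << EOL
!root = $domain\Administrator $domain\administrator Administrator administrator
EOL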

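## DNS forwarder for names outside the AD zone ##
cp /etc/samba/smb.conf /etc/samba/smb.conf.bkp.provision
# Provisioning copies the first resolv.conf nameserver (this very host) into
# "dns forwarder", and the original then inserted "dns forwarder = 8.8.8.8"
# followed by "dns forwarder = <own IP>"; the last occurrence wins, so the DC
# ended up forwarding to itself. Set a single, external forwarder.
# NOTE: with --dns-backend=BIND9_DLZ recursion/forwarding is BIND's job
# ("forwarders { ... };" in named.conf.options); this key only matters for
# the SAMBA_INTERNAL backend.
dns_forwarder="${dns_forwarder:-8.8.8.8}"
if grep -q '^[[:space:]]*dns forwarder' /etc/samba/smb.conf; then
  sed -i "s/^\([[:space:]]*dns forwarder\)[[:space:]]*=.*/\1 = $dns_forwarder/" /etc/samba/smb.conf
else
  sed -i "/^\[global\]/a\\\tdns forwarder = $dns_forwarder" /etc/samba/smb.conf
fi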

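cp /etc/samba/smb.conf /etc/samba/smb.conf.initial
## Global settings inserted just before [sysvol] (i.e. at the end of [global]) ##
# Done with a temp file + awk instead of a 50-line sed replacement.
# Settings deliberately NOT carried over from the original:
#  - "ldap server require strong auth = no": allows simple LDAP binds that
#    send the password in clear text over unencrypted connections; Samba's
#    default (yes) is kept.
#  - "map to guest = Bad User": turns failed authentications into guest
#    sessions; there is no guest use case on a domain controller.
#  - "hosts allow = ALL": same as the default (no restriction), only misleading.
#  - "passdb backend = tdbsam" and "password server = <IP>": not applicable to
#    an AD DC, which authenticates against the directory itself — review.
# NOTE(review): "idmap config <DOMAIN> : backend = ad" for the DC's own
# domain is kept as in the original, but Samba documents that a DC ignores an
# idmap configuration for its own domain; verify before relying on it.
smb_extra=$(mktemp)
cat > "$smb_extra" << EOL
#winbind enum users = yes
#winbind enum groups = yes
#winbind nss info = rfc2307

template homedir = /home/%U
template shell = /bin/bash
        create mask = 0664
        directory mask = 0775

logging = file
max log size = 1000
log file = /var/log/samba/log.%m
log level = 1

kerberos method = secrets and keytab

vfs objects = dfs_samba4 acl_xattr recycle
#vfs objects = acl_xattr
#vfs objects = dfs_samba4 acl_xattr audit

map acl inherit = yes
acl allow execute always = yes
store dos attributes = yes
username map = /etc/samba/user.map
#enable privileges = yes
preferred master = yes
case sensitive = No

wins support = yes
name resolve order = lmhosts host wins bcast

## Desabilita compartilhamento de impressoras
printcap name = /dev/null
load printers = no
disable spoolss = yes
printing = bsd

#security = user
idmap config $domain : unix_nss_info = no
idmap config $domain : backend = ad
#idmap config $domain : range = 10000-59999
idmap config * : backend = tdb
        idmap config * : range = 3000-7999

EOL
awk -v f="$smb_extra" '/^\[sysvol\]/ { while ((getline l < f) > 0) print l; close(f) } { print }' \
  /etc/samba/smb.conf > "$smb_extra.new" && cat "$smb_extra.new" > /etc/samba/smb.conf
rm -f "$smb_extra" "$smb_extra.new"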

## Also list the address/prefix explicitly in "interfaces" ##
sudo sed -i "s|interfaces = lo $nic|interfaces = lo $nic $ip1.$ip2.$ip3.$ip4/24|g" /etc/samba/smb.conf

## Normalise the daemon name in smb.conf (no-op if "winbindd" is absent) ##
sudo sed -i 's/winbindd/winbind/g' /etc/samba/smb.conf

## Pick up the new configuration ##
sudo systemctl restart bind9
sudo smbcontrol all reload-config
#sudo systemctl restart samba-ad-dc
printf '%s\n' " Concluído! " ""
## Create home directories on first login (pam_mkhomedir) ##
hr40="----------------------------------------"
printf '%s\n' "$hr40" "Habilitando PAM-AUTH-UPDATE MKHOMEDIR   " "$hr40" ""
sudo pam-auth-update --enable mkhomedir
printf '%s\n' " Concluído! "
sleep 2
## Enable and start the AD DC service ##
printf '\n%s\n' "$hr40"
printf '%s\n' "Habilitando os Serviços do SAMBA4       " "$hr40"
for action in unmask enable start; do
  sudo systemctl "$action" samba-ad-dc
done
sleep 3
printf '\n%s\n\n' " Concluído! "
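echo "----------------------------------------"
echo " Ajustes ntpsec                            "
echo "----------------------------------------"
systemctl stop ntpsec
ntp_conf=/etc/ntpsec/ntp.conf
cp -n "$ntp_conf" "$ntp_conf.bkp"
## Replace the Debian pool entries with the Brazilian public servers ##
# The original edited by line number: "sed -i '23p'" actually duplicates
# line 23 in place, and the three inserts assumed a fixed file layout.
# Anchor on content instead and keep the edit idempotent.
sed -i 's/^pool /#pool /' "$ntp_conf"
for srv in a.ntp.br b.ntp.br c.ntp.br; do
  grep -q "^server $srv " "$ntp_conf" || echo "server $srv iburst" >> "$ntp_conf"
done
echo
## Samba: signed (MS-SNTP) time for Windows clients ##
# "restrict default mssntp" is expected to add the flag to the existing
# default restriction rather than replace "kod nomodify nopeer noquery
# limited" — verify with `ntpq -c reslist` after start. "disable monitor"
# blocks monlist-based amplification.
if ! grep -q '^ntpsigndsocket' "$ntp_conf"; then
cat >> "$ntp_conf" << EOL
# Relogio Local
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Configurações adicionais para o Samba 4
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default mssntp
disable monitor
EOL
fi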

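## Let ntpsec reach Samba's signing socket ##
# The socket directory is owned by root with the daemon's group (Debian 12's
# ntpsec package runs as user/group "ntpsec"); 750 keeps everyone else out.
#sudo chown root:ntp /var/lib/samba/ntp_signd/
chown -v root:ntpsec /var/lib/samba/ntp_signd/
chmod -v 750 /var/lib/samba/ntp_signd/

## cron ##
# The original wrote chrony directives (bindaddress/allow/ntpsigndsocket and
# bindcmdaddress/cmdport) into /etc/cron.d/server.conf and cmd.conf. cron
# parses files in that directory as crontabs, so those lines were at best
# ignored — and chrony is not the time daemon here (ntpsec is). Dropped;
# only make sure cron itself is enabled.
systemctl enable --now cron
echo
echo " Atualizando horário do sistema ...."
echo
# Step the clock once while the daemon is stopped (Kerberos tolerates only a
# few minutes of skew), then start ntpsec.
ntpdate pool.ntp.br
echo
service ntpsec start
sleep 2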
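## Kerberos keytab for local services ##
# Security: the original added ldap/ and cifs/ SPNs to the *Administrator*
# account, which makes that account Kerberoastable (any domain user can ask
# for a service ticket to those SPNs and brute-force Administrator's password
# offline). The DC machine account already carries the SPNs it needs, so no
# SPN is added here. The keytab export stays as before, but the file is made
# root-only: the original "chmod 755" left every exported key world-readable.
# NOTE(review): exportkeytab without --principal writes the keys of every
# domain principal; prefer `--principal=host/$hostname` if only the local
# host key is needed (check the resulting entries with `klist -k`).
samba-tool domain exportkeytab /etc/krb5.keytab
chmod 600 /etc/krb5.keytab
ls -l /etc/krb5.keytab
# Sanity check: obtain a TGT from the keytab and list it.
kinit -kt /etc/krb5.keytab "Administrator@$dc_domain"
klist
sleep 2
echo " Concluído! "
echo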
## Restart the whole stack so every daemon reads its final configuration ##
echo " Reiniciando todos os Serviços ..."
/etc/init.d/networking restart
sudo systemctl daemon-reload
sudo systemctl daemon-reexec
for unit in ntpsec sshd bind9; do
  sudo systemctl restart "$unit"
done
sudo smbcontrol all reload-config
sudo systemctl restart samba-ad-dc
printf '\n%s\n' " Concluído! "
sleep 4
printf '\n%s\n%s\n\n' " Sistema SAMBA4 Instalado com Sucesso!    " "------------------------------------------"
sleep 3
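echo "------------------------------------------"
echo " Cadastrando ZONA REVERSA                 "
echo "------------------------------------------"
echo
## Reverse zone for the DC's /24 and the DC's own PTR ##
# The password is handed to samba-tool on stdin (not argv) and is quoted so
# spaces or glob characters in it survive; the original expanded it bare.
rev_zone="$ip3.$ip2.$ip1.in-addr.arpa"
echo " Cadastrando Zona "
echo "------------------------------------------"
printf '%s\n' "$pass" | samba-tool dns zonecreate "$hostname" "$rev_zone" -U administrator
echo "------------------------------------------"
echo
sleep 2
echo " Cadastrando PTR "
echo "------------------------------------------"
printf '%s\n' "$pass" | samba-tool dns add "$hostname" "$rev_zone" "$ip4" PTR "$hostname" -U administrator
echo "------------------------------------------"
echo
sleep 2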
## Show the domain SID and exercise the SMB shares ##
hr37="-------------------------------------"
hr42="------------------------------------------"
printf '%s\n' "$hr37" "Informações do SID                   " "$hr37"
ldbsearch -H /var/lib/samba/private/sam.ldb DC=$domain | grep objectSid
printf '%s\n' "$hr42"
sleep 2
printf '\n%s\n' "$hr37" " Teste do SMBClient                  " "$hr37"
printf '\n%s\n' "$hr42"
smbclient -L localhost -N
printf '%s\n' "$hr42" "" "$hr42"
# Authenticated listing of the netlogon share (password via stdin).
echo "$pass" | smbclient //localhost/netlogon -U Administrator -c 'ls'
printf '%s\n\n' "$hr42"
sleep 2
## Post-install checks: SRV discovery, reverse DNS, domain level, NTP, NSS ##
hr37="-------------------------------------"
hr42="------------------------------------------"
dc_ip="$ip1.$ip2.$ip3.$ip4"

printf '%s\n' "$hr37" " Teste de Descoberta Kerberos e LDAP" "$hr37" ""
printf '%s\n' " Kerberos" "$hr42"
host -t SRV _kerberos._udp.$dc_domain_realm.
printf '%s\n' "$hr42" ""
printf '%s\n' " LDAP " "$hr42"
host -t SRV _ldap._tcp.$dc_domain_realm.
printf '%s\n' "$hr42" ""
sleep 2

printf '%s\n' "$hr37" " Teste DNS Reverso" "$hr37" ""
printf '%s\n' " Nslookup $dc_domain_realm " "$hr42"
nslookup $dc_domain_realm
echo
printf '%s\n' " Nslookup $dc_ip " "$hr42"
nslookup $dc_ip
echo
printf '%s\n' " Host $dc_ip" "$hr42"
host $dc_ip
echo
sleep 2

printf '%s\n' "$hr37" " Nivel do Dominio ao Windows " "$hr37" "" "$hr42"
sudo samba-tool domain level show
printf '%s\n' "$hr42" ""
sleep 2

printf '%s\n' "$hr42" " Sincronização ntpsec                        " "$hr42" ""
sudo ntpq -p
echo
sleep 2

printf '%s\n' "$hr37" " Teste do GETENT                     " "$hr37" ""
getent passwd administrator
echo
sleep 2
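echo "-------------------------------------"
echo " Conceder privilégios para configurar ACLs pelo Windows "
echo "-------------------------------------"
echo
# Password goes in on stdin, quoted (the original expanded it unquoted).
printf '%s\n' "$pass" | net rpc rights grant "$domain\Administrator" SeDiskOperatorPrivilege -U "$domain\Administrator"
echo
sleep 2
echo "-------------------------------------"
echo " Definindo senha "nunca expira" para administrator"
echo "-------------------------------------"
echo
# NOTE(review): exempting the built-in Administrator from password expiry
# removes the domain password policy from its most privileged account. Keep
# this for lab use only, or rotate that password on a schedule by hand.
samba-tool user setexpiry administrator --noexpiry
echo
sleep 2
echo "-------------------------------------"
echo "## Informações SPN ##"
echo "-------------------------------------"
echo
samba-tool spn list Administrator
echo
echo "-------------------------------------"
echo "## Verifica de tem erros ##"
echo "-------------------------------------"
echo
samba-tool dbcheck --cross-ncs
echo
echo "Sistema Instalado com Sucesso "
echo
sleep 2
echo "-------------------------------------"
echo " O Dominio do sistema é $dc_domain"
# The password is no longer printed: it would stay in the terminal
# scrollback and in any session log.
echo " O usuário é administrator"
echo "-------------------------------------"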


## Troubleshooting notes (commented out; run by hand when needed) ##
# Run named in the foreground with verbose debugging:
#sudo named -f -g -d 10
## Force a full replication of the directory (multi-DC setups only)
#samba-tool drs replicate --full-sync --sync-forced

# To fix errors found in the Active Directory (AD) database, run:
# samba-tool dbcheck --cross-ncs --fix

# To reset wrong Sysvol ACLs, run:
#samba-tool ntacl sysvolreset

# To reset all well-known ACLs in the directory, run:
# samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix

#samba-tool dbcheck

#net ads info
#samba-tool domain passwordsettings show

# Regenerate the self-signed TLS certificate: move/remove the PEM files and
# restart samba-ad-dc (it creates new ones). Back them up first.
#mkdir /var/lib/samba/private/tls/bkp
#mv /var/lib/samba/private/tls/*.pem /var/lib/samba/private/tls/bkp
#rm /var/lib/samba/private/tls/*.pem

# Find and hard-kill a stuck smbd (last resort; prefer systemctl restart).
#pgrep "smbd" | cut -f1 -d" "
#pid=$(pgrep "smbd" | cut -f1 -d" " | head -n 1)
#kill -s 9 $pid
#pgrep "smbd" | cut -f1 -d" "
# Re-register the DC's DNS records / re-run the DNS backend setup:
#samba_dnsupdate --verbose --all-names
#samba_upgradedns --dns-backend=BIND9_DLZ
## KRB5.KEYTAB ##
## Validate a keytab (principals, enctypes, timestamps)
#klist -e -k -t /var/lib/samba/private/secrets.keytab
# NOTE(review): linking secrets.keytab to /etc/krb5.keytab exposes the DC's
# machine secrets to every process that reads the default keytab; keep it
# root-only if you do this.
#sudo ln -s /var/lib/samba/private/secrets.keytab /etc/krb5.keytab
#klist -e -k -t /etc/krb5.keytab

quinta-feira, 7 de setembro de 2023

Provisionamento de Domínio com SAMBA 4 no Debian

################################
## Altere de acordo com seu ambiente #
################################

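dc_domain_realm=sky.net
## Domain Administrator password ##
# Do not keep the real password in this file: it gets pasted, shared and
# backed up. Export SAMBA_ADMIN_PASS (or pass=...) before running, or leave
# it empty to be prompted without echo.
pass="${pass:-${SAMBA_ADMIN_PASS:-}}"
if [ -z "$pass" ]; then
  read -r -s -p "Administrator password for ${dc_domain_realm}: " pass
  echo
fi
gateway=192.168.0.1

dc_domain="${dc_domain_realm^^}"      # Kerberos realm, e.g. SKY.NET
domain="${dc_domain%%.*}"             # NetBIOS / workgroup name, e.g. SKY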

################################

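## Primary IPv4 address and the interface that carries it ##
# hostname -I can print several addresses; the first is used, which is what
# the original per-octet cut chain effectively selected.
ip_addr=$(hostname -I | awk '{print $1}')
IFS=. read -r ip1 ip2 ip3 ip4 <<< "$ip_addr"

# Match the whole "a.b.c.d/" token of `ip -o -4 addr` rather than grepping
# for the first octet, which could hit an unrelated line or interface.
nic=$(ip -o -4 addr show | awk -v a="$ip_addr" 'index($4, a "/") == 1 {print $2; exit}')
[ -n "$nic" ] || echo "WARNING: could not determine the interface holding $ip_addr" >&2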

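##################################
## Prioridade IPV4              ##
##################################
# Append only once; the original added a duplicate line on every run.
grep -qxF 'precedence ::ffff:0:0/96  100' /etc/gai.conf 2>/dev/null \
  || echo "precedence ::ffff:0:0/96  100" >> /etc/gai.conf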

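##################################
##       Nome do Servidor       ##
##################################
# dc_domain is already derived above (the re-assignment here was redundant).
# The FQDN is written in lower case, as the Debian 12 version of this script
# does; the original kept the realm's upper case in the hostname.
hostname="${HOSTNAME,,}.${dc_domain_realm,,}"
hostnamectl set-hostname "$hostname"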

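## INSTALA OS PACOTES NECESSÁRIOS
# Refresh the package lists first (a fresh install may have stale/empty
# lists and the whole transaction would fail). apt-get is the stable CLI
# for scripts; the package set is unchanged.
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y samba winbind wget net-tools dnsutils sudo smbclient ntp ntpdate cifs-utils libnss-winbind libpam-winbind acl
# krb5-user prompts for the default realm; keep it non-interactive.
DEBIAN_FRONTEND=noninteractive apt-get install -y krb5-user libpam-krb5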

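##################################
##       Instala o WEBMIN       ##
##################################
# Supply-chain note: the original fetched the .deb over plain HTTP with no
# integrity check and installed it with dpkg. Download over HTTPS into a
# private temp dir and let apt resolve dependencies. The page publishes no
# checksum/signature for the package; verify the .deb against the one the
# Webmin project publishes before using this in production.
# "python" is no longer a package name on Debian 12 — it made the whole apt
# transaction fail — so python3 is installed instead.
webmin_ver=2.102
webmin_dir=$(mktemp -d)
webmin_deb="$webmin_dir/webmin_${webmin_ver}_all.deb"
wget -O "$webmin_deb" "https://prdownloads.sourceforge.net/webadmin/webmin_${webmin_ver}_all.deb"

apt install -y perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python3 unzip shared-mime-info

export PATH=$PATH:/usr/local/sbin:/usr/sbin:/sbin

# "apt install <path>.deb" pulls in any remaining dependencies, unlike dpkg -i.
apt install -y "$webmin_deb"
rm -rf -- "${webmin_dir:?}"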

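##################################
##       Arquivo /etc/hosts     ##
##################################
# The DC's FQDN must resolve to its LAN address. The original also listed
# "localhost" on that line, making localhost an alias of the LAN IP; dropped.
# IPv6 entries stay commented out because IPv6 is disabled below.
mv /etc/hosts /etc/hosts.bkp
cat > /etc/hosts << EOL
127.0.0.1 localhost
$ip1.$ip2.$ip3.$ip4 $hostname $HOSTNAME
#::1     ip6-localhost ip6-loopback
#fe00::0 ip6-localnet
#ff00::0 ip6-mcastprefix
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
EOL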

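## Static network configuration for the detected interface ##
mv /etc/network/interfaces /etc/network/interfaces.bkp
cat > /etc/network/interfaces << EOL
source /etc/network/interfaces.d/*
EOL

# Take the prefix length from the running interface instead of assuming /24.
prefix=$(ip -o -4 addr show dev "$nic" | awk '{split($4, a, "/"); print a[2]; exit}')
prefix=${prefix:-24}
mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
netmask="$(( (mask >> 24) & 255 )).$(( (mask >> 16) & 255 )).$(( (mask >> 8) & 255 )).$(( mask & 255 ))"

# Overwrite (not append) so re-running does not stack duplicate stanzas.
# No public fallback resolver: a DC must resolve through itself only —
# 8.8.8.8 cannot answer the AD records and makes lookups flaky. Outside
# names go through the "dns forwarder" set in smb.conf.
cat > "/etc/network/interfaces.d/$nic" << EOL
auto $nic
iface $nic inet static
address $ip1.$ip2.$ip3.$ip4
netmask $netmask
gateway $gateway
dns-search $dc_domain_realm
dns-nameservers $ip1.$ip2.$ip3.$ip4
EOL

/etc/init.d/networking restart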

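## resolv.conf: the DC resolves only through its own DNS ##
# The gateway and 8.8.8.8 were dropped as fallbacks: neither can answer AD
# SRV/A records, and the resolver may try them first. "domain" and "search"
# are mutually exclusive (last wins), so only "search" is written.
mv /etc/resolv.conf /etc/resolv.conf.bkp
cat > /etc/resolv.conf << EOL
nameserver $ip1.$ip2.$ip3.$ip4
search $dc_domain_realm
EOL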

## Stop the daemons that must not run on an AD DC (samba-ad-dc replaces
## smbd/nmbd) and the network manager this script does not use ##
for unit in smbd nmbd; do
  systemctl stop "$unit"
  systemctl disable "$unit"
done
systemctl stop systemd-networkd
systemctl disable systemd-networkd

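## ntp.conf additions for Samba (signed NTP for Windows clients) ##
# The local-clock driver is the pseudo address 127.127.1.0; "server"/"fudge"
# on the host's own LAN IP, as the original had, is not a reference clock
# and does nothing useful. Guard the append so re-runs do not duplicate it.
# "restrict default mssntp" is expected to add the flag to the existing
# default restriction (verify with `ntpq -c reslist`); "disable monitor"
# blocks monlist amplification.
if ! grep -q '^ntpsigndsocket' /etc/ntp.conf; then
cat >> /etc/ntp.conf << EOL
# Relogio Local
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Configurações adicionais para o Samba 4
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default mssntp
disable monitor
EOL
fi

# Step the clock once while ntpd is stopped (Kerberos tolerates only a few
# minutes of skew), then start the daemon. The original "ntpdate -o 1"
# forced NTP protocol version 1 for no reason; dropped.
service ntp stop
ntpdate br.pool.ntp.org
service ntp start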

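##################################
##  Desativa o protocolo IPV6   ##
##################################
# The original hard-coded "eth0"; use the detected interface and append only
# once. NOTE(review): disabling IPv6 is a local choice, not a Samba
# requirement.
if ! grep -q '^net.ipv6.conf.all.disable_ipv6' /etc/sysctl.conf; then
cat >> /etc/sysctl.conf << EOL
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.${nic:-eth0}.disable_ipv6 = 1
EOL
fi

sysctl -p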

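## PROVISIONAMENTO DO DOMINIO
## Move the stock smb.conf out of the way; provisioning writes its own
mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
# NOTE(review): --adminpass puts the password in the process argument list
# (visible in ps/audit logs) while provisioning runs; samba-tool prompts for
# it when the option is omitted. The result is checked because every later
# step depends on it; no "exit" on purpose — this is pasted into a shell.
if ! samba-tool domain provision --use-rfc2307 --server-role=dc --dns-backend=SAMBA_INTERNAL \
       --realm="$dc_domain_realm" --domain="$domain" --adminpass="$pass"; then
  echo "ERRO: samba-tool domain provision falhou; os passos seguintes não vão funcionar." >&2
fi

## HABILITA O SERVIÇO DO SAMBA
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc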

## Make sure the standalone winbind is down and the DC starts cleanly ##
systemctl stop winbind
for action in stop start; do
  systemctl "$action" samba-ad-dc
done

## Administrator password never expires (lab convenience; see security notes) ##
samba-tool user setexpiry administrator --noexpiry

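## Kerberos client configuration: use the file Samba generated ##
mv /etc/krb5.conf /etc/krb5.conf.bkp
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

##################################
##           Ajustes            ##
##################################
#sudo ln -s /var/lib/samba/private/secrets.keytab /etc/krb5.keytab
# pam-auth-update already wires pam_mkhomedir into common-session; the
# original additionally appended a second pam_mkhomedir line by hand, which
# only duplicated the module. That append is gone.
pam-auth-update --enable mkhomedir
## Let ntpd reach Samba's signing socket ##
# NOTE(review): the group must be the one the time daemon runs as — "ntp"
# for the classic ntp package, "ntpsec" for Debian 12's ntpsec package.
# Check with `getent group ntp ntpsec` and adjust.
chown root:ntp /var/lib/samba/ntp_signd/

## Map DNS names to the realm ##
# These mappings belong in a [domain_realm] section; the original appended
# them to the end of the file, i.e. inside whatever section happened to be
# last ([libdefaults] in the Samba-generated file), where they are ignored.
cat >> /etc/krb5.conf << EOL

[domain_realm]
	.$dc_domain_realm = $dc_domain
	$dc_domain_realm = $dc_domain
EOL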

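## ADICIONA INFORMAÇÕES AO ARQUIVO SMB.CONF
# The original edited by line number ("sed -i '3p'" duplicates line 3; seven
# inserts at line 10), which only works for one exact file layout. Anchor on
# content instead: provisioning wrote "dns forwarder = <own IP>" (taken from
# resolv.conf), which would forward to itself — replace it with an external
# forwarder — and insert the remaining settings just before [sysvol], i.e.
# still inside [global].
sed -i 's/^\([[:space:]]*dns forwarder\)[[:space:]]*=.*/\1 = 8.8.8.8/' /etc/samba/smb.conf

smb_extra=$(mktemp)
cat > "$smb_extra" << EOL
	log file = /var/log/samba/log.samba
	max log size = 1000
	logging = file
	template shell = /bin/bash
	template homedir = /home/%U
	winbind enum groups = yes
	winbind enum users = yes

EOL
awk -v f="$smb_extra" '/^\[sysvol\]/ { while ((getline l < f) > 0) print l; close(f) } { print }' \
  /etc/samba/smb.conf > "$smb_extra.new" && cat "$smb_extra.new" > /etc/samba/smb.conf
rm -f "$smb_extra" "$smb_extra.new"
# Optional settings kept from the original for reference:
#	interfaces = lo $nic
#	idmap config * : backend = tdb
#	idmap config $domain : backend = rid
#	idmap config $domain : range = 1000000-9999999
#	security = ads

## NSS: resolve domain accounts via winbind ##
# The original appended "winbind" to lines 7 and 8 of nsswitch.conf by
# number; match the passwd/group lines by name and add it once.
for db in passwd group; do
  grep -Eq "^${db}:.*[[:space:]]winbind([[:space:]]|$)" /etc/nsswitch.conf \
    || sed -i -E "s/^(${db}:[[:space:]]+[^#]*[^[:space:]#])/\1 winbind/" /etc/nsswitch.conf
done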

## Optional sshd tweaks, left disabled (enabling KerberosAuthentication or
## turning UsePAM off changes how domain users log in — review first) ##
#sudo sed -i "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config
#sudo sed -i "s/#KerberosAuthentication no/KerberosAuthentication yes/g" /etc/ssh/sshd_config
#sudo sed -i "s/#UsePAM Yes/UsePAM no/g" /etc/ssh/sshd_config

## Reload Samba and restart the dependent services ##
smbcontrol all reload-config
for unit in samba-ad-dc systemd-resolved ntp sshd; do
  systemctl restart "$unit"
done

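##################################
##     Zona do DNS reverso      ##
##################################
# The original created the zone for the hard-coded 0.168.192.in-addr.arpa
# but added the PTR under the zone derived from the host's own address, so
# on any other /24 the PTR step failed. Derive both from the same octets.
# The password is passed on stdin (not argv) and quoted.
rev_zone="$ip3.$ip2.$ip1.in-addr.arpa"
printf '%s\n' "$pass" | samba-tool dns zonecreate "$hostname" "$rev_zone" -U administrator
printf '%s\n' "$pass" | samba-tool dns add "$hostname" "$rev_zone" "$ip4" PTR "$hostname" -U administrator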

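##################################
## Testes finais                ##
##################################
echo
echo "-------------------------------------"
echo " Teste de rede do NETLOGON "
echo "-------------------------------------"
echo
smbclient -L localhost -N
# Password on stdin, quoted.
printf '%s\n' "$pass" | smbclient //localhost/netlogon -U Administrator -c 'ls'
echo
echo "-------------------------------------"
echo " Teste de Conexão com a Internet"
echo "-------------------------------------"
echo
ping -c4 google.com.br
echo
echo "-------------------------------------"
echo " Teste de Conexão NTP"
echo "-------------------------------------"
echo
ntpq -p
echo
echo "-------------------------------------"
echo " Teste de Descoberta Kerberos e LDAP"
echo "-------------------------------------"
echo
host -t SRV "_kerberos._udp.$dc_domain_realm."
host -t SRV "_ldap._tcp.$dc_domain_realm."
echo
echo "-------------------------------------"
echo " Teste de Conexão com o Dominio"
echo "-------------------------------------"
echo
# kinit reads the password from stdin when it is not a terminal.
printf '%s\n' "$pass" | kinit "administrator@$dc_domain"
klist
echo
echo "-------------------------------------"
echo " Teste DNS Reverso"
echo "-------------------------------------"
nslookup "$dc_domain_realm"
nslookup "$ip1.$ip2.$ip3.$ip4"
host "$ip1.$ip2.$ip3.$ip4"
echo "-------------------------------------"
echo
echo "-------------------------------------"
echo " O Dominio do sistema é $dc_domain"
# The password is no longer printed: it would stay in the terminal
# scrollback and in any session log.
echo " O usuário é administrator"
echo "-------------------------------------"
echo
echo "-------------------------------------"
# Webmin serves HTTPS on 10000 by default (self-signed certificate); use
# http:// only if SSL was disabled in miniserv.conf.
echo " Acesse via browser o WEBMIN: https://$ip1.$ip2.$ip3.$ip4:10000 "
echo "-------------------------------------"
echo

#net rpc rights list -U administrator
#sudo samba_dnsupdate --verbose --all-names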


Integração automática em dominio no SAMBA 4 no debian

 ##################################
## Configurações do seu Dominio ##
##################################
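# Account used to join. NOTE(review): prefer a delegated join account
# (rights to create computer objects in the target OU) over the domain
# Administrator.
dc_user=administrator
# Do not keep the join password in this file (it is pasted, shared and
# backed up). Export DC_JOIN_PASS or leave dc_pass empty to be prompted.
dc_pass="${dc_pass:-${DC_JOIN_PASS:-}}"
if [ -z "$dc_pass" ]; then
  read -r -s -p "Password for $dc_user: " dc_pass
  echo
fi
dc_ip=192.168.0.5
dc_host=SRVAD001M
dc_domain=domain.intra
dc_domain_realm=DOMAIN.INTRA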
##################################
## Ajuste de configuração do    ##
## computador no dominio        ##
##################################
# Local name on loopback plus a static entry for the DC (redundant once DNS
# points at the DC, but harmless).
fqdn="$HOSTNAME.$dc_domain"
mv /etc/hosts /etc/hosts.bkp
cat > /etc/hosts << EOL
127.0.0.1 $fqdn $HOSTNAME localhost
::1     localhost ip6-localhost ip6-loopback
$dc_ip $dc_host.$dc_domain
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOL
##################################
## Definição do nome do         ##
## Computador                   ##
##################################
hostnamectl set-hostname "$fqdn"
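##################################
## Instalação dos pacotes       ##
## necessários para integração  ##
## ao dominio                   ##
##################################
# Refresh the package lists first; on a fresh install they may be stale.
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get -y install sudo realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit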

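##################################
## Configuração da resolução    ##
## de nomes para dominio        ##
##################################
# A domain member must resolve through the AD DNS only: a public fallback
# (8.8.8.8) cannot answer the AD SRV records, and when the resolver tries it
# first, discovery and Kerberos fail intermittently. "domain" and "search"
# are mutually exclusive (last wins), so only "search" is written.
mv /etc/resolv.conf /etc/resolv.conf.bkp
cat > /etc/resolv.conf << EOL
search $dc_domain
nameserver $dc_ip
EOL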
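##################################
## Teste de descoberta do       ##
## dominio na rede              ##
##################################
realm discover "$dc_domain_realm"
##################################
## Integração ao Dominio        ##
##################################
# The password is fed to realm on stdin (not argv), so it does not show in
# ps. The result is checked: the sssd edits below assume a successful join.
if printf '%s\n' "$dc_pass" | realm join -U "$dc_user" "$dc_domain_realm"; then
  echo "Ingresso no domínio $dc_domain_realm concluído."
else
  echo "ERRO: realm join falhou; os ajustes do sssd a seguir não se aplicam." >&2
fi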
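##################################
## Configuração de nomes FQDN   ##
##################################
# sssd.conf may hold credentials and must stay root:root 0600; a plain cp
# creates the backup with the default umask (world-readable). Keep the mode.
cp -p /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bkp
sed -i 's/use_fully_qualified_names = True/use_fully_qualified_names = False/g' /etc/sssd/sssd.conf
##################################
## Ajuste para criação de       ##
## perfil de usuários           ##
##################################
# Appending to the end of the file lands the keys in whatever section is
# last; insert them right under the [domain/...] header instead.
# Security: ad_gpo_access_control = permissive evaluates the GPO logon
# rights but never enforces them, so "Allow/Deny log on locally" GPOs have
# no effect on this host. The original's value is kept as the default;
# set ad_gpo_access_control=enforcing in the environment unless logins are
# being denied by a GPO that you have reviewed.
ad_gpo_access_control="${ad_gpo_access_control:-permissive}"
sed -i "/^\[domain\/.*\]/a\\
ad_gpo_ignore_unreadable = True\\
ad_gpo_access_control = $ad_gpo_access_control" /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
sssctl config-check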
##################################
## Habilita criação automática  ##
## do perfil de usuário do      ##
## dominio                      ##
##################################
# Turns on pam_mkhomedir in the PAM common-session stack.
sudo pam-auth-update --enable mkhomedir
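##################################
## Ajuste de permissão do SSSD  ##
##################################
# The original hard-coded "domain.intra" here instead of using $dc_domain.
# NOTE(review): the chown to sssd:sssd only matters if sssd is configured
# to drop privileges ("user = sssd"); with the default (root) it is a no-op.
mkdir -p "/var/lib/sss/gpo_cache/$dc_domain"
chown -R sssd:sssd /var/lib/sss/gpo_cache
##################################
## Restart dos serviços         ##
##################################
systemctl restart sssd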
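##################################
## Teste de perfil de usuário   ##
##################################
getent passwd "administrator@$dc_domain"
## SSH: restrict logins to the admin group ##
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bkp
# The original switched sshd to "UsePAM no". With PAM off, sshd checks
# passwords against the local shadow database only, so domain users (served
# by pam_sss) cannot log in and pam_mkhomedir never runs. UsePAM stays at
# the Debian default (yes).
dc_grp_admins=grp-admins
# AllowGroups takes whitespace-separated group names; the stray "Domain"
# token of the original named a non-existent group. "$USER" (the account
# running this script, presumed to have a same-named primary group) is
# kept as an anti-lock-out fallback — review it.
cat > "/etc/ssh/sshd_config.d/grp-$dc_grp_admins.conf" << EOL
AllowGroups $dc_grp_admins sudo $USER
EOL
# Validate before restarting: a bad directive would leave no way back in.
if sshd -t; then
  systemctl restart sshd
else
  echo "ERRO: sshd -t falhou; sshd não foi reiniciado" >&2
fi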

domingo, 3 de setembro de 2023

Script de integração ao Domínio automatizada | Debian 11 Netinst + SSSD




Atenção: altere as variáveis abaixo conforme seu ambiente. O script é executado como root em um Debian 11 recém-instalado; a senha da conta usada no ingresso não deve ficar gravada no arquivo — informe-a pelo ambiente ou quando solicitado.

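# Account used to join the domain (a delegated join account, not the
# domain Administrator).
dc_user=user.adm
# Do not keep the join password in this file (it is pasted, shared and
# backed up). Export DC_JOIN_PASS or leave dc_pass empty to be prompted.
dc_pass="${dc_pass:-${DC_JOIN_PASS:-}}"
if [ -z "$dc_pass" ]; then
  read -r -s -p "Password for $dc_user: " dc_pass
  echo
fi
dc_ip=192.168.0.5
dc_host=SRVAD001M
dc_domain=domain.intra
dc_domain_realm=DOMAIN.INTRA
dc_grp_admins=grp-admins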

## /etc/hosts: local name on loopback plus a static entry for the DC ##
fqdn="$HOSTNAME.$dc_domain"
mv /etc/hosts /etc/hosts.bkp
cat > /etc/hosts << EOL
127.0.0.1 $fqdn $HOSTNAME localhost
::1     localhost ip6-localhost ip6-loopback
$dc_ip $dc_host.$dc_domain
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOL

## Set the machine's FQDN ##
hostnamectl set-hostname "$fqdn"

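## Packages for the domain join ##
# Refresh the package lists first; on a fresh Netinst they may be stale.
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get -y install sudo realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit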

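## Name resolution through the AD DNS ##
# The original appended to resolv.conf, so any resolver already listed was
# still tried before the DC — and a non-AD resolver cannot answer the SRV
# records realm/sssd rely on. Replace the file instead. "domain" and
# "search" are mutually exclusive (last wins), so only "search" is written.
cp /etc/resolv.conf /etc/resolv.conf.bkp
cat > /etc/resolv.conf << EOL
search $dc_domain
nameserver $dc_ip
EOL

realm discover "$dc_domain_realm"

# Password on stdin (not argv); check the result, the sssd edits below assume
# a successful join.
if printf '%s\n' "$dc_pass" | realm join -U "$dc_user" "$dc_domain_realm"; then
  echo "Ingresso no domínio $dc_domain_realm concluído."
else
  echo "ERRO: realm join falhou; os ajustes seguintes não se aplicam." >&2
fi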

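## sssd: short names instead of user@domain ##
# sssd.conf may hold credentials and must stay root:root 0600; a plain cp
# creates the backup with the default umask (world-readable). Keep the mode.
cp -p /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bkp
sed -i 's/use_fully_qualified_names = True/use_fully_qualified_names = False/g' /etc/sssd/sssd.conf

systemctl restart sssd

## SSH: restrict logins to the admin group ##
# AllowGroups takes whitespace-separated group names; the stray "Domain"
# token of the original named a non-existent group. "$USER" (the account
# running this script, presumed to have a same-named primary group) is kept
# as an anti-lock-out fallback — review it.
cat > "/etc/ssh/sshd_config.d/$dc_grp_admins.conf" << EOL
AllowGroups $dc_grp_admins sudo $USER
EOL

# Validate before restarting: a bad directive would leave no way back in.
if sshd -t; then
  systemctl restart sshd
else
  echo "ERRO: sshd -t falhou; sshd não foi reiniciado" >&2
fi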

Debian 11 Netinst + Samba4 | Script de provisionamento de domínio automático




Ambiente

Sistema Operacional: Debian 11 Netinst
IP: 192.168.0.5 / 24
Gateway: 192.168.0.1

Domínio: DOMAIN.INTRA

Requisito: SSH

Atenção: altere os valores do bloco "Altere de acordo com seu ambiente" (domínio, realm, nome NetBIOS, senha e gateway — destacados em vermelho no original) conforme o seu ambiente antes de colar o script.

Copiar e colar no SSH:


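################################
## Altere de acordo com seu ambiente #
################################

# NOTE: in this script dc_domain is the upper-case realm and dc_domain_realm
# the lower-case DNS name — the reverse of the naming used in the later
# scripts on this page. The names are kept for compatibility.
dc_domain=DOMAIN.INTRA
dc_domain_realm=domain.intra
domain=DOMAIN
# Do not keep the Administrator password in this file. Export
# SAMBA_ADMIN_PASS (or pass=...) beforehand, or leave it empty to be
# prompted without echo.
pass="${pass:-${SAMBA_ADMIN_PASS:-}}"
if [ -z "$pass" ]; then
  read -r -s -p "Administrator password for ${dc_domain}: " pass
  echo
fi
gateway=192.168.0.1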

################################

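## INSTALA OS PACOTES NECESSÁRIOS
# Refresh the package lists first; on a fresh Netinst they may be stale and
# the whole transaction would fail. apt-get is the stable CLI for scripts.
DEBIAN_FRONTEND=noninteractive apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y samba winbind wget dnsutils sudo smbclient ntp
# krb5-user prompts for the default realm; keep it non-interactive.
DEBIAN_FRONTEND=noninteractive apt-get install -y krb5-user

## DEFINE O HOSTNAME DO SERVIDOR
hostnamectl set-hostname "$HOSTNAME.$dc_domain"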

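## FAZ UM BACKUP DO ARQUIVO INTERFACES E ADICIONA INFORMAÇÕES
# The appended lines become part of the last "iface" stanza in the file.
# Only the DC itself is listed as nameserver: 8.8.8.8 and the gateway were
# dropped because a resolver that cannot answer the AD records makes SRV
# lookups flaky whenever it is tried first. Outside names are resolved via
# the "dns forwarder" set in smb.conf. Guarded so re-runs do not duplicate.
cp /etc/network/interfaces /etc/network/interfaces.bkp
if ! grep -q "^[[:space:]]*dns-search $dc_domain_realm" /etc/network/interfaces; then
cat >> /etc/network/interfaces << EOL
 dns-search $dc_domain_realm
 dns-nameservers 127.0.0.1
EOL
fi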

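## FAZ UM BACKUP DO ARQUIVO HOST E ADICIONA INFORMAÇÕES
# A DC's FQDN must resolve to its LAN address, not to 127.0.0.1 (the other
# provisioning scripts on this page do this; the original here mapped the
# FQDN to loopback). Take the first address hostname -I reports.
ip_addr=$(hostname -I | awk '{print $1}')
mv /etc/hosts /etc/hosts.bkp
cat > /etc/hosts << EOL
127.0.0.1 localhost
$ip_addr $HOSTNAME.$dc_domain $HOSTNAME
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOL

## FAZ UM BACKUP DO ARQUIVO RESOLV.CONF E ADICIONA INFORMAÇÕES
# Only the DC itself: a fallback resolver cannot answer AD records. The
# provisioning step later copies the first nameserver into "dns forwarder",
# which the forwarder fix below relies on being 127.0.0.1. "domain" and
# "search" are mutually exclusive (last wins), so only "search" is written.
mv /etc/resolv.conf /etc/resolv.conf.bkp
cat > /etc/resolv.conf << EOL
nameserver 127.0.0.1
search $dc_domain_realm
EOL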

## Stop the daemons an AD DC must not run and the unused network manager ##
for unit in smbd nmbd; do
  systemctl stop "$unit"
  systemctl disable "$unit"
done
systemctl stop systemd-networkd
systemctl disable systemd-networkd

## Move the stock smb.conf aside; provisioning writes its own ##
mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp

## ntp.conf: local clock fallback and Samba's signed-NTP socket ##
# "disable monitor" blocks monlist amplification; "restrict default mssntp"
# is expected to add the flag to the existing default restriction (check
# with `ntpq -c reslist`).
cat >> /etc/ntp.conf << EOL
# Relogio Local
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Configurações adicionais para o Samba 4
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default mssntp
disable monitor
EOL

## Let ntpd (group "ntp") reach the signing socket ##
sudo chown root:ntp /var/lib/samba/ntp_signd/

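## PROVISIONAMENTO DO DOMINIO
# NOTE(review): --adminpass puts the password in the process argument list
# (visible in ps/audit logs) while provisioning runs; samba-tool prompts for
# it when the option is omitted. The result is checked because every later
# step depends on it; no "exit" on purpose — this is pasted into a shell.
if ! samba-tool domain provision --use-rfc2307 --server-role=dc --dns-backend=SAMBA_INTERNAL \
       --realm="$dc_domain_realm" --domain="$domain" --adminpass="$pass"; then
  echo "ERRO: samba-tool domain provision falhou; os passos seguintes não vão funcionar." >&2
fi

## HABILITA O SERVIÇO DO SAMBA
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc

systemctl stop winbind
systemctl stop samba-ad-dc
systemctl start samba-ad-dc

## ADICIONA INFORMAÇÕES AO ARQUIVO SMB.CONF
# Provisioning copied the first resolv.conf nameserver (127.0.0.1, i.e. this
# DC) into "dns forwarder", which would forward to itself. Match the key
# rather than the exact value so the fix also applies when resolv.conf
# listed a different address.
sed -i 's/^\([[:space:]]*dns forwarder\)[[:space:]]*=.*/\1 = 8.8.8.8/' /etc/samba/smb.conf

## DEFINE SENHA NUNCA EXPIRA PARA A CONTA ADMINISTRATOR
# NOTE(review): exempting the most privileged account from password expiry
# removes the domain password policy from it; acceptable for a lab only.
samba-tool user setexpiry administrator --noexpiry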

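## MOSTRA OS COMPARTILHAMENTOS DO DOMINIO
smbclient -L localhost -N

## TESTA OS ARQUIVOS DE COMPARTILHAMENTO COM O DOMINIO
# Password on stdin, quoted.
printf '%s\n' "$pass" | smbclient //localhost/netlogon -U Administrator -c 'ls'

## FAZ BACKUP DO ARQUIVO KRB5 E COPIA O ARQUIVO CRIADO PELO SAMBA
mv /etc/krb5.conf /etc/krb5.conf.bkp
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

## ADICIONA INFORMAÇÔES AO ARQUIVO KRB5.CONF
# The DNS-name → realm mappings belong in a [domain_realm] section. The
# original appended them bare to the end of the file, i.e. inside the last
# section of the Samba-generated file ([libdefaults]), where they are
# ignored.
cat >> /etc/krb5.conf << EOL

[domain_realm]
	.$dc_domain_realm = $dc_domain
	$dc_domain_realm = $dc_domain
EOL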

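## RECARREGA TODAS AS CONFIGURAÇÕES DO SAMBA E SERVIÇOS DEPENDENTES
smbcontrol all reload-config
systemctl restart samba-ad-dc
# No-op when systemd-resolved is not installed (this script does not use it).
systemctl restart systemd-resolved
systemctl restart ntp

## TESTA A CONEXÃO COM A INTERNET
ping -c4 google.com

## TESTE A CONFIGURAÇÂO NTP
ntpq -p

## TESTE DE SERVIÇOS DA REDE KERBEROS E LDAP
host -t SRV "_kerberos._udp.$dc_domain_realm."
host -t SRV "_ldap._tcp.$dc_domain_realm."

## TESTE DE CONEXÃO AO DOMINIO
# kinit reads the password from stdin when it is not a terminal. The
# password is quoted; the original expanded it bare (subject to word
# splitting and globbing).
printf '%s\n' "$pass" | kinit "administrator@$dc_domain"
klist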

Como mostrar a versão do Linux Debian

 Para mostrar a versão do Linux do Debian, rode o seguinte comando: $ cat /etc/*release* | grep CODENAME | cut -d "=" -f 2 Debian ...