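#!/usr/bin/env bash
# Samba4 Active Directory domain-controller installer for a Debian-family host
# (apt, /etc/bind, AppArmor profile usr.sbin.named, ntpsec). It rewrites files
# under /etc directly, so it has to run as root.
#
# Atenção: adjust the variables below to your environment before running.
#
# The Administrator password is a secret. It may be supplied through the
# (new, optional) SAMBA_ADMIN_PASS environment variable instead of being kept
# in this file; the literal below is only the fallback. Further down the
# script still has to pass it on a command line to samba-tool provision, where
# it is visible in the process list while that command runs.
dc_domain_realm=sky.net                  # DNS domain / Kerberos realm, lower case
pass=${SAMBA_ADMIN_PASS:-'Passw0rd$2'}   # domain Administrator password (secret)
gateway=192.168.0.1                      # default gateway written to the interface file
dc_domain="${dc_domain_realm^^}"         # realm in upper case, e.g. SKY.NET
domain=${dc_domain%%.*}                  # first label = short (NetBIOS) domain name, e.g. SKY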
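## Server FQDN: bash's short host name plus the upper-case domain, lower-cased ##
hostname=$HOSTNAME.$dc_domain
hostname="${hostname,,}"
#hostnamectl set-hostname $hostname
## Current IPv4 address: the first address reported by hostname -I, split ##
## into its four octets ($ip1.$ip2.$ip3.$ip4) for the templates below ##
primary_ip=$(hostname -I | cut -d ' ' -f 1)
IFS=. read -r ip1 ip2 ip3 ip4 <<< "$primary_ip"
## Interface that carries that address ##
# Match on the whole address: grepping "ip -4 a" for the first octet alone
# (the previous approach) also hits unrelated lines that contain that number.
nic=$(ip -4 -o addr show to "$primary_ip" | awk '{ print $2; exit }')
if [ -z "$nic" ]; then
  echo "Interface de rede não encontrada para $primary_ip" >&2
  exit 1   # every network file written below is keyed on $nic
fi
## Prefer IPv4 answers in getaddrinfo; append the line only once so that ##
## re-running the installer does not keep growing /etc/gai.conf ##
grep -qF 'precedence ::ffff:0:0/96 100' /etc/gai.conf 2>/dev/null \
  || echo "precedence ::ffff:0:0/96 100" >> /etc/gai.conf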
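## Network configuration: make the current address static ##
# The netmask is fixed at /24; the broadcast address here, the "/24" added to
# smb.conf and the reverse zone created at the end all assume the same.
mv /etc/network/interfaces /etc/network/interfaces.bkp
cat >> /etc/network/interfaces << EOL
source /etc/network/interfaces.d/*
EOL
# Overwrite (">") rather than append: a pre-existing per-interface file would
# otherwise end up with two auto/iface stanzas for the same interface.
cat > "/etc/network/interfaces.d/$nic" << EOL
auto $nic
iface $nic inet static
address $ip1.$ip2.$ip3.$ip4
netmask 255.255.255.0
broadcast $ip1.$ip2.$ip3.255
gateway $gateway
dns-search $dc_domain_realm
dns-nameservers $ip1.$ip2.$ip3.$ip4
dns-nameservers 8.8.8.8
EOL
## resolv.conf: this host (the future DC) first, a public resolver as fallback ##
# NOTE(review): if /etc/resolv.conf is a symlink managed by another resolver,
# mv only moves the link — confirm on the target host.
mv /etc/resolv.conf /etc/resolv.conf.bkp
cat > /etc/resolv.conf << EOL
nameserver $ip1.$ip2.$ip3.$ip4
#nameserver $gateway
nameserver 8.8.8.8
domain $domain
search $dc_domain.
EOL
echo
/etc/init.d/networking restart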
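# Summary of the detected/configured values before anything is installed.
clear
echo
echo "-------------------------------------"
echo " Bem-Vindo a Instalação do Samba4 "
echo "-------------------------------------"
hostnamectl
echo "----------------------------------------"
echo "Interface de Rede: $nic "
echo "IP: $ip1.$ip2.$ip3.$ip4"
echo "Dominio Realm: $dc_domain_realm"
echo "Dominio FQDN: $dc_domain"
echo "Dominio: $domain"
# The password is deliberately not echoed: this banner ends up in terminal
# scrollback, session transcripts and any log the run is captured into.
echo "Senha: (não exibida)"
echo "Gateway: $gateway"
echo "----------------------------------------"
cat "/etc/network/interfaces.d/$nic"
echo "----------------------------------------"
cat /etc/resolv.conf
echo "----------------------------------------"
sleep 5
echo
echo "-------------------------------------"
echo " Instalando o Samba4 "
echo "-------------------------------------"
echo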
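## Package installation ##
# apt-get is the front end meant for scripts (apt warns that its CLI is not
# stable). DEBIAN_FRONTEND=noninteractive, previously applied only to the
# Kerberos packages, is used for both calls so that no debconf question can
# stall an unattended run. Nothing below works without these packages, so a
# failed install aborts instead of provisioning a half-installed system.
pkgs=(samba wget net-tools dnsutils sudo smbclient ntpsec ntpdate cifs-utils
  libnss-winbind libpam-winbind acl ldap-utils attr ldb-tools smbldap-tools
  smbios-utils bind9 quota)
DEBIAN_FRONTEND=noninteractive apt-get install -y "${pkgs[@]}" \
  || { echo "Falha ao instalar os pacotes do Samba" >&2; exit 1; }
DEBIAN_FRONTEND=noninteractive apt-get install -y krb5-user libpam-krb5 \
  || { echo "Falha ao instalar os pacotes do Kerberos" >&2; exit 1; }
sleep 3
echo
echo " Instalação Concluída "
echo
sudo samba -V
# Show which smb.conf this build reads (CONFIGFILE from the build options)
echo "Arquivo de configuração:"
sudo smbd -b | grep "CONFIGFILE"
sleep 3
echo
echo "-------------------------------------"
echo " Ajustando arquivos do SAMBA4 "
echo "-------------------------------------"
echo
sleep 3
echo
echo "----------------------------------------"
echo " Desativando IPV6 "
echo "----------------------------------------"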
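## Disable IPv6 ##
# The sysctl block is appended only once (re-runs must not duplicate it) and
# names the detected interface instead of a hard-coded eth0. (Interface names
# that contain dots need the slash form of the key; see sysctl(8).)
grep -q 'net.ipv6.conf.all.disable_ipv6' /etc/sysctl.conf 2>/dev/null \
  || cat >> /etc/sysctl.conf << EOL
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.$nic.disable_ipv6 = 1
EOL
/etc/init.d/networking restart
echo
## /etc/hosts ##
# The DC's FQDN and short name resolve to the LAN address. "localhost" is
# intentionally not repeated on that line (the previous file did): it belongs
# to 127.0.0.1 only.
mv /etc/hosts /etc/hosts.bkp
cat > /etc/hosts << EOL
127.0.0.1 localhost
$ip1.$ip2.$ip3.$ip4 $hostname $HOSTNAME
#::1 ip6-localhost ip6-loopback
#fe00::0 ip6-localnet
#ff00::0 ip6-mcastprefix
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
EOL
## Move the package's smb.conf aside so that provisioning writes a fresh one
mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
echo " Concluído! "
echo
sudo sysctl -p
echo
echo " Concluído! "
echo
sleep 2
echo "-------------------------------------"
echo " Provisioando o seu Dominio agora! "
echo "-------------------------------------"
echo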
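## Provision the domain (DC role, BIND9_DLZ DNS back end, RFC2307 attributes) ##
# The Administrator password is passed on the command line (--adminpass) and is
# therefore visible in the process list to any local user while samba-tool
# runs. Every later step depends on a provisioned domain, so a failure aborts.
samba-tool domain provision --use-rfc2307 --server-role=dc --dns-backend=BIND9_DLZ \
  --realm="$dc_domain_realm" --domain="$domain" --adminpass="$pass" \
  --option="interfaces=lo $nic" --option="bind interfaces only=yes" \
  || { echo "Falha no provisionamento do dominio" >&2; exit 1; }
# Stop the standalone Samba services: on a domain controller they are replaced
# by samba-ad-dc, which is enabled further down.
sudo systemctl unmask smbd nmbd winbind
sudo systemctl stop smbd nmbd winbind
sudo systemctl disable smbd nmbd winbind
echo
sleep 5
echo "-------------------------------------"
echo " Ajustando configurações... "
echo "-------------------------------------"
echo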
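## BIND9 / dlz_bind9 integration ##
# Minor version of the installed BIND (e.g. "18" for 9.18), used to pick the
# matching dlz_bind9_<minor>.so line. Falls back to 18, the value that was
# previously hard-coded, when "named -v" cannot be parsed.
bind_named=$(sudo named -v | cut -d ' ' -f 2 | cut -d '.' -f2)
bind_named=${bind_named:-18}
# Uncomment the database line for that module in Samba's generated named.conf
sed -i 's/ #/#/' /var/lib/samba/bind-dns/named.conf
sed -i "/${bind_named}.so/s/^# //" /var/lib/samba/bind-dns/named.conf
# Include Samba's named.conf once (a re-run must not add a second include)
cp /etc/bind/named.conf.local /etc/bind/named.conf.local.bkp
grep -qF '/var/lib/samba/bind-dns/named.conf' /etc/bind/named.conf.local \
  || cat >> /etc/bind/named.conf.local << EOL
include "/var/lib/samba/bind-dns/named.conf";
EOL
# Add the bind.keys path and the GSS-TSIG keytab used for secure dynamic
# updates after every "any; };" in named.conf.options. NOTE(review): this
# relies on the Debian default layout of that file — re-check after upgrades.
cp /etc/bind/named.conf.options /etc/bind/named.conf.options.bkp
sudo sed -i 's/any; };/any; };\
bindkeys-file "\/etc\/bind\/bind.keys";\
tkey-gssapi-keytab "\/var\/lib\/samba\/bind-dns\/dns.keytab"; \
/g' /etc/bind/named.conf.options
# Copy the managed-keys cache aside ##
mkdir -p /var/cache/bind/bkp
cp /var/cache/bind/managed-keys.bind* /var/cache/bind/bkp
# AppArmor: allow named to load the Samba DLZ module and reach its databases
# (rules inserted after the "# Samba DLZ" marker of the Debian profile)
cp /etc/apparmor.d/usr.sbin.named /etc/apparmor.d/usr.sbin.named.bkp
sudo sed -i 's/# Samba DLZ/# Samba DLZ\n\
\/var\/lib\/samba\/bind-dns\/named.conf r,\
\/var\/lib\/samba\/private\/named.conf r,\
\/usr\/lib\/x86_64-linux-gnu\/samba\/\*\* mlr,\
\/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/\*\* mlr,\
\/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/dlz_bind9.so mlr,\
\/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/dlz_bind9_9.so mlr,\
\/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/dlz_bind9_10.so mlr,\
\/usr\/lib\/x86_64-linux-gnu\/samba\/bind9\/dlz_bind9_11.so mlr,\
\/usr\/lib\/x86_64-linux-gnu\/ldb\/modules\/ldb\/\*\* mlrwk,\
\/var\/lib\/samba\/private\/\*\* mlrwk,\
\/var\/lib\/samba\/ntpsec_signd\/\*\* rwlkix,\
/g' /etc/apparmor.d/usr.sbin.named
# Access for the bind user (Debian's BIND account) to the directory database
# served by the DLZ module. The previous "chmod 777 -R" made the AD database
# readable and writable by every local account; group access for bind is
# presumably all the module can need. NOTE(review): provisioning normally
# sets these permissions itself — confirm against the Samba wiki whether this
# step is still required for the installed version.
chgrp -R bind /var/lib/samba/private/sam.ldb.d/ \
  && chmod -R u=rwX,g=rwX,o= /var/lib/samba/private/sam.ldb.d/
systemctl restart apparmor
# Validate the BIND configuration before restarting: without a working named
# there is no domain DNS, and everything after this point depends on it.
named-checkconf || { echo "named-checkconf falhou" >&2; exit 1; }
systemctl restart bind9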
## Back up the krb5.conf from krb5-user and copy in the one provisioning generated
mv /etc/krb5.conf /etc/krb5.conf.bkp
## KRB5.CONF ##
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
## Add settings to krb5.conf (second backup keeps the pristine generated copy)
cp /etc/krb5.conf /etc/krb5.conf.bkp.krb5
# Client defaults inserted right after [libdefaults].
# NOTE(review): the enctype lines enable RC4 and DES/3DES only — "permitted_enctypes"
# does not list any AES type, and single-DES is no longer supported by current
# Kerberos libraries while RC4 is deprecated. Keep only what the oldest client
# really needs. "udp_preference_limit" is set twice (1000000 and 1); only one
# of the two can take effect.
sudo sed -i 's/\[libdefaults\]/\[libdefaults\]\
rdns = false\
default_tgs_enctypes = rc4-hmac des3-hmac-sha1\
default_tkt_enctypes = rc4-hmac des3-hmac-sha1\
permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1\
#ticket_lifetime = 24h\
ticket_lifetime = 86400\
forwardable = true\
udp_preference_limit = 1000000\
#renew_lifetime = 7d\
renew_lifetime = 604800\
default_ccache_name = \/etc\/samba\/krb5cc_%\{uid\}\
udp_preference_limit = 1\
kdc_timeout = 3000\
/g' /etc/krb5.conf
# Use the explicit kdc/admin_server entries added below instead of DNS SRV lookup.
# NOTE(review): a leading "\d" in a GNU sed regex is the decimal-escape
# introducer rather than a literal "d" — verify on the target host that the
# dns_lookup_kdc line is really rewritten.
sudo sed -i 's/\dns_lookup_kdc = true/dns_lookup_kdc = false/g' /etc/krb5.conf
# [realms]: point the realm entry at this host for both KDC and admin server
sudo sed -i "s/$dc_domain = {/$dc_domain = {\n\
kdc = $hostname\n\
admin_server = $hostname\
/g" /etc/krb5.conf
# [domain_realm]: replace the host-specific mapping with domain-wide ones
# (".<realm-lowercase>" and "<realm-lowercase>" -> upper-case realm)
sudo sed -i "s/$HOSTNAME = $dc_domain/\
.$dc_domain_realm = $dc_domain\n\
$dc_domain_realm = $dc_domain\n\
/g" /etc/krb5.conf
# Log destinations for the KDC, the admin server and the client library
cat >> /etc/krb5.conf << EOL
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
EOL
echo " Concluído! "
echo
echo "----------------------------------------"
echo " Configurando o SAMBA4 "
echo "----------------------------------------"
echo
# NSS: put "compat" before and "systemd" after the files source for passwd/group
sudo sed -i "s/passwd: files/passwd: compat files systemd/g" /etc/nsswitch.conf
sudo sed -i "s/group: files/group: compat files systemd/g" /etc/nsswitch.conf
# Map the local root account to the domain Administrator; referenced by the
# "username map" setting inserted into smb.conf below
cat >> /etc/samba/user.map << EOL
!root = $domain\Administrator $domain\administrator Administrator administrator
EOL
## Add settings to smb.conf (the backup keeps the file as provisioning wrote it)
cp /etc/samba/smb.conf /etc/samba/smb.conf.bkp.provision
# DNS forwarders inserted right after [global].
# NOTE(review): "dns forwarder" appears twice and the second value is this
# host's own address; if Samba keeps the later value the DC forwards to itself
# and the public resolver is never used — presumably only 8.8.8.8 was meant.
sudo sed -i "s/\[global\]/\[global\]\n\
dns forwarder = 8.8.8.8\n\
dns forwarder = $ip1.$ip2.$ip3.$ip4\
/g" /etc/samba/smb.conf
cp /etc/samba/smb.conf /etc/samba/smb.conf.initial
# Everything below is inserted just before [sysvol], i.e. at the end of
# [global]: winbind templates, logging, idmap, printing disabled, WINS.
# NOTE(review): "hosts allow = ALL" (tcp-wrappers syntax) admits every host,
# "ldap server require strong auth = no" accepts LDAP binds without
# signing/TLS (simple binds then carry the password in the clear), and
# "map to guest = Bad User" turns logons with unknown user names into guest
# sessions — review each against the site's policy before reusing this script.
sudo sed -i "s/\[sysvol\]/\
password server = $ip1.$ip2.$ip3.$ip4\n\
#winbind enum users = yes\n\
#winbind enum groups = yes\n\
#winbind nss info = rfc2307\n\
\n\
template homedir = \/home\/%U\n\
template shell = \/bin\/bash\n\
create mask = 0664\n\
directory mask = 0775\n\
\n\
logging = file\n\
max log size = 1000\n\
log file = \/var\/log\/samba\/log.%m\n\
log level = 1\n\
\n\
passdb backend = tdbsam\n\
kerberos method = secrets and keytab\n\
ldap server require strong auth = no\n\
map to guest = Bad User\n\
\n\
vfs objects = dfs_samba4 acl_xattr recycle\n\
#vfs objects = acl_xattr\n\
#vfs objects = dfs_samba4 acl_xattr audit\n\
\n\
map acl inherit = yes\n\
acl allow execute always = yes\n\
store dos attributes = yes\n\
username map = \/etc\/samba\/user.map\n\
#enable privileges = yes\n\
preferred master = yes\n\
case sensitive = No\n\
\n\
wins support = yes\n\
hosts allow = ALL\n\
name resolve order = lmhosts host wins bcast\n\
\n\
## Desabilita compartilhamento de impressoras\n\
printcap name = \/dev\/null\n\
load printers = no\n\
disable spoolss = yes\n\
printing = bsd\n\
\n\
#security = user \n\
idmap config $domain : unix_nss_info = no\n\
idmap config $domain : backend = ad \n\
#idmap config $domain : range = 10000-59999 \n\
idmap config * : backend = tdb \n\
idmap config * : range = 3000-7999 \n\
\n\[sysvol\]/" /etc/samba/smb.conf
# Also listen on the LAN address (with /24 prefix) besides lo and $nic
sudo sed -i "s/interfaces = lo $nic/interfaces = lo $nic $ip1.$ip2.$ip3.$ip4\/24/g" /etc/samba/smb.conf
# NOTE(review): rewrites every "winbindd" in smb.conf to "winbind"; which
# generated option this targets is not visible here — confirm it still matches.
sudo sed -i 's/winbindd/winbind/g' /etc/samba/smb.conf
sudo systemctl restart bind9
sudo smbcontrol all reload-config
#sudo systemctl restart samba-ad-dc
echo " Concluído! "
echo
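echo "----------------------------------------"
echo "Habilitando PAM-AUTH-UPDATE MKHOMEDIR "
echo "----------------------------------------"
echo
# Create home directories on first login for domain users
sudo pam-auth-update --enable mkhomedir
echo " Concluído! "
sleep 2
echo
echo "----------------------------------------"
echo "Habilitando os Serviços do SAMBA4 "
echo "----------------------------------------"
# samba-ad-dc is the single service that runs the domain controller
sudo systemctl unmask samba-ad-dc
sudo systemctl enable samba-ad-dc
sudo systemctl start samba-ad-dc
sleep 3
echo
echo " Concluído! "
echo
echo "----------------------------------------"
echo " Ajustes ntpsec "
echo "----------------------------------------"
sudo systemctl stop ntpsec
# Comment out the distribution "pool" entries; the ntp.br servers, the local
# clock and the Samba MS-SNTP signing settings are appended together below.
# (Directive order in ntp.conf does not matter, so the servers no longer need
# to be spliced in at a fixed line number — the old "sed '23p'" also
# duplicated whatever happened to be on line 23.)
sudo sed -i "s/pool /#pool/g" /etc/ntpsec/ntp.conf
echo
## Samba ntpsec ##
cat >> /etc/ntpsec/ntp.conf << EOL
server a.ntp.br iburst
server b.ntp.br iburst
server c.ntp.br iburst
# Relogio Local
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# Configurações adicionais para o Samba 4
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default mssntp
disable monitor
EOL
## Let ntpsec reach Samba's signing socket directory (root:ntpsec, 750) ##
#sudo chown root:ntp /var/lib/samba/ntp_signd/
sudo chown -v root:ntpsec /var/lib/samba/ntp_signd/
sudo chmod -v 750 /var/lib/samba/ntp_signd/
# The previous version also wrote chrony-style directives (bindaddress, allow,
# bindcmdaddress, cmdport) into /etc/cron.d/server.conf and cmd.conf. cron
# cannot parse them and ntpsec never reads them, so they are dropped; cron
# itself is still enabled.
sudo systemctl enable --now cron
echo
echo " Atualizando horário do sistema ...."
echo
sudo ntpdate pool.ntp.br
echo
sudo service ntpsec start
sleep 2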
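## Service principal names registered on the Administrator account ##
samba-tool spn add "ldap/$dc_domain_realm" Administrator
samba-tool spn add "cifs/$dc_domain_realm" Administrator
## Export the keytab ##
# Without --principal, exportkeytab writes the keys of every account in the
# domain into this file, so it must stay readable by root only. The earlier
# "chmod 755" handed those keys to every local user of the server.
samba-tool domain exportkeytab /etc/krb5.keytab
chmod 600 /etc/krb5.keytab
ls -l /etc/krb5.keytab
# Obtain and list a ticket from the keytab as a first end-to-end KDC check
kinit -kt /etc/krb5.keytab "Administrator@$dc_domain"
klist
sleep 2
echo " Concluído! "
echo
echo " Reiniciando todos os Serviços ..."
/etc/init.d/networking restart
sudo systemctl daemon-reload
sudo systemctl daemon-reexec
sudo systemctl restart ntpsec
sudo systemctl restart sshd
sudo systemctl restart bind9
sudo smbcontrol all reload-config
sudo systemctl restart samba-ad-dc
echo
echo " Concluído! "
sleep 4
echo
echo " Sistema SAMBA4 Instalado com Sucesso! "
echo "------------------------------------------"
echo
sleep 3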
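echo "------------------------------------------"
echo " Cadastrando ZONA REVERSA "
echo "------------------------------------------"
echo
echo " Cadastrando Zona "
echo "------------------------------------------"
# Reverse zone for the /24 the DC sits in (first three octets reversed, which
# matches the 255.255.255.0 netmask configured earlier). The password is fed
# on stdin rather than on the command line so it does not appear in the
# process list; samba-tool presumably consumes it at the -U prompt.
echo "$pass" | samba-tool dns zonecreate "$hostname" "$ip3.$ip2.$ip1.in-addr.arpa" -U administrator
echo "------------------------------------------"
echo
sleep 2
echo " Cadastrando PTR "
echo "------------------------------------------"
echo "$pass" | samba-tool dns add "$hostname" "$ip3.$ip2.$ip1.in-addr.arpa" "$ip4" PTR "$hostname" -U administrator
echo "------------------------------------------"
echo
sleep 2
echo "-------------------------------------"
echo "Informações do SID "
echo "-------------------------------------"
# Domain SID: filter sam.ldb on the dc attribute (short domain name) and print
# the objectSid of the matching object
ldbsearch -H /var/lib/samba/private/sam.ldb "DC=$domain" | grep objectSid
echo "------------------------------------------"
sleep 2
echo
echo "-------------------------------------"
echo " Teste do SMBClient "
echo "-------------------------------------"
echo
echo "------------------------------------------"
# Anonymous share listing, then an authenticated listing of netlogon
smbclient -L localhost -N
echo "------------------------------------------"
echo
echo "------------------------------------------"
echo "$pass" | smbclient //localhost/netlogon -U Administrator -c 'ls'
echo "------------------------------------------"
echo
sleep 2
echo "-------------------------------------"
echo " Teste de Descoberta Kerberos e LDAP"
echo "-------------------------------------"
echo
# SRV records that clients use to locate the KDC and the LDAP service
echo " Kerberos"
echo "------------------------------------------"
host -t SRV "_kerberos._udp.$dc_domain_realm."
echo "------------------------------------------"
echo
echo " LDAP "
echo "------------------------------------------"
host -t SRV "_ldap._tcp.$dc_domain_realm."
echo "------------------------------------------"
echo
sleep 2
echo "-------------------------------------"
echo " Teste DNS Reverso"
echo "-------------------------------------"
echo
echo " Nslookup $dc_domain_realm "
echo "------------------------------------------"
nslookup "$dc_domain_realm"
echo
echo " Nslookup $ip1.$ip2.$ip3.$ip4 "
echo "------------------------------------------"
nslookup "$ip1.$ip2.$ip3.$ip4"
echo
echo " Host $ip1.$ip2.$ip3.$ip4"
echo "------------------------------------------"
host "$ip1.$ip2.$ip3.$ip4"
echo
sleep 2
echo "-------------------------------------"
echo " Nivel do Dominio ao Windows "
echo "-------------------------------------"
echo
echo "------------------------------------------"
sudo samba-tool domain level show
echo "------------------------------------------"
echo
sleep 2
echo "------------------------------------------"
echo " Sincronização ntpsec "
echo "------------------------------------------"
echo
sudo ntpq -p
echo
sleep 2
echo "-------------------------------------"
echo " Teste do GETENT "
echo "-------------------------------------"
echo
# Confirms that NSS resolves domain accounts through winbind
getent passwd administrator
echo
sleep 2
echo "-------------------------------------"
echo " Conceder privilégios para configurar ACLs pelo Windows "
echo "-------------------------------------"
echo
# SeDiskOperatorPrivilege lets the domain Administrator manage share ACLs from
# Windows; password on stdin, as above
echo "$pass" | net rpc rights grant "$domain\Administrator" SeDiskOperatorPrivilege -U "$domain\Administrator"
echo
sleep 2
echo "-------------------------------------"
# Inner quotes escaped so they are printed instead of silently splitting the
# string into separate words
echo " Definindo senha \"nunca expira\" para administrator"
echo "-------------------------------------"
echo
samba-tool user setexpiry administrator --noexpiry
echo
sleep 2
echo "-------------------------------------"
echo "## Informações SPN ##"
echo "-------------------------------------"
echo
samba-tool spn list Administrator
echo
echo "-------------------------------------"
echo "## Verifica de tem erros ##"
echo "-------------------------------------"
echo
samba-tool dbcheck --cross-ncs
echo
echo "Sistema Instalado com Sucesso "
echo
sleep 2
echo "-------------------------------------"
echo " O Dominio do sistema é $dc_domain"
# The password is not printed in the closing summary either (see the banner
# at the start of the run for the reason)
echo " O usuário é administrator, e a senha é a definida na variável pass (não exibida)"
echo "-------------------------------------"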
#sudo named -f -g -d 10
## atualiza banco de dados do DC
#samba-tool drs replicate --full-sync --sync-forced
#Para corrigir erros no banco de dados do Active Directory (AD), execute:
# samba-tool dbcheck --cross-ncs --fix
#Para redefinir ACLs Sysvol erradas, execute:
#samba-tool ntacl sysvolreset
#Para redefinir todas as ACLs conhecidas no diretório, execute:
# samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix
#samba-tool dbcheck
#net ads info
#samba-tool domain passwordsettings show
#mkdir /var/lib/samba/private/tls/bkp
#mv /var/lib/samba/private/tls/*.pem /var/lib/samba/private/tls/bkp
#rm /var/lib/samba/private/tls/*.pem
#pgrep "smbd" | cut -f1 -d" "
#pid=$(pgrep "smbd" | cut -f1 -d" " | head -n 1)
#kill -s 9 $pid
#pgrep "smbd" | cut -f1 -d" "
#samba_dnsupdate --verbose --all-names
#samba_upgradedns --dns-backend=BIND9_DLZ
## KRB5.KEYTAB ##
## Validar Keytab
#klist -e -k -t /var/lib/samba/private/secrets.keytab
#sudo ln -s /var/lib/samba/private/secrets.keytab /etc/krb5.keytab
#klist -e -k -t /etc/krb5.keytab