quinta-feira, 7 de setembro de 2023

Provisionamento de Domínio com SAMBA 4 no Debian

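################################
## Adjust to your environment  #
################################

dc_domain_realm=sky.net
pass='Passw0rd$2'
gateway=192.168.0.1

# Derived values: the realm upper-cased (Kerberos realm / NetBIOS domain)
# and the short domain = first label of the realm. Parameter expansion
# instead of echo|cut: no subshell and no dependence on word splitting.
dc_domain="${dc_domain_realm^^}"
domain="${dc_domain%%.*}"

################################

# First IPv4 address reported by hostname -I, split once into its octets.
# The original ran hostname -I four times, once per octet, so on a host
# with several addresses the octets could come from different addresses.
ip_addr=$(hostname -I 2>/dev/null | awk '{print $1}')
IFS=. read -r ip1 ip2 ip3 ip4 <<< "$ip_addr"

# Interface carrying that address. Compare the full address from the
# one-line `ip -o` output instead of grepping the first octet, which also
# matched unrelated lines (any line containing e.g. "192").
nic=$(ip -4 -o addr show 2>/dev/null \
  | awk -v a="$ip_addr" '{ split($4, p, "/") } p[1] == a { print $2; exit }')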

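##################################
##       IPv4 precedence        ##
##################################
# Prefer IPv4 over IPv6 in getaddrinfo(); appended only when absent so a
# re-run does not accumulate duplicate lines.
grep -qF -- 'precedence ::ffff:0:0/96  100' /etc/gai.conf 2>/dev/null \
  || echo "precedence ::ffff:0:0/96  100" >> /etc/gai.conf

##################################
##         Server name          ##
##################################
dc_domain="${dc_domain_realm^^}"
# FQDN of this DC: current short host name plus the upper-cased realm.
# (The variable is named `hostname`; later sections read it as $hostname.)
hostname=$HOSTNAME.$dc_domain
#hostname="${hostname,,}"
hostnamectl set-hostname "$hostname"

## Install the required packages
apt install -y samba winbind wget net-tools dnsutils sudo smbclient ntp ntpdate cifs-utils libnss-winbind libpam-winbind acl
sudo DEBIAN_FRONTEND=noninteractive apt install -y krb5-user libpam-krb5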

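##################################
##        Install Webmin        ##
##################################
# NOTE(review): the package is fetched over plain http and installed with
# no signature or checksum verification, so a tampered download would be
# installed as root. Compare the file against the checksum published by
# the Webmin project (<WEBMIN_SHA256 placeholder>) before trusting it.
# Abort if the download fails instead of letting dpkg run on a missing file.
wget http://prdownloads.sourceforge.net/webadmin/webmin_2.102_all.deb \
  || { printf 'Falha ao baixar o Webmin\n' >&2; exit 1; }

apt install -y perl libnet-ssleay-perl openssl libauthen-pam-perl libpam-runtime libio-pty-perl apt-show-versions python unzip shared-mime-info

export PATH=$PATH:/usr/local/sbin:/usr/sbin:/sbin

dpkg --install webmin_2.102_all.deb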

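##################################
##        /etc/hosts file       ##
##################################
# Keep a copy of the original. `localhost` stays on 127.0.0.1 only: the
# original also listed it as an alias of the LAN address, which makes
# `localhost` resolve to the LAN IP as well.
mv /etc/hosts /etc/hosts.bkp
cat > /etc/hosts << EOL
127.0.0.1 localhost
$ip1.$ip2.$ip3.$ip4 $hostname $HOSTNAME
#::1     ip6-localhost ip6-loopback
#fe00::0 ip6-localnet
#ff00::0 ip6-mcastprefix
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters
EOL

mv /etc/network/interfaces /etc/network/interfaces.bkp
cat > /etc/network/interfaces << EOL
source /etc/network/interfaces.d/*
EOL

# Static address for the detected NIC, written with `>` so a re-run
# replaces the stanza instead of appending a second `auto`/`iface` pair.
# Both resolvers go on one dns-nameservers line: interfaces(5) documents a
# single space-separated list, and repeated lines are not guaranteed to be
# merged (the original's second line could drop the DC itself).
# The /24 netmask is kept from the original — adjust for other subnets.
cat > "/etc/network/interfaces.d/$nic" << EOL
auto $nic
iface $nic inet static
address $ip1.$ip2.$ip3.$ip4
netmask 255.255.255.0
gateway $gateway
dns-search $dc_domain_realm
dns-nameservers $ip1.$ip2.$ip3.$ip4 8.8.8.8
EOL

/etc/init.d/networking restart

## Back up resolv.conf and point resolution at this DC first.
# resolv.conf(5): `domain` and `search` are mutually exclusive and the last
# one wins, so the original `domain $domain` (the short NetBIOS name) was
# overridden anyway; only `search` with the DNS realm is written.
mv /etc/resolv.conf /etc/resolv.conf.bkp
cat > /etc/resolv.conf << EOL
nameserver $ip1.$ip2.$ip3.$ip4
nameserver $gateway
nameserver 8.8.8.8
search $dc_domain_realm
EOL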

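# Stop the services that conflict with the AD DC role
systemctl stop smbd nmbd 
systemctl disable smbd nmbd
systemctl stop systemd-networkd
systemctl disable systemd-networkd

## Back up ntp.conf (the original comment promised a backup but took none)
## and add the Samba signing settings, once only.
cp -n /etc/ntp.conf /etc/ntp.conf.bkp
if ! grep -qF 'ntpsigndsocket' /etc/ntp.conf; then
cat >> /etc/ntp.conf << EOL
# Local clock
server $ip1.$ip2.$ip3.$ip4
fudge $ip1.$ip2.$ip3.$ip4 stratum 10
# Additional settings for Samba 4
ntpsigndsocket /var/lib/samba/ntp_signd/
restrict default mssntp
disable monitor
EOL
fi

systemctl restart ntp
sudo service ntp stop
sudo ntpdate -o 1 br.pool.ntp.org
sudo service ntp start

##################################
##     Disable IPv6 protocol    ##
##################################
# Uses the detected NIC instead of a hard-coded eth0 (falls back to eth0
# when detection produced nothing); appended once so re-runs stay clean.
if ! grep -qF 'net.ipv6.conf.all.disable_ipv6' /etc/sysctl.conf; then
cat >> /etc/sysctl.conf << EOL
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.${nic:-eth0}.disable_ipv6 = 1
EOL
fi

sudo sysctl -p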

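## Domain provisioning
## Back up the samba smb.conf shipped by the package
mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
# NOTE(review): --adminpass puts the password on the command line, where
# other local users can read it (ps, /proc/*/cmdline) while provisioning
# runs; leaving the option out makes samba-tool prompt for it instead.
# Abort on failure: every following step depends on a provisioned domain.
samba-tool domain provision --use-rfc2307 --server-role=dc --dns-backend=SAMBA_INTERNAL \
  --realm="$dc_domain_realm" --domain="$domain" --adminpass="$pass" \
  || { printf 'Falha no provisionamento do dominio\n' >&2; exit 1; }

## Enable the samba AD DC service
systemctl unmask samba-ad-dc
systemctl enable samba-ad-dc
systemctl start samba-ad-dc

# Stop the stand-alone winbind unit, then bounce the DC (the original did
# stop + start; restart is the same sequence).
systemctl stop winbind
systemctl restart samba-ad-dc

## Administrator account: password never expires
samba-tool user setexpiry administrator --noexpiry

## Back up krb5.conf and use the one generated by the provisioning
mv /etc/krb5.conf /etc/krb5.conf.bkp
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf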

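##################################
##          Adjustments         ##
##################################
#sudo ln -s /var/lib/samba/private/secrets.keytab /etc/krb5.keytab
sudo pam-auth-update --enable mkhomedir
## Let the ntp user reach samba's signing socket directory
sudo chown root:ntp /var/lib/samba/ntp_signd/

## Map the DNS domain to the Kerberos realm. The mappings belong in a
## [domain_realm] section; appended bare (as the original did) they land
## in whatever section closes the generated file and are ignored.
cat >> /etc/krb5.conf << EOL

[domain_realm]
.$dc_domain_realm = $dc_domain
$dc_domain_realm = $dc_domain
EOL

# pam-auth-update above already enables mkhomedir; keep the explicit line
# from the original but do not add it twice.
if ! grep -qF 'pam_mkhomedir.so umask=0022 skel=/etc/skel' /etc/pam.d/common-session; then
cat >> /etc/pam.d/common-session << EOL
session required        pam_mkhomedir.so umask=0022 skel=/etc/skel
EOL
fi

## smb.conf: point `dns forwarder` at 8.8.8.8 (provisioning set it to the
## DC's own address, i.e. the server would forward to itself) and add the
## winbind/logging settings inside [global]. Anchored on the parameter
## name and the section header rather than on line numbers 3/4/10, so the
## edits do not depend on the exact layout samba-tool generated.
sed -i -E 's#^([[:space:]]*dns forwarder[[:space:]]*=).*#\1 8.8.8.8#' /etc/samba/smb.conf

sed -i \
  -e '/^\[global\]/a winbind enum users = yes' \
  -e '/^\[global\]/a winbind enum groups = yes' \
  -e '/^\[global\]/a template homedir = /home/%U' \
  -e '/^\[global\]/a template shell = /bin/bash' \
  -e '/^\[global\]/a logging = file' \
  -e '/^\[global\]/a max log size = 1000' \
  -e '/^\[global\]/a log file = /var/log/samba/log.samba' \
  /etc/samba/smb.conf
#sed -i "10s/^/interfaces = lo $nic\n/g" /etc/samba/smb.conf
#sed -i '10s/^/idmap config * : backend = tdb\n/g' /etc/samba/smb.conf
#sed -i "10s/^/idmap config $domain : backend = rid\n/g" /etc/samba/smb.conf
#sed -i "10s/^/idmap config $domain : range = 1000000-9999999\n/g" /etc/samba/smb.conf
#sed -i '10s/^/security = ads\n/g' /etc/samba/smb.conf

## nsswitch: resolve users and groups through winbind as well. Anchored on
## the passwd/group keys instead of lines 7/8, and skipped when winbind is
## already listed so a re-run does not duplicate it.
sudo sed -i -E '/winbind/! s/^((passwd|group):[[:space:]]+files)/\1 winbind/' /etc/nsswitch.conf

#sudo sed -i "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config
#sudo sed -i "s/#KerberosAuthentication no/KerberosAuthentication yes/g" /etc/ssh/sshd_config
#sudo sed -i "s/#UsePAM Yes/UsePAM no/g" /etc/ssh/sshd_config

## Reload samba's configuration and restart the dependent services
smbcontrol all reload-config
systemctl restart samba-ad-dc
systemctl restart systemd-resolved
systemctl restart ntp
systemctl restart sshd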

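##################################
##       Reverse DNS zone       ##
##################################
# Zone name derived from the server's own octets for both commands; the
# original hard-coded 0.168.192.in-addr.arpa in zonecreate, which only
# matched the 192.168.0.0/24 example and disagreed with the PTR line.
# The password goes in on stdin (not -U user%pass) so it is not visible
# in the process list.
printf '%s\n' "$pass" | samba-tool dns zonecreate "$hostname" "$ip3.$ip2.$ip1.in-addr.arpa" -U administrator
printf '%s\n' "$pass" | samba-tool dns add "$hostname" "$ip3.$ip2.$ip1.in-addr.arpa" "$ip4" PTR "$hostname" -U administrator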

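##################################
##         Final checks         ##
##################################
echo
echo "-------------------------------------"
echo " Teste de rede do NETLOGON "
echo "-------------------------------------"
echo
smbclient -L localhost -N
echo "$pass" | smbclient //localhost/netlogon -U Administrator -c 'ls'
echo
echo "-------------------------------------"
echo " Teste de Conexão com a Internet"
echo "-------------------------------------"
echo
ping -c4 google.com.br
echo
echo "-------------------------------------"
echo " Teste de Conexão NTP"
echo "-------------------------------------"
echo
sudo ntpq -p
echo
echo "-------------------------------------"
echo " Teste de Descoberta Kerberos e LDAP"
echo "-------------------------------------"
echo
host -t SRV "_kerberos._udp.$dc_domain_realm."
host -t SRV "_ldap._tcp.$dc_domain_realm."
echo
echo "-------------------------------------"
echo " Teste de Conexão com o Dominio"
echo "-------------------------------------"
echo
# Password on stdin (kinit reads it when stdin is not a terminal).
printf '%s\n' "$pass" | kinit "administrator@$dc_domain"
klist
echo
echo "-------------------------------------"
echo " Teste DNS Reverso"
echo "-------------------------------------"
nslookup "$dc_domain_realm"
nslookup "$ip1.$ip2.$ip3.$ip4"
host "$ip1.$ip2.$ip3.$ip4"
echo "-------------------------------------"
echo
echo "-------------------------------------"
echo " O Dominio do sistema é $dc_domain"
# The original printed the Administrator password here; it would end up in
# terminal scrollback and in any log capturing this run, so only refer to
# where it is defined.
echo " O usuário é administrator, e a senha é a definida na variável 'pass' deste script"
echo "-------------------------------------"
echo
echo "-------------------------------------"
echo " Acesse via broswer o WEBMIM: $ip1.$ip2.$ip3.$ip4:10000 "
echo "-------------------------------------"
echo

#net rpc rights list -U administrator
#sudo samba_dnsupdate --verbose --all-names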

