Merge pull request #3 from ybucci/develop

Updated to 4.17.0
ybucci · Oct 17, 2022 · fa4156c · fa4156c
2 parents e5dd4ef + e1ed0e2
commit fa4156c
Show file tree

Hide file tree

Showing 12 changed files with 227 additions and 73 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,15 +1,11 @@
 FROM oraclelinux:8
 ARG SAMBA_VERSION=4.17.0
 RUN yum update -y && yum install -y dnf-plugins-core && yum install -y epel-release && set -xueo pipefail && dnf config-manager --enable ol8_codeready_builder ol8_baseos_latest ol8_appstream && dnf update -y
-RUN yum install -y --setopt=install_weak_deps=False "@Development Tools" acl attr autoconf avahi-devel bind bind-utils binutils bison ccache chrpath cups-devel curl dbus-devel docbook-dtds docbook-style-xsl flex gawk gcc gdb git glib2-devel glibc-common glibc-langpack-en glusterfs-api-devel glusterfs-devel gnutls-devel gpgme-devel gzip hostname htop jansson-devel keyutils-libs-devel krb5-devel krb5-server krb5-workstation libacl-devel libarchive-devel libattr-devel libblkid-devel libbsd-devel libcap-devel libcephfs-devel libicu-devel libpcap-devel libtasn1-devel libtasn1-tools libtirpc-devel libunwind-devel libuuid-devel libxslt lmdb lmdb-devel make mingw64-gcc ncurses-devel openldap-devel pam-devel patch perl perl-Archive-Tar perl-ExtUtils-MakeMaker perl-JSON perl-Parse-Yapp perl-Test-Simple perl-generators perl-interpreter pkgconfig popt-devel procps-ng psmisc python3 python3-cryptography python3-devel python3-dns python3-gpg python3-iso8601 python3-libsemanage python3-markdown python3-policycoreutils python3-pyasn1 python3-setproctitle quota-devel readline-devel redhat-lsb rng-tools rpcgen rpcsvc-proto-devel rsync sed sudo systemd-devel tar tracker-devel tree wget which xfsprogs-devel yum-utils zlib-devel supervisor && yum clean all
+RUN yum install -y --setopt=install_weak_deps=False "@Development Tools" chrony acl attr autoconf avahi-devel bind bind-utils binutils bison ccache chrpath cups-devel curl dbus-devel docbook-dtds docbook-style-xsl flex gawk gcc gdb git glib2-devel glibc-common glibc-langpack-en glusterfs-api-devel glusterfs-devel gnutls-devel gpgme-devel gzip hostname htop jansson-devel keyutils-libs-devel krb5-devel krb5-server krb5-workstation libacl-devel libarchive-devel libattr-devel libblkid-devel libbsd-devel libcap-devel libcephfs-devel libicu-devel libpcap-devel libtasn1-devel libtasn1-tools libtirpc-devel libunwind-devel libuuid-devel libxslt lmdb lmdb-devel make mingw64-gcc ncurses-devel openldap-devel pam-devel patch perl perl-Archive-Tar perl-ExtUtils-MakeMaker perl-JSON perl-Parse-Yapp perl-Test-Simple perl-generators perl-interpreter pkgconfig popt-devel procps-ng psmisc python3 python3-cryptography python3-devel python3-dns python3-gpg python3-iso8601 python3-libsemanage python3-markdown python3-policycoreutils python3-pyasn1 python3-setproctitle quota-devel readline-devel redhat-lsb rng-tools rpcgen rpcsvc-proto-devel rsync sed sudo systemd-devel tar tracker-devel tree wget which xfsprogs-devel yum-utils zlib-devel supervisor && yum clean all
 RUN wget https://download.samba.org/pub/samba/stable/samba-$SAMBA_VERSION.tar.gz && tar -xvf samba-$SAMBA_VERSION.tar.gz && cd samba-$SAMBA_VERSION && ./configure --prefix /usr --enable-fhs --sysconfdir=/etc --localstatedir=/var --with-privatedir=/var/lib/samba/private --with-piddir=/var/run/samba --with-automount --datadir=/usr/share --with-lockdir=/var/run/samba --with-statedir=/var/lib/samba --with-cachedir=/var/cache/samba && make -j4 && make install && rm -rf /samba-$SAMBA_VERSION*
-COPY nsswitch.conf /etc/nsswitch.conf
-COPY named.conf /etc/named.conf
+COPY  files/ /
 RUN chown named:named /etc/named.conf && echo 'OPTIONS="-4"' >> /etc/sysconfig/named
 RUN ln -s /usr/lib/libnss_winbind.so.2 /lib64/ && ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so && ldconfig && ldconfig && rm -rf /etc/samba/smb.conf
-ADD entrypoint.sh /entrypoint/entrypoint.sh
-COPY supervisord* /entrypoint/
-COPY krb5.conf /entrypoint/
 RUN chmod +x /entrypoint/entrypoint.sh
 ENTRYPOINT ["/entrypoint/entrypoint.sh"]
-CMD ["samba"]
+CMD ["samba"] 
diff --git a/README.md b/README.md
@@ -14,7 +14,7 @@ See the following examples on how to start/setup the DC and FileServer
 - Pull the image
 
 ```bash
-docker pull yuribucci/samba4-dc:1.0.0_4.17.0
+docker pull ybucci/samba4-ad:1.0.0_4.17.0
 ```
 
 - Edit resolv.conf and point DNS to your local server and search domain
@@ -41,7 +41,6 @@ docker run -d -it  \
     -e SAMBA_DC_DOMAIN="CONTOSO" \
     -e SAMBA_INTERFACE="eth1" \
     -v /etc/timezone:/etc/timezone:ro \
-    -v /etc/localtime:/etc/localtime:ro \
     -v ${PWD}/samba/domain:/var/lib/samba \
     -v ${PWD}/samba/config:/etc/samba \
     -v ${PWD}/samba/logs:/var/log/samba \
@@ -50,15 +49,15 @@ docker run -d -it  \
     -h server-pdc.contoso.local -P \
     --restart=unless-stopped \
     --name samba-pdc \
-    yuribucci/samba4-dc:1.0.0_4.17.0
+    ybucci/samba4-ad:1.0.0_4.17.0
 ```
 
 ### How to Domain DC Domain Join
 
 - Pull the image
 
 ```bash
-docker pull yuribucci/samba4-dc:1.0.0_4.17.0
+docker pull ybucci/samba4-ad:1.0.0_4.17.0
 ```
 
 - Edit resolv.conf and point DNS to your local server and search domain
@@ -86,7 +85,6 @@ docker run -d -it  \
     -e SAMBA_DC_DOMAIN="CONTOSO" \
     -e SAMBA_INTERFACE="eth1" \
     -v /etc/timezone:/etc/timezone:ro \
-    -v /etc/localtime:/etc/localtime:ro \
     -v ${PWD}/samba/domain:/var/lib/samba \
     -v ${PWD}/samba/config:/etc/samba \
     -v ${PWD}/samba/logs:/var/log/samba \
@@ -95,7 +93,7 @@ docker run -d -it  \
     -h server-dc.contoso.local -P \
     --restart=unless-stopped \
     --name samba-dc \
-    yuribucci/samba4-dc:1.0.0_4.17.0
+    ybucci/samba4-ad:1.0.0_4.17.0
 ```
 
 - Wait for succesfull join, after that change the resolv.conf
@@ -110,7 +108,7 @@ nameserver 192.168.18.131 # IP of your DC server
 - Pull the image
 
 ```bash
-docker pull yuribucci/samba4-dc:1.0.0_4.17.0
+docker pull ybucci/samba4-ad:1.0.0_4.17.0
 ```
 
 - Edit resolv.conf and point DNS to your local server and search domain
@@ -139,16 +137,15 @@ docker run -d -it  \
     -e SAMBA_DC_DOMAIN="CONTOSO" \
     -e SAMBA_INTERFACE="eth1" \
     -v /etc/timezone:/etc/timezone:ro \
-    -v /etc/localtime:/etc/localtime:ro \
-    -v ${PWD}/samba/domain:/var/lib/samba/private \
+    -v ${PWD}/samba/domain:/var/lib/samba \
     -v ${PWD}/samba/config:/etc/samba \
     -v ${PWD}/samba/logs:/var/log/samba \
     -v ${PWD}/samba/shares:/samba/shares \
     --net host --privileged \
     -h server-fs.contoso.local -P \
     --restart=unless-stopped \
     --name samba-fs \
-    yuribucci/samba4-dc:1.0.0_4.17.0
+    ybucci/samba4-ad:1.0.0_4.17.0
 ```
 
 

diff --git a/files/entrypoint/chrony-fs.conf b/files/entrypoint/chrony-fs.conf
@@ -0,0 +1,36 @@
+# Record the rate at which the system clock gains/losses time.
+driftfile /var/lib/chrony/drift
+
+# Allow the system clock to be stepped in the first three updates
+# if its offset is larger than 1 second.
+makestep 1.0 3
+
+# Enable kernel synchronization of the real-time clock (RTC).
+rtcsync
+
+# Enable hardware timestamping on all interfaces that support it.
+#hwtimestamp *
+
+# Increase the minimum number of selectable sources required to adjust
+# the system clock.
+#minsources 2
+
+# Allow NTP client access from local network.
+#allow 192.168.0.0/16
+
+# Serve time even if not synchronized to a time source.
+#local stratum 10
+
+# Specify file containing keys for NTP authentication.
+keyfile /etc/chrony.keys
+
+# Get TAI-UTC offset and leap seconds from the system tz database.
+leapsectz right/UTC
+
+# Specify directory for log files.
+logdir /var/log/chrony
+
+# Select which information is logged.
+#log measurements statistics tracking
+
+# Servers
diff --git a/files/entrypoint/chrony.conf b/files/entrypoint/chrony.conf
@@ -0,0 +1,46 @@
+# Welcome to the chrony configuration file. See chrony.conf(5) for more
+# information about usuable directives.
+
+# This directive specify the location of the file containing ID/key pairs for
+# NTP authentication.
+keyfile /etc/chrony/chrony.keys
+
+# This directive specify the file into which chronyd will store the rate
+# information.
+driftfile /var/lib/chrony/chrony.drift
+
+# Uncomment the following line to turn logging on.
+#log tracking measurements statistics
+
+# Log files location.
+logdir /var/log/chrony
+
+# Stop bad estimates upsetting machine clock.
+maxupdateskew 100.0
+
+# This directive tells 'chronyd' to parse the 'adjtime' file to find out if the
+# real-time clock keeps local time or UTC. It overrides the 'rtconutc' directive.
+hwclockfile /etc/adjtime
+
+# This directive enables kernel synchronisation (every 11 minutes) of the
+# real-time clock. Note that it can’t be used along with the 'rtcfile' directive.
+rtcsync
+
+# Step the system clock instead of slewing it if the adjustment is larger than
+# one second, but only in the first three clock updates.
+makestep 1 3
+
+# Endereço IP do Servidor
+bindcmdaddress 0.0.0.0
+
+# Servidores NTP
+server 0.br.pool.ntp.org iburst
+server 1.br.pool.ntp.org iburst
+server 2.br.pool.ntp.org iburst
+server 3.br.pool.ntp.org iburst
+
+# Libera para todas as máquinas
+allow 0.0.0.0/0 # dns netmask
+
+# Socket de conversão com o Samba4
+ntpsigndsocket /var/lib/samba/ntp_signd/
diff --git a/entrypoint.sh → files/entrypoint/entrypoint.sh b/entrypoint.sh → files/entrypoint/entrypoint.sh
@@ -16,6 +16,16 @@ info () {
   echo "[INFO] $@"
 }
 
+if [ ! -d /var/lib/samba/private ]; then
+  mkdir /var/lib/samba/private
+  chmod 700 /var/lib/samba/private
+fi
+
+if [ ! -d /var/lib/samba/bind-dns ]; then
+  mkdir /var/lib/samba/bind-dns
+  chmod 770 /var/lib/samba/bind-dns
+fi
+
 if [ ! -f /etc/samba/smb.conf ]; then
 
   : "${SAMBA_DC_REALM:?SAMBA_DC_REALM must be set}"
@@ -30,7 +40,6 @@ if [ ! -f /etc/samba/smb.conf ]; then
   case "${SAMBA_DC_ACTION}" in
     "join")
       info "${SAMBA_DC_DOMAIN} - Begin Domain Joining"
-      cp /entrypoint/supervisord-dc.conf /etc/supervisord.d/supervisord.conf
       samba-tool domain join "${SAMBA_DC_REALM}" DC \
         --dns-backend="BIND9_DLZ" \
         --username="Administrator" \
@@ -47,10 +56,12 @@ if [ ! -f /etc/samba/smb.conf ]; then
       rm -rf /etc/krb5.conf
       cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
       chown root:named /etc/krb5.conf
-      chown root:named /var/lib/samba/bind-dns -R      ;;
+      chown root:named /var/lib/samba/bind-dns -R
+      mkdir /var/lib/samba/ntp_signd/
+      chmod 0750 /var/lib/samba/ntp_signd/
+      chown root.chrony /var/lib/samba/ntp_signd/       ;;
     "provision")
       info "${SAMBA_DC_DOMAIN} - Begin Domain Provisioning"
-      cp /entrypoint/supervisord-dc.conf /etc/supervisord.d/supervisord.conf
       samba-tool domain provision --domain="${SAMBA_DC_DOMAIN}" \
         --adminpass="${SAMBA_DC_ADMIN_PASSWD}" \
         --server-role=dc \
@@ -68,10 +79,12 @@ if [ ! -f /etc/samba/smb.conf ]; then
       rm -rf /etc/krb5.conf
       cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
       chown root:named /etc/krb5.conf
-      chown root:named /var/lib/samba/bind-dns -R      ;;
+      chown root:named /var/lib/samba/bind-dns -R
+      mkdir /var/lib/samba/ntp_signd/
+      chmod 0750 /var/lib/samba/ntp_signd/
+      chown root.chrony /var/lib/samba/ntp_signd/       ;;      
     "member")
       info "${SAMBA_DC_DOMAIN} - Begin Member Join"
-      cp /entrypoint/supervisord-fs.conf /etc/supervisord.d/supervisord.conf
       cp /entrypoint/krb5.conf /etc/krb5.conf
       SAMBA_DC_REALM_UPPER=$(echo $SAMBA_DC_REALM | tr 'a-z' 'A-Z')
       sed -i "s/CHANGE_ME/$SAMBA_DC_REALM_UPPER/g" /etc/krb5.conf
@@ -97,10 +110,25 @@ fi
 
 case "${SAMBA_DC_ACTION}" in
   "join")
-    cp /entrypoint/supervisord-dc.conf /etc/supervisord.d/supervisord.conf      ;;
+    rm -rf /etc/krb5.conf
+    cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
+    chown root:named /etc/krb5.conf
+    chown root:named /var/lib/samba/bind-dns -R  
+    cp /entrypoint/chrony.conf /etc/chrony.conf
+    cp /entrypoint/supervisord-dc.conf /etc/supervisord.d/supervisord.conf
+    ;;
   "provision")
-    cp /entrypoint/supervisord-dc.conf /etc/supervisord.d/supervisord.conf       ;;
+    rm -rf /etc/krb5.conf
+    cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
+    chown root:named /etc/krb5.conf
+    chown root:named /var/lib/samba/bind-dns -R  
+    cp /entrypoint/chrony.conf /etc/chrony.conf
+    cp /entrypoint/supervisord-dc.conf /etc/supervisord.d/supervisord.conf 
+    ;;
   "member")
+    cp /entrypoint/chrony-fs.conf /etc/chrony.conf
+    GET_HOSTS=$(cat /etc/hosts | awk '{print $2}' | egrep -iv "localhost|samba|#|^$|$(hostname)")
+    for i in `echo $GET_HOSTS`; do if ! grep -qF "pool $i iburst" /etc/chrony.conf; then echo "pool $i iburst" >> /etc/chrony.conf; fi; done
     cp /entrypoint/supervisord-fs.conf /etc/supervisord.d/supervisord.conf
     cp /entrypoint/krb5.conf /etc/krb5.conf
     SAMBA_DC_REALM_UPPER=$(echo $SAMBA_DC_REALM | tr 'a-z' 'A-Z')

diff --git a/krb5.conf → files/entrypoint/krb5.conf b/krb5.conf → files/entrypoint/krb5.conf
diff --git a/supervisord-dc.conf → files/entrypoint/supervisord-dc.conf b/supervisord-dc.conf → files/entrypoint/supervisord-dc.conf
@@ -22,4 +22,24 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
+autorestart=true
+
+[program:rsyslog]
+command=/usr/sbin/rsyslogd -n
+stdout_events_enabled=true
+stderr_events_enabled=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autorestart=true
+
+[program:chronyd]
+command=/usr/sbin/chronyd -4 -d -f /etc/chrony.conf
+stdout_events_enabled=true
+stderr_events_enabled=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 autorestart=true
diff --git a/supervisord-fs.conf → files/entrypoint/supervisord-fs.conf b/supervisord-fs.conf → files/entrypoint/supervisord-fs.conf
@@ -32,4 +32,24 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
+autorestart=true
+
+[program:rsyslog]
+command=/usr/sbin/rsyslogd -n
+stdout_events_enabled=true
+stderr_events_enabled=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autorestart=true
+
+[program:chronyd]
+command=/usr/sbin/chronyd -4 -d -f /etc/chrony.conf
+stdout_events_enabled=true
+stderr_events_enabled=true
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 autorestart=true
diff --git a/named.conf → files/etc/named.conf b/named.conf → files/etc/named.conf
diff --git a/nsswitch.conf → files/etc/nsswitch.conf b/nsswitch.conf → files/etc/nsswitch.conf
diff --git a/files/etc/rsyslog.conf b/files/etc/rsyslog.conf
@@ -0,0 +1,60 @@
+# rsyslog configuration file
+
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+
+#### MODULES ####
+
+module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
+       SysSock.Use="on") # Turn off message reception via local log socket;
+                          # local messages are retrieved through imjournal now.
+#module(load="imjournal"            # provides access to the systemd journal
+#       StateFile="imjournal.state") # File to store the position in the journal
+#module(load="imklog") # reads kernel messages (the same are read from journald)
+#module(load="immark") # provides --MARK-- message capability
+
+# Provides UDP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imudp.html
+#module(load="imudp") # needs to be done just once
+#input(type="imudp" port="514")
+
+# Provides TCP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imtcp.html
+#module(load="imtcp") # needs to be done just once
+#input(type="imtcp" port="514")
+
+#### GLOBAL DIRECTIVES ####
+
+# Where to place auxiliary files
+global(workDirectory="/var/lib/rsyslog")
+
+# Use default timestamp format
+module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
+
+# Include all config files in /etc/rsyslog.d/
+include(file="/etc/rsyslog.d/*.conf" mode="optional")
+
+#### RULES ####
+
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.*                                                 /dev/console
+
+
+local5.* /var/log/samba/audit.log
+#*.* /var/log/messages
+#mail.* /var/log/mail
+
+# ### sample forwarding rule ###
+#action(type="omfwd"
+# An on-disk queue is created for this action. If the remote host is
+# down, messages are spooled to disk and sent when it is up again.
+#queue.filename="fwdRule1"       # unique name prefix for spool files
+#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
+#queue.saveonshutdown="on"       # save messages to disk on shutdown
+#queue.type="LinkedList"         # run asynchronously
+#action.resumeRetryCount="-1"    # infinite retries if host is down
+# Remote Logging (we use TCP for reliable delivery)
+# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
+#Target="remote_host" Port="XXX" Protocol="tcp")