diff --git a/.gitattributesdb b/.gitattributesdb
index df29729..38e94ad 100644
--- a/.gitattributesdb
+++ b/.gitattributesdb
@@ -118,6 +118,7 @@ ZXRjL2hvc3RuYW1l 1757594311.000000000 1777400265.660000000 root:root 0644 - -
 ZXRjL2hvc3Rz 1775846139.436411007 1777400265.660000000 root:root 0644 - -
 ZXRjL2luaXQuZC8uZ2l0aWdub3Jl 1775484728.393595405 1777400265.660000000 root:root 0644 - -
 ZXRjL2luaXQuZC9maXJld2FsbA== 1776520875.412000000 1777400254.148000000 root:root 0777 - -
+ZXRjL2luaXQuZC9zYW1iYS1hZC1kYw== 1777226878.460000000 1777404401.440000000 root:root 0755 - -
 ZXRjL2luaXQuZC90ZXJyYWZvcm0taHR0cC1iYWNrZW5k 1773654405.833829368 1777400265.660000000 root:root 0755 - -
 ZXRjL2tlcm5lbC1pbWcuY29uZg== 1776526522.312000000 1777400265.680000000 root:root 0644 - -
 ZXRjL2tyYjUuY29uZg== 1776540770.172000000 1777400265.680000000 root:root 0644 - -
diff --git a/etc/init.d/samba-ad-dc b/etc/init.d/samba-ad-dc
new file mode 100755
index 0000000..c433736
--- /dev/null
+++ b/etc/init.d/samba-ad-dc
@@ -0,0 +1,63 @@
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Provides: samba-ad-dc
+# Required-Start: $network $local_fs $remote_fs autofs
+# Required-Stop: $network $local_fs $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Samba daemons for the AD DC
+# Description: Meta-service to provide AD and SMB/CIFS services to clients
+### END INIT INFO
+
+NAME=samba
+DAEMON=/usr/sbin/$NAME
+PIDFILE=/run/samba/$NAME.pid
+DESC="Samba AD DC server"
+SCRIPT=samba-ad-dc
+
+# clear conflicting settings from the environment
+unset TMPDIR
+
+test -x $DAEMON || exit 0
+/usr/share/samba/is-configured $NAME || exit 0
+
+[ -f /etc/default/samba ] && . /etc/default/samba
+
+. /lib/lsb/init-functions
+
+case "$1" in
+ (start)
+ # CVE-2013-4475
+ KEYFILE=/var/lib/samba/private/tls/key.pem
+ if [ -e $KEYFILE ]
+ then
+ KEYPERMS=`stat -c %a $KEYFILE`
+ if [ "$KEYPERMS" != "600" ]
+ then
+ echo "wrong permission on $KEYFILE, must be 600"
+ echo "samba will not start (CVE-2013-4475)"
+ echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions."
+ exit 1
+ fi
+ fi
+ log_daemon_msg "Starting $DESC" $NAME
+ start-stop-daemon --start --quiet --oknodo --exec $DAEMON --pidfile $PIDFILE -- -D $SAMBAOPTIONS
+ log_end_msg $?
+ ;;
+ (stop)
+ log_daemon_msg "Stopping $DESC" $NAME
+ start-stop-daemon --stop --quiet --oknodo --exec $DAEMON --pidfile $PIDFILE
+ log_end_msg $?
+ ;;
+ (restart|force-reload)
+ $0 stop && sleep 1 && $0 start
+ ;;
+ (status)
+ status_of_proc -p $PIDFILE $DAEMON $NAME
+ ;;
+ (*)
+ echo "Usage: /etc/init.d/$SCRIPT {start|stop|restart|force-reload|status}"
+ exit 1
+ ;;
+esac
diff --git a/etc/samba/smb.conf b/etc/samba/smb.conf
index 27a077b..0f73f4c 100644
--- a/etc/samba/smb.conf
+++ b/etc/samba/smb.conf
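Review bot: The CVE-2013-4475 guard in the `(start)` branch only ever inspects `/var/lib/samba/private/tls/key.pem`, but the `smb.conf` hunk in this same commit sets `tls keyfile = /etc/certificates/core.slackware.uk.internal_key_samba.pem`, so the key Samba actually loads is never checked and a group- or world-readable key would not stop the daemon. Read the configured path instead of hard-coding the packaged default, e.g. `KEYFILE=$(testparm -s --parameter-name='tls keyfile' 2>/dev/null)` followed by `[ -n "$KEYFILE" ] || KEYFILE=/var/lib/samba/private/tls/key.pem`, and quote `"$KEYFILE"` in the `[ -e … ]` test and the `stat` call so an unusual path cannot break the check. The check also looks only at the mode bits; comparing `stat -c %U` against `root` alongside `%a` would additionally reject a 0600 key owned by the wrong user.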
@@ -1,40 +1,47 @@
 [global]
-realm = SLACKWARE.UK.INTERNAL
-netbios name = CORE
-workgroup = SLACKWAREUKINT
-server string = "slackware.uk.internal Domain Controller"
-bind interfaces only = yes
-interfaces = lo eth1
-# FIXME:
-# dns forwarder = 5.101.171.216 5.101.171.217 185.176.90.169
-dns forwarder = 216.119.155.58 185.176.90.169
-allow dns updates = secure
-tls cafile = /etc/ssl/certs/ca-certificates.crt
-tls certfile = /etc/certificates/core.slackware.uk.internal_cert.pem
-tls keyfile = /etc/certificates/core.slackware.uk.internal_key_samba.pem
-tls verify peer = ca_and_name_if_available
-log level = 1
-logging = syslog:local5
-log file = /var/log/samba/samba-debug
-debug syslog format = always
-debug hires timestamp = no
-enable core files = no
-idmap config * : backend = tdb
-# There are only 568 IDs mapped into the container by TrueNAS, so limit the number that can be used.
-idmap config * : range = 10000-10500
-idmap_ldb:use rfc2307 = yes
-password hash userPassword schemes = CryptSHA512
-server role = active directory domain controller
-username map = /etc/samba/smbusers
-vfs objects = dfs_samba4 posixacl acl_xattr
-nfs4acl_xattr:encoding = nfs
-nfs4acl_xattr:version = 41
-nfs4acl_xattr:xattr_name = user.nfs4_acl
-nfs4acl_xattr:default acl style = windows
 acl_xattr:security_acl_name = user.NTACL
 acl_xattr:default acl style = windows
 add machine script = /usr/sbin/useradd -c "%u machine account" -d /dev/null -g machines -M -N -s /bin/false %u
 add user script = /usr/sbin/useradd -c "%u domain user" -d /dev/null -g users -M -N -s /bin/false %u
+allow dns updates = secure
+bind interfaces only = yes
+debug syslog format = always
+debug hires timestamp = no
+# FIXME:
+# dns forwarder = 5.101.171.216 5.101.171.217 185.176.90.169
+dns forwarder = 216.119.155.58 185.176.90.169
+#dsdb:schema update allowed = true
+enable core files = no
+idmap config * : backend = tdb
+idmap config * : range = 1000000 - 9999999
+idmap config SLACKWARE.UK.INTERNAL : backend = ad
+idmap config SLACKWARE.UK.INTERNAL : schema_mode = rfc2307
+idmap config SLACKWARE.UK.INTERNAL : range = 100 - 10000
+idmap config SLACKWARE.UK.INTERNAL : unix_nss_info = yes
+idmap config SLACKWARE.UK.INTERNAL : unix_primary_group = yes
+idmap_ldb:use rfc2307 = yes
+interfaces = lo eth1
+logging = syslog:local5
+log file = /var/log/samba/samba-debug
+log level = 1
+netbios name = CORE
+nfs4acl_xattr:encoding = nfs
+nfs4acl_xattr:version = 41
+nfs4acl_xattr:xattr_name = user.nfs4_acl
+nfs4acl_xattr:default acl style = windows
+password hash userPassword schemes = CryptSHA512
+realm = SLACKWARE.UK.INTERNAL
+server role = active directory domain controller
+server string = "slackware.uk.internal Domain Controller"
+template shell = /bin/bash
+template homedir = /home/%U
+tls cafile = /etc/ssl/certs/ca-certificates.crt
+tls certfile = /etc/certificates/core.slackware.uk.internal_cert.pem
+tls keyfile = /etc/certificates/core.slackware.uk.internal_key_samba.pem
+tls verify peer = ca_and_name_if_available
+username map = /etc/samba/smbusers
+vfs objects = dfs_samba4 posixacl acl_xattr
+workgroup = SLACKWAREUKINT
 # [homes]