liannnix revised this gist 1 month ago. Go to revision
No changes
liannnix revised this gist 1 month ago. Go to revision
1 file changed, 0 insertions, 0 deletions
samba-dc-deploy.md renamed to samba-dc-deploy.sh
File renamed without changes
liannnix revised this gist 1 month ago. Go to revision
1 file changed, 58 insertions
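--- /dev/null
+++ b/samba-dc-deploy.md
@@ -0,0 +1,58 @@
+# Install samba-dc and provision master into LXC container
+apt-get install samba-dc
+
+rm -rf /etc/samba/smb.conf
+samba-tool domain provision --domain DEV --realm=dev.srt.basealt.ru --site infra --dns-backend=SAMBA_INTERNAL --server-role=dc --function-level=2016 --use-rfc2307 --backend-store=mdb --option="ad dc functional level = 2016"
+sed -i '/\[global\]/a \\tad dc functional level = 2016' /etc/samba/smb.conf
+
+systemctl enable samba.service
+systemctl start samba.service
+
+# Install bind dns
+apt-get install bind
+control bind-chroot disabled
+sed -i '/options {/a \\ttkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";' /etc/bind/options.conf
+sed -i '/options {/a \\tminimal-responses yes;' /etc/bind/options.conf
+sed -i -E 's/^([ \t]*)(listen-on\s+\{.*\};)$/\1\/\/\2/g' /etc/bind/options.conf
+sed -i -E 's/^([ \t]*)(listen-on-v6\s+\{.*\};)$/\1\/\/\2/g' /etc/bind/options.conf
+sed -i -E 's/^([ \t]*)\/\/(forwarders\s+\{).*(\};)$/\1\2 10.64.224.3; 10.64.0.16; 10.64.0.17; \3/g' /etc/bind/options.conf
+sed -i -E 's/^([ \t]*)\/\/(allow-query\s+\{).*(\};)$/\1\2 any; \3/g' /etc/bind/options.conf
+sed -i -E 's/^([ \t]*)\/\/(allow-recursion\s+\{).*(\};)$/\1\2 any; \3/g' /etc/bind/options.conf
+echo 'include "/var/lib/samba/bind-dns/named.conf";' >> /etc/bind/named.conf
+sed -i -E '/\[global\]/a \\tserver services = -dns' /etc/samba/smb.conf
+
+systemctl stop samba
+systemctl start bind
+systemctl start samba
+
+# Domain auth in DC
+apt-get install task-auth-ad-winbind gpupdate alterator-roles-common
+sed -i -E 's/^[ #]?(dns_lookup_realm)\s+=\s+[a-zA-Z]+$/ \1 = false/' /etc/krb5.conf
+sed -i -E 's/^[ #]+(default_realm)\s+=\s+[a-zA-Z.-]+$/ \1 = DEV.SRT.BASEALT.RU/' /etc/krb5.conf
+
+/etc/samba/smb.conf:
+[Global]
+## Local domain auth
+kerberos method = dedicated keytab
+dedicated keytab file = /etc/krb5.keytab
+template shell = /bin/bash
+template homedir = /home/%D/%U
+wins support = no
+winbind use default domain = yes
+winbind enum users = no
+winbind enum groups = no
+winbind refresh tickets = yes
+winbind offline logon = yes
+
+/etc/nsswitch.conf:
+passwd: files winbind systemd
+shadow: tcb files winbind
+group: files [SUCCESS=merge] winbind systemd role
+
+control system-auth winbind
+control sudowheel enabled
+net ads keytab create
+roleadd 'domain users' users
+roleadd 'domain admins' localadmins
+systemctl restart samba.service
+gpupdate-setup enable --local-policy ad-domain-controller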
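Review bot: The `allow-recursion` rewrite on line 20 of the hunk sets `any;`, and because lines 16–17 comment out `listen-on`/`listen-on-v6` named answers on every interface, so this DC becomes an open recursive resolver exposed to reflection/amplification abuse and to cache-poisoning attempts from anything that can reach the container; restrict recursion to the networks that need it, e.g. `sed -i -E 's/^([ \t]*)\/\/(allow-recursion\s+\{).*(\};)$/\1\2 localnets; localhost; \3/g' /etc/bind/options.conf` or a named ACL for the internal client ranges, and keep `allow-query { any; }` only for the authoritative AD zones. `control bind-chroot disabled` on line 13 removes the chroot around named; if it is required so named can reach `/var/lib/samba/bind-dns/`, a comment stating that would stop a later hardening pass from re-enabling it and silently breaking dynamic DNS updates. Lines 33–50 are configuration excerpts (`/etc/samba/smb.conf:`, `[Global]`, `/etc/nsswitch.conf:`) rather than commands, so once the file is renamed to `samba-dc-deploy.sh` in the later revision it cannot run as written; turn them into heredocs written to the target files, or into comments that say they are to be merged by hand. `rm -rf /etc/samba/smb.conf` on line 4 targets a single file and only needs `rm -f -- /etc/samba/smb.conf`.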
liannnix revised this gist 1 month ago. Go to revision
1 file changed, 50 insertions
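--- /dev/null
+++ b/sisyphus.sh
@@ -0,0 +1,50 @@
+# Выполнить в конце работы с шиблоном
+cloud-init clean
+cloud-init clean -s
+systemctl enable altlinux-new-instance
+shutdown now
+
+# sisyphus image setup
+apt-get update
+apt-get dist-upgrade -y
+update-kernel -y
+apt-get install -y bash-completion cloud-init qemu-guest-agent apt-repo bind-utils net-tools netplan systemd-networkd
+systemctl enable cloud-init
+systemctl enable cloud-init-local
+systemctl enable cloud-init-hotplugd.socket
+systemctl enable cloud-config.service
+systemctl enable cloud-final.service
+systemctl enable qemu-guest-agent.service
+systemctl enable sshd.service
+sed -i -E "s/^(GRUB_CMDLINE_LINUX_DEFAULT)='(.*)(\s+net\.ifnames=0)?'$/\1='\2 net.ifnames=0'/" /etc/default/grub
+grub-mkconfig -o /boot/grub/grub.cfg
+
+cat << EOF > /etc/cloud/cloud.cfg.d/10_pve.cfg
+system_info:
+  network:
+    renderers: ['netplan']
+    activators: ['netplan']
+disable_root: false
+EOF
+echo "prefer_fqdn_over_hostname: true" > /etc/cloud/cloud.cfg.d/11_fqdn_hostname.cfg
+
+cloud-init clean
+cloud-init clean -s
+
+apt-repo add 295876
+apt-get update
+apt-get -y install altlinux-new-instance
+systemctl enable altlinux-new-instance
+apt-repo rm 295876templa
+
+# Only for desktops (enable NetworkManager)
+cat << EOF > /etc/netplan/01-network-manager.yaml
+network:
+  version: 2
+  renderer: NetworkManager
+EOF
+systemctl disable systemd-networkd
+systemctl disable systemd-resolved
+
+# Only for c10f1 server custom iso
+apt-get install branding-alt-spserver-bootloader branding-alt-spserver-bootsplash branding-alt-spserver-graphics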
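Review bot: The block on lines 1–5 that the comment says should run last (`cloud-init clean`, `systemctl enable altlinux-new-instance`, `shutdown now`) sits at the top of a `.sh` file, so executing the file as a script powers the machine off before any of the image setup below runs; move it to the end behind an explicit guard or keep it as a commented reminder, and fix the typo in the comment (`шаблоном`). `apt-repo rm 295876templa` on line 38 looks like a paste artifact and will not remove the repository added on line 34; it should read `apt-repo rm 295876`. The GRUB edit on line 19 is not idempotent because the greedy `(.*)` always swallows an existing ` net.ifnames=0`, so the optional group never matches and every run appends another copy; guarding it, e.g. `grep -q 'net.ifnames=0' /etc/default/grub || sed -i -E "s/^(GRUB_CMDLINE_LINUX_DEFAULT)='(.*)'$/\1='\2 net.ifnames=0'/" /etc/default/grub`, keeps the kernel command line clean across rebuilds. `disable_root: false` in `10_pve.cfg` (line 27) re-enables direct root login for the cloud-init provisioned SSH keys on every instance built from this image; if root login is genuinely required, add a comment explaining why, otherwise keep cloud-init's default and rely on a sudo-capable default user.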