Needs Testing

- Added: example (non working) openvpn config - Update: README with new options - Added: Kerberos TGT PW change service - Some formating & shellcheck
wus-technik · Apr 12, 2022 · bdcfbd3 · bdcfbd3
1 parent cfc0305
commit bdcfbd3
Show file tree

Hide file tree

Showing 11 changed files with 1,013 additions and 328 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+
+init.sh.bak
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu
+FROM ubuntu:devel
 
 LABEL maintainer="Fmstrat <fmstrat@NOSPAM.NO>"
 
@@ -20,7 +20,61 @@ RUN apt-get update \
     && rm -fr /tmp/* /var/tmp/*
 
 COPY init.sh /init.sh
-COPY ldif/ /root/ldif/
+COPY /ldif /ldif/
 COPY /etc /etc/
+COPY /scripts /scripts/
 
-CMD /init.sh setup
+RUN chmod +x /init.sh
+
+# DNS
+EXPOSE 53/tcp
+EXPOSE 53/udp
+
+# Kerberos
+EXPOSE 88/tcp
+EXPOSE 88/udp
+
+# NTP
+EXPOSE 123/udp
+
+# End Point Mapper (DCE/RPC Locator Service) 
+EXPOSE 135/tcp
+
+# NetBIOS Name Service
+EXPOSE 137/udp
+
+# NetBIOS Datagram Service
+EXPOSE 138/udp
+
+# NetBIOS Session Service
+EXPOSE 139/tcp
+
+# LDAP
+EXPOSE 389/tcp
+EXPOSE 389/udp
+
+# SMB over TCP
+EXPOSE 445/tcp
+
+# Kerberos Change/Set password
+EXPOSE 464/tcp
+EXPOSE 464/udp
+
+# LDAPS
+EXPOSE 636/tcp
+
+# msft-gc, Microsoft Global Catalog
+EXPOSE 3268/tcp
+
+# msft-gc, Microsoft Global Catalog over SSL
+EXPOSE 3269/tcp
+
+# Dynamic RPC Ports # LIMITED TO 18 CONNECTIONS FOR SMALL ARM PROXY DEVICES
+# EXPOSE 49152-65535/tcp
+EXPOSE 49152-49170/tcp
+
+WORKDIR /
+
+HEALTHCHECK CMD smbcontrol smbd num-children || exit 1
+
+ENTRYPOINT ["bash", "init.sh"]
diff --git a/README.md b/README.md
@@ -1,22 +1,34 @@
+# FORKED
+![Githubg Workflow Image CI](https://img.shields.io/github/workflow/status/burnbabyburn/docker-ubuntu-samba-dc/Docker%20Image%20CI)
+* No OpenVPN testing
+* No second DC testing
+
 # Samba Active Directory Domain Controller for Docker
 
 A well documented, tried and tested Samba Active Directory Domain Controller that works with the standard Windows management tools; built from scratch using internal DNS and kerberos and not based on existing containers.
 
 ## Environment variables for quick start
-
+* `BIND_INTERFACE` boolean to bind to interfaces. Avoids messing up samba dns entries with random interface ip. defaults to false
+* `INTERFACES` container internal interfaces to bind to. docker interface names are given alphabetically. e.g. docker-network-name=a => eth0 in container; docker-network-name=b => eth1 in container . Valid values would be `eth0` or a list seperated by space `eth0 eth1`
+* `DOMAIN_NETBIOS` NETBIOS domain name. defaults to first portion of DNS DOMAIN NAME. e.g. DNS-Domain=SAMDOM.EXAMPLE.COM - NETBIOS-Domain=SAMDOM
+* `HOSTNAME` Hostname of the dc
+#* `IMAP_ID_START` BaseID to derive SID and GID from. defaults to 1000
+#* `IMAP_SID_START` ID to which to start SID from. defaults to `IMAP_ID_START`
+#* `IMAP_GID_START` ID to which to start GID from. defaults to `IMAP_ID_START`
 * `DOMAIN` defaults to `CORP.EXAMPLE.COM` and should be set to your domain
+* `DOMAINUSER` Domain administrator username. Use docker secrets
 * `DOMAINPASS` should be set to your administrator password, be it existing or new. This can be removed from the environment after the first setup run.
 * `HOSTIP` can be set to the IP you want to advertise.
 * `JOIN` defaults to `false` and means the container will provision a new domain. Set this to `true` to join an existing domain.
-* `JOINSITE` is optional and can be set to a site name when joining a domain, otherwise the default site will be used.
+* `JOINSITE` is optional and can be set to a site name when joining and creating a domain, otherwise the default site name will be used.
 * `DNSFORWARDER` is optional and if an IP such as `192.168.0.1` is supplied will forward all DNS requests samba can't resolve to that DNS server. Only add once. Add multiple forwarder speerated by spaces. Otherwise smb.conf will break
 * `INSECURELDAP` defaults to `false`. When set to true, it removes the secure LDAP requirement. While this is not recommended for production it is required for some LDAP tools. You can remove it later from the smb.conf file stored in the config directory.
 * `MULTISITE` defaults to `false` and tells the container to connect to an OpenVPN site via an ovpn file with no password. For instance, if you have two locations where you run your domain controllers, they need to be able to interact. The VPN allows them to do that.
 * `NOCOMPLEXITY` defaults to `false`. When set to `true` it removes password complexity requirements including `complexity, history-length, min-pwd-age, max-pwd-age`
 * `TLS` defaults to `false`. When set to `true` it creates certificate files for ldaps
 * `LOGS` defaults to `false`. When set to `true` it creates log file in /var/log/samba for kerberos and samba. Add a mapping
-* `ADLOGINONUNIX` defaults to `false`. When false nothing changes. When true windbind is added to `/etc/nsswitch.conf` and `windbind enum users` and `winbind enum groups` are enabled.
-* `FREERADIUS` defaults to `false`. When false nothing changes. When true ntlm auth = mschapv2-and-ntlmv2-only is added to config.
+#* `ADLOGINONUNIX` defaults to `false`. When false nothing changes. When true windbind is added to `/etc/nsswitch.conf` and `windbind enum users` and `winbind enum groups` are enabled.
+* `MSCHAPV2` defaults to `false`. When false nothing changes. When true ntlm auth = mschapv2-and-ntlmv2-only is added to config.
 
 ## Add Reverse DNS Zone
 docker exec -it samba-ad-dc "samba-tool dns zonecreate <Your-AD-DNS-Server-IP-or-hostname> <NETADDR>.in-addr.arpa -U<URDOMAIN>\administrator --password=<DOMAINPASS>"

diff --git a/etc/krb5.conf b/etc/krb5.conf
@@ -1,20 +1,24 @@
 [libdefaults]
-    dns_lookup_realm = false
-    dns_lookup_kdc = true
-    default_realm = {{ UDOMAIN }}
-#    forwardable = true
-#    rdns = false
-#    ticket_lifetime = 24h
-#    renew_lifetime = 7d
+  dns_lookup_realm = false
+  dns_lookup_kdc = true
+  default_realm = {{ UDOMAIN }}
+#  forwardable = true
+#  rdns = false
+#  ticket_lifetime = 24h
+#  renew_lifetime = 7d
+
+[logging]
+  default = CONSOLE
+#  default = FILE:/var/log/samba/krb5libs.log
+  kdc = CONSOLE
+#  kdc = FILE:/var/log/samba/krb5kdc.log
+  admin_server = CONSOLE
+#  admin_server = FILE:/var/log/samba/kadmind.log
 
-#[logging]
-#    default = FILE:/var/log/samba/krb5libs.log
-#    kdc = FILE:/var/log/samba/krb5kdc.log
-#    admin_server = FILE:/var/log/samba/kadmind.log
 #[realms]
 # {{ UDOMAIN }} = {
-#  kdc = {{ NETBIOS_NAME }}.{{ LDOMAIN }}
-#  default_domain = {{ LDOMAIN }}
+#  kdc = {{ HOSTNAME }}.{{ UDOMAIN }}
+#  default_domain = {{ UDOMAIN }}
 # }
 
 #[domain_realm]

diff --git a/etc/ntp.conf b/etc/ntp.conf
@@ -1,3 +1,6 @@
+#DEBUG
+logconfig =all
+
 driftfile /var/lib/ntp/ntp.drift
 logfile         /var/log/ntp
 ntpsigndsocket  /var/lib/samba/ntp_signd/
@@ -16,7 +19,7 @@ logfile   /var/log/ntp
 
 # Access control
 # Default restriction: Disallow everything
-restrict default ignore
+#restrict default ignore
 
 # No restrictions for localhost
 restrict 127.0.0.1

diff --git a/example.env b/example.env
@@ -0,0 +1,14 @@
+# For Slow devices
+COMPOSE_HTTP_TIMEOUT=200
+
+# Domain Name
+DOMAINNAME=domain.tld
+
+#IP of the Docker HOST
+HOST_IP=192.168.1.2
+
+#IP Router
+ROUTER_IP=192.168.1.1
+
+#SAMBA
+SAMBA_PASSWORD=Pwd12345!