forked from thctlo/samba4
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsamba-with-nfsv4.sh
469 lines (417 loc) · 18.2 KB
/
samba-with-nfsv4.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
#!/bin/bash
##
## Version : 1.0.3
## release d.d. : 05-11-2015
## Author : L. van Belle
## E-mail : [email protected]
## Copyright : Free as free can be, copy it, change it if needed.
## Sidenote : if you change please inform me
## ChangeLog : 15-6-2015: small bug fix for running this on debian jessie
## ChangeLog 1.0.2 : 7-8-2015: changed /etc/exports file remove gss/krb5, see https://wiki.debian.org/NFS/Kerberos
## ChangeLog 1.0.3 : changed idmap.conf to map the servername to user root.
## : With this modification, kerberos ssh with dedicated mounted home dirs works.
## : added nfs mount fix for Debian Jessie.
## !! ROOT, without kerberos ticket !! CAN NOT ACCESS USER DIRS !!
## This script wil setup the Samba user dirs over NFS with kerberos auth.
## Howto use it.
## run it with parameter "server" or "client"
## like sudo ./scriptname server or sudo ./scriptname client
## DONT run this script server and client on the same server !
## set the nfs export paths..
## you cannot set /home here, not tested in this script.
## the users must be a separated folder
## this path wil be used for client and server setup
SAMBA_USERS_HOMEDIR="/home/users"
## NFS V4 needed settings
## Put here there server name where the exports are. ( the NFS server )
## This is the server where you did setup the "server" setting.
## put the FQDN Name here, like server.internal.domain.tld
## THIS MUST BE THE NAME USED IN DNS for kerberos auth to work.
NFSD_V4_SERVERNAME="hostname.internal.domain.tld"
## The nfs exports folder
## these 2 result in /exports/users in the script
NFSD_V4_EXPORTS_PATH="/exports"
## it should not be needed to change this one.
## this matches with the SAMBA_USERS_HOMEDIR variable
NFSD_V4_EXPORTS_USERS_PATH="/users"
## Your network where clients are connecting from.
## for now only 1 network is supported.
## if left empty we wil use your network extracted from ip adres, range /24
## example : 192.168.1.0/24"
NFSD_V4_NETWORK=""
## Use a dedicated mount for the users or automount.
## Options : dedicated or automount
## a dedicated mount is setup in fstab
## for mulpliple users use dedicated, only for ssh logins use auto.
NFS_CLIENT_MOUNT_USERS="dedicated"
# Enable ssh kerberos enable logins
SSHD_KERBEROS_ENABLED="yes"
## change this one to yes to start the script.
CONFIGURED="no"
################### FUNCTIONS #############################
SET_SCRIPT_RUN_DATE_TIME=`date +%Y-%m-%d-%H_%m`
SETTPUT=`which tput`
if [ -z ${SETTPUT} ]; then
echo "program tput not found, installing it now.. please wait"
apt-get update > /dev/null
apt-get install -y --no-install-recommends ncurses-bin > /dev/null
fi
RED=$(${SETTPUT} setaf 1)
NORMAL=$(${SETTPUT} sgr0)
GREEN=$(${SETTPUT} setaf 2)
YELLOW=$(${SETTPUT} setaf 3)
UNDERLINE=$(${SETTPUT} smul)
WHITE=$(${SETTPUT} setaf 7)
BOLD=$(${SETTPUT} bold)
function message() {
printf "%40s\n" "${WHITE}${BOLD}$@${NORMAL}"
}
function good() {
printf "%40s\n" "${GREEN}$@${NORMAL}"
}
function error() {
printf "%40s\n" "${RED}$@${NORMAL}"
}
function warning() {
printf "%40s\n" "${YELLOW}$@${NORMAL}"
}
function warning_underline() {
printf "%40s\n" "${YELLOW}${UNDERLINE}$@${NORMAL}"
}
function _apt_update_upgrade() {
message "Please wait, running update and upgrade"
apt-get update > /dev/null
apt-get upgrade -y 2&> /dev/null
echo " "
}
function _apt_install() {
apt-get install -y $1 > /dev/null
}
function _apt_install_norecommends() {
apt-get install -y --no-install-recommends $1 > /dev/null
}
function _apt_available() {
if [ `apt-cache search $1 | grep -o "$1" | uniq | wc -l` = "1" ]; then
good "Package is available : $1"
PACKAGE_INSTALL="1"
else
error "Package $1 is NOT available for install"
error "We can not continue without this package..."
error "Exitting now.."
exit 0
fi
}
function _package_install {
_apt_available $1
if [ "${PACKAGE_INSTALL}" = "1" ]; then
if [ "$(dpkg-query -l $1 | tail -n1 | cut -c1-2)" = "ii" ]; then
warning "package is already_installed: $1"
else
message "installing package : $1, please wait.."
_apt_install $1
sleep 0.5
fi
fi
}
function _package_install_no_recommends {
_apt_available $1
if [ "${PACKAGE_INSTALL}" = "1" ]; then
if [ "$(dpkg-query -l $1 | tail -n1 | cut -c1-2)" = "ii" ]; then
warning "package is already_installed: $1"
else
message "installing package : $1, please wait.."
_apt_install_norecommends $1
sleep 0.5
fi
fi
}
function _check_run_as_sudo_root() {
if ! [[ $EUID -eq 0 ]]; then
error "This script should be run using sudo or by root."
exit 1
fi
}
function _configured_script() {
if [ "${CONFIGURED}" = "no" ]; then
error "####################################################"
error "You need to configure this script first to run it. "
error " "
error "exiting script now... "
exit 0
fi
}
function _check_folder_exists() {
if [ ! -d $1 ] ; then
message "Creating folder: $1"
mkdir -p $1
fi
}
function _backup_file() {
if [ ! -f $1.backup ] ; then
message "Creating Backup of file: $1"
cp $1 $1.backup
fi
}
function _backup_file_date() {
if [ ! -f $1.${SET_SCRIPT_RUN_DATE_TIME}.backup ] ; then
message "Creating Backup of file: $1 (date include in filename)"
cp $1 $1.${SET_SCRIPT_RUN_DATE_TIME}.backup
fi
}
function _backup_folder() {
if [ ! -d $1.backup ] ; then
message "Creating Backup of folder: $1"
cp -R $1 $1.backup
fi
}
function _backup_folder_date() {
if [ ! -d $1.${SET_SCRIPT_RUN_DATE_TIME}.backup ] ; then
message "Creating Backup of folder: $1 (date include in foldername)"
cp -R $1 $1.${SET_SCRIPT_RUN_DATE_TIME}.backup
fi
}
########################## CODE #########################
_configured_script
_check_run_as_sudo_root
#############################################################
######## LEAVE THESE HERE AND DONT CHANGE THESE 4 !!!!!!
## hostname in single word, but you dont need to change this
SETHOSTNAME=`hostname -s`
## domainname.tld, but if you installed correct, you dont need to change this
SETDNSDOMAIN=`hostname -d`
## hostname.domainname.tld, but if you installed correct, you dont need to change this
SETFQDN=`hostname -f`
## server ip, if /etc/hosts is setup correct.
SETSERVERIP=`hostname -i`
SETSERVERIPNET=`hostname -i| cut -d"." -f1,2,3`
##############################################################
#### Specific NFS setup setting
SETHOSTNAME_CAPS=`echo ${SETHOSTNAME^^}`
## Samba general setting
SAMBA_KERBEROS_REALM=`echo ${SETDNSDOMAIN^^}`
##################################################################
NFS_SETUP="$1"
if [ -z "${NFS_SETUP}" ]; then
error "You need to run the script with server or client parameter"
error "Example ./setup-samba-home-nfs-server.sh server"
error "Exitting now.. "
exit 0
fi
if [ "${NFS_SETUP}" = "server" ] || [ "${NFS_SETUP}" = "client" ]; then
if [ "${NFS_SETUP}" = "server" ]; then
good "Setting up NFS Server support"
_package_install nfs-kernel-server
service nfs-kernel-server stop
service nfs-common stop
_check_folder_exists "${NFSD_V4_EXPORTS_PATH}/${NFSD_V4_EXPORTS_USERS_PATH}"
_backup_file_date /etc/krb5.keytab
_backup_file /etc/fstab
if [ `cat /etc/fstab | grep 'NFSv4: Setup'| wc -l` = "0" ]; then
message "NFSv4: Setup fstab for NFS v4 with kerberos support"
echo "${SAMBA_USERS_HOMEDIR} "${NFSD_V4_EXPORTS_PATH}${NFSD_V4_EXPORTS_USERS_PATH}" none bind 0 0" >> /etc/fstab
mount -a
else
warning "fstab was already setup for NFSv4, checking if mounted.."
if `df | grep "${NFSD_V4_EXPORTS_PATH}${NFSD_V4_EXPORTS_USERS_PATH}" | wc -l` = "0" ]; then
mount -a
else
warning "${NFSD_V4_EXPORTS_PATH}${NFSD_V4_EXPORTS_USERS_PATH} was already mounted"
fi
fi
_backup_file /etc/exports
message "Setup of /etc/exports"
if [ ${NFSD_V4_NETWORK} = "" ]; then
NFSD_V4_NETWORK="${SETSERVERIPNET}.0/24"
fi
if [ `cat /etc/exports | grep "${NFSD_V4_EXPORTS_PATH}${NFSD_V4_EXPORTS_USERS_PATH}" | wc -l` = "0" ]; then
cat << EOF > /etc/exports
# 'fsid=0' designates this path as the nfs4 root
# 'crossmnt' is necessary to properly expose the paths
# 'no_subtree_check' is specified to get rid of warning messages
# about the default value changing. This is the default value
${NFSD_V4_EXPORTS_PATH} ${NFSD_V4_NETWORK}(rw,sync,fsid=0,no_subtree_check,crossmnt,sec=krb5)
${NFSD_V4_EXPORTS_PATH}${NFSD_V4_EXPORTS_USERS_PATH} ${NFSD_V4_NETWORK}(rw,sync,no_subtree_check,sec=krb5)
EOF
else
warning "The file : /etc/exports was already setup"
fi
_backup_file /etc/idmapd.conf
if [ `cat /etc/idmapd.conf | grep "Method = nsswitch" | wc -l` = "0" ]; then
message "Setup of /etc/idmapd.conf"
cat << EOF >> /etc/idmapd.conf
[Translation]
Method = nsswitch
EOF
else
warning "The file : /etc/idmapd.conf was already setup"
fi
_backup_file /etc/default/nfs-kernel-server
message "Setup of /etc/default/nfs-kernel-server"
if [ `cat /etc/default/nfs-kernel-server | grep "NEED_SVCGSSD=yes" | wc -l` = "0" ]; then
sed -i 's/NEED_SVCGSSD=""/NEED_SVCGSSD="yes"/g' /etc/default/nfs-kernel-server
else
warning "The file : /etc/default/nfs-kernel-server was already setup"
fi
_backup_file /etc/default/nfs-common
message "Setup of /etc/default/nfs-common"
if [ `cat /etc/default/nfs-kernel-server | grep "NEED_GSSD" | wc -l` = "0" ]; then
sed -i 's/NEED_IDMAPD=/NEED_IDMAPD=yes/g' /etc/default/nfs-common
sed -i 's/NEED_GSSD=/NEED_GSSD=yes/g' /etc/default/nfs-common
sed -i 's/NEED_STATD=/NEED_STATD=no/g' /etc/default/nfs-common
else
warning "The file : /etc/default/nfs-common was already setup"
fi
message "Exporting exports"
exportfs -r
sleep 0.5
message " "
good "The basic setup of the NFS server is done"
message " "
warning "Now you need to add the nfs SPN to this servers name."
warning "Run the following commands on one of your DC's"
warning "samba-tool spn add nfs/${SETFQDN} ${SETHOSTNAME_CAPS}\$"
warning "samba-tool spn add nfs/${SETFQDN}@${SAMBA_KERBEROS_REALM} ${SETHOSTNAME_CAPS}\$"
warning "samba-tool domain exportkeytab --principal=nfs/${SETFQDN} keytab.${SETHOSTNAME_CAPS}-nfs"
message " "
warning "When above is done, you need to copy the keytab file keytab.${SETHOSTNAME_CAPS}-nfs to the server ${SETHOSTNAME_CAPS}"
warning "Now you need to merge te original keytab file and keytab.${SETHOSTNAME_CAPS}-nfs on server ${SETHOSTNAME_CAPS}"
message " "
message "Stop the samba services:"
message "for x in \`ls /etc/init.d/sernet-*\` ; do \$x stop ; done"
message " "
message "Merging the keytab files"
message "Now type the following on server ${SETHOSTNAME_CAPS}: "
message "ktutil (hit enter)"
message "rkt /etc/krb5.keytab (hit enter)"
message "rkt /PATH_TO_THE_NEW_KEYTABFILE/keytab.${SETHOSTNAME_CAPS}-nfs"
message "list ( hit enter and check the output, is nfs listed?) "
message "wkt /etc/krb5.keytab"
message "quit"
message "chmod 600 /etc/krb5.keytab"
message "chown root:root /etc/krb5.keytab"
message "Now the keytab file is setup for NFS server support."
message "Now you can startup the nfs server on ${SETHOSTNAME_CAPS}"
message "run : service nfs-kernel-server start"
message "run : service nfs-common restart"
message "And test with : mount -t nfs4 ${SETFQDN}:${NFSD_V4_EXPORTS_USERS_PATH} /mnt -o sec=krb5 "
message "if it works, umount with : umount /mnt"
message "and start samba services again"
message "for x in \`ls /etc/init.d/sernet-*\` ; do \$x start ; done"
message " "
warning " !! Both server and client need nfs spn's "
fi
############################################ NFS CLIENT SETUP #######################################################
if [ "${NFS_SETUP}" = "client" ]; then
good "Setting up NFS Client support"
# FOR THE OTHER SERVERS /Client servers.
_package_install nfs-common
_package_install rpcbind
service nfs-common stop
_check_folder_exists "${SAMBA_USERS_HOMEDIR}"
_backup_file /etc/idmapd.conf
if [ `cat /etc/idmapd.conf | grep 'Method = nsswitch' | wc -l` = "0" ]; then
message "Setup of /etc/idmapd.conf"
cat << EOF > /etc/idmapd.conf
[General]
Verbosity = 0
Pipefs-Directory = /run/rpc_pipefs
# set your own domain here, if id differs from FQDN minus hostname
# Domain = localdomain
Domain = ${SETDNSDOMAIN}
Local-Realm = ${SAMBA_KERBEROS_REALM}
[Mapping]
Nobody-User = nobody
Nobody-Group = nogroup
[Translation]
Method = static,nsswitch
GSS-Methods = static,nsswitch
[Static]
${SETHOSTNAME_CAPS}\$@${SAMBA_KERBEROS_REALM} = root
host/${SETFQDN}@${SAMBA_KERBEROS_REALM} = root
nfs/${SETFQDN}@${SAMBA_KERBEROS_REALM} = root
nfs/${SETFQDN}@ = root
EOF
else
warning "The file : /etc/idmapd.conf was already setup"
fi
if [ ${NFS_CLIENT_MOUNT_USERS} = "dedicated" ]; then
if [ `cat /etc/fstab | grep 'NFS V4 Client Users'| wc -l` = "0" ] || [ `cat /etc/auto.master | grep 'NFS V4 Client Users automount'| wc -l` = "0" ]; then
_backup_file /etc/fstab
echo "## NFS V4 Client Users mount" >> /etc/fstab
echo "${NFSD_V4_SERVERNAME}:${NFSD_V4_EXPORTS_USERS_PATH} ${SAMBA_USERS_HOMEDIR} nfs4 sec=krb5 0 0" >> /etc/fstab
else
warning "NFS V4 Client setup was already done"
fi
fi
if [ ${NFS_CLIENT_MOUNT_USERS} = "automount" ]; then
if [ `cat /etc/fstab | grep 'NFS V4 Client Users'| wc -l` = "0" ] || [ `cat /etc/auto.master | grep 'NFS V4 Client Users automount'| wc -l` = "0" ]; then
_package_install autofs
service autofs stop
#_backup_file /etc/auto.master
_check_folder_exists /etc/auto.master.d
echo "## NFS V4 Client Users automount" >> /etc/auto.master.d/user-home.autofs
echo "* ${NFSD_V4_SERVERNAME}:${NFSD_V4_EXPORTS_USERS_PATH}\/\&" >> /etc/auto.master.d/user-home.autofs
echo "user-home automount file can be found here : /etc/auto.master.d/user-home.autofs"
else
warning "NFS V4 Client setup was already done, see /etc/auto.master.d/user-home.autofs"
fi
fi
message " "
good "The setup of the NFS Client is done"
message " "
warning "Now you need to add the nfs SPN to this client server name."
warning "Run the following commands on one of your DC's"
warning "samba-tool spn add nfs/${SETFQDN} ${SETHOSTNAME_CAPS}\$"
warning "samba-tool spn add nfs/${SETFQDN}@${SAMBA_KERBEROS_REALM} ${SETHOSTNAME_CAPS}\$"
warning "samba-tool domain exportkeytab --principal=nfs/${SETFQDN} keytab.${SETHOSTNAME_CAPS}-nfs"
message " "
warning "When above is done, you need to copy the keytab file keytab.${SETHOSTNAME_CAPS}-nfs to the nfs client ${SETHOSTNAME_CAPS}"
warning "Now you need to merge te original keytab file and keytab.${SETHOSTNAME_CAPS}-nfs on client ${SETHOSTNAME_CAPS}"
message " "
message "Stop the samba services:"
message "SERNET SAMBA: for x in \`ls /etc/init.d/sernet-*\` ; do \$x stop ; done"
message "DEBIAN SAMBA: for x in \`ls /etc/init.d/samba\` ; do \$x stop ; done"
message " "
message "Merging the keytab files"
message "Now type the following on server ${SETHOSTNAME_CAPS}: "
message "ktutil (hit enter)"
message "rkt /etc/krb5.keytab (hit enter)"
message "rkt /PATH_TO_THE_NEW_KEYTABFILE/keytab.${SETHOSTNAME_CAPS}-nfs"
message "list ( hit enter and check the output, is nfs listed?) "
message "wkt /etc/krb5.keytab"
message "quit"
message "chmod 600 /etc/krb5.keytab"
message "chown root:root /etc/krb5.keytab"
message "Now the keytab file is setup for NFS server support."
message "Now you can startup the nfs client on ${SETHOSTNAME_CAPS}"
message "run : service nfs-common start"
message "And test with : mount -t nfs4 ${NFSD_V4_SERVERNAME}:${NFSD_V4_EXPORTS_USERS_PATH} ${SAMBA_USERS_HOMEDIR} -o sec=krb5 "
message "and start samba services again"
message "SERNET SAMBA: for x in \`ls /etc/init.d/sernet-*\` ; do \$x start ; done"
message "DEBIAN SAMBA: for x in \`ls /etc/init.d/samba\` ; do \$x start ; done"
message " "
warning " !! Both server and client need nfs spn's "
fi
if [ ${SSHD_KERBEROS_ENABLED} = "yes" ]; then
message "Enable kerborised ssh logins"
_package_install_no_recommends ssh-krb5 libpam-krb5
pam-auth-update --package --force
sed -i '/#GSSAPICleanupCredentials yes/aGSSAPIStoreCredentialsOnRekey yes # If your version supports this/' /etc/ssh/sshd_config
sed -i '/#GSSAPICleanupCredentials yes/aGSSAPIKeyExchange yes # If your version supports this/' /etc/ssh/sshd_config
sed -i 's/#GSSAPICleanupCredentials yes/GSSAPICleanupCredentials yes/g' /etc/ssh/sshd_config
sed -i 's/#GSSAPIAuthentication no/GSSAPIAuthentication yes/g' /etc/ssh/sshd_config
service ssh restart
fi
if [ ! -e /etc/systemd/system/nfs-common.service.d/remote-fs-pre.conf ] ; then
echo "Fixing NFS mount on boot with systemd"
mkdir -p /etc/systemd/system/nfs-common.service.d
cat << EOF > /etc/systemd/system/nfs-common.service.d/remote-fs-pre.conf
[Unit]
Before=remote-fs-pre.target
Wants=remote-fs-pre.target
EOF
fi
else
error "No server of client variable input"
error "Exiting now. "
fi