add test 'AD' (samba)

internet2 · May 5, 2023 · 8ad2e7f · 8ad2e7f
1 parent adda8d4
commit 8ad2e7f
Show file tree

Hide file tree

Showing 6 changed files with 243 additions and 9 deletions.
diff --git a/Workbench/ad/Dockerfile b/Workbench/ad/Dockerfile
@@ -0,0 +1,14 @@
+FROM ubuntu:xenial
+# based on work at https://github.com/Fmstrat/samba-domain
+
+ENV DEBIAN_FRONTEND noninteractive
+
+RUN apt-get update && apt-get upgrade -y
+RUN apt-get install -y pkg-config
+RUN apt-get install -y attr acl samba smbclient ldap-utils winbind libnss-winbind libpam-winbind krb5-user krb5-kdc supervisor
+RUN apt-get install -y openvpn inetutils-ping
+
+ADD start.sh /start.sh
+RUN chmod 755 /start.sh
+CMD /start.sh setup
+
diff --git a/Workbench/ad/start.sh b/Workbench/ad/start.sh
@@ -0,0 +1,128 @@
+#!/bin/bash
+# based on work at https://github.com/Fmstrat/samba-domain
+
+set -e
+
+appSetup () {
+
+	# Set variables
+	DOMAIN=${DOMAIN:-SAMDOM.LOCAL}
+	DOMAINPASS=${DOMAINPASS:-password}
+	JOIN=${JOIN:-false}
+	JOINSITE=${JOINSITE:-NONE}
+	MULTISITE=${MULTISITE:-false}
+	NOCOMPLEXITY=${NOCOMPLEXITY:-false}
+	INSECURELDAP=${INSECURELDAP:-false}
+	DNSFORWARDER=${DNSFORWARDER:-NONE}
+	HOSTIP=${HOSTIP:-NONE}
+
+	LDOMAIN=${DOMAIN,,}
+	UDOMAIN=${DOMAIN^^}
+	URDOMAIN=${UDOMAIN%%.*}
+
+	# If multi-site, we need to connect to the VPN before joining the domain
+	if [[ ${MULTISITE,,} == "true" ]]; then
+		/usr/sbin/openvpn --config /docker.ovpn &
+		VPNPID=$!
+		echo "Sleeping 30s to ensure VPN connects ($VPNPID)";
+		sleep 30
+	fi
+
+        # Set host ip option
+        if [[ "$HOSTIP" != "NONE" ]]; then
+		HOSTIP_OPTION="--host-ip=$HOSTIP"
+        else
+		HOSTIP_OPTION=""
+        fi
+
+	# Set up samba
+	mv /etc/krb5.conf /etc/krb5.conf.orig
+	echo "[libdefaults]" > /etc/krb5.conf
+	echo "    dns_lookup_realm = false" >> /etc/krb5.conf
+	echo "    dns_lookup_kdc = true" >> /etc/krb5.conf
+	echo "    default_realm = ${UDOMAIN}" >> /etc/krb5.conf
+	# If the finished file isn't there, this is brand new, we're not just moving to a new container
+	if [[ ! -f /etc/samba/external/smb.conf ]]; then
+		mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
+		if [[ ${JOIN,,} == "true" ]]; then
+			if [[ ${JOINSITE} == "NONE" ]]; then
+				samba-tool domain join ${LDOMAIN} DC -U"${URDOMAIN}\administrator" --password="${DOMAINPASS}" --dns-backend=SAMBA_INTERNAL
+			else
+				samba-tool domain join ${LDOMAIN} DC -U"${URDOMAIN}\administrator" --password="${DOMAINPASS}" --dns-backend=SAMBA_INTERNAL --site=${JOINSITE}
+			fi
+		else
+			samba-tool domain provision --use-rfc2307 --domain=${URDOMAIN} --realm=${UDOMAIN} --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=${DOMAINPASS} ${HOSTIP_OPTION}
+			if [[ ${NOCOMPLEXITY,,} == "true" ]]; then
+				samba-tool domain passwordsettings set --complexity=off
+				samba-tool domain passwordsettings set --history-length=0
+				samba-tool domain passwordsettings set --min-pwd-age=0
+				samba-tool domain passwordsettings set --max-pwd-age=0
+			fi
+		fi
+		sed -i "/\[global\]/a \
+			\\\tidmap_ldb:use rfc2307 = yes\\n\
+			wins support = yes\\n\
+			template shell = /bin/bash\\n\
+			winbind nss info = rfc2307\\n\
+			idmap config ${URDOMAIN}: range = 10000-20000\\n\
+			idmap config ${URDOMAIN}: backend = ad\
+			" /etc/samba/smb.conf
+		if [[ $DNSFORWARDER != "NONE" ]]; then
+			sed -i "/\[global\]/a \
+				\\\tdns forwarder = ${DNSFORWARDER}\
+				" /etc/samba/smb.conf
+		fi
+		if [[ ${INSECURELDAP,,} == "true" ]]; then
+			sed -i "/\[global\]/a \
+				\\\tldap server require strong auth = no\
+				" /etc/samba/smb.conf
+		fi
+		# Once we are set up, we'll make a file so that we know to use it if we ever spin this up again
+		cp /etc/samba/smb.conf /etc/samba/external/smb.conf
+	else
+		cp /etc/samba/external/smb.conf /etc/samba/smb.conf
+	fi
+
+	# Set up supervisor
+	echo "[supervisord]" > /etc/supervisor/conf.d/supervisord.conf
+	echo "nodaemon=true" >> /etc/supervisor/conf.d/supervisord.conf
+	echo "" >> /etc/supervisor/conf.d/supervisord.conf
+	echo "[program:samba]" >> /etc/supervisor/conf.d/supervisord.conf
+	echo "command=/usr/sbin/samba -i" >> /etc/supervisor/conf.d/supervisord.conf
+	if [[ ${MULTISITE,,} == "true" ]]; then
+		if [[ -n $VPNPID ]]; then
+			kill $VPNPID
+		fi
+		echo "" >> /etc/supervisor/conf.d/supervisord.conf
+		echo "[program:openvpn]" >> /etc/supervisor/conf.d/supervisord.conf
+		echo "command=/usr/sbin/openvpn --config /docker.ovpn" >> /etc/supervisor/conf.d/supervisord.conf
+	fi
+
+	appStart
+}
+
+appStart () {
+	/usr/bin/supervisord
+}
+
+case "$1" in
+	start)
+		if [[ -f /etc/samba/external/smb.conf ]]; then
+			cp /etc/samba/external/smb.conf /etc/samba/smb.conf
+			appStart
+		else
+			echo "Config file is missing."
+		fi
+		;;
+	setup)
+		# If the supervisor conf isn't there, we're spinning up a new container
+		if [[ -f /etc/supervisor/conf.d/supervisord.conf ]]; then
+			appStart
+		else
+			appSetup
+		fi
+		;;
+esac
+
+exit 0
+
diff --git a/Workbench/directory/container_files/etc/phpldapadmin/config.php b/Workbench/directory/container_files/etc/phpldapadmin/config.php
@@ -533,17 +533,17 @@
  * your other LDAP servers.                                               *
  **************************************************************************/
 
-/*
 $servers->newServer('ldap_pla');
-$servers->setValue('server','name','LDAP Server');
-$servers->setValue('server','host','127.0.0.1');
-$servers->setValue('server','port',389);
-$servers->setValue('server','base',array(''));
+$servers->setValue('server','name','AD Server');
+$servers->setValue('server','host','ldaps://ad/');
+$servers->setValue('server','port',636);
+$servers->setValue('server','base',array('dc=ad,dc=example,dc=edu'));
 $servers->setValue('login','auth_type','cookie');
-$servers->setValue('login','bind_id','');
-$servers->setValue('login','bind_pass','');
+$servers->setValue('login','bind_id','AD\Administrator');
+$servers->setValue('login','bind_pass','Supersecret1!');
 $servers->setValue('server','tls',false);
 
+/*
 # SASL auth
 $servers->setValue('login','auth_type','sasl');
 $servers->setValue('sasl','mech','GSSAPI');

diff --git a/Workbench/docker-compose.yml b/Workbench/docker-compose.yml
@@ -176,8 +176,10 @@ services:
 
   directory:
     build: ./directory/
+    links:
+     - "ad:ad"
     ports:
-     - 389:389
+     - 1389:389
     networks:
      - net
     healthcheck:
@@ -561,6 +563,33 @@ services:
         aliases:
           - comanage-cron
 
+  ad:
+    build:
+      context: ./ad/
+    environment:
+     - DOMAIN=ad.example.edu
+     - DOMAINPASS=Supersecret1!
+    networks:
+      net:
+    volumes:
+     - ad_samba_data:/var/lib/samba
+     - ad_samba_cfg:/etc/samba/external
+    ports:
+      - 53:53
+      - 53:53/udp
+      - 88:88
+      - 88:88/udp
+      - 135:135
+      - 137-138:137-138/udp
+      - 139:139
+      - 389:389
+      - 389:389/udp
+      - 445:445
+      - 464:464
+      - 464:464/udp
+      - 636:636
+      - 3268-3269:3268-3269
+
 networks:
   net:    
     driver: bridge
@@ -604,3 +633,5 @@ volumes:
   generated-metadata:
   mariadb-data:
   idpui_data:
+  ad_samba_data:
+  ad_samba_cfg:
diff --git a/.../midpoint_server/container_files/mp-home/post-initial-objects/resources/100-target-ad.xml b/.../midpoint_server/container_files/mp-home/post-initial-objects/resources/100-target-ad.xml
@@ -0,0 +1,61 @@
+<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:c="http://midpoint.evolveum.com/xml/ns/public/common/common-3" xmlns:icfs="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/resource-schema-3" xmlns:org="http://midpoint.evolveum.com/xml/ns/public/common/org-3" xmlns:q="http://prism.evolveum.com/xml/ns/public/query-3" xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3" xmlns:t="http://prism.evolveum.com/xml/ns/public/types-3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" oid="6597e333-3f18-478d-84e7-58521a5eec2b" version="1">
+    <name>Target: AD</name>
+    <iteration>0</iteration>
+    <iterationToken/>
+    <connectorRef type="ConnectorType">
+        <filter>
+            <q:equal>
+            <q:path>c:connectorType</q:path>
+                <q:value>com.evolveum.polygon.connector.ldap.ad.AdLdapConnector</q:value>
+            </q:equal>
+        </filter>
+    </connectorRef>
+    <connectorConfiguration xmlns:icfc="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/connector-schema-3">
+        <icfc:configurationProperties xmlns:gen475="http://midpoint.evolveum.com/xml/ns/public/connector/icf-1/bundle/com.evolveum.polygon.connector-ldap/com.evolveum.polygon.connector.ldap.ad.AdLdapConnector">
+            <gen475:host>ad</gen475:host>
+            <gen475:port>636</gen475:port>
+            <gen475:connectionSecurity>ssl</gen475:connectionSecurity>
+            <gen475:authenticationType>simple</gen475:authenticationType>
+            <gen475:bindDn>CN=Administrator,CN=Users,DC=ad,DC=example,DC=edu</gen475:bindDn>
+            <gen475:bindPassword>
+                <t:clearValue>Supersecret1!</t:clearValue>
+            </gen475:bindPassword>
+            <gen475:baseContext>DC=ad,DC=example,DC=edu</gen475:baseContext>
+            <gen475:readSchema>true</gen475:readSchema>
+            <gen475:allowUntrustedSsl>true</gen475:allowUntrustedSsl>
+        </icfc:configurationProperties>
+    </connectorConfiguration>
+    <capabilities>
+        <native xmlns:cap="http://midpoint.evolveum.com/xml/ns/public/resource/capabilities-3">
+            <cap:schema/>
+            <cap:discoverConfiguration/>
+            <cap:activation>
+                <cap:status/>
+            </cap:activation>
+            <cap:credentials>
+                <cap:password>
+                    <cap:returnedByDefault>false</cap:returnedByDefault>
+                </cap:password>
+            </cap:credentials>
+            <cap:liveSync/>
+            <cap:create/>
+            <cap:read>
+                <cap:returnDefaultAttributesOption>true</cap:returnDefaultAttributesOption>
+            </cap:read>
+            <cap:update>
+                <cap:delta>true</cap:delta>
+                <cap:addRemoveAttributeValues>true</cap:addRemoveAttributeValues>
+            </cap:update>
+            <cap:delete/>
+            <cap:testConnection/>
+            <cap:script>
+                <cap:host id="1">
+                    <cap:type>connector</cap:type>
+                </cap:host>
+            </cap:script>
+            <cap:pagedSearch/>
+            <cap:auxiliaryObjectClasses/>
+        </native>
+    </capabilities>
+</resource>
+
diff --git a/Workbench/webproxy/Dockerfile b/Workbench/webproxy/Dockerfile
@@ -36,7 +36,7 @@ RUN chmod 755 /usr/local/bin/startWithMDLoad.sh && chmod 755 /mdload/*.sh
 
 #install updated curl (for --data-raw)
 # see http://www.city-fan.org/ftp/contrib/yum-repo/ for more info and for correct version numbers
-RUN rpm -Uvh http://www.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-3-7.rhel7.noarch.rpm
+RUN rpm -Uvh http://www.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-3-8.rhel7.noarch.rpm
 RUN yum-config-manager --enable city-fan.org
 RUN yum update curl -y