initial commit
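--- a/samba/Dockerfile
+++ b/samba/Dockerfile
@@ -0,0 +1,19 @@
+FROM debian:bookworm-slim
+
+RUN apt-get update \
+&& DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+samba winbind krb5-user smbclient inotify-tools gettext-base \
+&& rm -rf /var/lib/apt/lists/*
+
+COPY smb.conf.template /etc/samba/smb.conf.template
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY samba-private-mkdir.sh /usr/local/bin/samba-private-mkdir
+COPY watch-reload.sh /usr/local/bin/watch-reload
+
+RUN chmod +x /usr/local/bin/entrypoint.sh \
+/usr/local/bin/samba-private-mkdir \
+/usr/local/bin/watch-reload
+
+EXPOSE 445
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]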
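Review bot: `FROM debian:bookworm-slim` on the first line pins only a moving tag, so two builds of this file can ship different samba/winbind/krb5 packages; pin the base by digest (`FROM debian:bookworm-slim@sha256:…`) and pin at least the `samba` package version in the `apt-get install` list so the SMB server version is reproducible and auditable. The entrypoint this image launches backgrounds three daemons and `root preexec` spawns children per connection, but nothing in the image reaps orphans — add `tini` to the package list and use `ENTRYPOINT ["tini", "--", "/usr/local/bin/entrypoint.sh"]`, or document that the container must be run with `--init`. The absence of a `USER` directive is presumably deliberate here, since smbd has to run as root to impersonate share users; say so in a comment above `ENTRYPOINT` so a later reviewer does not "fix" it. The `RUN chmod +x …` layer can be folded into the copies with `COPY --chmod=0755`.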
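--- a/samba/entrypoint.sh
+++ b/samba/entrypoint.sh
@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+FILESVC_UID="${FILESVC_UID:-10050}"
+FILESVC_GID="${FILESVC_GID:-10050}"
+
+if ! getent group filesvc >/dev/null 2>&1; then
+groupadd -g "${FILESVC_GID}" filesvc
+fi
+
+if ! id filesvc >/dev/null 2>&1; then
+useradd -u "${FILESVC_UID}" -g filesvc -M -s /usr/sbin/nologin filesvc
+fi
+
+if [ -n "${DOMAIN_REALM:-}" ]; then
+cat > /etc/krb5.conf <<EOF
+[libdefaults]
+default_realm = ${DOMAIN_REALM}
+dns_lookup_realm = true
+dns_lookup_kdc = true
+EOF
+fi
+
+if [ -f /etc/samba/smb.conf.template ]; then
+envsubst < /etc/samba/smb.conf.template > /etc/samba/smb.conf
+fi
+
+if ! grep -q "winbind" /etc/nsswitch.conf; then
+sed -i 's/^passwd:.*/& winbind/' /etc/nsswitch.conf
+sed -i 's/^group:.*/& winbind/' /etc/nsswitch.conf
+fi
+
+mkdir -p /samba-generated
+touch /samba-generated/shares.generated.conf
+ln -sf /samba-generated/shares.generated.conf /etc/samba/shares.generated.conf
+
+if [ ! -f /var/lib/samba/private/secrets.tdb ]; then
+if [ -z "${DOMAIN_JOIN_USER:-}" ] || [ -z "${DOMAIN_JOIN_PASSWORD:-}" ]; then
+echo "DOMAIN_JOIN_USER and DOMAIN_JOIN_PASSWORD must be set to join the domain." >&2
+exit 1
+fi
+echo "Joining AD domain ${DOMAIN_REALM}..."
+net ads join -U "${DOMAIN_JOIN_USER}%${DOMAIN_JOIN_PASSWORD}"
+fi
+
+winbindd -F &
+WINBIND_PID=$!
+
+smbd -F &
+SMBD_PID=$!
+
+/usr/local/bin/watch-reload &
+WATCH_PID=$!
+
+trap 'kill ${WINBIND_PID} ${SMBD_PID} ${WATCH_PID}' TERM INT
+
+wait -n ${WINBIND_PID} ${SMBD_PID} ${WATCH_PID}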
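Review bot: The domain-join password is passed in argv, `net ads join -U "${DOMAIN_JOIN_USER}%${DOMAIN_JOIN_PASSWORD}"`, which exposes it to anything that can read `/proc/<pid>/cmdline` or run `ps` on the host for the duration of the join; Samba's client credential code reads the password from the `PASSWD` environment variable instead, so use `PASSWD="${DOMAIN_JOIN_PASSWORD}" net ads join -U "${DOMAIN_JOIN_USER}"`. Both variables also stay in the environment inherited by `winbindd`, `smbd` and every `root preexec` child, readable via `/proc/<pid>/environ`; add `unset DOMAIN_JOIN_USER DOMAIN_JOIN_PASSWORD` right after the join, before the daemons are started. The `echo "Joining AD domain ${DOMAIN_REALM}..."` line references `DOMAIN_REALM` unconditionally while krb5.conf is only written when it is set, so under `set -u` a missing realm aborts with an "unbound variable" message rather than the clear error the credential check gives; extend that check to `[ -z "${DOMAIN_REALM:-}" ]`. Note the join only runs when `/var/lib/samba/private/secrets.tdb` is absent, and nothing here persists that path, so a recreated container will presumably rejoin (and create a fresh machine account) each time unless a volume is mounted there — worth a comment.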
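--- a/samba/samba-private-mkdir.sh
+++ b/samba/samba-private-mkdir.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+user="$1"
+domain="${2:-}"
+target="/data/private/${user}"
+
+if [ ! -d "${target}" ]; then
+mkdir -p "${target}"
+chmod 0700 "${target}"
+fi
+
+if getent passwd "${user}" >/dev/null 2>&1; then
+uid=$(getent passwd "${user}" | cut -d: -f3)
+gid=$(getent passwd "${user}" | cut -d: -f4)
+chown "${uid}:${gid}" "${target}"
+exit 0
+fi
+
+if [ -n "${domain}" ] && getent passwd "${domain}\\${user}" >/dev/null 2>&1; then
+uid=$(getent passwd "${domain}\\${user}" | cut -d: -f3)
+gid=$(getent passwd "${domain}\\${user}" | cut -d: -f4)
+chown "${uid}:${gid}" "${target}"
+fi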
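Review bot: The directory is created before the user is resolved, and when neither `getent passwd` lookup succeeds the script exits 0 leaving a root-owned 0700 directory in place, so a user whose NSS mapping is missing gets a share whose path exists but is unreadable and nobody is told why; resolve first, then create with the final owner in one step, and exit non-zero on failure (pair this with `root preexec close = yes` in the share so a failed preexec refuses the connection). This runs as root with a name taken from smbd's `%U`; that value is server-assigned rather than typed by the client, but a cheap `case` guard against empty, `.`, `..` or `/`-containing names costs nothing and keeps the script safe if it is ever invoked by hand. The `|| true`-free `getent … | cut` pipelines under `set -o pipefail` would abort on an unresolvable name, so capture the passwd line once instead of calling `getent` three times.
```bash
user="$1"
domain="${2:-}"
# Runs as root via `root preexec`: refuse anything that could leave /data/private.
case "${user}" in ""|.|..|*/*) echo "samba-private-mkdir: refusing user name '${user}'" >&2; exit 1 ;; esac
target="/data/private/${user}"

entry=$(getent passwd "${user}" 2>/dev/null || true)
if [ -z "${entry}" ] && [ -n "${domain}" ]; then
    entry=$(getent passwd "${domain}\\${user}" 2>/dev/null || true)
fi
if [ -z "${entry}" ]; then
    echo "samba-private-mkdir: cannot resolve '${user}' (domain '${domain}')" >&2
    exit 1
fi
uid=$(printf '%s\n' "${entry}" | cut -d: -f3)
gid=$(printf '%s\n' "${entry}" | cut -d: -f4)

if [ ! -d "${target}" ]; then
    # Owner and mode are set atomically with creation; no window with a root-owned dir.
    install -d -m 0700 -o "${uid}" -g "${gid}" "${target}"
else
    chown "${uid}:${gid}" "${target}"
fi
```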
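--- a/samba/smb.conf.template
+++ b/samba/smb.conf.template
@@ -0,0 +1,47 @@
+[global]
+workgroup = ${DOMAIN_WORKGROUP}
+realm = ${DOMAIN_REALM}
+netbios name = ${SAMBA_NETBIOS_NAME}
+security = ADS
+kerberos method = secrets and keytab
+dedicated keytab file = /etc/krb5.keytab
+
+server min protocol = SMB2
+server max protocol = SMB3
+ntlm auth = ntlmv2-only
+server signing = mandatory
+smb encrypt = desired
+
+winbind use default domain = no
+winbind nss info = rfc2307
+winbind enum users = yes
+winbind enum groups = yes
+idmap config * : backend = tdb
+idmap config * : range = 30000-79999
+idmap config ${DOMAIN_WORKGROUP} : backend = rid
+idmap config ${DOMAIN_WORKGROUP} : range = 10000-29999
+
+template shell = /bin/false
+template homedir = /home/%D/%U
+
+map to guest = never
+unix extensions = no
+dos filemode = no
+nt acl support = no
+
+log file = /var/log/samba/log.%m
+max log size = 1000
+logging = file
+
+[private]
+path = /data/private/%U
+browseable = yes
+read only = no
+valid users = %U
+create mask = 0600
+directory mask = 0700
+root preexec = /usr/local/bin/samba-private-mkdir %U %D
+nt acl support = no
+dos filemode = no
+
+include = /etc/samba/shares.generated.conf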
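Review bot: The `[private]` share runs `root preexec = /usr/local/bin/samba-private-mkdir %U %D` but does not set `root preexec close`, so if that root-level script fails the client is still connected to whatever is at `/data/private/%U`; add `root preexec close = yes` to the share so a failed preparation step refuses the tree connect. For a per-user private share `smb encrypt = desired` only negotiates encryption when the client offers it; `smb encrypt = required` is the setting that actually protects the data in transit (signing is already `mandatory`, which is good). `winbind enum users = yes` and `winbind enum groups = yes` make every NSS enumeration walk the whole domain through winbind and are not needed for share access; drop them unless something in the image depends on `getent passwd` listing domain users. Because `envsubst` in the entrypoint substitutes unset variables with empty strings, an unset `DOMAIN_WORKGROUP` turns the `idmap config ${DOMAIN_WORKGROUP} : …` lines into malformed keys — worth a comment at the top of the template naming the variables that must be set.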
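--- a/samba/watch-reload.sh
+++ b/samba/watch-reload.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+WATCH_DIR="/etc/samba"
+
+while true; do
+inotifywait -e close_write,move,create,delete "${WATCH_DIR}" >/dev/null 2>&1 || true
+smbcontrol all reload-config || true
+done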
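Review bot: Watching only `/etc/samba` misses the file this loop most needs to react to: the entrypoint makes `/etc/samba/shares.generated.conf` a symlink into `/samba-generated`, and inotify reports events on the directory entry, not on writes to a symlink's target in another directory, so regenerating the shares file will presumably never trigger a reload. Watch both locations, `inotifywait -e close_write,move,create,delete "${WATCH_DIR}" /samba-generated >/dev/null 2>&1 || true`, or make `/samba-generated` the configured watch path. Each iteration also arms a fresh watch after the reload, so a burst of writes can be coalesced into one reload or partly missed; if that matters, `inotifywait -m … | while read -r _; do smbcontrol all reload-config || true; done` keeps one persistent watch. A short header comment stating that this is the reload helper backgrounded by the entrypoint would help the next reader.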