diff --git a/samba-directory/dc1.yaml b/samba-directory/dc1.yaml
new file mode 100644
index 0000000..73c9ce9
--- /dev/null
+++ b/samba-directory/dc1.yaml
@@ -0,0 +1,290 @@ +apiVersion: v1 +kind: Service +metadata: + name: samba-ad-dc1 + namespace: samba-directory + labels: + app: samba-ad + samba-role: dc1 +spec: + clusterIP: None + publishNotReadyAddresses: true + selector: + app: samba-ad + samba-role: dc1 + ports: + - { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 } + - { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 } + - { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 } + - { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 } + - { name: ntp, port: 123, protocol: UDP, targetPort: 123 } + - { name: epm, port: 135, protocol: TCP, targetPort: 135 } + - { name: netbios-ns, port: 137, protocol: UDP, targetPort: 137 } + - { name: netbios-dgm, port: 138, protocol: UDP, targetPort: 138 } + - { name: netbios-ssn, port: 139, protocol: TCP, targetPort: 139 } + - { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 } + - { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 } + - { name: smb, port: 445, protocol: TCP, targetPort: 445 } + - { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 } + - { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 } + - { name: ldaps, port: 636, protocol: TCP, targetPort: 636 } + - { name: gc, port: 3268, protocol: TCP, targetPort: 3268 } + - { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 } + - { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 } + - { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 } + - { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 } + - { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 } + - { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 } + - { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 } +--- + +apiVersion: v1 +kind: ConfigMap +metadata: + name: samba-ad-config-dc1 + namespace: samba-directory +data: + smb.conf: | + [global] + workgroup = UNDERCLOUD + realm = UNDERCLOUD.LOCAL + 
netbios name = DC1 + server role = active directory domain controller + + rpc server port = 5000 + rpc server port:netlogon = 5001 + rpc server port:lsarpc = 5002 + rpc server port:samr = 5003 + rpc server port:drsuapi = 5004 + rpc server port:dnsserver = 5005 + + [sysvol] + path = /var/lib/samba/sysvol + read only = No + + [netlogon] + path = /var/lib/samba/sysvol/undercloud.local/scripts + read only = No +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: dc1 + namespace: samba-directory +spec: + serviceName: samba-ad-dc1 + replicas: 1 + selector: + matchLabels: + app: samba-ad + samba-role: dc1 + template: + metadata: + labels: + app: samba-ad + samba-role: dc1 + spec: + terminationGracePeriodSeconds: 30 + hostname: dc1 + containers: + - name: samba-ad + image: quay.io/samba.org/samba-ad-server:latest + securityContext: + capabilities: + add: ["SYS_ADMIN"] + envFrom: + - secretRef: + name: samba-ad-secrets + ports: + - { name: dns-tcp, containerPort: 53, protocol: TCP } + - { name: dns-udp, containerPort: 53, protocol: UDP } + - { name: kerberos-tcp, containerPort: 88, protocol: TCP } + - { name: kerberos-udp, containerPort: 88, protocol: UDP } + - { name: ldap-tcp, containerPort: 389, protocol: TCP } + - { name: ldap-udp, containerPort: 389, protocol: UDP } + - { name: smb, containerPort: 445, protocol: TCP } + - { name: kpasswd-tcp, containerPort: 464, protocol: TCP } + - { name: kpasswd-udp, containerPort: 464, protocol: UDP } + - { name: ldaps, containerPort: 636, protocol: TCP } + - { name: gc, containerPort: 3268, protocol: TCP } + - { name: gc-ssl, containerPort: 3269, protocol: TCP } + - { name: rpc-epmap, containerPort: 135, protocol: TCP } + - { name: rpc-base, containerPort: 5000, protocol: TCP } + - { name: rpc-netlogon, containerPort: 5001, protocol: TCP } + - { name: rpc-lsarpc, containerPort: 5002, protocol: TCP } + - { name: rpc-samr, containerPort: 5003, protocol: TCP } + - { name: rpc-drsuapi, containerPort: 5004, protocol: TCP } + 
- { name: rpc-dnsserver, containerPort: 5005, protocol: TCP } + volumeMounts: + - name: samba-state + mountPath: /var/lib/samba + - name: samba-etc + mountPath: /etc/samba + - name: samba-bootstrap + mountPath: /bootstrap + readOnly: true + - name: samba-config + mountPath: /etc/samba/smb.conf + subPath: smb.conf + command: ["/bin/bash", "-ec"] + args: + - | + set -euxo pipefail + + if [ ! -f /var/lib/samba/.provisioned ] || [ ! -f /etc/samba/smb.conf ]; then + rm -f /var/lib/samba/.provisioned + rm -f /var/lib/samba/.bootstrap-ldif-applied + + samba-tool domain provision \ + --server-role=dc \ + --use-rfc2307 \ + --dns-backend=SAMBA_INTERNAL \ + --realm=UNDERCLOUD.LOCAL \ + --domain=UNDERCLOUD \ + --host-name=dc1 \ + -d 3 \ + --adminpass="${ADMIN_PASSWORD}" + + cp /var/lib/samba/private/krb5.conf /etc/krb5.conf + + touch /var/lib/samba/.provisioned + fi + + cp /var/lib/samba/private/krb5.conf /etc/krb5.conf + + if [ ! -f /var/lib/samba/.bootstrap-ldif-applied ]; then + ldbadd -H /var/lib/samba/private/sam.ldb /bootstrap/bootstrap.ldif + + samba-tool user setpassword sebastian --newpassword="${SEBASTIAN_PASSWORD}" >/dev/null 2>&1 + samba-tool user setpassword glados --newpassword="${GLADOS_PASSWORD}" >/dev/null 2>&1 + samba-tool user setpassword shodan --newpassword="${SHODAN_PASSWORD}" >/dev/null 2>&1 + samba-tool user setpassword lam --newpassword="${LAM_PASSWORD}" >/dev/null 2>&1 + samba-tool user setpassword argocd --newpassword="${ARGOCD_PASSWORD}" >/dev/null 2>&1 + samba-tool user setpassword gitea --newpassword="${GITEA_PASSWORD}" >/dev/null 2>&1 + samba-tool user setpassword firewall --newpassword="${FIREWALL_PASSWORD}" >/dev/null 2>&1 + samba-tool user setpassword mailserver --newpassword="${MAILSERVER_PASSWORD}" >/dev/null 2>&1 + samba-tool user setpassword bookstack --newpassword="${BOOKSTACK_PASSWORD}" >/dev/null 2>&1 + samba-tool user setpassword nextcloud --newpassword="${NEXTCLOUD_PASSWORD}" >/dev/null 2>&1 + samba-tool user setpassword jellyfin 
--newpassword="${JELLYFIN_PASSWORD}" >/dev/null 2>&1 + samba-tool user setpassword bastillion --newpassword="${BASTILLION_PASSWORD}" >/dev/null 2>&1 + samba-tool user setpassword guacamole --newpassword="${GUACAMOLE_PASSWORD}" >/dev/null 2>&1 + samba-tool user setpassword synapse --newpassword="${SYNAPSE_PASSWORD}" >/dev/null 2>&1 + samba-tool user setpassword samba --newpassword="${SAMBA_PASSWORD}" >/dev/null 2>&1 + + samba-tool group addmembers "Domain Admins" undercloud-administrators + samba-tool group addmembers "Domain Admins" lam + + touch /var/lib/samba/.bootstrap-ldif-applied + fi + + exec samba -i + volumes: + - name: samba-bootstrap + configMap: + name: samba-ad-bootstrap + - name: samba-config + configMap: + name: samba-ad-config-dc1 + volumeClaimTemplates: + - metadata: + name: samba-state + spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 10Gi + storageClassName: cephfs-hyper + - metadata: + name: samba-etc + spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: cephfs-hyper +--- +apiVersion: v1 +kind: Service +metadata: + name: samba-ad-dc1-direct + namespace: samba-directory + labels: + app: samba-ad + samba-role: dc1 +spec: + internalTrafficPolicy: Cluster + clusterIP: 2001:470:7116:f:1::21 + clusterIPs: + - 2001:470:7116:f:1::21 + - 10.0.91.21 + ipFamilies: + - IPv6 + - IPv4 + ipFamilyPolicy: PreferDualStack + type: ClusterIP + selector: + app: samba-ad + samba-role: dc1 + ports: + - { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 } + - { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 } + - { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 } + - { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 } + - { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 } + - { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 } + - { name: smb, port: 445, protocol: TCP, targetPort: 445 } + - { name: kpasswd-tcp, port: 464, protocol: TCP, 
targetPort: 464 } + - { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 } + - { name: ldaps, port: 636, protocol: TCP, targetPort: 636 } + - { name: gc, port: 3268, protocol: TCP, targetPort: 3268 } + - { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 } + - { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 } + - { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 } + - { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 } + - { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 } + - { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 } + - { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 } + - { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 } +--- +apiVersion: v1 +kind: Service +metadata: + name: samba-ad + namespace: samba-directory + labels: + app: samba-ad +spec: + internalTrafficPolicy: Cluster + clusterIP: 2001:470:7116:f:1::20 + clusterIPs: + - 2001:470:7116:f:1::20 + - 10.0.91.20 + ipFamilies: + - IPv6 + - IPv4 + ipFamilyPolicy: PreferDualStack + type: ClusterIP + selector: + app: samba-ad + ports: + - { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 } + - { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 } + - { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 } + - { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 } + - { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 } + - { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 } + - { name: smb, port: 445, protocol: TCP, targetPort: 445 } + - { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 } + - { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 } + - { name: ldaps, port: 636, protocol: TCP, targetPort: 636 } + - { name: gc, port: 3268, protocol: TCP, targetPort: 3268 } + - { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 } + - { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 } + - { name: 
rpc-base, port: 5000, protocol: TCP, targetPort: 5000 }
+ - { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 }
+ - { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 }
+ - { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 }
+ - { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 }
+ - { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 }
\ No newline at end of file
diff --git a/samba-directory/dc2.yaml b/samba-directory/dc2.yaml
new file mode 100644
index 0000000..de02eb4
--- /dev/null
+++ b/samba-directory/dc2.yaml
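Review bot: The bootstrap script runs under `set -euxo pipefail`, so the `-x` trace writes every expanded command — including `--adminpass="${ADMIN_PASSWORD}"` and each `--newpassword="${..._PASSWORD}"` line — to the container's stderr and therefore to pod logs and any log shipper; the `>/dev/null 2>&1` on the setpassword lines does not help, because the trace is printed by the shell before the command's own redirections apply. Use `set -euo pipefail`, or bracket the secret-bearing section with `set +x` … `set -x`; dc2.yaml's join step (`-U"Administrator%${ADMIN_PASSWORD}"`) has the same exposure and the fix is the same there. Two smaller points on the same container: `image: quay.io/samba.org/samba-ad-server:latest` is unpinned while the pod also gets `SYS_ADMIN`, so a tag or digest should be pinned; and `samba-tool group addmembers "Domain Admins" lam` makes the LDAP Account Manager service account a full domain admin — if it only needs to manage objects under OU=Undercloud, delegating that with an ACL on the OU keeps the blast radius of a leaked LAM credential to that subtree.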
@@ -0,0 +1,226 @@ +apiVersion: v1 +kind: Service +metadata: + name: samba-ad-dc2 + namespace: samba-directory + labels: + app: samba-ad + samba-role: dc2 +spec: + clusterIP: None + publishNotReadyAddresses: true + selector: + app: samba-ad + samba-role: dc2 + ports: + - { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 } + - { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 } + - { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 } + - { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 } + - { name: ntp, port: 123, protocol: UDP, targetPort: 123 } + - { name: netbios-ns, port: 137, protocol: UDP, targetPort: 137 } + - { name: netbios-dgm, port: 138, protocol: UDP, targetPort: 138 } + - { name: netbios-ssn, port: 139, protocol: TCP, targetPort: 139 } + - { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 } + - { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 } + - { name: smb, port: 445, protocol: TCP, targetPort: 445 } + - { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 } + - { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 } + - { name: ldaps, port: 636, protocol: TCP, targetPort: 636 } + - { name: gc, port: 3268, protocol: TCP, targetPort: 3268 } + - { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 } + - { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 } + - { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 } + - { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 } + - { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 } + - { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 } + - { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 } + - { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 } +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: samba-ad-config-dc2 + namespace: samba-directory +data: + smb.conf: | + [global] + workgroup = UNDERCLOUD + realm = UNDERCLOUD.LOCAL + 
netbios name = DC2 + server role = active directory domain controller + + rpc server port = 5000 + rpc server port:netlogon = 5001 + rpc server port:lsarpc = 5002 + rpc server port:samr = 5003 + rpc server port:drsuapi = 5004 + rpc server port:dnsserver = 5005 + + [sysvol] + path = /var/lib/samba/sysvol + read only = No + + [netlogon] + path = /var/lib/samba/sysvol/undercloud.local/scripts + read only = No +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: dc2 + namespace: samba-directory +spec: + serviceName: samba-ad-dc2 + replicas: 1 + selector: + matchLabels: + app: samba-ad + samba-role: dc2 + template: + metadata: + labels: + app: samba-ad + samba-role: dc2 + spec: + terminationGracePeriodSeconds: 30 + hostname: dc2 + containers: + - name: samba-ad + image: quay.io/samba.org/samba-ad-server:latest + securityContext: + capabilities: + add: ["SYS_ADMIN"] + envFrom: + - secretRef: + name: samba-ad-secrets + ports: + - { name: dns-tcp, containerPort: 53, protocol: TCP } + - { name: dns-udp, containerPort: 53, protocol: UDP } + - { name: kerberos-tcp, containerPort: 88, protocol: TCP } + - { name: kerberos-udp, containerPort: 88, protocol: UDP } + - { name: ldap-tcp, containerPort: 389, protocol: TCP } + - { name: ldap-udp, containerPort: 389, protocol: UDP } + - { name: smb, containerPort: 445, protocol: TCP } + - { name: kpasswd-tcp, containerPort: 464, protocol: TCP } + - { name: kpasswd-udp, containerPort: 464, protocol: UDP } + - { name: ldaps, containerPort: 636, protocol: TCP } + - { name: gc, containerPort: 3268, protocol: TCP } + - { name: gc-ssl, containerPort: 3269, protocol: TCP } + - { name: rpc-epmap, containerPort: 135, protocol: TCP } + - { name: rpc-base, containerPort: 5000, protocol: TCP } + - { name: rpc-netlogon, containerPort: 5001, protocol: TCP } + - { name: rpc-lsarpc, containerPort: 5002, protocol: TCP } + - { name: rpc-samr, containerPort: 5003, protocol: TCP } + - { name: rpc-drsuapi, containerPort: 5004, protocol: TCP } + 
- { name: rpc-dnsserver, containerPort: 5005, protocol: TCP } + volumeMounts: + - name: samba-state + mountPath: /var/lib/samba + - name: samba-etc + mountPath: /etc/samba + - name: samba-config + mountPath: /etc/samba/smb.conf + subPath: smb.conf + command: ["/bin/bash", "-ec"] + args: + - | + set -euxo pipefail + + DC1_FQDN="dc1.undercloud.local" + + if [ ! -f /var/lib/samba/.joined ] || [ ! -f /etc/samba/smb.conf ]; then + rm -f /var/lib/samba/.joined + + until getent hosts "${DC1_FQDN}"; do + echo "waiting for dc1 dns" + sleep 5 + done + + until bash -c "/dev/null; do + echo "waiting for dc1 ldap" + sleep 5 + done + + sleep 30 + + samba-tool domain join UNDERCLOUD.LOCAL DC \ + --server="${DC1_FQDN}" \ + -d 3 \ + -U"Administrator%${ADMIN_PASSWORD}" + + cp /var/lib/samba/private/krb5.conf /etc/krb5.conf + + touch /var/lib/samba/.joined + fi + + cp /var/lib/samba/private/krb5.conf /etc/krb5.conf + + exec samba -i + volumes: + - name: samba-config + configMap: + name: samba-ad-config-dc2 + volumeClaimTemplates: + - metadata: + name: samba-state + spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 10Gi + storageClassName: cephfs-hyper + - metadata: + name: samba-etc + spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: cephfs-hyper +--- +apiVersion: v1 +kind: Service +metadata: + name: samba-ad-dc2-direct + namespace: samba-directory + labels: + app: samba-ad + samba-role: dc2 +spec: + internalTrafficPolicy: Cluster + clusterIP: 2001:470:7116:f:1::22 + clusterIPs: + - 2001:470:7116:f:1::22 + - 10.0.91.22 + ipFamilies: + - IPv6 + - IPv4 + ipFamilyPolicy: PreferDualStack + type: ClusterIP + selector: + app: samba-ad + samba-role: dc2 + ports: + - { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 } + - { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 } + - { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 } + - { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 
}
+ - { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 }
+ - { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 }
+ - { name: smb, port: 445, protocol: TCP, targetPort: 445 }
+ - { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 }
+ - { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 }
+ - { name: ldaps, port: 636, protocol: TCP, targetPort: 636 }
+ - { name: gc, port: 3268, protocol: TCP, targetPort: 3268 }
+ - { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 }
+ - { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 }
+ - { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 }
+ - { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 }
+ - { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 }
+ - { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 }
+ - { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 }
+ - { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 }
+---
\ No newline at end of file
diff --git a/samba-directory/ldif.yaml b/samba-directory/ldif.yaml
new file mode 100644
index 0000000..274f029
--- /dev/null
+++ b/samba-directory/ldif.yaml
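Review bot: The LDAP wait `until bash -c "/dev/null; do` in the join script is not valid bash as it appears in the hunk — the double quote is never closed, so the whole `if` block fails to parse and the pod never reaches `samba-tool domain join`; if this was a `/dev/tcp` socket probe whose `<` redirection was lost in rendering, the committed file should be checked, otherwise the line needs rewriting. Both `until` loops are also unbounded and the container defines no readinessProbe, so a dc2 pod whose dc1 never resolves sits Running and Ready while looping forever; a retry cap that exits non-zero would let the StatefulSet controller surface the failure. The `sleep 30` after the loops encodes a timing assumption, and a one-line comment saying what dc1 is expected to finish in that window (e.g. `# give dc1 time to finish provisioning before joining`) would help the next maintainer.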
@@ -0,0 +1,387 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: samba-ad-bootstrap + namespace: samba-directory +data: + bootstrap.ldif: | + # ----------------------------- + # OU structure + # ----------------------------- + dn: OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: organizationalUnit + ou: Undercloud + description: Root OU for all Undercloud directory objects + + dn: OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: organizationalUnit + ou: users + description: Human user accounts + + dn: OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: organizationalUnit + ou: serviceaccounts + description: Non-interactive service accounts + + dn: OU=groups,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: organizationalUnit + ou: groups + description: Security and role groups + + # ----------------------------- + # Groups (CREATE FIRST) + # ----------------------------- + dn: CN=undercloud-users,OU=groups,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: group + cn: undercloud-users + sAMAccountName: undercloud-users + description: All standard user accounts + groupType: -2147483646 + + dn: CN=undercloud-administrators,OU=groups,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: group + cn: undercloud-administrators + sAMAccountName: undercloud-administrators + description: Global administrators for Undercloud + groupType: -2147483646 + + + dn: CN=fileserver-access,OU=groups,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: group + cn: fileserver-access + sAMAccountName: fileserver-access + description: Access control group for SMB file shares + groupType: -2147483646 + + dn: CN=gitea-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local + changetype: add 
+ objectClass: top + objectClass: group + cn: gitea-admins + sAMAccountName: gitea-admins + description: Administrative access to Gitea + groupType: -2147483646 + + dn: CN=argocd-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: group + cn: argocd-admins + sAMAccountName: argocd-admins + description: Administrative access to Argo CD + groupType: -2147483646 + + dn: CN=firewall-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: group + cn: firewall-admins + sAMAccountName: firewall-admins + description: Administrative access to firewall systems + groupType: -2147483646 + + dn: CN=bookstack-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: group + cn: bookstack-admins + sAMAccountName: bookstack-admins + description: Administrative access to BookStack + groupType: -2147483646 + + dn: CN=nextcloud-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: group + cn: nextcloud-admins + sAMAccountName: nextcloud-admins + description: Administrative access to Nextcloud + groupType: -2147483646 + + dn: CN=samba-service,OU=groups,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: group + cn: samba-service + sAMAccountName: samba-service + description: Service group for Samba / SMB integration + groupType: -2147483646 + + # ----------------------------- + # Users + # ----------------------------- + dn: CN=sebastian,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: sebastian + sn: Gurlin + givenName: Sebastian + displayName: Sebastian Gurlin + sAMAccountName: sebastian + userPrincipalName: sebastian@undercloud.local + description: Primary human user account + userAccountControl: 512 + + dn: 
CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: glados + sn: Glados + givenName: Glados + displayName: Glados + sAMAccountName: glados + userPrincipalName: glados@undercloud.local + description: Administrative AI persona account + userAccountControl: 512 + + dn: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: shodan + sn: Shodan + givenName: Shodan + displayName: Shodan + sAMAccountName: shodan + userPrincipalName: shodan@undercloud.local + description: Administrative AI persona account + userAccountControl: 512 + + dn: CN=lam,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: lam + sn: Service + givenName: LAM + displayName: LAM + sAMAccountName: lam + userPrincipalName: lam@undercloud.local + mail: lam@undercloud.local + description: LDAP Account Manager service account + userAccountControl: 512 + + dn: CN=argocd,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: argocd + sn: Service + givenName: ArgoCD + displayName: ArgoCD + sAMAccountName: argocd + userPrincipalName: argocd@undercloud.local + mail: argocd@undercloud.local + description: ArgoCD service account + userAccountControl: 512 + + dn: CN=gitea,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: gitea + sn: Service + givenName: Gitea + displayName: Gitea + sAMAccountName: gitea + userPrincipalName: gitea@undercloud.local + mail: gitea@undercloud.local + 
description: Gitea service account + userAccountControl: 512 + + dn: CN=firewall,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: firewall + sn: Service + givenName: Firewall + displayName: Firewall + sAMAccountName: firewall + userPrincipalName: firewall@undercloud.local + mail: firewall@undercloud.local + description: Firewall service account + userAccountControl: 512 + + dn: CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: mailserver + sn: Service + givenName: Mailserver + displayName: Mailserver + sAMAccountName: mailserver + userPrincipalName: mailserver@undercloud.local + mail: mailserver@undercloud.local + description: Mailserver service account + userAccountControl: 512 + + dn: CN=bookstack,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: bookstack + sn: Service + givenName: BookStack + displayName: BookStack + sAMAccountName: bookstack + userPrincipalName: bookstack@undercloud.local + mail: bookstack@undercloud.local + description: BookStack service account + userAccountControl: 512 + + dn: CN=nextcloud,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: nextcloud + sn: Service + givenName: Nextcloud + displayName: Nextcloud + sAMAccountName: nextcloud + userPrincipalName: nextcloud@undercloud.local + mail: nextcloud@undercloud.local + description: Nextcloud service account + userAccountControl: 512 + + dn: CN=jellyfin,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + 
objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: jellyfin + sn: Service + givenName: Jellyfin + displayName: Jellyfin + sAMAccountName: jellyfin + userPrincipalName: jellyfin@undercloud.local + mail: jellyfin@undercloud.local + description: Jellyfin service account + userAccountControl: 512 + + dn: CN=bastillion,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: bastillion + sn: Service + givenName: Bastillion + displayName: Bastillion + sAMAccountName: bastillion + userPrincipalName: bastillion@undercloud.local + mail: bastillion@undercloud.local + description: Bastillion service account + userAccountControl: 512 + + dn: CN=guacamole,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: guacamole + sn: Service + givenName: Guacamole + displayName: Guacamole + sAMAccountName: guacamole + userPrincipalName: guacamole@undercloud.local + mail: guacamole@undercloud.local + description: Guacamole service account + userAccountControl: 512 + + dn: CN=synapse,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: synapse + sn: Service + givenName: Synapse + displayName: Synapse + sAMAccountName: synapse + userPrincipalName: synapse@undercloud.local + mail: synapse@undercloud.local + description: Synapse service account + userAccountControl: 512 + + dn: CN=samba,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local + changetype: add + objectClass: top + objectClass: person + objectClass: organizationalPerson + objectClass: user + cn: samba + sn: Service + givenName: Samba + displayName: Samba + sAMAccountName: samba + 
userPrincipalName: samba@undercloud.local
+ mail: samba@undercloud.local
+ description: Service account for SMB / CSI access
+ userAccountControl: 512
+
+ # -----------------------------
+ # Memberships (AFTER CREATION)
+ # -----------------------------
+ dn: CN=undercloud-users,OU=groups,OU=Undercloud,DC=undercloud,DC=local
+ changetype: modify
+ add: member
+ member: CN=sebastian,OU=users,OU=Undercloud,DC=undercloud,DC=local
+ member: CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local
+ member: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local
+
+ dn: CN=undercloud-administrators,OU=groups,OU=Undercloud,DC=undercloud,DC=local
+ changetype: modify
+ add: member
+ member: CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local
+ member: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local
+
+ dn: CN=fileserver-access,OU=groups,OU=Undercloud,DC=undercloud,DC=local
+ changetype: modify
+ add: member
+ member: CN=sebastian,OU=users,OU=Undercloud,DC=undercloud,DC=local
+ member: CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local
+ member: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local
+ member: CN=samba,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
+---
\ No newline at end of file
diff --git a/samba-directory/samba-ad-server.yaml b/samba-directory/samba-ad-server.yaml
deleted file mode 100644
index deb9436..0000000
--- a/samba-directory/samba-ad-server.yaml
+++ /dev/null
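Review bot: Every user entry is added with `userAccountControl: 512`, i.e. already enabled, while the passwords are only set afterwards by the `setpassword` sequence in dc1.yaml — and since that script writes its `.bootstrap-ldif-applied` marker last, an entry that loads but whose password step fails is left enabled with no password set. Adding the entries as `userAccountControl: 514` (NORMAL_ACCOUNT + ACCOUNTDISABLE) and enabling each one after its password is in place ties the enabled state to a successful password set. The entries under OU=serviceaccounts also carry no DONT_EXPIRE_PASSWORD bit, so they are subject to whatever password-expiry policy the domain ends up with; if that is unintended, `userAccountControl: 66048` (512 + 65536) on those entries, with a comment naming the bit, records the intent. The comment on `undercloud-administrators` should also state that dc1.yaml nests this group into Domain Admins, since that is where the privilege of the `glados` and `shodan` memberships at the end of the file actually comes from and it is invisible to someone editing only this LDIF.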
@@ -1,902 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: samba-ad-bootstrap - namespace: samba-directory -data: - bootstrap.ldif: | - # ----------------------------- - # OU structure - # ----------------------------- - dn: OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: organizationalUnit - ou: Undercloud - description: Root OU for all Undercloud directory objects - - dn: OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: organizationalUnit - ou: users - description: Human user accounts - - dn: OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: organizationalUnit - ou: serviceaccounts - description: Non-interactive service accounts - - dn: OU=groups,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: organizationalUnit - ou: groups - description: Security and role groups - - # ----------------------------- - # Groups (CREATE FIRST) - # ----------------------------- - dn: CN=undercloud-users,OU=groups,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: group - cn: undercloud-users - sAMAccountName: undercloud-users - description: All standard user accounts - groupType: -2147483646 - - dn: CN=undercloud-administrators,OU=groups,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: group - cn: undercloud-administrators - sAMAccountName: undercloud-administrators - description: Global administrators for Undercloud - groupType: -2147483646 - - - dn: CN=fileserver-access,OU=groups,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: group - cn: fileserver-access - sAMAccountName: fileserver-access - description: Access control group for SMB file shares - groupType: -2147483646 - - dn: CN=gitea-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local - changetype: add 
- objectClass: top - objectClass: group - cn: gitea-admins - sAMAccountName: gitea-admins - description: Administrative access to Gitea - groupType: -2147483646 - - dn: CN=argocd-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: group - cn: argocd-admins - sAMAccountName: argocd-admins - description: Administrative access to Argo CD - groupType: -2147483646 - - dn: CN=firewall-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: group - cn: firewall-admins - sAMAccountName: firewall-admins - description: Administrative access to firewall systems - groupType: -2147483646 - - dn: CN=bookstack-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: group - cn: bookstack-admins - sAMAccountName: bookstack-admins - description: Administrative access to BookStack - groupType: -2147483646 - - dn: CN=nextcloud-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: group - cn: nextcloud-admins - sAMAccountName: nextcloud-admins - description: Administrative access to Nextcloud - groupType: -2147483646 - - dn: CN=samba-service,OU=groups,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: group - cn: samba-service - sAMAccountName: samba-service - description: Service group for Samba / SMB integration - groupType: -2147483646 - - # ----------------------------- - # Users - # ----------------------------- - dn: CN=sebastian,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: sebastian - sn: Gurlin - givenName: Sebastian - displayName: Sebastian Gurlin - sAMAccountName: sebastian - userPrincipalName: sebastian@undercloud.local - description: Primary human user account - userAccountControl: 512 - - dn: 
CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: glados - sn: Glados - givenName: Glados - displayName: Glados - sAMAccountName: glados - userPrincipalName: glados@undercloud.local - description: Administrative AI persona account - userAccountControl: 512 - - dn: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: shodan - sn: Shodan - givenName: Shodan - displayName: Shodan - sAMAccountName: shodan - userPrincipalName: shodan@undercloud.local - description: Administrative AI persona account - userAccountControl: 512 - - dn: CN=lam,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: lam - sn: Service - givenName: LAM - displayName: LAM - sAMAccountName: lam - userPrincipalName: lam@undercloud.local - mail: lam@undercloud.local - description: LDAP Account Manager service account - userAccountControl: 512 - - dn: CN=argocd,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: argocd - sn: Service - givenName: ArgoCD - displayName: ArgoCD - sAMAccountName: argocd - userPrincipalName: argocd@undercloud.local - mail: argocd@undercloud.local - description: ArgoCD service account - userAccountControl: 512 - - dn: CN=gitea,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: gitea - sn: Service - givenName: Gitea - displayName: Gitea - sAMAccountName: gitea - userPrincipalName: gitea@undercloud.local - mail: gitea@undercloud.local - 
description: Gitea service account - userAccountControl: 512 - - dn: CN=firewall,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: firewall - sn: Service - givenName: Firewall - displayName: Firewall - sAMAccountName: firewall - userPrincipalName: firewall@undercloud.local - mail: firewall@undercloud.local - description: Firewall service account - userAccountControl: 512 - - dn: CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: mailserver - sn: Service - givenName: Mailserver - displayName: Mailserver - sAMAccountName: mailserver - userPrincipalName: mailserver@undercloud.local - mail: mailserver@undercloud.local - description: Mailserver service account - userAccountControl: 512 - - dn: CN=bookstack,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: bookstack - sn: Service - givenName: BookStack - displayName: BookStack - sAMAccountName: bookstack - userPrincipalName: bookstack@undercloud.local - mail: bookstack@undercloud.local - description: BookStack service account - userAccountControl: 512 - - dn: CN=nextcloud,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: nextcloud - sn: Service - givenName: Nextcloud - displayName: Nextcloud - sAMAccountName: nextcloud - userPrincipalName: nextcloud@undercloud.local - mail: nextcloud@undercloud.local - description: Nextcloud service account - userAccountControl: 512 - - dn: CN=jellyfin,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - 
objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: jellyfin - sn: Service - givenName: Jellyfin - displayName: Jellyfin - sAMAccountName: jellyfin - userPrincipalName: jellyfin@undercloud.local - mail: jellyfin@undercloud.local - description: Jellyfin service account - userAccountControl: 512 - - dn: CN=bastillion,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: bastillion - sn: Service - givenName: Bastillion - displayName: Bastillion - sAMAccountName: bastillion - userPrincipalName: bastillion@undercloud.local - mail: bastillion@undercloud.local - description: Bastillion service account - userAccountControl: 512 - - dn: CN=guacamole,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: guacamole - sn: Service - givenName: Guacamole - displayName: Guacamole - sAMAccountName: guacamole - userPrincipalName: guacamole@undercloud.local - mail: guacamole@undercloud.local - description: Guacamole service account - userAccountControl: 512 - - dn: CN=synapse,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: synapse - sn: Service - givenName: Synapse - displayName: Synapse - sAMAccountName: synapse - userPrincipalName: synapse@undercloud.local - mail: synapse@undercloud.local - description: Synapse service account - userAccountControl: 512 - - dn: CN=samba,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local - changetype: add - objectClass: top - objectClass: person - objectClass: organizationalPerson - objectClass: user - cn: samba - sn: Service - givenName: Samba - displayName: Samba - sAMAccountName: samba - 
userPrincipalName: samba@undercloud.local - mail: samba@undercloud.local - description: Service account for SMB / CSI access - userAccountControl: 512 - - # ----------------------------- - # Memberships (AFTER CREATION) - # ----------------------------- - dn: CN=undercloud-users,OU=groups,OU=Undercloud,DC=undercloud,DC=local - changetype: modify - add: member - member: CN=sebastian,OU=users,OU=Undercloud,DC=undercloud,DC=local - member: CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local - member: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local - - dn: CN=undercloud-administrators,OU=groups,OU=Undercloud,DC=undercloud,DC=local - changetype: modify - add: member - member: CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local - member: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local - - dn: CN=fileserver-access,OU=groups,OU=Undercloud,DC=undercloud,DC=local - changetype: modify - add: member - member: CN=sebastian,OU=users,OU=Undercloud,DC=undercloud,DC=local - member: CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local - member: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local - member: CN=samba,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local ---- -apiVersion: v1 -kind: Service -metadata: - name: samba-ad-dc1 - namespace: samba-directory - labels: - app: samba-ad - samba-role: dc1 -spec: - clusterIP: None - publishNotReadyAddresses: true - selector: - app: samba-ad - samba-role: dc1 - ports: - - { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 } - - { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 } - - { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 } - - { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 } - - { name: ntp, port: 123, protocol: UDP, targetPort: 123 } - - { name: epm, port: 135, protocol: TCP, targetPort: 135 } - - { name: netbios-ns, port: 137, protocol: UDP, targetPort: 137 } - - { name: netbios-dgm, port: 138, protocol: UDP, targetPort: 138 } - - { name: 
netbios-ssn, port: 139, protocol: TCP, targetPort: 139 } - - { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 } - - { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 } - - { name: smb, port: 445, protocol: TCP, targetPort: 445 } - - { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 } - - { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 } - - { name: ldaps, port: 636, protocol: TCP, targetPort: 636 } - - { name: gc, port: 3268, protocol: TCP, targetPort: 3268 } - - { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 } - - { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 } - - { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 } - - { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 } - - { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 } - - { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 } - - { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 } ---- -apiVersion: v1 -kind: Service -metadata: - name: samba-ad-dc2 - namespace: samba-directory - labels: - app: samba-ad - samba-role: dc2 -spec: - clusterIP: None - publishNotReadyAddresses: true - selector: - app: samba-ad - samba-role: dc2 - ports: - - { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 } - - { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 } - - { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 } - - { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 } - - { name: ntp, port: 123, protocol: UDP, targetPort: 123 } - - { name: netbios-ns, port: 137, protocol: UDP, targetPort: 137 } - - { name: netbios-dgm, port: 138, protocol: UDP, targetPort: 138 } - - { name: netbios-ssn, port: 139, protocol: TCP, targetPort: 139 } - - { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 } - - { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 } - - { name: smb, port: 445, protocol: TCP, targetPort: 445 } - - { name: 
kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 } - - { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 } - - { name: ldaps, port: 636, protocol: TCP, targetPort: 636 } - - { name: gc, port: 3268, protocol: TCP, targetPort: 3268 } - - { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 } - - { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 } - - { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 } - - { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 } - - { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 } - - { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 } - - { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 } - - { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 } ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: samba-ad-config-dc1 - namespace: samba-directory -data: - smb.conf: | - [global] - workgroup = UNDERCLOUD - realm = UNDERCLOUD.LOCAL - netbios name = DC1 - server role = active directory domain controller - - rpc server port = 5000 - rpc server port:netlogon = 5001 - rpc server port:lsarpc = 5002 - rpc server port:samr = 5003 - rpc server port:drsuapi = 5004 - rpc server port:dnsserver = 5005 - - [sysvol] - path = /var/lib/samba/sysvol - read only = No - - [netlogon] - path = /var/lib/samba/sysvol/undercloud.local/scripts - read only = No ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: dc1 - namespace: samba-directory -spec: - serviceName: samba-ad-dc1 - replicas: 1 - selector: - matchLabels: - app: samba-ad - samba-role: dc1 - template: - metadata: - labels: - app: samba-ad - samba-role: dc1 - spec: - terminationGracePeriodSeconds: 30 - hostname: dc1 - containers: - - name: samba-ad - image: quay.io/samba.org/samba-ad-server:latest - securityContext: - capabilities: - add: ["SYS_ADMIN"] - envFrom: - - secretRef: - name: samba-ad-secrets - ports: - - { name: dns-tcp, containerPort: 53, protocol: TCP } - 
- { name: dns-udp, containerPort: 53, protocol: UDP } - - { name: kerberos-tcp, containerPort: 88, protocol: TCP } - - { name: kerberos-udp, containerPort: 88, protocol: UDP } - - { name: ldap-tcp, containerPort: 389, protocol: TCP } - - { name: ldap-udp, containerPort: 389, protocol: UDP } - - { name: smb, containerPort: 445, protocol: TCP } - - { name: kpasswd-tcp, containerPort: 464, protocol: TCP } - - { name: kpasswd-udp, containerPort: 464, protocol: UDP } - - { name: ldaps, containerPort: 636, protocol: TCP } - - { name: gc, containerPort: 3268, protocol: TCP } - - { name: gc-ssl, containerPort: 3269, protocol: TCP } - - { name: rpc-epmap, containerPort: 135, protocol: TCP } - - { name: rpc-base, containerPort: 5000, protocol: TCP } - - { name: rpc-netlogon, containerPort: 5001, protocol: TCP } - - { name: rpc-lsarpc, containerPort: 5002, protocol: TCP } - - { name: rpc-samr, containerPort: 5003, protocol: TCP } - - { name: rpc-drsuapi, containerPort: 5004, protocol: TCP } - - { name: rpc-dnsserver, containerPort: 5005, protocol: TCP } - volumeMounts: - - name: samba-state - mountPath: /var/lib/samba - - name: samba-etc - mountPath: /etc/samba - - name: samba-bootstrap - mountPath: /bootstrap - readOnly: true - - name: samba-config - mountPath: /etc/samba/smb.conf - subPath: smb.conf - command: ["/bin/bash", "-ec"] - args: - - | - set -euxo pipefail - - if [ ! -f /var/lib/samba/.provisioned ] || [ ! -f /etc/samba/smb.conf ]; then - rm -f /var/lib/samba/.provisioned - rm -f /var/lib/samba/.bootstrap-ldif-applied - - samba-tool domain provision \ - --server-role=dc \ - --use-rfc2307 \ - --dns-backend=SAMBA_INTERNAL \ - --realm=UNDERCLOUD.LOCAL \ - --domain=UNDERCLOUD \ - --host-name=dc1 \ - -d 3 \ - --adminpass="${ADMIN_PASSWORD}" - - cp /var/lib/samba/private/krb5.conf /etc/krb5.conf - - touch /var/lib/samba/.provisioned - fi - - cp /var/lib/samba/private/krb5.conf /etc/krb5.conf - - if [ ! 
-f /var/lib/samba/.bootstrap-ldif-applied ]; then - ldbadd -H /var/lib/samba/private/sam.ldb /bootstrap/bootstrap.ldif - - samba-tool user setpassword sebastian --newpassword="${SEBASTIAN_PASSWORD}" - samba-tool user setpassword glados --newpassword="${GLADOS_PASSWORD}" - samba-tool user setpassword shodan --newpassword="${SHODAN_PASSWORD}" - samba-tool user setpassword lam --newpassword="${LAM_PASSWORD}" - samba-tool user setpassword argocd --newpassword="${ARGOCD_PASSWORD}" - samba-tool user setpassword gitea --newpassword="${GITEA_PASSWORD}" - samba-tool user setpassword firewall --newpassword="${FIREWALL_PASSWORD}" - samba-tool user setpassword mailserver --newpassword="${MAILSERVER_PASSWORD}" - samba-tool user setpassword bookstack --newpassword="${BOOKSTACK_PASSWORD}" - samba-tool user setpassword nextcloud --newpassword="${NEXTCLOUD_PASSWORD}" - samba-tool user setpassword jellyfin --newpassword="${JELLYFIN_PASSWORD}" - samba-tool user setpassword bastillion --newpassword="${BASTILLION_PASSWORD}" - samba-tool user setpassword guacamole --newpassword="${GUACAMOLE_PASSWORD}" - samba-tool user setpassword synapse --newpassword="${SYNAPSE_PASSWORD}" - samba-tool user setpassword samba --newpassword="${SAMBA_PASSWORD}" - - samba-tool group addmembers "Domain Admins" undercloud-administrators - samba-tool group addmembers "Domain Admins" lam - - touch /var/lib/samba/.bootstrap-ldif-applied - fi - - exec samba -i - volumes: - - name: samba-bootstrap - configMap: - name: samba-ad-bootstrap - - name: samba-config - configMap: - name: samba-ad-config-dc1 - volumeClaimTemplates: - - metadata: - name: samba-state - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 10Gi - storageClassName: cephfs-hyper - - metadata: - name: samba-etc - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi - storageClassName: cephfs-hyper ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: samba-ad-config-dc2 - namespace: 
samba-directory -data: - smb.conf: | - [global] - workgroup = UNDERCLOUD - realm = UNDERCLOUD.LOCAL - netbios name = DC2 - server role = active directory domain controller - - rpc server port = 5000 - rpc server port:netlogon = 5001 - rpc server port:lsarpc = 5002 - rpc server port:samr = 5003 - rpc server port:drsuapi = 5004 - rpc server port:dnsserver = 5005 - - [sysvol] - path = /var/lib/samba/sysvol - read only = No - - [netlogon] - path = /var/lib/samba/sysvol/undercloud.local/scripts - read only = No ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: dc2 - namespace: samba-directory -spec: - serviceName: samba-ad-dc2 - replicas: 1 - selector: - matchLabels: - app: samba-ad - samba-role: dc2 - template: - metadata: - labels: - app: samba-ad - samba-role: dc2 - spec: - terminationGracePeriodSeconds: 30 - hostname: dc2 - containers: - - name: samba-ad - image: quay.io/samba.org/samba-ad-server:latest - securityContext: - capabilities: - add: ["SYS_ADMIN"] - envFrom: - - secretRef: - name: samba-ad-secrets - ports: - - { name: dns-tcp, containerPort: 53, protocol: TCP } - - { name: dns-udp, containerPort: 53, protocol: UDP } - - { name: kerberos-tcp, containerPort: 88, protocol: TCP } - - { name: kerberos-udp, containerPort: 88, protocol: UDP } - - { name: ldap-tcp, containerPort: 389, protocol: TCP } - - { name: ldap-udp, containerPort: 389, protocol: UDP } - - { name: smb, containerPort: 445, protocol: TCP } - - { name: kpasswd-tcp, containerPort: 464, protocol: TCP } - - { name: kpasswd-udp, containerPort: 464, protocol: UDP } - - { name: ldaps, containerPort: 636, protocol: TCP } - - { name: gc, containerPort: 3268, protocol: TCP } - - { name: gc-ssl, containerPort: 3269, protocol: TCP } - - { name: rpc-epmap, containerPort: 135, protocol: TCP } - - { name: rpc-base, containerPort: 5000, protocol: TCP } - - { name: rpc-netlogon, containerPort: 5001, protocol: TCP } - - { name: rpc-lsarpc, containerPort: 5002, protocol: TCP } - - { name: rpc-samr, 
containerPort: 5003, protocol: TCP } - - { name: rpc-drsuapi, containerPort: 5004, protocol: TCP } - - { name: rpc-dnsserver, containerPort: 5005, protocol: TCP } - volumeMounts: - - name: samba-state - mountPath: /var/lib/samba - - name: samba-etc - mountPath: /etc/samba - - name: samba-config - mountPath: /etc/samba/smb.conf - subPath: smb.conf - command: ["/bin/bash", "-ec"] - args: - - | - set -euxo pipefail - - DC1_FQDN="dc1.undercloud.local" - - if [ ! -f /var/lib/samba/.joined ] || [ ! -f /etc/samba/smb.conf ]; then - rm -f /var/lib/samba/.joined - - until getent hosts "${DC1_FQDN}"; do - echo "waiting for dc1 dns" - sleep 5 - done - - until bash -c "/dev/null; do - echo "waiting for dc1 ldap" - sleep 5 - done - - sleep 30 - - samba-tool domain join UNDERCLOUD.LOCAL DC \ - --server="${DC1_FQDN}" \ - -d 3 \ - -U"Administrator%${ADMIN_PASSWORD}" - - cp /var/lib/samba/private/krb5.conf /etc/krb5.conf - - touch /var/lib/samba/.joined - fi - - cp /var/lib/samba/private/krb5.conf /etc/krb5.conf - - exec samba -i - volumes: - - name: samba-config - configMap: - name: samba-ad-config-dc2 - volumeClaimTemplates: - - metadata: - name: samba-state - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 10Gi - storageClassName: cephfs-hyper - - metadata: - name: samba-etc - spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 1Gi - storageClassName: cephfs-hyper ---- -apiVersion: v1 -kind: Service -metadata: - name: samba-ad-dc1-direct - namespace: samba-directory - labels: - app: samba-ad - samba-role: dc1 -spec: - internalTrafficPolicy: Cluster - clusterIP: 2001:470:7116:f:1::21 - clusterIPs: - - 2001:470:7116:f:1::21 - - 10.0.91.21 - ipFamilies: - - IPv6 - - IPv4 - ipFamilyPolicy: PreferDualStack - type: ClusterIP - selector: - app: samba-ad - samba-role: dc1 - ports: - - { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 } - - { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 } - - { name: kerberos-tcp, port: 
88, protocol: TCP, targetPort: 88 } - - { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 } - - { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 } - - { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 } - - { name: smb, port: 445, protocol: TCP, targetPort: 445 } - - { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 } - - { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 } - - { name: ldaps, port: 636, protocol: TCP, targetPort: 636 } - - { name: gc, port: 3268, protocol: TCP, targetPort: 3268 } - - { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 } - - { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 } - - { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 } - - { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 } - - { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 } - - { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 } - - { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 } - - { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 } ---- -apiVersion: v1 -kind: Service -metadata: - name: samba-ad-dc2-direct - namespace: samba-directory - labels: - app: samba-ad - samba-role: dc2 -spec: - internalTrafficPolicy: Cluster - clusterIP: 2001:470:7116:f:1::22 - clusterIPs: - - 2001:470:7116:f:1::22 - - 10.0.91.22 - ipFamilies: - - IPv6 - - IPv4 - ipFamilyPolicy: PreferDualStack - type: ClusterIP - selector: - app: samba-ad - samba-role: dc2 - ports: - - { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 } - - { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 } - - { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 } - - { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 } - - { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 } - - { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 } - - { name: smb, port: 445, protocol: TCP, targetPort: 445 } - - { name: 
kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 } - - { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 } - - { name: ldaps, port: 636, protocol: TCP, targetPort: 636 } - - { name: gc, port: 3268, protocol: TCP, targetPort: 3268 } - - { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 } - - { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 } - - { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 } - - { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 } - - { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 } - - { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 } - - { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 } - - { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 } ---- -apiVersion: v1 -kind: Service -metadata: - name: samba-ad - namespace: samba-directory - labels: - app: samba-ad -spec: - internalTrafficPolicy: Cluster - clusterIP: 2001:470:7116:f:1::20 - clusterIPs: - - 2001:470:7116:f:1::20 - - 10.0.91.20 - ipFamilies: - - IPv6 - - IPv4 - ipFamilyPolicy: PreferDualStack - type: ClusterIP - selector: - app: samba-ad - ports: - - { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 } - - { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 } - - { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 } - - { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 } - - { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 } - - { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 } - - { name: smb, port: 445, protocol: TCP, targetPort: 445 } - - { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 } - - { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 } - - { name: ldaps, port: 636, protocol: TCP, targetPort: 636 } - - { name: gc, port: 3268, protocol: TCP, targetPort: 3268 } - - { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 } - - { name: rpc-epmap, port: 135, 
protocol: TCP, targetPort: 135 } - - { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 } - - { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 } - - { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 } - - { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 } - - { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 } - - { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 } \ No newline at end of file