Undercloud/k8s-apps
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

multiple files

Browse Source
This commit is contained in:
Gitea Root Administrator
2026-03-20 09:59:00 +00:00
parent ad28c77cc2
commit 78b2ce85c7
4 changed files with 903 additions and 902 deletions
Download Patch File Download Diff File Expand all files Collapse all files

290
samba-directory/dc1.yaml Normal file
View File

@@ -0,0 +1,290 @@
apiVersion: v1
kind: Service
metadata:
name: samba-ad-dc1
namespace: samba-directory
labels:
app: samba-ad
samba-role: dc1
spec:
clusterIP: None
publishNotReadyAddresses: true
selector:
app: samba-ad
samba-role: dc1
ports:
- { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 }
- { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 }
- { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 }
- { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 }
- { name: ntp, port: 123, protocol: UDP, targetPort: 123 }
- { name: epm, port: 135, protocol: TCP, targetPort: 135 }
- { name: netbios-ns, port: 137, protocol: UDP, targetPort: 137 }
- { name: netbios-dgm, port: 138, protocol: UDP, targetPort: 138 }
- { name: netbios-ssn, port: 139, protocol: TCP, targetPort: 139 }
- { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 }
- { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 }
- { name: smb, port: 445, protocol: TCP, targetPort: 445 }
- { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 }
- { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 }
- { name: ldaps, port: 636, protocol: TCP, targetPort: 636 }
- { name: gc, port: 3268, protocol: TCP, targetPort: 3268 }
- { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 }
- { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 }
- { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 }
- { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 }
- { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 }
- { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 }
- { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 }
---
apiVersion: v1
kind: ConfigMap
metadata:
name: samba-ad-config-dc1
namespace: samba-directory
data:
smb.conf: |
[global]
workgroup = UNDERCLOUD
realm = UNDERCLOUD.LOCAL
netbios name = DC1
server role = active directory domain controller
rpc server port = 5000
rpc server port:netlogon = 5001
rpc server port:lsarpc = 5002
rpc server port:samr = 5003
rpc server port:drsuapi = 5004
rpc server port:dnsserver = 5005
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/undercloud.local/scripts
read only = No
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: dc1
namespace: samba-directory
spec:
serviceName: samba-ad-dc1
replicas: 1
selector:
matchLabels:
app: samba-ad
samba-role: dc1
template:
metadata:
labels:
app: samba-ad
samba-role: dc1
spec:
terminationGracePeriodSeconds: 30
hostname: dc1
containers:
- name: samba-ad
image: quay.io/samba.org/samba-ad-server:latest
securityContext:
capabilities:
add: ["SYS_ADMIN"]
envFrom:
- secretRef:
name: samba-ad-secrets
ports:
- { name: dns-tcp, containerPort: 53, protocol: TCP }
- { name: dns-udp, containerPort: 53, protocol: UDP }
- { name: kerberos-tcp, containerPort: 88, protocol: TCP }
- { name: kerberos-udp, containerPort: 88, protocol: UDP }
- { name: ldap-tcp, containerPort: 389, protocol: TCP }
- { name: ldap-udp, containerPort: 389, protocol: UDP }
- { name: smb, containerPort: 445, protocol: TCP }
- { name: kpasswd-tcp, containerPort: 464, protocol: TCP }
- { name: kpasswd-udp, containerPort: 464, protocol: UDP }
- { name: ldaps, containerPort: 636, protocol: TCP }
- { name: gc, containerPort: 3268, protocol: TCP }
- { name: gc-ssl, containerPort: 3269, protocol: TCP }
- { name: rpc-epmap, containerPort: 135, protocol: TCP }
- { name: rpc-base, containerPort: 5000, protocol: TCP }
- { name: rpc-netlogon, containerPort: 5001, protocol: TCP }
- { name: rpc-lsarpc, containerPort: 5002, protocol: TCP }
- { name: rpc-samr, containerPort: 5003, protocol: TCP }
- { name: rpc-drsuapi, containerPort: 5004, protocol: TCP }
- { name: rpc-dnsserver, containerPort: 5005, protocol: TCP }
volumeMounts:
- name: samba-state
mountPath: /var/lib/samba
- name: samba-etc
mountPath: /etc/samba
- name: samba-bootstrap
mountPath: /bootstrap
readOnly: true
- name: samba-config
mountPath: /etc/samba/smb.conf
subPath: smb.conf
command: ["/bin/bash", "-ec"]
args:
- |
set -euxo pipefail
if [ ! -f /var/lib/samba/.provisioned ] || [ ! -f /etc/samba/smb.conf ]; then
rm -f /var/lib/samba/.provisioned
rm -f /var/lib/samba/.bootstrap-ldif-applied
samba-tool domain provision \
--server-role=dc \
--use-rfc2307 \
--dns-backend=SAMBA_INTERNAL \
--realm=UNDERCLOUD.LOCAL \
--domain=UNDERCLOUD \
--host-name=dc1 \
-d 3 \
--adminpass="${ADMIN_PASSWORD}"
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
touch /var/lib/samba/.provisioned
fi
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
if [ ! -f /var/lib/samba/.bootstrap-ldif-applied ]; then
ldbadd -H /var/lib/samba/private/sam.ldb /bootstrap/bootstrap.ldif
samba-tool user setpassword sebastian --newpassword="${SEBASTIAN_PASSWORD}" >/dev/null 2>&1
samba-tool user setpassword glados --newpassword="${GLADOS_PASSWORD}" >/dev/null 2>&1
samba-tool user setpassword shodan --newpassword="${SHODAN_PASSWORD}" >/dev/null 2>&1
samba-tool user setpassword lam --newpassword="${LAM_PASSWORD}" >/dev/null 2>&1
samba-tool user setpassword argocd --newpassword="${ARGOCD_PASSWORD}" >/dev/null 2>&1
samba-tool user setpassword gitea --newpassword="${GITEA_PASSWORD}" >/dev/null 2>&1
samba-tool user setpassword firewall --newpassword="${FIREWALL_PASSWORD}" >/dev/null 2>&1
samba-tool user setpassword mailserver --newpassword="${MAILSERVER_PASSWORD}" >/dev/null 2>&1
samba-tool user setpassword bookstack --newpassword="${BOOKSTACK_PASSWORD}" >/dev/null 2>&1
samba-tool user setpassword nextcloud --newpassword="${NEXTCLOUD_PASSWORD}" >/dev/null 2>&1
samba-tool user setpassword jellyfin --newpassword="${JELLYFIN_PASSWORD}" >/dev/null 2>&1
samba-tool user setpassword bastillion --newpassword="${BASTILLION_PASSWORD}" >/dev/null 2>&1
samba-tool user setpassword guacamole --newpassword="${GUACAMOLE_PASSWORD}" >/dev/null 2>&1
samba-tool user setpassword synapse --newpassword="${SYNAPSE_PASSWORD}" >/dev/null 2>&1
samba-tool user setpassword samba --newpassword="${SAMBA_PASSWORD}" >/dev/null 2>&1
samba-tool group addmembers "Domain Admins" undercloud-administrators
samba-tool group addmembers "Domain Admins" lam
touch /var/lib/samba/.bootstrap-ldif-applied
fi
exec samba -i
volumes:
- name: samba-bootstrap
configMap:
name: samba-ad-bootstrap
- name: samba-config
configMap:
name: samba-ad-config-dc1
volumeClaimTemplates:
- metadata:
name: samba-state
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: cephfs-hyper
- metadata:
name: samba-etc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: cephfs-hyper
---
apiVersion: v1
kind: Service
metadata:
name: samba-ad-dc1-direct
namespace: samba-directory
labels:
app: samba-ad
samba-role: dc1
spec:
internalTrafficPolicy: Cluster
clusterIP: 2001:470:7116:f:1::21
clusterIPs:
- 2001:470:7116:f:1::21
- 10.0.91.21
ipFamilies:
- IPv6
- IPv4
ipFamilyPolicy: PreferDualStack
type: ClusterIP
selector:
app: samba-ad
samba-role: dc1
ports:
- { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 }
- { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 }
- { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 }
- { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 }
- { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 }
- { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 }
- { name: smb, port: 445, protocol: TCP, targetPort: 445 }
- { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 }
- { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 }
- { name: ldaps, port: 636, protocol: TCP, targetPort: 636 }
- { name: gc, port: 3268, protocol: TCP, targetPort: 3268 }
- { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 }
- { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 }
- { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 }
- { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 }
- { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 }
- { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 }
- { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 }
- { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 }
---
apiVersion: v1
kind: Service
metadata:
name: samba-ad
namespace: samba-directory
labels:
app: samba-ad
spec:
internalTrafficPolicy: Cluster
clusterIP: 2001:470:7116:f:1::20
clusterIPs:
- 2001:470:7116:f:1::20
- 10.0.91.20
ipFamilies:
- IPv6
- IPv4
ipFamilyPolicy: PreferDualStack
type: ClusterIP
selector:
app: samba-ad
ports:
- { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 }
- { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 }
- { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 }
- { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 }
- { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 }
- { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 }
- { name: smb, port: 445, protocol: TCP, targetPort: 445 }
- { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 }
- { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 }
- { name: ldaps, port: 636, protocol: TCP, targetPort: 636 }
- { name: gc, port: 3268, protocol: TCP, targetPort: 3268 }
- { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 }
- { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 }
- { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 }
- { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 }
- { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 }
- { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 }
- { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 }
- { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 }

226
samba-directory/dc2.yaml Normal file
View File

@@ -0,0 +1,226 @@
apiVersion: v1
kind: Service
metadata:
name: samba-ad-dc2
namespace: samba-directory
labels:
app: samba-ad
samba-role: dc2
spec:
clusterIP: None
publishNotReadyAddresses: true
selector:
app: samba-ad
samba-role: dc2
ports:
- { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 }
- { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 }
- { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 }
- { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 }
- { name: ntp, port: 123, protocol: UDP, targetPort: 123 }
- { name: netbios-ns, port: 137, protocol: UDP, targetPort: 137 }
- { name: netbios-dgm, port: 138, protocol: UDP, targetPort: 138 }
- { name: netbios-ssn, port: 139, protocol: TCP, targetPort: 139 }
- { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 }
- { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 }
- { name: smb, port: 445, protocol: TCP, targetPort: 445 }
- { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 }
- { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 }
- { name: ldaps, port: 636, protocol: TCP, targetPort: 636 }
- { name: gc, port: 3268, protocol: TCP, targetPort: 3268 }
- { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 }
- { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 }
- { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 }
- { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 }
- { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 }
- { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 }
- { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 }
- { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 }
---
apiVersion: v1
kind: ConfigMap
metadata:
name: samba-ad-config-dc2
namespace: samba-directory
data:
smb.conf: |
[global]
workgroup = UNDERCLOUD
realm = UNDERCLOUD.LOCAL
netbios name = DC2
server role = active directory domain controller
rpc server port = 5000
rpc server port:netlogon = 5001
rpc server port:lsarpc = 5002
rpc server port:samr = 5003
rpc server port:drsuapi = 5004
rpc server port:dnsserver = 5005
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/undercloud.local/scripts
read only = No
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: dc2
namespace: samba-directory
spec:
serviceName: samba-ad-dc2
replicas: 1
selector:
matchLabels:
app: samba-ad
samba-role: dc2
template:
metadata:
labels:
app: samba-ad
samba-role: dc2
spec:
terminationGracePeriodSeconds: 30
hostname: dc2
containers:
- name: samba-ad
image: quay.io/samba.org/samba-ad-server:latest
securityContext:
capabilities:
add: ["SYS_ADMIN"]
envFrom:
- secretRef:
name: samba-ad-secrets
ports:
- { name: dns-tcp, containerPort: 53, protocol: TCP }
- { name: dns-udp, containerPort: 53, protocol: UDP }
- { name: kerberos-tcp, containerPort: 88, protocol: TCP }
- { name: kerberos-udp, containerPort: 88, protocol: UDP }
- { name: ldap-tcp, containerPort: 389, protocol: TCP }
- { name: ldap-udp, containerPort: 389, protocol: UDP }
- { name: smb, containerPort: 445, protocol: TCP }
- { name: kpasswd-tcp, containerPort: 464, protocol: TCP }
- { name: kpasswd-udp, containerPort: 464, protocol: UDP }
- { name: ldaps, containerPort: 636, protocol: TCP }
- { name: gc, containerPort: 3268, protocol: TCP }
- { name: gc-ssl, containerPort: 3269, protocol: TCP }
- { name: rpc-epmap, containerPort: 135, protocol: TCP }
- { name: rpc-base, containerPort: 5000, protocol: TCP }
- { name: rpc-netlogon, containerPort: 5001, protocol: TCP }
- { name: rpc-lsarpc, containerPort: 5002, protocol: TCP }
- { name: rpc-samr, containerPort: 5003, protocol: TCP }
- { name: rpc-drsuapi, containerPort: 5004, protocol: TCP }
- { name: rpc-dnsserver, containerPort: 5005, protocol: TCP }
volumeMounts:
- name: samba-state
mountPath: /var/lib/samba
- name: samba-etc
mountPath: /etc/samba
- name: samba-config
mountPath: /etc/samba/smb.conf
subPath: smb.conf
command: ["/bin/bash", "-ec"]
args:
- |
set -euxo pipefail
DC1_FQDN="dc1.undercloud.local"
if [ ! -f /var/lib/samba/.joined ] || [ ! -f /etc/samba/smb.conf ]; then
rm -f /var/lib/samba/.joined
until getent hosts "${DC1_FQDN}"; do
echo "waiting for dc1 dns"
sleep 5
done
until bash -c "</dev/tcp/${DC1_FQDN}/389" 2>/dev/null; do
echo "waiting for dc1 ldap"
sleep 5
done
sleep 30
samba-tool domain join UNDERCLOUD.LOCAL DC \
--server="${DC1_FQDN}" \
-d 3 \
-U"Administrator%${ADMIN_PASSWORD}"
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
touch /var/lib/samba/.joined
fi
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
exec samba -i
volumes:
- name: samba-config
configMap:
name: samba-ad-config-dc2
volumeClaimTemplates:
- metadata:
name: samba-state
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: cephfs-hyper
- metadata:
name: samba-etc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: cephfs-hyper
---
apiVersion: v1
kind: Service
metadata:
name: samba-ad-dc2-direct
namespace: samba-directory
labels:
app: samba-ad
samba-role: dc2
spec:
internalTrafficPolicy: Cluster
clusterIP: 2001:470:7116:f:1::22
clusterIPs:
- 2001:470:7116:f:1::22
- 10.0.91.22
ipFamilies:
- IPv6
- IPv4
ipFamilyPolicy: PreferDualStack
type: ClusterIP
selector:
app: samba-ad
samba-role: dc2
ports:
- { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 }
- { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 }
- { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 }
- { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 }
- { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 }
- { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 }
- { name: smb, port: 445, protocol: TCP, targetPort: 445 }
- { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 }
- { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 }
- { name: ldaps, port: 636, protocol: TCP, targetPort: 636 }
- { name: gc, port: 3268, protocol: TCP, targetPort: 3268 }
- { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 }
- { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 }
- { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 }
- { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 }
- { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 }
- { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 }
- { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 }
- { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 }
---

387
samba-directory/ldif.yaml Normal file
View File

@@ -0,0 +1,387 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: samba-ad-bootstrap
namespace: samba-directory
data:
bootstrap.ldif: |
# -----------------------------
# OU structure
# -----------------------------
dn: OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: Undercloud
description: Root OU for all Undercloud directory objects
dn: OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: users
description: Human user accounts
dn: OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: serviceaccounts
description: Non-interactive service accounts
dn: OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: groups
description: Security and role groups
# -----------------------------
# Groups (CREATE FIRST)
# -----------------------------
dn: CN=undercloud-users,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: undercloud-users
sAMAccountName: undercloud-users
description: All standard user accounts
groupType: -2147483646
dn: CN=undercloud-administrators,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: undercloud-administrators
sAMAccountName: undercloud-administrators
description: Global administrators for Undercloud
groupType: -2147483646
dn: CN=fileserver-access,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: fileserver-access
sAMAccountName: fileserver-access
description: Access control group for SMB file shares
groupType: -2147483646
dn: CN=gitea-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: gitea-admins
sAMAccountName: gitea-admins
description: Administrative access to Gitea
groupType: -2147483646
dn: CN=argocd-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: argocd-admins
sAMAccountName: argocd-admins
description: Administrative access to Argo CD
groupType: -2147483646
dn: CN=firewall-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: firewall-admins
sAMAccountName: firewall-admins
description: Administrative access to firewall systems
groupType: -2147483646
dn: CN=bookstack-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: bookstack-admins
sAMAccountName: bookstack-admins
description: Administrative access to BookStack
groupType: -2147483646
dn: CN=nextcloud-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: nextcloud-admins
sAMAccountName: nextcloud-admins
description: Administrative access to Nextcloud
groupType: -2147483646
dn: CN=samba-service,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: samba-service
sAMAccountName: samba-service
description: Service group for Samba / SMB integration
groupType: -2147483646
# -----------------------------
# Users
# -----------------------------
dn: CN=sebastian,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: sebastian
sn: Gurlin
givenName: Sebastian
displayName: Sebastian Gurlin
sAMAccountName: sebastian
userPrincipalName: sebastian@undercloud.local
description: Primary human user account
userAccountControl: 512
dn: CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: glados
sn: Glados
givenName: Glados
displayName: Glados
sAMAccountName: glados
userPrincipalName: glados@undercloud.local
description: Administrative AI persona account
userAccountControl: 512
dn: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: shodan
sn: Shodan
givenName: Shodan
displayName: Shodan
sAMAccountName: shodan
userPrincipalName: shodan@undercloud.local
description: Administrative AI persona account
userAccountControl: 512
dn: CN=lam,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: lam
sn: Service
givenName: LAM
displayName: LAM
sAMAccountName: lam
userPrincipalName: lam@undercloud.local
mail: lam@undercloud.local
description: LDAP Account Manager service account
userAccountControl: 512
dn: CN=argocd,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: argocd
sn: Service
givenName: ArgoCD
displayName: ArgoCD
sAMAccountName: argocd
userPrincipalName: argocd@undercloud.local
mail: argocd@undercloud.local
description: ArgoCD service account
userAccountControl: 512
dn: CN=gitea,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: gitea
sn: Service
givenName: Gitea
displayName: Gitea
sAMAccountName: gitea
userPrincipalName: gitea@undercloud.local
mail: gitea@undercloud.local
description: Gitea service account
userAccountControl: 512
dn: CN=firewall,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: firewall
sn: Service
givenName: Firewall
displayName: Firewall
sAMAccountName: firewall
userPrincipalName: firewall@undercloud.local
mail: firewall@undercloud.local
description: Firewall service account
userAccountControl: 512
dn: CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: mailserver
sn: Service
givenName: Mailserver
displayName: Mailserver
sAMAccountName: mailserver
userPrincipalName: mailserver@undercloud.local
mail: mailserver@undercloud.local
description: Mailserver service account
userAccountControl: 512
dn: CN=bookstack,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: bookstack
sn: Service
givenName: BookStack
displayName: BookStack
sAMAccountName: bookstack
userPrincipalName: bookstack@undercloud.local
mail: bookstack@undercloud.local
description: BookStack service account
userAccountControl: 512
dn: CN=nextcloud,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: nextcloud
sn: Service
givenName: Nextcloud
displayName: Nextcloud
sAMAccountName: nextcloud
userPrincipalName: nextcloud@undercloud.local
mail: nextcloud@undercloud.local
description: Nextcloud service account
userAccountControl: 512
dn: CN=jellyfin,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: jellyfin
sn: Service
givenName: Jellyfin
displayName: Jellyfin
sAMAccountName: jellyfin
userPrincipalName: jellyfin@undercloud.local
mail: jellyfin@undercloud.local
description: Jellyfin service account
userAccountControl: 512
dn: CN=bastillion,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: bastillion
sn: Service
givenName: Bastillion
displayName: Bastillion
sAMAccountName: bastillion
userPrincipalName: bastillion@undercloud.local
mail: bastillion@undercloud.local
description: Bastillion service account
userAccountControl: 512
dn: CN=guacamole,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: guacamole
sn: Service
givenName: Guacamole
displayName: Guacamole
sAMAccountName: guacamole
userPrincipalName: guacamole@undercloud.local
mail: guacamole@undercloud.local
description: Guacamole service account
userAccountControl: 512
dn: CN=synapse,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: synapse
sn: Service
givenName: Synapse
displayName: Synapse
sAMAccountName: synapse
userPrincipalName: synapse@undercloud.local
mail: synapse@undercloud.local
description: Synapse service account
userAccountControl: 512
dn: CN=samba,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: samba
sn: Service
givenName: Samba
displayName: Samba
sAMAccountName: samba
userPrincipalName: samba@undercloud.local
mail: samba@undercloud.local
description: Service account for SMB / CSI access
userAccountControl: 512
# -----------------------------
# Memberships (AFTER CREATION)
# -----------------------------
dn: CN=undercloud-users,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: modify
add: member
member: CN=sebastian,OU=users,OU=Undercloud,DC=undercloud,DC=local
member: CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local
member: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local
dn: CN=undercloud-administrators,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: modify
add: member
member: CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local
member: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local
dn: CN=fileserver-access,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: modify
add: member
member: CN=sebastian,OU=users,OU=Undercloud,DC=undercloud,DC=local
member: CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local
member: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local
member: CN=samba,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
---

902
samba-directory/samba-ad-server.yaml
View File

@@ -1,902 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: samba-ad-bootstrap
namespace: samba-directory
data:
bootstrap.ldif: |
# -----------------------------
# OU structure
# -----------------------------
dn: OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: Undercloud
description: Root OU for all Undercloud directory objects
dn: OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: users
description: Human user accounts
dn: OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: serviceaccounts
description: Non-interactive service accounts
dn: OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: groups
description: Security and role groups
# -----------------------------
# Groups (CREATE FIRST)
# -----------------------------
dn: CN=undercloud-users,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: undercloud-users
sAMAccountName: undercloud-users
description: All standard user accounts
groupType: -2147483646
dn: CN=undercloud-administrators,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: undercloud-administrators
sAMAccountName: undercloud-administrators
description: Global administrators for Undercloud
groupType: -2147483646
dn: CN=fileserver-access,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: fileserver-access
sAMAccountName: fileserver-access
description: Access control group for SMB file shares
groupType: -2147483646
dn: CN=gitea-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: gitea-admins
sAMAccountName: gitea-admins
description: Administrative access to Gitea
groupType: -2147483646
dn: CN=argocd-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: argocd-admins
sAMAccountName: argocd-admins
description: Administrative access to Argo CD
groupType: -2147483646
dn: CN=firewall-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: firewall-admins
sAMAccountName: firewall-admins
description: Administrative access to firewall systems
groupType: -2147483646
dn: CN=bookstack-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: bookstack-admins
sAMAccountName: bookstack-admins
description: Administrative access to BookStack
groupType: -2147483646
dn: CN=nextcloud-admins,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: nextcloud-admins
sAMAccountName: nextcloud-admins
description: Administrative access to Nextcloud
groupType: -2147483646
dn: CN=samba-service,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: group
cn: samba-service
sAMAccountName: samba-service
description: Service group for Samba / SMB integration
groupType: -2147483646
# -----------------------------
# Users
# -----------------------------
dn: CN=sebastian,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: sebastian
sn: Gurlin
givenName: Sebastian
displayName: Sebastian Gurlin
sAMAccountName: sebastian
userPrincipalName: sebastian@undercloud.local
description: Primary human user account
userAccountControl: 512
dn: CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: glados
sn: Glados
givenName: Glados
displayName: Glados
sAMAccountName: glados
userPrincipalName: glados@undercloud.local
description: Administrative AI persona account
userAccountControl: 512
dn: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: shodan
sn: Shodan
givenName: Shodan
displayName: Shodan
sAMAccountName: shodan
userPrincipalName: shodan@undercloud.local
description: Administrative AI persona account
userAccountControl: 512
dn: CN=lam,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: lam
sn: Service
givenName: LAM
displayName: LAM
sAMAccountName: lam
userPrincipalName: lam@undercloud.local
mail: lam@undercloud.local
description: LDAP Account Manager service account
userAccountControl: 512
dn: CN=argocd,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: argocd
sn: Service
givenName: ArgoCD
displayName: ArgoCD
sAMAccountName: argocd
userPrincipalName: argocd@undercloud.local
mail: argocd@undercloud.local
description: ArgoCD service account
userAccountControl: 512
dn: CN=gitea,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: gitea
sn: Service
givenName: Gitea
displayName: Gitea
sAMAccountName: gitea
userPrincipalName: gitea@undercloud.local
mail: gitea@undercloud.local
description: Gitea service account
userAccountControl: 512
dn: CN=firewall,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: firewall
sn: Service
givenName: Firewall
displayName: Firewall
sAMAccountName: firewall
userPrincipalName: firewall@undercloud.local
mail: firewall@undercloud.local
description: Firewall service account
userAccountControl: 512
dn: CN=mailserver,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: mailserver
sn: Service
givenName: Mailserver
displayName: Mailserver
sAMAccountName: mailserver
userPrincipalName: mailserver@undercloud.local
mail: mailserver@undercloud.local
description: Mailserver service account
userAccountControl: 512
dn: CN=bookstack,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: bookstack
sn: Service
givenName: BookStack
displayName: BookStack
sAMAccountName: bookstack
userPrincipalName: bookstack@undercloud.local
mail: bookstack@undercloud.local
description: BookStack service account
userAccountControl: 512
dn: CN=nextcloud,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: nextcloud
sn: Service
givenName: Nextcloud
displayName: Nextcloud
sAMAccountName: nextcloud
userPrincipalName: nextcloud@undercloud.local
mail: nextcloud@undercloud.local
description: Nextcloud service account
userAccountControl: 512
dn: CN=jellyfin,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: jellyfin
sn: Service
givenName: Jellyfin
displayName: Jellyfin
sAMAccountName: jellyfin
userPrincipalName: jellyfin@undercloud.local
mail: jellyfin@undercloud.local
description: Jellyfin service account
userAccountControl: 512
dn: CN=bastillion,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: bastillion
sn: Service
givenName: Bastillion
displayName: Bastillion
sAMAccountName: bastillion
userPrincipalName: bastillion@undercloud.local
mail: bastillion@undercloud.local
description: Bastillion service account
userAccountControl: 512
dn: CN=guacamole,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: guacamole
sn: Service
givenName: Guacamole
displayName: Guacamole
sAMAccountName: guacamole
userPrincipalName: guacamole@undercloud.local
mail: guacamole@undercloud.local
description: Guacamole service account
userAccountControl: 512
dn: CN=synapse,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: synapse
sn: Service
givenName: Synapse
displayName: Synapse
sAMAccountName: synapse
userPrincipalName: synapse@undercloud.local
mail: synapse@undercloud.local
description: Synapse service account
userAccountControl: 512
dn: CN=samba,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: samba
sn: Service
givenName: Samba
displayName: Samba
sAMAccountName: samba
userPrincipalName: samba@undercloud.local
mail: samba@undercloud.local
description: Service account for SMB / CSI access
userAccountControl: 512
# -----------------------------
# Memberships (AFTER CREATION)
# -----------------------------
dn: CN=undercloud-users,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: modify
add: member
member: CN=sebastian,OU=users,OU=Undercloud,DC=undercloud,DC=local
member: CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local
member: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local
dn: CN=undercloud-administrators,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: modify
add: member
member: CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local
member: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local
dn: CN=fileserver-access,OU=groups,OU=Undercloud,DC=undercloud,DC=local
changetype: modify
add: member
member: CN=sebastian,OU=users,OU=Undercloud,DC=undercloud,DC=local
member: CN=glados,OU=users,OU=Undercloud,DC=undercloud,DC=local
member: CN=shodan,OU=users,OU=Undercloud,DC=undercloud,DC=local
member: CN=samba,OU=serviceaccounts,OU=users,OU=Undercloud,DC=undercloud,DC=local
---
apiVersion: v1
kind: Service
metadata:
name: samba-ad-dc1
namespace: samba-directory
labels:
app: samba-ad
samba-role: dc1
spec:
clusterIP: None
publishNotReadyAddresses: true
selector:
app: samba-ad
samba-role: dc1
ports:
- { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 }
- { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 }
- { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 }
- { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 }
- { name: ntp, port: 123, protocol: UDP, targetPort: 123 }
- { name: epm, port: 135, protocol: TCP, targetPort: 135 }
- { name: netbios-ns, port: 137, protocol: UDP, targetPort: 137 }
- { name: netbios-dgm, port: 138, protocol: UDP, targetPort: 138 }
- { name: netbios-ssn, port: 139, protocol: TCP, targetPort: 139 }
- { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 }
- { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 }
- { name: smb, port: 445, protocol: TCP, targetPort: 445 }
- { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 }
- { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 }
- { name: ldaps, port: 636, protocol: TCP, targetPort: 636 }
- { name: gc, port: 3268, protocol: TCP, targetPort: 3268 }
- { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 }
- { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 }
- { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 }
- { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 }
- { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 }
- { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 }
- { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 }
---
apiVersion: v1
kind: Service
metadata:
name: samba-ad-dc2
namespace: samba-directory
labels:
app: samba-ad
samba-role: dc2
spec:
clusterIP: None
publishNotReadyAddresses: true
selector:
app: samba-ad
samba-role: dc2
ports:
- { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 }
- { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 }
- { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 }
- { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 }
- { name: ntp, port: 123, protocol: UDP, targetPort: 123 }
- { name: netbios-ns, port: 137, protocol: UDP, targetPort: 137 }
- { name: netbios-dgm, port: 138, protocol: UDP, targetPort: 138 }
- { name: netbios-ssn, port: 139, protocol: TCP, targetPort: 139 }
- { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 }
- { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 }
- { name: smb, port: 445, protocol: TCP, targetPort: 445 }
- { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 }
- { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 }
- { name: ldaps, port: 636, protocol: TCP, targetPort: 636 }
- { name: gc, port: 3268, protocol: TCP, targetPort: 3268 }
- { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 }
- { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 }
- { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 }
- { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 }
- { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 }
- { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 }
- { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 }
- { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 }
---
apiVersion: v1
kind: ConfigMap
metadata:
name: samba-ad-config-dc1
namespace: samba-directory
data:
smb.conf: |
[global]
workgroup = UNDERCLOUD
realm = UNDERCLOUD.LOCAL
netbios name = DC1
server role = active directory domain controller
rpc server port = 5000
rpc server port:netlogon = 5001
rpc server port:lsarpc = 5002
rpc server port:samr = 5003
rpc server port:drsuapi = 5004
rpc server port:dnsserver = 5005
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/undercloud.local/scripts
read only = No
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: dc1
namespace: samba-directory
spec:
serviceName: samba-ad-dc1
replicas: 1
selector:
matchLabels:
app: samba-ad
samba-role: dc1
template:
metadata:
labels:
app: samba-ad
samba-role: dc1
spec:
terminationGracePeriodSeconds: 30
hostname: dc1
containers:
- name: samba-ad
image: quay.io/samba.org/samba-ad-server:latest
securityContext:
capabilities:
add: ["SYS_ADMIN"]
envFrom:
- secretRef:
name: samba-ad-secrets
ports:
- { name: dns-tcp, containerPort: 53, protocol: TCP }
- { name: dns-udp, containerPort: 53, protocol: UDP }
- { name: kerberos-tcp, containerPort: 88, protocol: TCP }
- { name: kerberos-udp, containerPort: 88, protocol: UDP }
- { name: ldap-tcp, containerPort: 389, protocol: TCP }
- { name: ldap-udp, containerPort: 389, protocol: UDP }
- { name: smb, containerPort: 445, protocol: TCP }
- { name: kpasswd-tcp, containerPort: 464, protocol: TCP }
- { name: kpasswd-udp, containerPort: 464, protocol: UDP }
- { name: ldaps, containerPort: 636, protocol: TCP }
- { name: gc, containerPort: 3268, protocol: TCP }
- { name: gc-ssl, containerPort: 3269, protocol: TCP }
- { name: rpc-epmap, containerPort: 135, protocol: TCP }
- { name: rpc-base, containerPort: 5000, protocol: TCP }
- { name: rpc-netlogon, containerPort: 5001, protocol: TCP }
- { name: rpc-lsarpc, containerPort: 5002, protocol: TCP }
- { name: rpc-samr, containerPort: 5003, protocol: TCP }
- { name: rpc-drsuapi, containerPort: 5004, protocol: TCP }
- { name: rpc-dnsserver, containerPort: 5005, protocol: TCP }
volumeMounts:
- name: samba-state
mountPath: /var/lib/samba
- name: samba-etc
mountPath: /etc/samba
- name: samba-bootstrap
mountPath: /bootstrap
readOnly: true
- name: samba-config
mountPath: /etc/samba/smb.conf
subPath: smb.conf
command: ["/bin/bash", "-ec"]
args:
- |
set -euxo pipefail
if [ ! -f /var/lib/samba/.provisioned ] || [ ! -f /etc/samba/smb.conf ]; then
rm -f /var/lib/samba/.provisioned
rm -f /var/lib/samba/.bootstrap-ldif-applied
samba-tool domain provision \
--server-role=dc \
--use-rfc2307 \
--dns-backend=SAMBA_INTERNAL \
--realm=UNDERCLOUD.LOCAL \
--domain=UNDERCLOUD \
--host-name=dc1 \
-d 3 \
--adminpass="${ADMIN_PASSWORD}"
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
touch /var/lib/samba/.provisioned
fi
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
if [ ! -f /var/lib/samba/.bootstrap-ldif-applied ]; then
ldbadd -H /var/lib/samba/private/sam.ldb /bootstrap/bootstrap.ldif
samba-tool user setpassword sebastian --newpassword="${SEBASTIAN_PASSWORD}"
samba-tool user setpassword glados --newpassword="${GLADOS_PASSWORD}"
samba-tool user setpassword shodan --newpassword="${SHODAN_PASSWORD}"
samba-tool user setpassword lam --newpassword="${LAM_PASSWORD}"
samba-tool user setpassword argocd --newpassword="${ARGOCD_PASSWORD}"
samba-tool user setpassword gitea --newpassword="${GITEA_PASSWORD}"
samba-tool user setpassword firewall --newpassword="${FIREWALL_PASSWORD}"
samba-tool user setpassword mailserver --newpassword="${MAILSERVER_PASSWORD}"
samba-tool user setpassword bookstack --newpassword="${BOOKSTACK_PASSWORD}"
samba-tool user setpassword nextcloud --newpassword="${NEXTCLOUD_PASSWORD}"
samba-tool user setpassword jellyfin --newpassword="${JELLYFIN_PASSWORD}"
samba-tool user setpassword bastillion --newpassword="${BASTILLION_PASSWORD}"
samba-tool user setpassword guacamole --newpassword="${GUACAMOLE_PASSWORD}"
samba-tool user setpassword synapse --newpassword="${SYNAPSE_PASSWORD}"
samba-tool user setpassword samba --newpassword="${SAMBA_PASSWORD}"
samba-tool group addmembers "Domain Admins" undercloud-administrators
samba-tool group addmembers "Domain Admins" lam
touch /var/lib/samba/.bootstrap-ldif-applied
fi
exec samba -i
volumes:
- name: samba-bootstrap
configMap:
name: samba-ad-bootstrap
- name: samba-config
configMap:
name: samba-ad-config-dc1
volumeClaimTemplates:
- metadata:
name: samba-state
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: cephfs-hyper
- metadata:
name: samba-etc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: cephfs-hyper
---
apiVersion: v1
kind: ConfigMap
metadata:
name: samba-ad-config-dc2
namespace: samba-directory
data:
smb.conf: |
[global]
workgroup = UNDERCLOUD
realm = UNDERCLOUD.LOCAL
netbios name = DC2
server role = active directory domain controller
rpc server port = 5000
rpc server port:netlogon = 5001
rpc server port:lsarpc = 5002
rpc server port:samr = 5003
rpc server port:drsuapi = 5004
rpc server port:dnsserver = 5005
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/undercloud.local/scripts
read only = No
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: dc2
namespace: samba-directory
spec:
serviceName: samba-ad-dc2
replicas: 1
selector:
matchLabels:
app: samba-ad
samba-role: dc2
template:
metadata:
labels:
app: samba-ad
samba-role: dc2
spec:
terminationGracePeriodSeconds: 30
hostname: dc2
containers:
- name: samba-ad
image: quay.io/samba.org/samba-ad-server:latest
securityContext:
capabilities:
add: ["SYS_ADMIN"]
envFrom:
- secretRef:
name: samba-ad-secrets
ports:
- { name: dns-tcp, containerPort: 53, protocol: TCP }
- { name: dns-udp, containerPort: 53, protocol: UDP }
- { name: kerberos-tcp, containerPort: 88, protocol: TCP }
- { name: kerberos-udp, containerPort: 88, protocol: UDP }
- { name: ldap-tcp, containerPort: 389, protocol: TCP }
- { name: ldap-udp, containerPort: 389, protocol: UDP }
- { name: smb, containerPort: 445, protocol: TCP }
- { name: kpasswd-tcp, containerPort: 464, protocol: TCP }
- { name: kpasswd-udp, containerPort: 464, protocol: UDP }
- { name: ldaps, containerPort: 636, protocol: TCP }
- { name: gc, containerPort: 3268, protocol: TCP }
- { name: gc-ssl, containerPort: 3269, protocol: TCP }
- { name: rpc-epmap, containerPort: 135, protocol: TCP }
- { name: rpc-base, containerPort: 5000, protocol: TCP }
- { name: rpc-netlogon, containerPort: 5001, protocol: TCP }
- { name: rpc-lsarpc, containerPort: 5002, protocol: TCP }
- { name: rpc-samr, containerPort: 5003, protocol: TCP }
- { name: rpc-drsuapi, containerPort: 5004, protocol: TCP }
- { name: rpc-dnsserver, containerPort: 5005, protocol: TCP }
volumeMounts:
- name: samba-state
mountPath: /var/lib/samba
- name: samba-etc
mountPath: /etc/samba
- name: samba-config
mountPath: /etc/samba/smb.conf
subPath: smb.conf
command: ["/bin/bash", "-ec"]
args:
- |
set -euxo pipefail
DC1_FQDN="dc1.undercloud.local"
if [ ! -f /var/lib/samba/.joined ] || [ ! -f /etc/samba/smb.conf ]; then
rm -f /var/lib/samba/.joined
until getent hosts "${DC1_FQDN}"; do
echo "waiting for dc1 dns"
sleep 5
done
until bash -c "</dev/tcp/${DC1_FQDN}/389" 2>/dev/null; do
echo "waiting for dc1 ldap"
sleep 5
done
sleep 30
samba-tool domain join UNDERCLOUD.LOCAL DC \
--server="${DC1_FQDN}" \
-d 3 \
-U"Administrator%${ADMIN_PASSWORD}"
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
touch /var/lib/samba/.joined
fi
cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
exec samba -i
volumes:
- name: samba-config
configMap:
name: samba-ad-config-dc2
volumeClaimTemplates:
- metadata:
name: samba-state
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: cephfs-hyper
- metadata:
name: samba-etc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: cephfs-hyper
---
apiVersion: v1
kind: Service
metadata:
name: samba-ad-dc1-direct
namespace: samba-directory
labels:
app: samba-ad
samba-role: dc1
spec:
internalTrafficPolicy: Cluster
clusterIP: 2001:470:7116:f:1::21
clusterIPs:
- 2001:470:7116:f:1::21
- 10.0.91.21
ipFamilies:
- IPv6
- IPv4
ipFamilyPolicy: PreferDualStack
type: ClusterIP
selector:
app: samba-ad
samba-role: dc1
ports:
- { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 }
- { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 }
- { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 }
- { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 }
- { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 }
- { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 }
- { name: smb, port: 445, protocol: TCP, targetPort: 445 }
- { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 }
- { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 }
- { name: ldaps, port: 636, protocol: TCP, targetPort: 636 }
- { name: gc, port: 3268, protocol: TCP, targetPort: 3268 }
- { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 }
- { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 }
- { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 }
- { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 }
- { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 }
- { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 }
- { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 }
- { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 }
---
apiVersion: v1
kind: Service
metadata:
name: samba-ad-dc2-direct
namespace: samba-directory
labels:
app: samba-ad
samba-role: dc2
spec:
internalTrafficPolicy: Cluster
clusterIP: 2001:470:7116:f:1::22
clusterIPs:
- 2001:470:7116:f:1::22
- 10.0.91.22
ipFamilies:
- IPv6
- IPv4
ipFamilyPolicy: PreferDualStack
type: ClusterIP
selector:
app: samba-ad
samba-role: dc2
ports:
- { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 }
- { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 }
- { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 }
- { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 }
- { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 }
- { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 }
- { name: smb, port: 445, protocol: TCP, targetPort: 445 }
- { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 }
- { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 }
- { name: ldaps, port: 636, protocol: TCP, targetPort: 636 }
- { name: gc, port: 3268, protocol: TCP, targetPort: 3268 }
- { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 }
- { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 }
- { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 }
- { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 }
- { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 }
- { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 }
- { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 }
- { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 }
---
apiVersion: v1
kind: Service
metadata:
name: samba-ad
namespace: samba-directory
labels:
app: samba-ad
spec:
internalTrafficPolicy: Cluster
clusterIP: 2001:470:7116:f:1::20
clusterIPs:
- 2001:470:7116:f:1::20
- 10.0.91.20
ipFamilies:
- IPv6
- IPv4
ipFamilyPolicy: PreferDualStack
type: ClusterIP
selector:
app: samba-ad
ports:
- { name: dns-tcp, port: 53, protocol: TCP, targetPort: 53 }
- { name: dns-udp, port: 53, protocol: UDP, targetPort: 53 }
- { name: kerberos-tcp, port: 88, protocol: TCP, targetPort: 88 }
- { name: kerberos-udp, port: 88, protocol: UDP, targetPort: 88 }
- { name: ldap-tcp, port: 389, protocol: TCP, targetPort: 389 }
- { name: ldap-udp, port: 389, protocol: UDP, targetPort: 389 }
- { name: smb, port: 445, protocol: TCP, targetPort: 445 }
- { name: kpasswd-tcp, port: 464, protocol: TCP, targetPort: 464 }
- { name: kpasswd-udp, port: 464, protocol: UDP, targetPort: 464 }
- { name: ldaps, port: 636, protocol: TCP, targetPort: 636 }
- { name: gc, port: 3268, protocol: TCP, targetPort: 3268 }
- { name: gc-ssl, port: 3269, protocol: TCP, targetPort: 3269 }
- { name: rpc-epmap, port: 135, protocol: TCP, targetPort: 135 }
- { name: rpc-base, port: 5000, protocol: TCP, targetPort: 5000 }
- { name: rpc-netlogon, port: 5001, protocol: TCP, targetPort: 5001 }
- { name: rpc-lsarpc, port: 5002, protocol: TCP, targetPort: 5002 }
- { name: rpc-samr, port: 5003, protocol: TCP, targetPort: 5003 }
- { name: rpc-drsuapi, port: 5004, protocol: TCP, targetPort: 5004 }
- { name: rpc-dnsserver, port: 5005, protocol: TCP, targetPort: 5005 }