.

2026-03-20 10:21:45 +00:00
parent de0fb75f84
commit c6e35991ec
1 changed files with 41 additions and 19 deletions
--- a/samba-directory/dc1.yaml
+++ b/samba-directory/dc1.yaml
@@ -129,7 +129,9 @@ spec:
          command: ["/bin/bash", "-ec"]
          args:
            - |
-              set -euxo pipefail
+              set -euo pipefail
+              # disable command echo to avoid leaking passwords
+              set +x

              if [ ! -f /var/lib/samba/.provisioned ] || [ ! -f /etc/samba/smb.conf ]; then
                rm -f /var/lib/samba/.provisioned
@@ -153,26 +155,46 @@ spec:
              cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

              if [ ! -f /var/lib/samba/.bootstrap-ldif-applied ]; then
-                ldbadd -H /var/lib/samba/private/sam.ldb /bootstrap/bootstrap.ldif
+                set_password_if_user_exists() {
+                  local user="$1"
+                  local password="$2"
+                  if samba-tool user show "$user" >/dev/null 2>&1; then
+                    echo "setting password for $user"
+                    samba-tool user setpassword "$user" --newpassword="$password" >/dev/null
+                  else
+                    echo "user $user does not exist yet, skipping password set" >&2
+                    return 1
+                  fi
+                }

-                samba-tool user setpassword sebastian --newpassword="${SEBASTIAN_PASSWORD}" >/dev/null 2>&1
-                samba-tool user setpassword glados --newpassword="${GLADOS_PASSWORD}" >/dev/null 2>&1
-                samba-tool user setpassword shodan --newpassword="${SHODAN_PASSWORD}" >/dev/null 2>&1
-                samba-tool user setpassword lam --newpassword="${LAM_PASSWORD}" >/dev/null 2>&1
-                samba-tool user setpassword argocd --newpassword="${ARGOCD_PASSWORD}" >/dev/null 2>&1
-                samba-tool user setpassword gitea --newpassword="${GITEA_PASSWORD}" >/dev/null 2>&1
-                samba-tool user setpassword firewall --newpassword="${FIREWALL_PASSWORD}" >/dev/null 2>&1
-                samba-tool user setpassword mailserver --newpassword="${MAILSERVER_PASSWORD}" >/dev/null 2>&1
-                samba-tool user setpassword bookstack --newpassword="${BOOKSTACK_PASSWORD}" >/dev/null 2>&1
-                samba-tool user setpassword nextcloud --newpassword="${NEXTCLOUD_PASSWORD}" >/dev/null 2>&1
-                samba-tool user setpassword jellyfin --newpassword="${JELLYFIN_PASSWORD}" >/dev/null 2>&1
-                samba-tool user setpassword bastillion --newpassword="${BASTILLION_PASSWORD}" >/dev/null 2>&1
-                samba-tool user setpassword guacamole --newpassword="${GUACAMOLE_PASSWORD}" >/dev/null 2>&1
-                samba-tool user setpassword synapse --newpassword="${SYNAPSE_PASSWORD}" >/dev/null 2>&1
-                samba-tool user setpassword samba --newpassword="${SAMBA_PASSWORD}" >/dev/null 2>&1
+                add_group_member_if_possible() {
+                  local group="$1"
+                  local member="$2"
+                  echo "adding $member to $group"
+                  samba-tool group addmembers "$group" "$member" >/dev/null 2>&1 || true
+                }

-                samba-tool group addmembers "Domain Admins" undercloud-administrators
-                samba-tool group addmembers "Domain Admins" lam
+                # Apply LDIF in continue mode so reruns survive partially-created objects.
+                ldbmodify -c -H /var/lib/samba/private/sam.ldb /bootstrap/bootstrap.ldif || true
+
+                set_password_if_user_exists sebastian "${SEBASTIAN_PASSWORD}"
+                set_password_if_user_exists glados "${GLADOS_PASSWORD}"
+                set_password_if_user_exists shodan "${SHODAN_PASSWORD}"
+                set_password_if_user_exists lam "${LAM_PASSWORD}"
+                set_password_if_user_exists argocd "${ARGOCD_PASSWORD}"
+                set_password_if_user_exists gitea "${GITEA_PASSWORD}"
+                set_password_if_user_exists firewall "${FIREWALL_PASSWORD}"
+                set_password_if_user_exists mailserver "${MAILSERVER_PASSWORD}"
+                set_password_if_user_exists bookstack "${BOOKSTACK_PASSWORD}"
+                set_password_if_user_exists nextcloud "${NEXTCLOUD_PASSWORD}"
+                set_password_if_user_exists jellyfin "${JELLYFIN_PASSWORD}"
+                set_password_if_user_exists bastillion "${BASTILLION_PASSWORD}"
+                set_password_if_user_exists guacamole "${GUACAMOLE_PASSWORD}"
+                set_password_if_user_exists synapse "${SYNAPSE_PASSWORD}"
+                set_password_if_user_exists samba "${SAMBA_PASSWORD}"
+
+                add_group_member_if_possible "Domain Admins" undercloud-administrators
+                add_group_member_if_possible "Domain Admins" lam

                touch /var/lib/samba/.bootstrap-ldif-applied
              fi