#!/bin/bash V="0.8-B6" # This script is use and tested on a Debian Buster Samba MEMBER # This is tested with and AD Backend. # https://wiki.samba.org/index.php/Idmap_config_ad # # This script will create and setup and configure a basic but secure Samba setup # ! Not tested on AD-DC's (yet) # ! Not tested with RID backends. (yet) # # # BEFORE YOU RUN THIS SCRIPT, THERE ARE A FEW OBLIGATED THINGS TODO FIRST. # 1) The group "Domain Uses" MUST have a GID assigned. # 2) There might be more points .. ;-) if i have them, they will be added here. # Copyright (C) Louis van Belle 2021 # Special thanks to : # Rowland Penny @samba.org # Robert E. Wooden @donelsontrophy.com # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # Into # The script will create some default folders and setup rights and a shares.conf files # which can be used to setup your server shares. # This setup also assumes your running this on a DOMAIN MEMBER. # Below is has been tested on a Debian Buster with Samba 4.12.5 # Adviced, if you "DISK" is /dev/sdaX and your mounting it in /somefolder # You always create a subfolder and you put your data in that. # Dont use the disk its root. like dont mount /dev/sdaX into /samba # use mount it for example in /srv and create the folder samba. # And sure it works, but if you setting up more advanced, it will bite you. # We try to setup as compatible as we can. # Adjust the below variables to your needs. # Read the text in the functions why. (todo, make this part better.) ## The folder for all your Samba/Windows stuff. ## Default created with root:root 4775 rights. ( see tekst in: function SambaRootFolder) SAMBA_BASEFOLDER="/srv/samba" # Override the default rights for the samba base folder. (empty=default 4775) SAMBA_BASEFOLDER_CHMOD="" ## The share name for "companydata" the folder with all you company data. SAMBA_SHARE_COMPDATA="companydata" # Override the default rights for the users folder (empty=default 3750) SAMBA_SHARE_COMPDATA_CHMOD="" ## The share name for and will contain all the \"windows\" users there homedirs. SAMBA_SHARE_USERS="users" # Override the default rights for the users folder (empty=default 2750) SAMBA_SHARE_USERS_CHMOD="" ## The share name with will contain all \"windows\" users there profiles. SAMBA_SHARE_USERSPROFILES="profiles" # Override the default rights for the profile folder (empty=default 1750) SAMBA_SHARE_USERSPROFILES_CHMOD="" ## The share with will be open for all Domain Users. ## Adminstrators control the Share/Folder rights, ## Domain Users can create/write folders/files here. SAMBA_SHARE_COMPPUBLIC="public" # Override the default rights for the profile folder (empty=default 4770) SAMBA_SHARE_COMPPUBLIC_CHMOD="" ####### Dont adjust below here, should not be needed. ######## ## Program Variables SAMBA_BASE="${SAMBA_BASEFOLDER}" SAMBA_BASE_CHMOD="${SAMBA_BASEFOLDER_CHMOD:-4775}" SAMBA_COMPDATA_CHMOD="${SAMBA_SHARE_COMPDATA_CHMOD:-3750}" SAMBA_USERS_CHMOD="${SAMBA_SHARE_USERS_CHMOD:-2750}" SAMBA_USERSPROFILES_CHMOD="${SAMBA_SHARE_USERSPROFILES_CHMOD:-1750}" SAMBA_COMPPUBLIC_CHMOD="${SAMBA_SHARE_COMPPUBLIC_CHMOD:-4770}" # clear screen clear ## Program functions function SambaRootFolder(){ # Finished. INFO=" This is the Administrative share for admins or folder managers only. # # Group Everyone needs read-execute on /srv/samba or you cant enter the server (\\server.fqdn ) # 4775: 4=creator owner and creator group, where creator group is always and # end up in \"Domain Users\" (primary group) when your windows users write files on the share. # Only Administrator or \"Domain Admins\" members are allowed to create folders here. # The underlaying folder will be the samba shares your \"domain users\" will be using. # (or add a folder manager group for it.) # The !root = DOM\Administrator DOM\administrator, makes this work, so dont forget the usermapping file in smb.conf ########################################################" if [ ! -d "${SAMBA_BASE}" ] then install -oroot -groot -m"${SAMBA_BASE_CHMOD}" -d "${SAMBA_BASE}" echo "########################################################" echo " Notice, creating ${SAMBA_BASE} with rights ${SAMBA_BASE_CHMOD}" echo " This share can be accessed as Administrator or as a member of Domain Admins share: \\\\$(hostname -f)\samba\$" echo "${INFO}" echo else echo "########################################################" echo " Warning: ${SAMBA_BASE} already exist" echo " Try to accesse the share as Adminsitrator or as a member of Domain Admins share: \\\\$(hostname -f)\samba\$" echo " And verify if this share is set as [samba\$] in smb.conf" echo echo "${INFO}" echo fi unset INFO } function SambaShare_companydata(){ # Finished. INFO=" This is the Administrative share for the companydata. # # Company Data, This one uses \"Domain Users\" (primary group) and is used to allow all \"Domain Users\" # to modify the data, we assume you are creating department groups and folders. # accessing these folders needs (example) to me a member of \"groupX\" and created files are owned by group \"Domain Users\" # This way folders are protected and everybody can read/write in it, depending if you member of GroupX or not. # # Example in samba/Windows Explorer \\server.fqdn\companydata. # The members of Domain Admins, can create the subfolder and set the needed rights on these subfolders. # \\\\server.fqdn\companydata\dep1, security group dep1. # \\\\server.fqdn\companydata\dep2, security group dep2. # rights, 3750 is base, 3Creater Group. 7user(root) 5group(root) 0(world/everyone) # The \"!root = NTDOM\Administrator NTDOM\administrator\", makes this work, so dont forget the usermapping file in smb.conf # Administrator or a member of Domain Admins/Foldermanagers, will be needed to create the subfolder. # Folder managers needs to be setup by yourself, the script does not do it for you. # # Setup the departments folders, all groups needs a GID, assign these BEFORE you assign the rights.!!! # And assign \"Domain Users \" a GID, this is strongly adviced/obligated in my optinion. # wbinfo --name-to-sid groupname_here # Add the output (SID) of the above command here in this, replace PUT_THE_SID_HERE # # run : samba-tool ntacl set \"O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;PUT_THE_SID_HERE)(A;ID;0x001200a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001f01ff;;;LA)(A;OICIID;0x001f01ff;;;DA)\" \"${SAMBA_BASE}/${SAMBA_SHARE_COMPDATA}/department1\" # # verify the rights (as user NTDOM\Administrator) on the security tab in Windows Explorer and test. # An example can be : samba-tool ntacl set \"O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;\$(wbinfo --name-to-sid department1_HERE |awk '{ print \$1 }'))(A;ID;0x001200a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001f01ff;;;LA)(A;OICIID;0x001f01ff;;;DA)\" \"/srv/samba/${SAMBA_SHARE_COMPDATA}/department1/\" ########################################################" if [ ! -d "${SAMBA_BASE}/${SAMBA_SHARE_COMPDATA}" ] then ## With folder OWNER Administrator : O:LAG:S-1-22-2-0D:PAI(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DU) ## With folder OWNER root : O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DU) ## Default is set to : Administrator COMPDATA_SDDL="O:LAG:S-1-22-2-0D:PAI(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DU)" #COMPDATA_SDDL="O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DU)" install -oroot -groot -m"${SAMBA_COMPDATA_CHMOD}" -d "${SAMBA_BASE}/${SAMBA_SHARE_COMPDATA}" samba-tool ntacl set "${COMPDATA_SDDL}" "${SAMBA_BASE}/${SAMBA_SHARE_COMPDATA}" echo "########################################################" echo " Notice, creating ${SAMBA_BASE}/${SAMBA_SHARE_COMPDATA} with rights ${SAMBA_COMPDATA_CHMOD}" echo " This share can be accessed as Administrator or as a member of Domain Users share: \\\\$(hostname -f)\\${SAMBA_SHARE_COMPDATA}" echo echo "${INFO}" echo else echo "########################################################" echo " Warning: ${SAMBA_BASE}/${SAMBA_SHARE_COMPDATA} already exist." echo " Try to accesse the share as Adminsitrator or as a member of Domain Admins share: \\\\$(hostname -f)\\${SAMBA_SHARE_COMPDATA}" echo " And verify if this share is set as [${SAMBA_SHARE_COMPDATA}] in smb.conf" echo echo "${INFO}" echo fi unset INFO unset COMPDATA_SDDL } function SambaShare_users(){ # Finished. INFO=" User folder setup. # The rights are already setup for you. Review these from within a Windows Client. # You can now set in ADUC \\\\server.fqdn\users\%username% for the homedir drive mapping # The new created folder from ADUC, wil get username:root add default rights. # Only the user and Adminstrator(s) are allowed in an user there home folder. # # If you make the HomeDir Private for the user only. ( so not by root accessable ). # And if you use kerberos auth with NFS(v4), you might need to add this to # #/etc/krb5.conf in [libdefaults] # # Source: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1484262 # # ignore the attempt to read $HOME/.k5login by or running services (as root) # # The Automounter needs it, dont forget adding the nfs/spn to the keytab file. # ignore_k5login = true # # More info : https://wiki.samba.org/index.php/User_Home_Folders ########################################################" if [ ! -d "${SAMBA_BASE}/${SAMBA_SHARE_USERS}" ] then ## With folder OWNER Administrator : O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA) ## With folder OWNER root : O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA) ## Default is set to : Administrator USER_SDDL="O:LAG:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)" #USER_SDDL="O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;;0x001200a9;;;BU)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;BA)" install -oroot -groot -m"${SAMBA_USERS_CHMOD}" -d "${SAMBA_BASE}/${SAMBA_SHARE_USERS}" samba-tool ntacl set "${USER_SDDL}" "${SAMBA_BASE}/${SAMBA_SHARE_USERS}" echo "########################################################" echo " Notice, creating ${SAMBA_BASE}/${SAMBA_SHARE_USERS} with rights ${SAMBA_USERS_CHMOD}" echo " Set in ADUC USERHOME DRIVELETTER: \\\\$(hostname -f)\\${SAMBA_SHARE_USERS}\%username%" echo echo "${INFO}" echo else echo "########################################################" echo " Warning: ${SAMBA_BASE}/${SAMBA_SHARE_USERS} already exist." echo " Try to accesse the share as Adminsitrator or as a member of Domain Admins share: \\\\$(hostname -f)\\${SAMBA_SHARE_USERS}" echo " And verify if this share is set as [${SAMBA_SHARE_USERS}] in smb.conf" echo echo "${INFO}" echo fi unset INFO unset USER_SDDL } function SambaShare_profiles(){ INFO=" This is the share setup for the Windows Users (and optional computer ) there profiles # Profile folder setup, there is a setup for the user profiles AND computer profiles. # for the computer profiles please read also this link. # https://docs.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-4-optionally-create-a-gpo-for-roaming-user-profiles # # Note, \"Domain Users\" is used in this setup, the link of Microsoft above used a different group because it shows the setup for computer profiles. # Both work, you can change this later if needed and/or add it, if added, you most probely want to change this setup also a little bit. # Just follow the Microsoft link # # Domain users include also all computer, but in cased you dont want that (think laptops), setup as above link suggested. # Replace \"Domain Users\" for the assigned security group and dont forget to add the users and the computers. # # This samba-tool command will result in whats shown here: # More info : https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles ########################################################" if [ ! -d "${SAMBA_BASE}/${SAMBA_SHARE_USERSPROFILES}" ] then ## With folder OWNER Administrator : O:LAG:S-1-22-2-0D:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;;0x00100025;;;DU) ## With folder OWNER root : O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;;0x00100025;;;DU) ## Default is set to : Adminisitrator PROFILE_SDDL="O:LAG:S-1-22-2-0D:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;;0x00100025;;;DU)" #PROFILE_SDDL="O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;;0x00100025;;;DU)" install -oroot -groot -m"${SAMBA_USERSPROFILES_CHMOD}" -d "${SAMBA_BASE}/${SAMBA_SHARE_USERSPROFILES}" samba-tool ntacl set "${PROFILE_SDDL}" "${SAMBA_BASE}/${SAMBA_SHARE_USERSPROFILES}" echo "########################################################" echo " Notice, creating ${SAMBA_BASE}/${SAMBA_SHARE_USERSPROFILES} with rights ${SAMBA_USERPROFILES_CHMOD}" echo " Set in ADUC USERPROFILE: \\\\$(hostname -f)\\${SAMBA_SHARE_USERSPROFILES}\%username%" echo echo "${INFO}" echo else echo "########################################################" echo " Warning: ${SAMBA_BASE}/${SAMBA_SHARE_USERSPROFILES} already exist." echo " Try to accesse the share as Adminsitrator or as a member of Domain Admins share: \\\\$(hostname -f)\\${SAMBA_SHARE_USERSPROFILES}" echo " And verify if this share is set as [${SAMBA_SHARE_USERSPROFILES}] in smb.conf" echo echo "${INFO}" echo fi unset INFO unset PROFILE_SDDL } function SambaShare_public(){ INFO=" Public folder setup. # # By default \"Domain users\" are allowed to read/write create files and folders. # By default \"Domain Admins\" Full control. # Pretty simple setup ;-) # More info : https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs ########################################################" if [ ! -d "${SAMBA_BASE}/${SAMBA_SHARE_COMPPUBLIC}" ] then ## With folder OWNER Administrator : O:LAG:S-1-22-2-0D:PAI(A;OICI;0x001301bf;;;DU)(A;;0x001200a9;;;WD)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;DA) ## With folder OWNER root : O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;OICI;0x001301bf;;;DU)(A;;0x001200a9;;;WD)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;DA) ## Default is set to : Adminisitrator COMPPUBLIC_SDDL="O:LAG:S-1-22-2-0D:PAI(A;OICI;0x001301bf;;;DU)(A;;0x001200a9;;;WD)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;DA)" #COMPPUBLIC_SDDL="O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;OICI;0x001301bf;;;DU)(A;;0x001200a9;;;WD)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;DA)" install -oroot -groot -m"${SAMBA_COMPPUBLIC_CHMOD}" -d "${SAMBA_BASE}/${SAMBA_SHARE_COMPPUBLIC}" samba-tool ntacl set "O:S-1-22-1-0G:S-1-22-2-0D:PAI(A;OICI;0x001301bf;;;DU)(A;;0x001200a9;;;WD)(A;OICIIO;0x001200a9;;;CG)(A;OICI;0x001f01ff;;;DA)" "${SAMBA_BASE}/${SAMBA_SHARE_COMPPUBLIC}" echo "########################################################" echo echo "${INFO}" echo else echo "########################################################" echo " Warning: ${SAMBA_BASE}/${SAMBA_SHARE_COMPPUBLIC} already exist." echo " Try to accesse the share as Adminsitrator or as a member of Domain Admins share: \\\\$(hostname -f)\\${SAMBA_SHARE_USERSPROFILES}" echo " And verify if this share is set as [${SAMBA_SHARE_USERSPROFILES}] in smb.conf" echo echo "${INFO}" echo fi unset INFO unset COMPPUBLIC_SDDL } function SambaSharesAll(){ # File you can include in smb.conf echo "[samba\$] # Hidden share for Adminstrator and \"Domain Admins\" members/Folder managers # By default \"Domain Admins\" are allowed to read/write path = ${SAMBA_BASE} browseable = yes read only = no [${SAMBA_SHARE_COMPDATA}] # main share for all company data. path = ${SAMBA_BASE}/${SAMBA_SHARE_COMPDATA} browseable = yes read only = no [${SAMBA_SHARE_USERSPROFILES}] # Windows user profiles, Used for/by windows only share. # Add a $ on the end to hide the share-name. # By default \"Domain users\" are allowed to read/write # https://www.samba.org/samba/docs/current/man-html/vfs_acl_xattr.8.html # Optional, yes and windows defaults are: no/posix # acl_xattr:ignore system acls = [yes|no] # acl_xattr:default acl style = [posix|windows|everyone] path = ${SAMBA_BASE}/${SAMBA_SHARE_USERSPROFILES} browseable = yes read only = no [${SAMBA_SHARE_USERS}] # Samba/Windows User homedirs. # By default the User (And root/Administrator/Domain Admins) are allowed to read/write path = ${SAMBA_BASE}/${SAMBA_SHARE_USERS} browseable = yes read only = no [${SAMBA_SHARE_COMPPUBLIC}] # A public share. # By default \"Domain users\" are allowed to read/write path = ${SAMBA_BASE}/${SAMBA_SHARE_COMPPUBLIC} browseable = yes read only = no " > /etc/samba/smb-shares.conf echo "Share examples can be found here: /etc/samba/smb-shares.conf" echo "You can include this by adding : include = /etc/samba/smb-shares.conf to your smb.conf" echo "And reload/restart samba : systemctl restart/reload smbd winbind" echo } SambaRootFolder SambaShare_companydata SambaShare_users SambaShare_profiles SambaShare_public SambaSharesAll