Difference between revisions of "Managing the Samba AD DC Service Using an Init Script"

(Debian)
m (/* added debian init.d script, old link nolonger worked.)
 
(2 intermediate revisions by one other user not shown)
Line 100: Line 100:
 
* Create the <code>/etc/init.d/samba-ad-dc</code> file with the following content:
 
* Create the <code>/etc/init.d/samba-ad-dc</code> file with the following content:
  
(Originally downloaded from "<nowiki>http://anonscm.debian.org/gitweb/?p=pkg-samba/samba.git;a=blob_plain;f=debian/samba.samba-ad-dc.init;h=3132d2e367675f822342a5b7bc2e50c046aa3b8f;hb=HEAD</nowiki>" but has since been removed
+
  #!/bin/sh
 
 
  #! /bin/sh
 
 
   
 
   
 
  ### BEGIN INIT INFO
 
  ### BEGIN INIT INFO
Line 117: Line 115:
 
  # Adapted from the Samba 3 packages.
 
  # Adapted from the Samba 3 packages.
 
  #
 
  #
 +
 +
PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH
 
   
 
   
 
  PIDDIR=/usr/local/samba/var/run
 
  PIDDIR=/usr/local/samba/var/run
 
  SAMBAPID=$PIDDIR/samba.pid
 
  SAMBAPID=$PIDDIR/samba.pid
 
   
 
   
  # clear conflicting settings from the environment              
+
  # clear conflicting settings from the environment
 
  unset TMPDIR
 
  unset TMPDIR
 
   
 
   
Line 131: Line 131:
 
  case "$1" in
 
  case "$1" in
 
         start)
 
         start)
                 SERVER_ROLE=`/usr/local/samba/bin/samba-tool testparm --parameter-name="server role"  2>/dev/null | tail -1`
+
                 SERVER_ROLE=`samba-tool testparm --parameter-name="server role"  2>/dev/null | tail -1`
 
                 if [ "$SERVER_ROLE" != "active directory domain controller" ]; then
 
                 if [ "$SERVER_ROLE" != "active directory domain controller" ]; then
 
                     exit 0
 
                     exit 0
 
                 fi
 
                 fi
 
   
 
   
                 if init_is_upstart; then
+
                # CVE-2013-4475
 +
                KEYFILE=/usr/local/samba/private/tls/key.pem
 +
                 if [ -e $KEYFILE ]; then
 +
                    KEYPERMS=`stat -c %a $KEYFILE`
 +
                    if [ "$KEYPERMS" != "600" ]; then
 +
                        echo "wrong permission on $KEYFILE, must be 600"
 +
                        echo "samba will not start (CVE-2013-4475)"
 +
                        echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions."
 
                         exit 1
 
                         exit 1
                fi
+
                    i
 +
                fi
 
   
 
   
                # CVE-2013-4475
+
                log_daemon_msg "Starting Samba AD DC daemon" "samba"
                KEYFILE=/var/lib/samba/private/tls/key.pem
+
                # Make sure we have our PIDDIR, even if it's on a tmpfs
                if [ -e $KEYFILE ]
+
                install -o root -g root -m 755 -d $PIDDIR
                then
+
 
                                KEYPERMS=`stat -c %a $KEYFILE`
+
                if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
                                if [ "$KEYPERMS" != "600" ]
+
                    log_end_msg 1
                                then
+
                    exit 1
                                                echo "wrong permission on $KEYFILE, must be 600"
+
                fi
                                                echo "samba will not start (CVE-2013-4475)"
 
                                                echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions."
 
                                                exit 1
 
                                fi
 
                fi
 
 
   
 
   
                log_daemon_msg "Starting Samba AD DC daemon" "samba"
+
                log_end_msg 0
                # Make sure we have our PIDDIR, even if it's on a tmpfs
+
                ;;
                install -o root -g root -m 755 -d $PIDDIR
+
        stop)
 +
                log_daemon_msg "Stopping Samba AD DC daemon" "samba"
 
   
 
   
                if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
+
              start-stop-daemon --stop --quiet --pidfile $SAMBAPID
                        log_end_msg 1
+
                # Wait a little and remove stale PID file
                        exit 1
+
                sleep 1
                fi
+
                if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
+
                then
                log_end_msg 0
+
                    # Stale PID file (samba was succesfully stopped),
                ;;
+
                    # remove it (should be removed by samba itself IMHO.)
        stop)
+
                    rm -f $SAMBAPID
                if init_is_upstart; then
+
                fi
                        exit 0
 
                fi
 
                log_daemon_msg "Stopping Samba AD DC daemon" "samba"
 
 
                start-stop-daemon --stop --quiet --pidfile $SAMBAPID
 
                # Wait a little and remove stale PID file
 
                sleep 1
 
                if [ -f $SAMBAPID ] && ! ps h `cat $SAMBAPID` > /dev/null
 
                then
 
                        # Stale PID file (samba was succesfully stopped),
 
                        # remove it (should be removed by samba itself IMHO.)
 
                        rm -f $SAMBAPID
 
                fi
 
 
   
 
   
                log_end_msg 0
+
              log_end_msg 0
 
   
 
   
                ;;
+
                ;;
        restart|force-reload)
+
        restart|force-reload)
                if init_is_upstart; then
+
                $0 stop
                        exit 1
+
                sleep 1
                fi
+
                $0 start
                $0 stop
+
                ;;
                sleep 1
+
        status)
                $0 start
+
                status_of_proc -p $SAMBAPID /usr/local/samba/sbin/samba samba
                ;;
+
                exit $?
        status)
+
                ;;
                status_of_proc -p $SAMBAPID /usr/local/samba/sbin/samba samba
+
        *)
                exit $?
+
                echo "Usage: /etc/init.d/samba-ad-dc {start|stop|restart|force-reload|status}"
                ;;
+
                exit 1
        *)
+
                ;;
                echo "Usage: /etc/init.d/samba-ad-dc {start|stop|restart|force-reload|status}"
 
                exit 1
 
                ;;
 
 
  esac
 
  esac
 
   
 
   
 
  exit 0
 
  exit 0
 +
  
 
* If necessary, update the locations to the <code>samba</code> service, the <code>samba-tool</code> utility, and the <code>smb.conf</code> file in the <code>/etc/init.d/samba-ad-dc</code> file.
 
* If necessary, update the locations to the <code>samba</code> service, the <code>samba-tool</code> utility, and the <code>smb.conf</code> file in the <code>/etc/init.d/samba-ad-dc</code> file.
  
* Make the script executable:
+
* Make the script executeable:
  
 
  # chmod 755 /etc/init.d/samba-ad-dc
 
  # chmod 755 /etc/init.d/samba-ad-dc
 +
 +
 +
 +
  
 
= Managing the Samba AD DC Service =
 
= Managing the Samba AD DC Service =
Line 224: Line 217:
  
 
To enable the Samba Active Directory (AD) domain controller (DC) service to start automatically when the system boots, enter:
 
To enable the Samba Active Directory (AD) domain controller (DC) service to start automatically when the system boots, enter:
 +
 +
== Red Hat Enterprise Linux 6 ==
  
 
  # chkconfig samba-ad-dc enable
 
  # chkconfig samba-ad-dc enable
Line 230: Line 225:
  
 
  # chkconfig samba-ad-dc disable
 
  # chkconfig samba-ad-dc disable
 +
 +
 +
== Debian ==
 +
 +
# update-rc.d samba-ad-dc defaults
 +
 +
To disable the automatic start of the Samba AD DC service, enter:
 +
 +
# update-rc.d -f samba-ad-dc remove
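Review bot: In the "Line 131" hunk, the added key-permission check in the Debian `start)` branch closes its inner test with a bare `i` instead of `fi` (the added line right after `exit 1`). The `if [ "$KEYPERMS" != "600" ]` block is therefore never terminated and `/bin/sh` will refuse to parse the script; that line should read `fi`. The same hunk replaces the absolute `/usr/local/samba/bin/samba-tool` call with a bare `samba-tool`, which now depends on the `PATH=` line added in the "Line 117" hunk, so anyone changing the install prefix has to update both places. Because this is the check that keeps the service from starting with an over-permissive TLS key, it is worth a one-line comment such as `# refuse to start unless key.pem is mode 600; ownership is not checked here`.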
  
  

Latest revision as of 17:57, 23 September 2018

Introduction

The following describes how to use an init script to manage the Samba Active Directory (AD) domain controller (DC) service. Depending on your operating system, the location of the init script, its content, and the procedures for managing the service can differ. For details, see your operating system's documentation.



Creating the Init Script

Red Hat Enterprise Linux 6

  • Create the /etc/init.d/samba-ad-dc file with the following content:
#!/bin/bash
#
# samba-ad-dc	This shell script takes care of starting and stopping
# 		samba AD daemons.
#
# chkconfig: - 58 74
# description: Samba Active Directory Domain Controller

### BEGIN INIT INFO
# Provides: samba-ad-dc
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $network $local_fs $remote_fs
# Should-Start: $syslog $named
# Should-Stop: $syslog $named
# Short-Description: start and stop samba-ad-dc
# Description: Samba Active Directory Domain Controller
### END INIT INFO

# Pull in the distribution's init function library.
. /etc/init.d/functions

# Pull in the networking configuration.
. /etc/sysconfig/network

# Daemon name, the directory it is installed in, and the subsys lock file.
prog="samba"
prog_dir="/usr/local/samba/sbin/"
lockfile="/var/lock/subsys/${prog}"
 
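# Start the Samba AD DC daemon.
# Globals:   NETWORKING, prog_dir, prog, lockfile (read); RETVAL (written)
# Outputs:   progress message on stdout
# Returns:   status of the daemon helper; exits 1 when NETWORKING is "no"
start() {
	[ "$NETWORKING" = "no" ] && exit 1
	echo -n $"Starting Samba AD DC: "
	# Quoted so that a relocated install path stays a single argument.
	daemon "$prog_dir/$prog" -D
	RETVAL=$?
	echo
	# Create the lock file only after a successful start.
	[ "$RETVAL" -eq 0 ] && touch "$lockfile"
	return "$RETVAL"
}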

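 # Stop the Samba AD DC daemon.
 # Globals:   EUID, prog_dir, prog, lockfile (read); RETVAL (written)
 # Outputs:   progress message on stdout
 # Returns:   status of killproc; exits 4 when not run with effective UID 0
 stop() {
	[ "$EUID" != "0" ] && exit 4
	echo -n $"Shutting down Samba AD DC: "
	# Quoted so that a relocated install path stays a single argument.
	killproc "$prog_dir/$prog"
	RETVAL=$?
	echo
	# Drop the lock file only after the daemon was stopped successfully.
	[ "$RETVAL" -eq 0 ] && rm -f "$lockfile"
	return "$RETVAL"
}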
 
# Dispatch on the action given as the first command-line argument.
case "$1" in
	start)
		start
		;;
	stop)
		stop
		;;
	status)
		status $prog
		;;
	restart)
		# A restart is a stop followed by a start.
		stop
		start
		;;
	*)
		# Unknown or missing action: print the usage line and fail.
		echo $"Usage: $0 {start|stop|status|restart}"
		exit 2
		;;
esac
  • Make the script executable:
# chmod 755 /etc/init.d/samba-ad-dc


Debian

  • Create the /etc/init.d/samba-ad-dc file with the following content:
#!/bin/sh

### BEGIN INIT INFO
# Provides:          samba-ad-dc
# Required-Start:    $network $local_fs $remote_fs
# Required-Stop:     $network $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start Samba daemons for the AD DC
### END INIT INFO

#
# Start/stops the Samba daemon (samba).
# Adapted from the Samba 3 packages.
#

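# Search the Samba install prefix first; samba-tool below is found via PATH.
PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH

PIDDIR=/usr/local/samba/var/run
SAMBAPID=$PIDDIR/samba.pid

# clear conflicting settings from the environment
unset TMPDIR

# See if the daemon and the config file are there; exit quietly if not.
# Two separate tests replace the deprecated "test ... -a ..." form.
if ! { [ -x /usr/local/samba/sbin/samba ] && [ -r /usr/local/samba/etc/smb.conf ]; }; then
        exit 0
fi

. /lib/lsb/init-functions

case "$1" in
        start)
                # Do nothing unless smb.conf reports the AD DC server role.
                SERVER_ROLE=$(samba-tool testparm --parameter-name="server role" 2>/dev/null | tail -1)
                if [ "$SERVER_ROLE" != "active directory domain controller" ]; then
                    exit 0
                fi

                # CVE-2013-4475
                # Refuse to start unless the TLS private key has mode 600
                # exactly. Only the mode is compared; ownership of the key
                # file is not checked here.
                # NOTE(review): confirm the CVE identifier above against the
                # Samba advisory for the key.pem permission issue.
                KEYFILE=/usr/local/samba/private/tls/key.pem
                if [ -e "$KEYFILE" ]; then
                    KEYPERMS=$(stat -c %a "$KEYFILE")
                    if [ "$KEYPERMS" != "600" ]; then
                        echo "wrong permission on $KEYFILE, must be 600"
                        echo "samba will not start (CVE-2013-4475)"
                        echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions."
                        exit 1
                    fi
                fi

                log_daemon_msg "Starting Samba AD DC daemon" "samba"
                # Make sure we have our PIDDIR, even if it's on a tmpfs
                install -o root -g root -m 755 -d "$PIDDIR"

                if ! start-stop-daemon --start --quiet --oknodo --exec /usr/local/samba/sbin/samba -- -D; then
                    log_end_msg 1
                    exit 1
                fi

                log_end_msg 0
                ;;
        stop)
                log_daemon_msg "Stopping Samba AD DC daemon" "samba"

                start-stop-daemon --stop --quiet --pidfile "$SAMBAPID"
                # Wait a little and remove stale PID file
                sleep 1
                if [ -f "$SAMBAPID" ] && ! ps h "$(cat "$SAMBAPID")" > /dev/null
                then
                    # Stale PID file (samba was successfully stopped),
                    # remove it (should be removed by samba itself IMHO.)
                    rm -f -- "$SAMBAPID"
                fi

                log_end_msg 0
                ;;
        restart|force-reload)
                # Re-invoke this script so both actions run their own checks.
                "$0" stop
                sleep 1
                "$0" start
                ;;
        status)
                status_of_proc -p "$SAMBAPID" /usr/local/samba/sbin/samba samba
                exit $?
                ;;
        *)
                echo "Usage: /etc/init.d/samba-ad-dc {start|stop|restart|force-reload|status}"
                exit 1
                ;;
esac

exit 0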


  • If necessary, update the locations to the samba service, the samba-tool utility, and the smb.conf file in the /etc/init.d/samba-ad-dc file.
  • Make the script executable:
# chmod 755 /etc/init.d/samba-ad-dc



Managing the Samba AD DC Service

The following assumes that the Samba Active Directory (AD) domain controller (DC) service is managed by the /etc/init.d/samba-ad-dc init script. If you have not created the script manually, see your operating system's documentation for the name of the Samba AD DC service.


Enabling and Disabling the Samba AD DC Service

To enable the Samba Active Directory (AD) domain controller (DC) service to start automatically when the system boots, enter:

Red Hat Enterprise Linux 6

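# chkconfig samba-ad-dc on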

To disable the automatic start of the Samba AD DC service, enter:

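# chkconfig samba-ad-dc off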


Debian

# update-rc.d samba-ad-dc defaults

To disable the automatic start of the Samba AD DC service, enter:

# update-rc.d -f samba-ad-dc remove


Manually Starting and Stopping the Samba AD DC Service

To manually start the Samba Active Directory (AD) domain controller (DC) service, enter:

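# service samba-ad-dc start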

To manually stop the Samba AD DC service, enter:

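# service samba-ad-dc stop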