samba.set('global', 'host msdfs', 'yes') samba.set('global', 'tls enabled', 'yes') samba.set('global', 'tls keyfile', constants.SSLDIR + '/server.key.pem') samba.set('global', 'tls certfile', constants.SSLDIR + '/server.cert.pem') samba.set('global', 'tls cafile', constants.CACERT) samba.set('global', 'tls verify peer', 'ca_and_name') samba.set('global', 'ldap server require strong auth', 'no') with open(smbconf, 'w') as outfile: samba.write(outfile) printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1) # repair smb.conf's idmap option replaceInFile(smbconf, 'idmap_ldb = use rfc2307 = yes', 'idmap_ldb:use rfc2307 = yes') # restart services msg = 'Restarting samba services ' printScript(msg, '', False, False, True) try: subProc('systemctl daemon-reload', logfile) for s in services: subProc('systemctl stop ' + s, logfile) # start only samba-ad-dc service subProc('systemctl unmask samba-ad-dc.service', logfile) subProc('systemctl enable samba-ad-dc.service', logfile) printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1)
'ssh-keygen -t ' + a + ' -f ' + hostkey_prefix + a + '_key -N ""', logfile) printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1) msg = '* ' + a + ' root key ' printScript(msg, '', False, False, True) try: subProc('ssh-keygen -t ' + a + ' -f ' + rootkey_prefix + a + ' -N ""', logfile) if a == 'rsa': subProc( 'base64 ' + constants.SSHPUBKEY + ' > ' + constants.SSHPUBKEYB64, logfile) rc = replaceInFile(constants.SSHPUBKEYB64, '\n', '') printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1) # restart ssh service msg = 'Restarting ssh service ' printScript(msg, '', False, False, True) try: subProc('service ssh restart', logfile) printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1)
subProc( 'openssl req -batch -x509 ' + subj + ' -new -nodes ' + passin + ' -key ' + constants.CAKEY + shadays + ' -out ' + constants.CACERT, logfile) subProc( 'openssl x509 -in ' + constants.CACERT + ' -inform PEM -out ' + constants.CACERTCRT, logfile) # install crt subProc( 'ln -sf ' + constants.CACERTCRT + ' /usr/local/share/ca-certificates/linuxmuster_cacert.crt', logfile) subProc('update-ca-certificates', logfile) # create base64 encoded version for opnsense's config.xml subProc('base64 ' + constants.CACERT + ' > ' + constants.CACERTB64, logfile) rc = replaceInFile(constants.CACERTB64, '\n', '') if not os.path.isfile(constants.CACERTB64): printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1) printScript(' Success!', '', True, True, False, len(msg)) except: printScript(' Failed!', '', True, True, False, len(msg)) sys.exit(1) # iterate through certlist for item in certlist: # skip firewall cert if item == 'firewall' and skipfw: continue fqdn = item + '.' + domainname csrfile = constants.SSLDIR + '/' + item + '.csr'
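# script header
# The log file is named after this script (basename with '.py' removed).
filename = os.path.basename(__file__).replace('.py', '')
logfile = constants.LOGDIR + '/' + filename + '.log'

title = 'Creating test users for default-school'
printScript('', 'begin')
printScript(title)

msg = 'Logging to ' + logfile
printScript(msg)

# set password policy
# Rewrites 'RANDOM_PWD=yes' to 'RANDOM_PWD=no' in constants.SCHOOLCONF.
# NOTE(review): presumably this makes the accounts created afterwards get a
# fixed, known password instead of a random one. The edit is written to the
# school configuration and nothing in this part of the script restores it, so
# confirm that it is reverted later or that the script only ever runs on test
# installations; otherwise real accounts added afterwards inherit the weaker
# policy.
msg = 'password policy setup '
printScript(msg, '', False, False, True)
try:
    # NOTE(review): the return value of replaceInFile is ignored; if it signals
    # failure through its return value rather than by raising, this step
    # prints ' Success!' even though the policy was not changed - confirm.
    replaceInFile(constants.SCHOOLCONF, 'RANDOM_PWD=yes', 'RANDOM_PWD=no')
    printScript(' Success!', '', True, True, False, len(msg))
except Exception:
    # Exception instead of a bare except: Ctrl-C (KeyboardInterrupt) and
    # SystemExit are no longer swallowed and reported as a failed step.
    printScript(' Failed!', '', True, True, False, len(msg))
    sys.exit(1)

# check
# Runs sophomorix-check through subProc, passing the script's log file path.
msg = 'sophomorix-check '
printScript(msg, '', False, False, True)
try:
    # NOTE(review): only an exception marks this step as failed; confirm that
    # subProc raises on a non-zero exit status instead of returning it.
    subProc('sophomorix-check', logfile)
    printScript(' Success!', '', True, True, False, len(msg))
except Exception:
    # Same narrowing as above: abort on real errors, let interrupts propagate.
    printScript(' Failed!', '', True, True, False, len(msg))
    sys.exit(1)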