@rma92
Last active November 25, 2024 10:45
AD Domain Controller on Alpine Linux 3.20

Setting up a standalone DC on Alpine Linux

  • I used Alpine Linux 3.60
  • The Chrony NTP daemon shipped with the system is now sufficient for a domain controller.
  • Ideally, the VM should have a static IP reachable by the clients, so that pointing the clients at the domain controller running on the VM is easy. This isn't strictly necessary, but clients will lose the DC if its IP address changes.
  • Replace SAMDOM and SAMDOM.EXAMPLE.COM with the names of your domain and realm.

Optional: Set up doas and add a local user so we can SSH in more easily

apk add doas
adduser user                 # create the local account (prompts for a password)
adduser user wheel           # add the existing account to the wheel group
echo "permit persist :wheel" > /etc/doas.conf

Now you can SSH in as user and run doas <command> or doas -s. Alternatively, add the user without doas and use the su command.

Initial Setup

  • Install a base system and set a root password; a second local account is not required. The only required setup choice is chronyd as the NTP daemon (the default).
  • When the system reboots, install the required components.
apk update
apk upgrade
apk add samba samba-dc samba-client openrc
  • Move the default Samba config aside and create a new one with the following contents:
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak
vi /etc/samba/smb.conf
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    netbios name = DC1
    server role = active directory domain controller
    dns forwarder = 8.8.8.8
    idmap_ldb:use rfc2307 = yes

[sysvol]
    path = /var/lib/samba/sysvol
    read only = no

[netlogon]
    path = /var/lib/samba/sysvol/samdom.example.com/scripts
    read only = no
  • Provision the DC interactively:
samba-tool domain provision --use-rfc2307 --interactive

Use the SAMBA_INTERNAL DNS backend to minimize headaches.
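Before provisioning, it is worth checking that the hand-written smb.conf agrees with the flags used above, since a [netlogon] path that does not match the lower-cased realm, or a missing idmap_ldb:use rfc2307 line next to --use-rfc2307, produces a DC that works but fails later in confusing ways. The following linter is an added example, not part of the gist; it only assumes the section and key names shown in the config above and runs against a constructed copy of it.

```shell
# smb_get FILE SECTION KEY -> value of KEY inside [SECTION]; comments are skipped
smb_get() {
    awk -v sec="$2" -v key="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line ~ /^[#;]/ || line == "" { next }
        line ~ /^\[.*\]$/ { cur = substr(line, 2, length(line) - 2); next }
        cur == sec && index(line, "=") {
            k = substr(line, 1, index(line, "=") - 1); sub(/[ \t]+$/, "", k)
            v = substr(line, index(line, "=") + 1);    sub(/^[ \t]+/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_smb_conf FILE -> 0 if the settings agree with the provisioning flags used
# above; otherwise print each problem and return 1
check_smb_conf() {
    conf=$1; rc=0
    role=$(smb_get "$conf" global "server role")
    realm=$(smb_get "$conf" global realm)
    wg=$(smb_get "$conf" global workgroup)
    rfc=$(smb_get "$conf" global "idmap_ldb:use rfc2307")
    netlogon=$(smb_get "$conf" netlogon path)
    realm_lc=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    if [ "$role" != "active directory domain controller" ]; then
        echo "server role is '$role', must be 'active directory domain controller'"; rc=1
    fi
    case "$realm" in *.*) ;; *) echo "realm '$realm' should be a DNS name like SAMDOM.EXAMPLE.COM"; rc=1 ;; esac
    if [ -z "$wg" ]; then echo "workgroup is not set"; rc=1; fi
    if [ "$rfc" != "yes" ]; then
        echo "idmap_ldb:use rfc2307 = yes is missing, but provision runs with --use-rfc2307"; rc=1
    fi
    if [ "$netlogon" != "/var/lib/samba/sysvol/$realm_lc/scripts" ]; then
        echo "[netlogon] path must be /var/lib/samba/sysvol/$realm_lc/scripts, got '$netlogon'"; rc=1
    fi
    return $rc
}

# Constructed sample: the [global] and [netlogon] settings from the recipe above.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
[global]
    workgroup = SAMDOM
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
[netlogon]
    path = /var/lib/samba/sysvol/samdom.example.com/scripts
EOF
check_smb_conf "$SAMPLE" && echo "smb.conf agrees with the provisioning flags"
rm -f "$SAMPLE"
```

Run it as `check_smb_conf /etc/samba/smb.conf` on the real file; a non-zero exit lists every mismatch it found.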

  • Configure DNS:
vi /etc/resolv.conf

Set the nameserver to localhost:

nameserver 127.0.0.1
  • Remove the default Samba services from the runlevels, since they don't work for a domain controller (some of these commands may fail if the service was never added):
rc-update del samba
rc-update del smbd
rc-update del nmbd
  • Create a samba-ad-dc init script:
vi /etc/init.d/samba-ad-dc

Add the following:

#!/sbin/openrc-run

description="Samba Active Directory Domain Controller"
command="/usr/sbin/samba"
command_background="yes"
pidfile="/var/run/samba/samba.pid"

depend() {
    need net
    use dns logger
    after firewall
}

start_pre() {
    checkpath --directory --owner root:root --mode 0755 /var/run/samba
}

stop() {
    ebegin "Stopping Samba AD DC"
    start-stop-daemon --stop --pidfile $pidfile
    eend $?
}

Make the script executable, add it to the default runlevel, reboot, and confirm the service starts.

chmod +x /etc/init.d/samba-ad-dc
rc-update add samba-ad-dc
reboot

Optional: raise the functional levels to 2016

Add the following option to the [global] section of /etc/samba/smb.conf to set the DC functional level:

ad dc functional level = 2016

Then restart Samba (or reboot):

rc-service samba-ad-dc stop
rc-service samba-ad-dc start

If you run samba-tool domain level show and there is only a single DC, you should see the DC running at the 2016 functional level.

Then run:

samba-tool domain schemaupgrade --schema=2019
samba-tool domain functionalprep --function-level=2016
samba-tool domain level raise --domain-level=2016 --forest-level=2016
samba-tool domain level show

Add a Windows computer

  • Set the Windows computer's DNS server to the IP address of the domain controller.
  • Run sysdm.cpl and join the domain, using the account "Administrator" with the password you set during the interactive Samba DC provisioning.

Building SoftEther VPN for Alpine

apk add cmake build-base libsodium-dev git ncurses-dev openssl-dev zlib-dev readline-dev
git clone https://github.com/SoftEtherVPN/SoftEtherVPN.git
export USE_MUSL=YES
export CMAKE_INSTALL_PREFIX=/usr/local
cd SoftEtherVPN
git submodule update --init --recursive
cmake .
make
make install

Make a tar archive, then move it to another system

Building and installing SoftEther produces an install_manifest.txt in the root of the source directory (the build directory, since cmake was run in-tree) listing every file needed to run the program. Run make install to place the files, then create a tar.gz of all of them by running this in the directory where install_manifest.txt is located:

tar --create --gzip --file=softether_files.tar.gz --files-from=install_manifest.txt

Copy softether_files.tar.gz to the new machine. For simplicity, I placed it in / and ran the following as root from /:

apk add --no-cache ca-certificates iptables readline zlib libsodium
tar xf softether_files.tar.gz
rm softether_files.tar.gz

Set up a qemu VM with port forwarding

From scratch, create an image and install from the virt ISO (to minimize the disk footprint):

qemu-img create alpine_softether.qcow2 -f qcow2 2000M
qemu-system-i386 -m 256M -drive file=alpine_softether.qcow2,format=qcow2 -cdrom \iso\alpine-virt-3.20.3-x86.iso -boot d

After installation, the following command line forwards the VPN ports (and host port 2222 to the SSH server in the guest, for ease of management and access):

qemu-system-i386 -m 256M -drive file=alpine_softether.qcow2,format=qcow2 -net nic -net user,hostfwd=udp::53-:53,hostfwd=udp::500-:500,hostfwd=tcp::992-:992,hostfwd=tcp::1194-:1194,hostfwd=udp::1194-:1194,hostfwd=udp::1701-:1701,hostfwd=udp::4500-:4500,hostfwd=tcp::5555-:5555,hostfwd=tcp::2222-:22

To set everything up, install the VPN Server Manager and connect to port 992 on the guest. You can use SSH forwarding if needed.
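A hostfwd rule has the form proto:[hostaddr]:hostport-[guestaddr]:guestport, and leaving hostaddr empty, as every rule above does, makes qemu listen on all of the host's interfaces. That is what you want for the VPN listener ports, but the SSH forward (2222 to 22) and the manager port (992) are better bound to 127.0.0.1 and reached over an SSH tunnel. The audit below is an added example, not part of the gist; it assumes guest ports 22 and 992 are the administrative ones (extend the list if you manage SoftEther through another listener) and runs against a constructed copy of the option string above.

```shell
ADMIN_GUEST_PORTS="22 992"   # assumption: the SSH and manager ports used above

is_admin_port() {
    for p in $ADMIN_GUEST_PORTS; do [ "$1" = "$p" ] && return 0; done
    return 1
}

# split_rule RULE -> sets proto, hostaddr, hostport, guestport and rest (the
# "hostport-guestaddr:guestport" tail) from proto:[hostaddr]:hostport-[guestaddr]:guestport
split_rule() {
    proto=${1%%:*}; rest=${1#*:}
    hostaddr=${rest%%:*}; rest=${rest#*:}
    hostport=${rest%%-*}; guestport=${rest##*:}
}

# exposed_admin_ports NETDEV -> "proto hostport guestport" for every admin rule
# whose host address is empty, i.e. bound to all host interfaces
exposed_admin_ports() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r opt; do
        case "$opt" in hostfwd=*) split_rule "${opt#hostfwd=}" ;; *) continue ;; esac
        if [ -z "$hostaddr" ] && is_admin_port "$guestport"; then
            printf '%s %s %s\n' "$proto" "$hostport" "$guestport"
        fi
    done
}

# loopback_admin NETDEV -> the same option string with admin rules rebound to 127.0.0.1
loopback_admin() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r opt; do
        case "$opt" in
            hostfwd=*)
                split_rule "${opt#hostfwd=}"
                if [ -z "$hostaddr" ] && is_admin_port "$guestport"; then hostaddr=127.0.0.1; fi
                printf 'hostfwd=%s:%s:%s\n' "$proto" "$hostaddr" "$rest" ;;
            *) printf '%s\n' "$opt" ;;
        esac
    done | paste -s -d ',' -
}

# Constructed input: the "-net user,..." option string from the command above.
GIST_NETDEV='user,hostfwd=udp::53-:53,hostfwd=udp::500-:500,hostfwd=tcp::992-:992,hostfwd=tcp::1194-:1194,hostfwd=udp::1194-:1194,hostfwd=udp::1701-:1701,hostfwd=udp::4500-:4500,hostfwd=tcp::5555-:5555,hostfwd=tcp::2222-:22'

echo "admin ports reachable from every host interface (proto hostport guestport):"
exposed_admin_ports "$GIST_NETDEV"
echo "hardened: qemu-system-i386 ... -net nic -net $(loopback_admin "$GIST_NETDEV")"
```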

Add vpnserver and client to init.d

Here are OpenRC init.d scripts for managing the SoftEther VPN Server (vpnserver) and VPN Client (vpnclient). They assume the binaries are located in /usr/local/bin and that each process is started and stopped through its own start and stop commands.

Script 1: /etc/init.d/vpnserver

#!/sbin/openrc-run

description="SoftEther VPN Server"
command="/usr/local/bin/vpnserver"

depend() {
    need net
}

# vpnserver forks into the background on its own and understands "start" and
# "stop", so the script drives it through those arguments instead of tracking
# a pidfile with start-stop-daemon (which never received the "start" argument
# and never wrote the pidfile in the original version).
start() {
    ebegin "Starting SoftEther VPN Server"
    "${command}" start >/dev/null
    eend $?
}

stop() {
    ebegin "Stopping SoftEther VPN Server"
    "${command}" stop >/dev/null
    eend $?
}

Script 2: /etc/init.d/vpnclient

#!/sbin/openrc-run

description="SoftEther VPN Client"
command="/usr/local/bin/vpnclient"

depend() {
    need net
}

# Same approach as vpnserver: vpnclient daemonizes itself and is controlled
# through its own "start" and "stop" arguments.
start() {
    ebegin "Starting SoftEther VPN Client"
    "${command}" start >/dev/null
    eend $?
}

stop() {
    ebegin "Stopping SoftEther VPN Client"
    "${command}" stop >/dev/null
    eend $?
}

Steps to Install and Use the Scripts

  1. Create the Files:

    • Save the first script as /etc/init.d/vpnserver.
    • Save the second script as /etc/init.d/vpnclient.
  2. Make the Scripts Executable:

    chmod +x /etc/init.d/vpnserver
    chmod +x /etc/init.d/vpnclient
  3. Add to Default Runlevel:

    rc-update add vpnserver default
    rc-update add vpnclient default
  4. Start/Stop the Services:

    • Start:
      rc-service vpnserver start
      rc-service vpnclient start
    • Stop:
      rc-service vpnserver stop
      rc-service vpnclient stop

Assumptions

  • The vpnserver and vpnclient binaries are installed at /usr/local/bin.
  • They support start and stop as command-line arguments to manage the processes.
  • Modify paths or commands if your setup differs.

Delete the config file

rm /usr/local/libexec/softether/vpnserver/vpn_server.config

Reset the admin password

Start vpncmd, connect to the local VPN Server as its administrator, and at the server prompt run the second command:

vpncmd
ServerPasswordSet