-
Notifications
You must be signed in to change notification settings - Fork 24
/
Copy pathsamba-check-db-repl.sh
353 lines (311 loc) · 14 KB
/
samba-check-db-repl.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
#!/bin/bash -v
##
## Version : 1.0.8
## release d.d. : 24-03-2015
## Author : L. van Belle
## E-mail : [email protected]
## Copyright : Free as free can be, copy it, change it if needed.
## Sidenote : if you change things, please inform me
## ChangeLog : first release d.d. 23-03-2015
## 24-03-2015 : 1.0.2 few small changes, thanks Rowland for the suggestions.
## 22-04-2015 : 1.0.3 moved mailx part within check if an e-mail adres is used.
## 24-04-2015 : 1.0.4 added extra check, so if no is if found, you get an error message and not a python error.
## 21-11-2016 : 1.0.5 extra filter options. ( samba 4.5.x needs adjusting )
## ( removed the . in the hostname resolving for the DCS, this was no error, but its more clear what people want to see )
## 12-02-2018 : 1.0.6 fix the test for presence of "FAILURE" will be true even if the actual result is "successful".
## 13-02-2018 : 1.0.7 fix filter, variable was not used. optimized code, remove ^M.
## 30-01-2019 : 1.0.8 change filter defaults to whenChanged,dc,DC,cn,CN
## Samba database checker. ( samba 4.1-4.8 tested)
## This script wil check for error in the samba databases with samba-tool
## If needed adjust it to your os needs.
## !! Warning, samba 4.5.0 - 4.5.1 errors about cn CN ou OU differences.
## This is a samba bug : https://bugzilla.samba.org/show_bug.cgi?id=12399
# you may need to adjust the filter options below. (SAMBA_LDAPCMD_FILTER)
## NOTICE !! This script does only work with samba DC's
## A samba DC + Windows DC wont work and is not tested, if you get that to work,
## please share the code ;-)
## Howto use it:
## Put it on any samba4 DC and run it.
## if you put it in a cron job,
## set the mail report adres and put in the password for Administrator
## and set the relayhost.
## Test it, by remove-ing the email adres at EMAIL_REPORT_ADRES
## and you get a console output of the checks.
## Thats it, enjoy..
## All other settings are optional..
## Only tested with user "Administrator".. best is not to change this.
SAMBA_NT_ADMIN_USER="Administrator"
## if empty the script wil ask for the pass..
## for running this with cron this is a must !
SAMBA_NT_ADMIN_PASS=""
## perform 2 checkes by default for the database replication
## keep both set to yes, thats the best.
SAMBA_CHECKDB_WITH_DRS="yes"
SAMBA_CHECKDB_WITH_LDAPCMD="yes"
## Filter non-synced attributes
## Change the filter to avoid mismatching, some items can be ignored.
## Some examples. : whenChanged,usnChanged,usnCreated,msDS-NcType,serverState
## add them with "," seperated.
SAMBA_LDAPCMD_FILTER="whenChanged,dc,DC,cn,CN"
# TODO, this one is not integrated yet!
## Compare single AD partitions on Domain Controller DC1 and DC2:
## You can compair also only one for more partitions in stead of the full DB.
## The options are : domain configuration schema dnsdomain dnsforest
## Keep empty for full DB compair, or space separated partition options.
#SAMBA_LDAPCMD_PARTITIONS=""
## The email adress to report to.
## If you put an e-mail adres here the script wil also check for mail tools.. etc
## Email are only send when errors are found and no console output !
## if you want console put, dont put any email address here..
EMAIL_REPORT_ADDRESS=""
## Normaly only e-mail are send when errors are found, or set yes for always email
EMAIL_REPORT_ALWAYS="no"
## I use postfix as relay host. ( set to run on localhost only)
## Put here your mail relay host
## hostname or hostname-fqdn or ip or ip:port are ok.
## This is only used when NO sendmail program if found.
POSTFIX_RELAY_HOST=""
## postfix wil be automatily setup for your.
## If you did already setup any mail server on the server or you are able to mail
## from this server with "mail" command, then this script does not install postfix.
## cleanup the log in /tmp
## can be handy if you want to review manualy.
SETREMOVELOG="no"
## So you reached the end for the configure..
## Set this one to yes.. and your good to go.
CONFIGURED="no"
#######################################################################
## DONT CHANGE BELOW Please, if you make changes, please share them. #
#######################################################################
## hostname in single word, but you dont need to change this
SETHOSTNAME="$(hostname -s)"
## domainname.tld, but if you installed correct, you dont need to change this
SETDNSDOMAIN="$(hostname -d)"
## hostname.domainname.tld, but if you installed correct, you dont need to change this
SETFQDN="$(hostname -f)"
SETTPUT="$(which tput)"
if [ -z "${SETTPUT}" ]; then
echo "program tput not found, installing it now.. please wait"
apt-get update > /dev/null
apt-get install -y --no-install-recommends ncurses-bin > /dev/null
fi
RED="$(${SETTPUT} setaf 1)"
NORMAL="$(${SETTPUT} sgr0)"
GREEN="$(${SETTPUT} setaf 2)"
YELLOW="$(${SETTPUT} setaf 3)"
UNDERLINE="$(${SETTPUT} smul)"
WHITE="$(${SETTPUT} setaf 7)"
BOLD="$(${SETTPUT} bold)"
message() {
printf "%40s\n" "${WHITE}${BOLD}$*${NORMAL}"
}
good() {
printf "%40s\n" "${GREEN}$*${NORMAL}"
}
error() {
printf "%40s\n" "${RED}$*${NORMAL}"
}
warning() {
printf "%40s\n" "${YELLOW}$*${NORMAL}"
}
warning_underline() {
printf "%40s\n" "${YELLOW}${UNDERLINE}$*${NORMAL}"
}
check_run_as_sudo_root() {
if ! [[ $EUID -eq 0 ]]; then
error "This script should be run using sudo or by root."
exit 1
fi
}
configured_script() {
if [ "${CONFIGURED}" = "no" ]; then
error "####################################################"
error "You need to configure this script first to run it. "
echo " "
error "exiting script now... "
exit 0
fi
}
configured_script
check_run_as_sudo_root
if [ $SAMBA_CHECKDB_WITH_DRS = "no" ] && [ ${SAMBA_CHECKDB_WITH_LDAPCMD} = "no" ] ; then
error "When you set both SAMBA_CHECKBD... to NO.. then there is no point of running this script"
error "Please set at least 1 of these checks to yes"
error "exiting script now... "
exit 0
fi
SET_SAMBATOOL="$(which samba-tool)"
if [ -z "$SET_SAMBATOOL" ]; then
error "No samba-tool tool found, this script wil exit now.. this.. I cant fix."
exit 0
fi
SET_TR="$(which tr)"
if [ -z "$SET_TR" ]; then
warning "No tr tool found, running apt-get update and install coreutils, please wait.."
apt-get update > /dev/null
apt-get install -y --no-install-recommends coreutils > /dev/null
sleep 0.5
SET_TR="$(which tr)"
fi
## get DC info
DCS="$(host -t SRV _kerberos._udp."${SETDNSDOMAIN}" | awk '{print $NF}'| sed 's/.$//')"
if [ -z "${DCS}" ]; then
error "No Samba DCS found, host -t SRV _kerberos.udp.${SETDNSDOMAIN} returned nothing"
error "exitting now..."
exit 0
fi
#SAMBA_DC_FSMO=(${SET_SAMBATOOL} fsmo show | cut -d',' -f2 | head -n1 | cut -c4-100 | ${SET_TR} '[:upper:]' '[:lower:]')
SAMBA_DC_FSMO=$(echo $(${SET_SAMBATOOL} fsmo show | cut -d"," -f2 | head -n1 | cut -c4-100) | ${SET_TR} '[:upper:]' '[:lower:]')
SAMBA_DC1="${SAMBA_DC_FSMO}.${SETDNSDOMAIN}"
if [ -z "${SAMBA_DC1}" ]; then
error "No Samba DC Found with FSMO Roles, you might have dns problems"
error "exitting now..."
exit 0
fi
#SAMBA_DCS="$(echo ${DCS} | grep -v ${SAMBA_DC_FSMO})"
SAMBA_DCS=$(echo "$DCS" | grep -v "${SAMBA_DC_FSMO}")
if [ -z "${SAMBA_DCS}" ]; then
error "No Samba DC's Found with, you might have dns problems"
error "exitting now..."
echo $SAMBA_DCS
exit 0
fi
SAMBA_NT_DOMAINNAME="$($SET_SAMBATOOL domain info "${SAMBA_DC1}" | grep Netbios | cut -d":" -f2 | cut -c2-100)"
if [ -z "${SAMBA_NT_DOMAINNAME}" ]; then
error "No Samba NT DOMAIN Name found"
error "exitting now..."
exit 0
fi
if [ -z "${SAMBA_NT_ADMIN_PASS}" ]; then
while [ "${SAMBA_NT_ADMIN_PASS}" = "" ]; do
message "No password for user ${SAMBA_NT_DOMAINNAME}\\${SAMBA_NT_ADMIN_USER} was set in this script!"
warning_underline "Please enter the password for ${SAMBA_NT_DOMAINNAME}\\${SAMBA_NT_ADMIN_USER} : "
read -r -s -e "SAMBA_NT_ADMIN_PASS"
done
fi
echo "${SAMBA_NT_ADMIN_PASS}" | kinit "${SAMBA_NT_ADMIN_USER}" > /dev/null
SET_DEBCONF_SETSELECT="$(which debconf-set-selections)"
if [ -z "${SET_DEBCONF_SETSELECT}" ]; then
warning "No debconf-set-selections tool found, running apt-get update and install debconf , please wait.."
apt-get update > /dev/null
apt-get install -y --no-install-recommends debconf > /dev/null
sleep 0.5
SET_DEBCONF_SETSELECT="$(which debconf-set-selections)"
fi
if [ ! -z "${EMAIL_REPORT_ADDRESS}" ]; then
SET_SENDMAIL="$(which sendmail)"
if [ -z "${SET_SENDMAIL}" ]; then
warning "No mailserver found, running apt-get update and installing postfix as smarthost, please wait.."
## these are the debian defaults for a "smarthost setup"
echo "postfix postfix/main_mailer_type select Satellite system" | ${SET_DEBCONF_SETSELECT}
echo "postfix postfix/mailname string ${SETFQDN}" | ${SET_DEBCONF_SETSELECT}
echo "postfix postfix/relayhost string ${POSTFIX_RELAY_HOST}" | ${SET_DEBCONF_SETSELECT}
apt-get update > /dev/null
apt-get install -y --no-install-recommends postfix > /dev/null
sleep 0.5
SET_SENDMAIL="$(which sendmail)"
postconf -e "mydestination = ${SETFQDN}, localhost, localhost.localdomain"
postconf -e "inet_interfaces = 127.0.0.1"
postconf -e "inet_protocols = ipv4"
sleep 0.2
service postfix restart
fi
SET_MAILTOOL="$(which mail)"
if [ -z "$SET_MAILTOOL" ]; then
warning "No mail tool found, running apt-get update and install heirloom-mailx, please wait.."
apt-get update > /dev/null
apt-get install -y --no-install-recommends heirloom-mailx > /dev/null
sleep 0.5
SET_MAILTOOL="$(which mail)"
${SET_MAILTOOL} -s "Test mail from script : check db" "${EMAIL_REPORT_ADDRESS}" < /etc/hosts
fi
fi
## always remove the log before running the script again.
if [ "${SETREMOVELOG}" = "yes" ] || [ "${SETREMOVELOG}" = "no" ] ; then
if [ -f /tmp/samba_ldapcmp_checkdb ]; then
rm /tmp/samba_ldapcmp_checkdb
fi
if [ -f /tmp/samba_drs_showrepl ]; then
rm /tmp/samba_drs_showrepl
fi
fi
## used for samba-tool drs showrepl
## expected success is depending on total of DC's.
expected_success=0
## expected failure is always 0
expected_failure=0
for x in ${SAMBA_DCS}; do
expected_success=$(( expected_success +=10 ))
done
if [ ! -z "${EMAIL_REPORT_ADDRESS}" ]; then
if [ "${SAMBA_CHECKDB_WITH_LDAPCMD}" = "yes" ]; then
for x in ${SAMBA_DCS}; do
$SET_SAMBATOOL ldapcmp --filter="$(LDAPCMD_FILTER)" ldap://"${SAMBA_DC1}" ldap://"${x}" -d0 > /tmp/samba_ldapcmp_checkdb 2>&1
if grep -q FAILURE /tmp/samba_ldapcmp_checkdb; then
${SET_MAILTOOL} -s "FAILURE ldapcmp between $SETDCFSMO and $x" "${EMAIL_REPORT_ADDRESS}" < /tmp/samba_ldapcmp_checkdb
fi
done
fi
if [ "${SAMBA_CHECKDB_WITH_DRS}" = "yes" ]; then
${SET_SAMBATOOL} drs showrepl -d0 > /tmp/samba_drs_showrepl 2>&1
failure=$(grep -c "failed" /tmp/samba_drs_showrepl)
success=$(grep -c "successful" /tmp/samba_drs_showrepl)
for x in ${SAMBA_DCS} ; do
if [ "${failure}" -ne "${expected_failure}" ]; then
${SET_MAILTOOL} -s "FAILURE: unexpected showrepl result between $SETDCFSMO and $x" $EMAIL_REPORT_ADDRESS < /tmp/samba_drs_showrepl
fi
if [ "${success}" -ne "${expected_success}" ]; then
${SET_MAILTOOL} -s "FAILURE: unexpected showrepl result between $SETDCFSMO and $x" $EMAIL_REPORT_ADDRESS < /tmp/samba_drs_showrepl
fi
done
fi
else
message "Running with with console output"
if [ "${SAMBA_CHECKDB_WITH_LDAPCMD}" = "yes" ]; then
echo "Checking the DC_With_FSMO (${SAMBA_DC_FSMO}) with SAMBA DC: ${SAMBA_DCS}"
for x in ${SAMBA_DCS}; do
message "Running : ${SET_SAMBATOOL} ldapcmp --filter=\"${SAMBA_LDAPCMD_FILTER}\" ldap://$SAMBA_DC1 ldap://$x "
message "Please wait.. this can take a while.."
#${SET_SAMBATOOL} ldapcmp --filter="${SAMBA_LDAPCMD_FILTER}" ldap://"${SAMBA_DC1}" ldap://"${x}" -d0 > /tmp/samba_ldapcmp_checkdb
${SET_SAMBATOOL} ldapcmp --filter="${SAMBA_LDAPCMD_FILTER}" ldap://"$SAMBA_DC1" ldap://"${x}" -d0 > /tmp/samba_ldapcmp_checkdb 2>&1
if grep -q FAILURE /tmp/samba_ldapcmp_checkdb; then
warning "$(cat /tmp/samba_ldapcmp_checkdb)"
else
good "$(cat /tmp/samba_ldapcmp_checkdb)"
fi
done
fi
echo ".. Next check.. "
if [ "${SAMBA_CHECKDB_WITH_DRS}" = "yes" ]; then
message "Running : samba-tool drs showrepl"
# ${SET_SAMBATOOL} drs showrepl -d0 2>&1 > /tmp/samba_drs_showrepl
${SET_SAMBATOOL} drs showrepl -d0 > /tmp/samba_drs_showrepl 2>&1
failure="$(grep -c "failed" /tmp/samba_drs_showrepl)"
success="$(grep -c "successful" /tmp/samba_drs_showrepl)"
for x in ${SAMBA_DCS} ; do
if [ "${failure}" -ne "${expected_failure}" ]; then
error "failures don't match"
fi
if [ "${success}" -ne "${expected_success}" ]; then
error "successes don't match"
fi
if [ "${failure}" -eq "${expected_failure}" ] && [ "${success}" -eq "${expected_success}" ]; then
good "No errors found"
fi
done
fi
fi
if [ "${EMAIL_REPORT_ALWAYS}" = "yes" ] && [ -n "${EMAIL_REPORT_ADDRESS}" ]; then
#cat /tmp/samba_drs_showrepl | ${SET_MAILTOOL} -s "SAMBA CHECK DB : showrepl results" $EMAIL_REPORT_ADDRESS
${SET_MAILTOOL} -s "SAMBA CHECK DB : showrepl results" $EMAIL_REPORT_ADDRESS < /tmp/samba_drs_showrepl
#cat /tmp/samba_ldapcmp_checkdb | ${SET_MAILTOOL} -s "SAMBA CHECK DB : ldapcmp results" $EMAIL_REPORT_ADDRESS
${SET_MAILTOOL} -s "SAMBA CHECK DB : ldapcmp results" $EMAIL_REPORT_ADDRESS < /tmp/samba_ldapcmp_checkdb
fi
if [ "${SETREMOVELOG}" = "yes" ]; then
if [ -f /tmp/samba_ldapcmp_checkdb ]; then
rm /tmp/samba_ldapcmp_checkdb
fi
if [ -f /tmp/samba_drs_showrepl ]; then
rm /tmp/samba_drs_showrepl
fi
fi