#!/bin/sh

. /etc/sysconfig/system
. /bin/shell-ini-config
. /bin/shell-var

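# Only the domain master does the NT-domain Samba setup; everything else is a no-op.
[ "$SERVER_ROLE" = "master" ] || exit 0

# Set workgroup: derive the NetBIOS workgroup from the second space-separated
# field of `system-auth status` (presumably the LDAP base DN): drop "dc=",
# turn "," into ".", upper-case (GNU sed \U) and cut to the 15-char NetBIOS limit.
workgroup="$(system-auth status | cut -f2 -d' ' | sed -e 's/dc=//g;s/,/./g;s/\(.*\)/\U\1/' | cut -c -15)"
# An empty result would otherwise be written verbatim as `workgroup =` into
# smb.conf; stop here instead of configuring a PDC with no workgroup.
if [ -z "$workgroup" ]; then
    echo "Cannot determine workgroup from \"system-auth status\"" >&2
    exit 1
fi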

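# TODO Set configuration of smb.conf to support NT domain
echo "** Adapt smb.conf for NT domain support"

ini="/etc/samba/smb.conf"
# Fail early instead of running every ini_config_set below against a file
# we cannot modify; diagnostics go to stderr.
if [ ! -w "$ini" ]; then
    echo "File \"$ini\" is not available for write" >&2
    exit 1
fi

# [global]: act as local/preferred/domain master and serve domain logons
# for the workgroup computed above.
ini_config_set "$ini" global 'workgroup' "$workgroup"
ini_config_set "$ini" global 'local master' 'yes'
ini_config_set "$ini" global 'preferred master' 'yes'
ini_config_set "$ini" global 'domain master' 'yes'
ini_config_set "$ini" global 'domain logons' 'yes'
# Account-management hooks: Samba hands user/group/machine changes to the
# ldap-* tools; %u/%g are substituted by smbd, so keep them single-quoted here.
ini_config_set "$ini" global 'add user script' '/usr/sbin/ldap-useradd "%u"'
ini_config_set "$ini" global 'delete user script' '/usr/sbin/ldap-userdel "%u"'
ini_config_set "$ini" global 'add group script' '/usr/sbin/ldap-groupadd "%g"'
ini_config_set "$ini" global 'delete group script' '/usr/sbin/ldap-groupdel "%g"'
ini_config_set "$ini" global 'add user to group script' '/usr/sbin/ldap-groupmod -m "%u" "%g"'
ini_config_set "$ini" global 'delete user from group script' '/usr/sbin/ldap-groupmod -x "%u" "%g"'
ini_config_set "$ini" global 'set primary group script' '/usr/sbin/ldap-usermod -g "%g" "%u"'
ini_config_set "$ini" global 'add machine script' '/usr/sbin/ldap-useradd -w -i "%u"'
ini_config_set "$ini" global 'ldap machine suffix' 'ou=Computers'
ini_config_set "$ini" global 'encrypt passwords' 'yes'
# Keep LDAP entries when Samba removes its own attributes from them.
ini_config_set "$ini" global 'ldap delete dn' 'no'
ini_config_set "$ini" global 'logon script' 'netlogon.bat'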

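# Add netlogon share: create the section header once, the keys are set below.
# printf instead of `echo -e`: this script runs under /bin/sh, where echo's
# -e and backslash handling are not portable (dash prints "-e" literally).
grep -q '^\[netlogon\]' "$ini" || printf '[netlogon]\ncomment=\n' >> "$ini"

# Read-only, guest-readable, hidden share that serves the logon script.
ini_config_set "$ini" netlogon 'comment' 'Network Logon Service'
ini_config_set "$ini" netlogon 'path' '/etc/samba/netlogon'
ini_config_set "$ini" netlogon 'guest ok' 'yes'
ini_config_set "$ini" netlogon 'writable' 'no'
ini_config_set "$ini" netlogon 'browseable' 'no'

mkdir -p /etc/samba/netlogon
# Logon script for Windows clients: map S: to \\<short hostname>\share, with
# CRLF line ending. printf (not echo) so the backslashes survive under dash;
# the host name goes through %s so it is never parsed as part of the format.
printf 'net use s: \\\\%s\\share\r\n' "$(hostname -s)" > /etc/samba/netlogon/netlogon.bat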

echo "Samba workgroup: $workgroup"

# Restart Samba services and enable them if needed: when shell_var_is_no
# reports AUTO_ENABLE_SAMBA as "no", only services that already run are
# restarted; otherwise both are restarted and switched on at boot.
# NOTE(review): in the condrestart branch nothing starts smbd if it was not
# running, and the `net rpc` step below needs a running smbd -- verify this
# is the intended behaviour for that setting.
if shell_var_is_no "${AUTO_ENABLE_SAMBA-}"; then
	echo "** Restart Samba services"
	for svc in smb nmb; do
		service "$svc" condrestart >/dev/null
	done
else
	echo "** Enable Samba services and restart them"
	for svc in smb nmb; do
		service "$svc" restart >/dev/null
	done
	for svc in smb nmb; do
		chkconfig "$svc" on
	done
fi

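# Create administrator account with uidNumber 0.
# This is a throwaway account that is made root-equivalent (uidNumber 0) in
# LDAP only so that `net rpc rights grant` can run as it; it must not outlive
# this script, so its removal is also hooked on EXIT and on signals.
admin_name="nt_domain_administrator"
admin_password="$(pwqgen)"
# Never continue with an empty password: the account would otherwise be a
# uid-0 login with no password until the script gets to delete it.
if [ -z "$admin_password" ]; then
    echo "pwqgen did not produce a password, refusing to create \"$admin_name\"" >&2
    exit 1
fi

echo "** Create domain administrator account \"$admin_name\""
admin_uid="$(ldap-getent passwd "$admin_name" uidNumber)"
[ -z "$admin_uid" ] && ldap-useradd "$admin_name"

# Remove the account on any exit path from here on (normal end, error,
# HUP/INT/TERM), so an aborted run does not leave a uid-0 account behind.
remove_admin() {
	ldap-userdel -r "$admin_name"
}
trap 'remove_admin; trap - EXIT; exit 1' HUP INT TERM
trap remove_admin EXIT

# NOTE: ldap-passwd takes the password on argv, so it is briefly visible in
# the process list; the tool offers no other channel here.
ldap-passwd "$admin_name" "$admin_password"
echo "uidNumber:0" | ldap-usermod replace "$admin_name"

# Create system groups
echo "** Create domain groups:"
ldap-groupadd "admins"
ldap-groupadd "users" 100

# Set privileges: map the well-known Domain Admins/Domain Users RIDs to the
# LDAP groups, then grant the operator privileges to Domain Admins.
echo "** Set privileges"
net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=admins
net groupmap add rid=513 ntgroup="Domain Users" unixgroup=users

# The password travels in -U user%pass and is visible in `ps` for the
# duration of this call; tolerable only because the account is deleted
# right after. A failed grant is reported instead of being silently lost
# behind the final "Done.".
if ! net rpc rights grant "Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege \
	SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege \
	-U"$admin_name%$admin_password"; then
	echo "Failed to grant privileges to \"Domain Admins\" as \"$admin_name\"" >&2
fi

# Delete administrator account (explicitly on the success path, then drop
# the traps so it is not attempted twice).
echo "** Delete domain administrator account \"$admin_name\". Put administrators to group \"admins\""
remove_admin
trap - EXIT HUP INT TERM

echo "** Done."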

