#!/usr/bin/env bash
#
#   Script name: ubdomain-server
#   Description: Script for configuring a domain controller (Samba AD DC; the freeipa type is not implemented yet)
#   GitLab: https://gitea.ublinux.ru/
#   Author: Dmitry Razumov asmeron@ublinux.ru
#   Contributors: asmeron@ublinux.ru
#
#   Copyright (c) 2021-2023 UBLinux Development Team <support@ublinux.ru>
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program.  If not, see <http://www.gnu.org/licenses/>.

# Version reported by --version and in the usage header.
VERSION_SCRIPT=1.1

# errexit is left disabled (commented out): the functions below report failing
# commands through prompt -w and carry on rather than aborting the whole run.
#set -o errexit

#################################
###   :::   C O L O R S   :::   #
#################################
set_color(){
    # Export the colour escape sequences used by prompt().
    # BBC/RBC/WBC/EC hold a real ESC byte ($'\e'); every other name holds the
    # literal text "\033[...]" and only renders through `echo -e`.
    #http://abload.de/img/bash-color-chartmxjbp.png
    local esc=$'\e'
    export BBC="${esc}[1;34m"   # bold blue
    export RBC="${esc}[1;31m"   # bold red
    export WBC="${esc}[1m"      # bold
    export EC="${esc}[0m"       # reset

    local pfx='\033['
    # regular foreground
    export txtblk="${pfx}0;30m" # Black
    export txtred="${pfx}0;31m" # Red			# prompt: error color
    export txtgrn="${pfx}0;32m" # Green			# prompt: success color
    export txtylw="${pfx}0;33m" # Yellow		# prompt: warning color
    export txtblu="${pfx}0;34m" # Blue
    export txtpur="${pfx}0;35m" # Purple
    export txtcyn="${pfx}0;36m" # Cyan			# prompt: info color
    export txtwht="${pfx}0;37m" # White
    # bold foreground
    export bldblk="${pfx}1;30m" # Black
    export bldred="${pfx}1;31m" # Red			# prompt: bold error color
    export bldgrn="${pfx}1;32m" # Green			# prompt: bold success color
    export bldylw="${pfx}1;33m" # Yellow		# prompt: bold warning color
    export bldblu="${pfx}1;34m" # Blue
    export bldpur="${pfx}1;35m" # Purple
    export bldcyn="${pfx}1;36m" # Cyan			# prompt: bold info color
    export bldwht="${pfx}1;37m" # White			# prompt: bold default color
    # underline
    export undblk="${pfx}4;30m" # Black
    export undred="${pfx}4;31m" # Red
    # background (the name "badgrn" is kept as-is: it is the existing exported name)
    export bakblk="${pfx}40m"   # Black
    export bakred="${pfx}41m"   # Red
    export badgrn="${pfx}42m"   # Green

    export txtrst="${pfx}0m"    # Text Reset		# prompt: default color
}


#######################################
###   :::   F U N C T I O N S   :::   #
#######################################

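check_root(){
    # Succeed silently when running as root.  Otherwise warn: -w/--warning
    # returns 1 so the caller can decide; -wq/--warning-quit, -qw (the spelling
    # main uses) and the bare form exit 1.  Remaining args are appended to the
    # message.  The exit is done here as well as inside prompt, so --quiet can
    # never downgrade a fatal root check into a no-op.
    local uid=${EUID:-$(id -u)}
    (( uid > 0 )) || return 0
    local flag=$1
    case ${flag} in
	-w  | --warning)            shift; prompt -w "Please run as root! $*"; return 1 ;;
	-wq | --warning-quit | -qw) shift; prompt -wq "Please run as root! $*" ;;
	*)                          prompt -wq "Please run as root!" ;;
    esac
    exit 1
}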

# Check command availability
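# Check command availability: 0 if $1 resolves to a builtin/function/executable.
# $1 is quoted so an empty name is "not found" instead of an empty `command -v`.
has_command(){ command -v "$1" > /dev/null 2>&1; }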

# echo like ... with flag type and display message colors
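# echo-like message helper.  $1 selects the class: -s/-e/-w/-i (or the long
# forms) print a success/error/warning/info line; the "-xq" / "--x-quit"
# variants additionally `exit 1` after printing.  Anything else is printed as-is.
# Output goes through `echo -e` so the set_color escapes render.
# With QUIET set nothing is printed, but the quit variants STILL exit: before,
# the early `return` on QUIET skipped the exit too, so `-q` let the script run
# on past a failed root check or a missing command.
prompt(){
    local colour= label= quit=
    case ${1} in
	-s  | --success)      colour=${bldgrn} ;;
	-sq | --success-quit) colour=${bldgrn}; quit=1 ;;
	-e  | --error)        colour=${bldred}; label="ERROR:" ;;
	-eq | --error-quit)   colour=${bldred}; label="ERROR:"; quit=1 ;;
	-w  | --warning)      colour=${bldylw}; label="WARNING:${bldwht}" ;;
	-wq | --warning-quit) colour=${bldylw}; label="WARNING:${bldwht}"; quit=1 ;;
	-i  | --info)         colour=${bldcyn}; label="INFO:${txtcyn}" ;;
	-iq | --info-quit)    colour=${bldcyn}; label="INFO:${txtcyn}"; quit=1 ;;
	*)  [[ -n ${QUIET} ]] || echo -e "$@"; return 0 ;;
    esac
    shift
    [[ -n ${QUIET} ]] || echo -e "${colour}${label} $*${txtrst}"
    [[ -z ${quit} ]] || exit 1
    return 0
}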


usage(){
    # Print the help text (name/version header, commands, options, examples) and exit 0.
    # NOTE: --adminpass takes the Administrator password on the command line, where
    # it is visible to other local users in the process list and lands in shell history.
    printf '%s  version: %s\n' "${0##*/}" "${VERSION_SCRIPT}"
    cat <<EOF
Domain Creation Assistant

Usage:  ${0##*/} {COMMAND} [OPTIONS...] ...
	${0##*/} list
	${0##*/} discover [--domain DOMAIN]
	${0##*/} create   [--type=<TYPE>] [--realm=<REALM>] [--domain=<DOMAIN>] [--dns-backend=<TYPE>] [--adminpass=<PASSWORD>]
	${0##*/} destroy  [--type=<TYPE>]

Commands:
  list			Показать настроенный контроллер домена
  discover              Обнаружить домен
  create 		Развернуть и настроить домен
  destroy 		Восстановить конфигурацию по умолчанию
Meta Commands:
  help          	Show this help

Options:
  -t, --type=<TYPE>	Тип разворачиваемого контроллера домена
  * samba		Контроллер домена Samba DC
    freeipa		Контроллер домена FreeIPA
  -q, --quiet		Quiet mode
  -h, --help		Show this help
  -V, --version		Show package version
  
Options for 'discover':
  -d, --domain=<DOMAIN>	Доменное имя NetBIOS (рабочая группа). 
  
Options for 'create --type=samba':
  -r, --realm=<REALM>	Область Kerberos и зона AD DNS. Например: mydomain.dc.com
			Если не задано, то вычисляем от имени хоста.
  -d, --domain=<DOMAIN>	Доменное имя NetBIOS (рабочая группа). Это может быть что угодно, 
			но это должно быть одно слово длиной не более 15 символов и не содержащее точки. 
			Рекомендуется использовать первую часть домена AD DNS. Например: mydomain
			Если не задано, то вычисляем от --realm=<REALM>
  -b, --dns-backend=<TYPE>
			Серверная часть DNS, первичный контроллер домена должен быть настроен на DNS	
    internal		Встроенный DNS 
    bind		Внешний DNS BIND
  -f, --dns-forwarder=<IP_ADDRESS>
			Адрес внешнего DNS для перенаправления запросов, если не найдена во встроенном хранилище
  -p, --adminpass=<PASSWORD>	
			Пароль администратора контроллера домена

Options for 'create --type=freeipa':

Examples:
${0##*/} list
${0##*/} discover
${0##*/} create 
${0##*/} create --type=samba --realm=mydomain.dc.com --domain=mydomain
${0##*/} destroy --type=samba 
EOF
    exit 0
}
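arguments(){
    # Parse the command line into the globals main reads:
    #   COMMAND; SERVER_DOMAIN (key 0 = Kerberos realm) and
    #   SERVER_DOMAIN[type|domain|dns_backend|dns_forwarder|adadmin];
    #   QUIET/QUIET_ARG; READ_STDIN.
    # Leaves via usage (exit 0) or prompt -eq (exit 1) on an unusable command line.
    need_value(){
	# $1 = option name, $2 = its value if present; abort when the value is missing
	# (previously `shift; X=$1` silently stored an empty value).
	[[ $# -ge 2 ]] || prompt -eq "аргумент $1 требует значения"
    }
# Pass 1: normalise -xyz into -x -y -z and --longopt=arg into --longopt arg
    local -a ARGV=() POSITIONAL_ARGS=()
    local END_OF_OPT= arg i
    while (( $# > 0 )); do
	arg=$1; shift
	case "${END_OF_OPT}${arg}" in
	    --)    ARGV+=("$arg"); END_OF_OPT=1 ;;
	    --*=*) ARGV+=("${arg%%=*}" "${arg#*=}") ;;
	    --*)   ARGV+=("$arg") ;;
	    -*)    for (( i=1; i<${#arg}; i++ )); do ARGV+=("-${arg:i:1}"); done ;;
	    *)     ARGV+=("$arg") ;;
	esac
    done
# Pass 2: parse the normalised options
    set -- "${ARGV[@]}"
    END_OF_OPT=
    (( $# > 0 )) || usage
    while (( $# > 0 )); do
	case "${END_OF_OPT}${1}" in
	    list | discover | create | destroy) COMMAND=$1 ;;
	    -t | --type)          need_value "$@"; shift; SERVER_DOMAIN[type]=$1 ;;
#Options for --type=samba:
	    -r | --realm)         need_value "$@"; shift; SERVER_DOMAIN=$1 ;;
	    -d | --domain)        need_value "$@"; shift; SERVER_DOMAIN[domain]=$1 ;;
	    -b | --dns-backend)   need_value "$@"; shift; SERVER_DOMAIN[dns_backend]=$1 ;;
	    -f | --dns-forwarder) need_value "$@"; shift; SERVER_DOMAIN[dns_forwarder]=$1 ;;
	    -p | --adminpass)
		need_value "$@"; shift
		# Stored as "administrator:<base64>".  base64 is obfuscation, not
		# encryption, and main later persists this value with ubconfig; the
		# password is also visible to other local users via ps while this
		# process runs.  -w0 keeps long passwords on a single line.
		SERVER_DOMAIN[adadmin]="administrator:$(base64 -w0 <<< "$1")" ;;
#Options global:
	    -h | --help | help)   usage ;;
	    -q | --quiet)         QUIET=1; QUIET_ARG="-q" ;;
	    -V | --version)       echo "Version: ${VERSION_SCRIPT}"; exit 0 ;;
	    --stdin)              READ_STDIN=1 ;;
	    --)                   END_OF_OPT=1 ;;
	    -*)                   prompt -w "Unrecognized argument, skipped: $1" >&2 ;;
	    *)                    POSITIONAL_ARGS+=("$1") ;;
	esac
	shift
    done
# Restore positional parameters
    set -- "${POSITIONAL_ARGS[@]}"
    [[ -n ${COMMAND} ]] || prompt -eq "отсутствует команда"

    # --type: defaults to samba, lower-cased, must be a known backend.
    if [[ -z ${SERVER_DOMAIN[type]} ]]; then
	prompt -w "аргумент --type= не задан, установлено значение по умолчанию --type=samba"
	SERVER_DOMAIN[type]="samba"
    fi
    SERVER_DOMAIN[type]=${SERVER_DOMAIN[type],,}
    [[ ${SERVER_DOMAIN[type]} == @(samba|freeipa) ]] \
	|| prompt -eq "параметр --type=${SERVER_DOMAIN[type]} не определён"

    # SERVER_DOMAIN (key 0) - the Kerberos realm / AD DNS zone; default is the
    # host's DNS domain, which is unusable when the hostname has no dot.
    [[ -n ${SERVER_DOMAIN} ]] || SERVER_DOMAIN=${HOSTNAME#*.}
    [[ ${SERVER_DOMAIN} != "${HOSTNAME}" ]] \
	|| prompt -eq "аргумент --realm=${SERVER_DOMAIN} не задан или область Kerberos и зона AD DNS не определена"
    SERVER_DOMAIN=${SERVER_DOMAIN^^}

    # SERVER_DOMAIN[domain] - the NetBIOS name (workgroup), default: realm up to the first dot.
    [[ -n ${SERVER_DOMAIN[domain]} ]] || SERVER_DOMAIN[domain]=${SERVER_DOMAIN%%.*}
    [[ ${SERVER_DOMAIN[domain]} != "${SERVER_DOMAIN}" ]] \
	|| prompt -eq "аргумент --domain=${SERVER_DOMAIN[domain]} не задан или доменное имя NetBIOS (рабочая группа) не определено"
    SERVER_DOMAIN[domain]=${SERVER_DOMAIN[domain]^^}
    # Enforce what the help text promises: a single word, at most 15 chars, no dots.
    [[ ${SERVER_DOMAIN[domain]} != *[.[:space:]]* && ${#SERVER_DOMAIN[domain]} -le 15 ]] \
	|| prompt -eq "аргумент --domain=${SERVER_DOMAIN[domain]} должен быть одним словом не длиннее 15 символов и без точек"

    # SECURITY: without --adminpass the domain Administrator gets the well-known
    # default password "ublinux".  A DC provisioned this way is trivially
    # compromisable; always pass --adminpass or change the password right after
    # provisioning.
    if [[ -z ${SERVER_DOMAIN[adadmin]} ]]; then
	prompt -w "аргумент --adminpass= не задан, установлено значение по умолчанию --adminpass=ublinux"
	SERVER_DOMAIN[adadmin]="administrator:$(base64 <<< 'ublinux')"
    fi
    [[ -n ${SERVER_DOMAIN[dns_backend]} ]] || SERVER_DOMAIN[dns_backend]="internal"

    # The forwarder is spliced into a sed replacement by prepare_config, so only
    # accept address characters (IPv4/IPv6 digits, dots, colons; spaces between several).
    local addr_re='^[0-9A-Fa-f.: ]+$'
    [[ -z ${SERVER_DOMAIN[dns_forwarder]} || ${SERVER_DOMAIN[dns_forwarder]} =~ $addr_re ]] \
	|| prompt -eq "аргумент --dns-forwarder=${SERVER_DOMAIN[dns_forwarder]} не является IP-адресом"
}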
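set_authpam(){
    # Apply the authselect profile for SERVER_DOMAIN[type] (winbind for samba,
    # sssd for freeipa) with the feature list from AUTHPAM_OPT, or the matching
    # DEFAULT_AUTHPAM_* list when AUTHPAM_OPT is empty, and record the default
    # list in the system config.  Any other type is a no-op.  authselect
    # failures are reported with prompt -w and are not fatal.
    select_authpam(){
	# $1 = profile, $2 = feature list separated by ',' ';' or spaces.
	[[ -n $1 && -n $2 ]] || return 1
	local profile=$1 features item
	features=$(tr ',;' ' ' <<< "$2")
	# AUTHPAM_CURRENT_PROFILE is kept global and set/unset exactly as before.
	if AUTHPAM_CURRENT_PROFILE=$(authselect current --raw); then
	    AUTHPAM_CURRENT_PROFILE=${AUTHPAM_CURRENT_PROFILE%% *}
	else
	    unset AUTHPAM_CURRENT_PROFILE
	fi
	if [[ ${AUTHPAM_CURRENT_PROFILE} == "${profile}" ]]; then
	    # Our profile is already active: only switch on the requested features.
	    for item in ${features}; do
		authselect enable-feature "${item}" --quiet 2>/dev/null \
		    || prompt -w "Failed authselect enable-feature ${item}"
	    done
	else
	    # No profile, or a different one: select ours with the features.
	    # ${features} is intentionally unquoted - one argument per feature.
	    authselect select "${profile}" ${features} --force --nobackup --quiet 2>/dev/null \
		|| prompt -w "Failed authselect select ${profile} ${features}"
	fi
    }
    [[ -z $1 ]] || SERVER_DOMAIN[type]=$1
    local profile default
    case ${SERVER_DOMAIN[type]} in
	samba)   profile=winbind; default=${DEFAULT_AUTHPAM_WINBIND} ;;
	freeipa) profile=sssd;    default=${DEFAULT_AUTHPAM_SSSD} ;;
	*)       return 0 ;;
    esac
    # Quoted so a space-separated AUTHPAM_OPT reaches select_authpam as one
    # argument (unquoted, only its first word was used).
    select_authpam "${profile}" "${AUTHPAM_OPT:-${default}}"
    # NOTE(review): the default list is recorded even when AUTHPAM_OPT was applied,
    # as before; whether AUTHPAM[...] should track AUTHPAM_OPT depends on how the
    # ubconfig consumers use it - confirm before changing.
    ubconfig -q set system "AUTHPAM[${profile}]=${default}"
}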
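set_dns(){
    # Make DOMAIN[dns] ($1 if given) an IPv4 DNS server on every NetworkManager
    # connection that does not already report it, re-activate those connections
    # and record the address in the network config.  Returns 1 with no address.
    # NOTE: every connection profile is brought up, not just the active one.
    [[ -z $1 ]] || DOMAIN[dns]=$1
    [[ -n ${DOMAIN[dns]} ]] || return 1
    local uuid
    # -F: the address is a literal, not a regex ("127.0.0.1" must not match "127a0b0c1").
    if ! nmcli --get-values ip4.dns device show | grep -qF -- "${DOMAIN[dns]}" 2>/dev/null; then
	while IFS= read -r uuid; do
	    [[ -n ${uuid} ]] || continue
	    nmcli connection modify uuid "${uuid}" +ipv4.dns "${DOMAIN[dns]}" \
		|| prompt -w "Failed assign DNS ${DOMAIN[dns]} to connection uuid ${uuid}"
	    nmcli connection up uuid "${uuid}" \
		|| prompt -w "Failed restart connection uuid ${uuid}"
	done < <(nmcli --get-values uuid connection show)
	# Idempotent; hoisted out of the loop (it used to run once per connection).
	ubconfig -q set network "DOMAIN[dns]=${DOMAIN[dns]}"
    fi
}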
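prepare_config(){
    # Render krb5.conf, krb5.conf.d/01-crypto-policies.conf, smb.conf and smbusers
    # from the templates for the samba domain type ($1 overrides SERVER_DOMAIN[type]).
    # Overwrites the live files under PATH_CONF unconditionally - no backup is taken.
    # Reads SERVER_DOMAIN (realm), SERVER_DOMAIN[domain|dns_backend|dns_forwarder],
    # OS_ONLY_HOSTNAME and the FILE_*/PATH_* globals from main.
    _sed_escape(){
	# Escape a value for use inside a sed "s/.../X/" replacement: \ / and &.
	local s=${1//\\/\\\\}
	s=${s//\//\\/}
	printf '%s' "${s//&/\\&}"
    }
    [[ -z $1 ]] || SERVER_DOMAIN[type]=$1
    case ${SERVER_DOMAIN[type]} in
	samba)   ;;
	freeipa) true; return 0 ;;   # FreeIPA rendering not implemented yet
	*)       return 0 ;;
    esac

    local realm=${SERVER_DOMAIN} realm_lc=${SERVER_DOMAIN,,} host_lc=${OS_ONLY_HOSTNAME,,}
    local krb5_realm krb5_domain_realm
    krb5_realm=$(printf '  %s = {\n    default_domain = %s\n  }' "${realm}" "${realm_lc}")
    krb5_domain_realm=$(printf '  %s = %s' "${host_lc}" "${realm}")

    # /etc/krb5.conf: set default_realm, then append our realm and domain_realm
    # entries right after the [realms] / [domain_realm] headers of the template.
    cp -f -- "${FILE_TEMPLATE_SAMBA_KRB5}" "${FILE_SAMBA_KRB5}"
    sed -i "s/\(default_realm =\).*/\1 $(_sed_escape "${realm}")/" "${FILE_SAMBA_KRB5}"
    sed -i "/\[realms\]/r "<(printf '%s\n' "${krb5_realm}") "${FILE_SAMBA_KRB5}"
    sed -i "/\[domain_realm\]/r "<(printf '%s\n' "${krb5_domain_realm}") "${FILE_SAMBA_KRB5}"
    [[ -d ${PATH_SAMBA_KRB5_SNIPPET} ]] || install -dm0755 "${PATH_SAMBA_KRB5_SNIPPET}"
    [[ -d ${PATH_SAMBA_KRB5_SNIPPET} ]] && cp -f -- "${FILE_TEMPLATE_SAMBA_KRB5_SNIPPET_01}" "${FILE_SAMBA_KRB5_SNIPPET_01}"

    # /etc/samba/smb.conf
    cp -f -- "${FILE_TEMPLATE_SAMBA_SMB}" "${FILE_SAMBA_SMB}"
    # The forwarder only applies to Samba's internal DNS.  The previous test read
    # SERVER_DOMAIN[dns_type] - a key nothing ever sets - so --dns-forwarder was
    # always dropped; the key is dns_backend, and main has already mapped
    # "internal" to "SAMBA_INTERNAL" by the time this runs, so accept both.
    if [[ -n ${SERVER_DOMAIN[dns_forwarder]} && ${SERVER_DOMAIN[dns_backend],,} == @(internal|samba_internal) ]]; then
	sed -i "s/\(dns forwarder =\).*/\1 $(_sed_escape "${SERVER_DOMAIN[dns_forwarder]}")/" "${FILE_SAMBA_SMB}"
    else
	sed -i "/dns forwarder =/d" "${FILE_SAMBA_SMB}"
    fi
    sed -i "s/\(realm =\).*/\1 $(_sed_escape "${realm}")/" "${FILE_SAMBA_SMB}"
    sed -i "s/\(netbios name =\).*/\1 $(_sed_escape "${OS_ONLY_HOSTNAME^^}")/" "${FILE_SAMBA_SMB}"
    sed -i "s/\(workgroup =\).*/\1 $(_sed_escape "${SERVER_DOMAIN[domain]}")/" "${FILE_SAMBA_SMB}"
    sed -i "s:sysvol//scripts:sysvol/$(_sed_escape "${realm_lc}")/scripts:" "${FILE_SAMBA_SMB}"

    # /etc/samba/smbusers
    cp -f -- "${FILE_TEMPLATE_SAMBA_SMBUSERS}" "${FILE_SAMBA_SMBUSERS}"
}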
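discover_domain(){
    # Query AD information by DC name, DC IP and realm - whichever of
    # DOMAIN[server], DOMAIN[server_ip], DOMAIN are set - then fall back to a
    # network-wide `realm discover`.  Informational only: failures are warnings.
    local target
    if [[ -n ${DOMAIN[server]} ]]; then
	target=${DOMAIN[server]}
	prompt -i "request information by domain server name: ${target}"
	adcli info --domain-controller "${target}" 2>/dev/null \
	    || prompt -w "not found information by domain server name: ${target}"
    fi
    if [[ -n ${DOMAIN[server_ip]} ]]; then
	target=${DOMAIN[server_ip]}
	prompt -i "request information by domain server ip: ${target}"
	adcli info --domain-controller "${target}" 2>/dev/null \
	    || prompt -w "not found information by domain server ip: ${target}"
    fi
    if [[ -n ${DOMAIN} ]]; then
	# These two messages previously printed DOMAIN[server] instead of the realm.
	prompt -i "request information by domain realm: ${DOMAIN}"
	adcli info --domain "${DOMAIN}" 2>/dev/null \
	    || prompt -w "not found information by domain realm: ${DOMAIN}"
    fi
    prompt -i "request global search for a domain in the network: ${DOMAIN}"
    # With an empty DOMAIN no argument is passed, so realm searches for the default domain.
    realm discover ${DOMAIN:+"${DOMAIN}"} 2>/dev/null \
	|| prompt -w "global domain not detected, timeout 30 seconds"
}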

###############################
###   :::   M A I N   :::   ###
###############################

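    PKGNAME=${0##*/}
    PATH_WORK=${PWD}
    set_color

    # Load the distribution defaults and the ubconfig-managed settings.  Each file
    # is executed as shell code - with root privileges for create/destroy - so
    # they must be root-owned and not writable by anyone else.  The first file is
    # expected to define SYSCONF; the ${SYSCONF}/... files are skipped when absent
    # (sourced sequentially on purpose: SYSCONF is only known after the first one).
    SOURCE=/usr/lib/ublinux/default; [[ -f ${SOURCE} ]] && . "${SOURCE}" 2>/dev/null
    SOURCE=${SYSCONF}/config;        [[ -f ${SOURCE} ]] && . "${SOURCE}" 2>/dev/null
    SOURCE=${SYSCONF}/system;        [[ -f ${SOURCE} ]] && . "${SOURCE}" 2>/dev/null
    SOURCE=${SYSCONF}/server;        [[ -f ${SOURCE} ]] && . "${SOURCE}" 2>/dev/null
    SOURCE=${SYSCONF}/network;       [[ -f ${SOURCE} ]] && . "${SOURCE}" 2>/dev/null

    # Both arrays must be associative (keys such as [type], [dns]).  Inspect the
    # variable itself: `declare -p | grep "declare -A DOMAIN"` also matched any other
    # variable whose name starts with DOMAIN, leaving DOMAIN undeclared so that
    # DOMAIN[dns]=... became an indexed-array write at index 0.
    [[ $(declare -p SERVER_DOMAIN 2>/dev/null) == "declare -A"* ]] || declare -A SERVER_DOMAIN
    [[ $(declare -p DOMAIN 2>/dev/null) == "declare -A"* ]] || declare -A DOMAIN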

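    # Template sources and the live files they are rendered into.
    PATH_TEMPLATE="/usr/share/ubdomain-server"
    PATH_CONF="/etc"
#PATH_TEMPLATE="."
#PATH_CONF="./etc/"
    FILE_TEMPLATE_SAMBA_KRB5="${PATH_TEMPLATE}/samba-krb5.conf"
    FILE_TEMPLATE_SAMBA_KRB5_SNIPPET_01="${PATH_TEMPLATE}/samba-krb5-01-crypto-policies.conf"
    FILE_TEMPLATE_SAMBA_SMB="${PATH_TEMPLATE}/samba-smb.conf"
    FILE_TEMPLATE_SAMBA_SMBUSERS="${PATH_TEMPLATE}/samba-smbusers"
    FILE_SAMBA_KRB5="${PATH_CONF}/krb5.conf"
    PATH_SAMBA_KRB5_SNIPPET="${PATH_CONF}/krb5.conf.d"
    FILE_SAMBA_KRB5_SNIPPET_01="${PATH_SAMBA_KRB5_SNIPPET}/01-crypto-policies.conf"
    FILE_SAMBA_SMB="${PATH_CONF}/samba/smb.conf"
    FILE_SAMBA_SMBUSERS="${PATH_CONF}/samba/smbusers"

    # authselect feature sets applied by set_authpam when AUTHPAM_OPT is empty.
    DEFAULT_AUTHPAM_MINIMAL=with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple
    DEFAULT_AUTHPAM_NIS=with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple
    DEFAULT_AUTHPAM_SSSD=with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple
    DEFAULT_AUTHPAM_WINBIND=with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple

    # Quoted: an unquoted $@ re-splits arguments that contain spaces (e.g. a password).
    arguments "$@"

    # SERVER_DOMAIN[adadmin] is "user:base64(password)" (from --adminpass, the
    # stored server config, or the "ublinux" default).  base64 is obfuscation,
    # not encryption: whoever can read the server config can recover the
    # Administrator password, so that file must stay root-only.
    ADADMIN=administrator
    ADADMINPASS=
    if [[ -n ${SERVER_DOMAIN[adadmin]} ]]; then
	ADADMIN=${SERVER_DOMAIN[adadmin]%%:*}
	ADADMINPASS=$(base64 -d <<< "${SERVER_DOMAIN[adadmin]##*:}")
    fi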

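    # Distribution name/version for display.  The extra sed on OS_NAME also drops
    # a bare numeric word from the pretty name, as before.
    OS_NAME=$(sed -n 's/^PRETTY_NAME=//p' /usr/lib/os-release 2>/dev/null | sed 's/"//g ; s/ [0-9]* / /')
    OS_VERSION=$(sed -n 's/^VERSION_ID=//p' /usr/lib/os-release 2>/dev/null | sed 's/"//g')
    OS_ONLY_HOSTNAME=${HOSTNAME%%.*}
    # Non-loopback IPv4 addresses of this host, one per line.  ifconfig
    # (net-tools) is frequently absent on current systems, so prefer iproute2 and
    # keep the original ifconfig parsing only as a fallback.
    if command -v ip > /dev/null 2>&1; then
	MYIP=$(ip -4 -o addr show 2>/dev/null | awk '{ sub(/\/.*/, "", $4); if ($4 != "127.0.0.1") print $4 }')
    else
	MYIP=$(ifconfig 2>/dev/null | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p') #'
    fi

    # Placeholder kept from the previous revision: the client-side domain lookup
    # (set_dns/find_domain/get_domain_server) is not wired up in this script.
    if [[ -n ${MYIP} && ${COMMAND} != unconfigure ]]; then
	true
#	[[ -n ${DOMAIN[dns]} ]] && set_dns
#	[[ -n ${DOMAIN} ]] || find_domain
#	[[ -n ${DOMAIN} ]] && get_domain_server
    fi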

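    # Command dispatch.  list/discover are read-only; create/destroy require root.
    if [[ ${COMMAND} == list ]]; then
	nmcli --get-values ip4.dns device show
	samba-tool domain info 127.0.0.1
	wbinfo --ping-dc
	wbinfo -t
	wbinfo -g
	wbinfo -u
	net ads info
	#smbclient -L localhost -Uadministrator
    elif [[ ${COMMAND} == discover ]]; then
	discover_domain
    elif [[ ${COMMAND} == create ]]; then
	# -wq is the quit form check_root recognises; the old -qw fell through to
	# the generic branch, so this message was never shown.
	check_root -wq "domain is not created. Root rights are required."
	if [[ ${SERVER_DOMAIN[type]} == "samba" ]]; then
	    # The member-server services conflict with the AD DC "samba" service:
	    # drop them from the start and enable lists.
	    for SVC in smb nmb winbind krb5kdc slapd bind; do
		ubconfig -q remove config "SERVICESSTART-=,${SVC}"
		ubconfig -q remove system "SERVICES_ENABLE--=${SVC}"
	    done
	    set_dns "127.0.0.1"
	    set_authpam
	    # Map the user-facing backend names onto samba-tool's.
	    case ${SERVER_DOMAIN[dns_backend],,} in
		internal) SERVER_DOMAIN[dns_backend]="SAMBA_INTERNAL" ;;
		bind)     SERVER_DOMAIN[dns_backend]="BIND9_DLZ" ;;
	    esac
	    prepare_config
	    # The Administrator password travels on the command line here, so it is
	    # visible in `ps` to other local users while provisioning runs.  A failed
	    # provision now aborts before the domain is recorded as configured.
	    samba-tool domain provision --server-role=dc --function-level=2008_R2 --use-rfc2307 \
		--dns-backend="${SERVER_DOMAIN[dns_backend]}" --realm="${SERVER_DOMAIN}" \
		--domain="${SERVER_DOMAIN[domain]}" --adminpass="${ADADMINPASS}" \
		|| { prompt -e "samba-tool domain provision failed, configuration not saved"; exit 1; }
	    #Create a reverse zone
	    # samba-tool dns zonecreate ${MYIP} 0.99.10.in-addr.arpa -U Administrator
	    # samba-tool dns add ${MYIP} 0.99.10.in-addr.arpa 1 PTR dc1.samdom.example.com -U Administrator
	    #ubconfig -q set config SERVICESSTART++="samba"
	    ubconfig -q set system "SERVICES_ENABLE++=samba"
	    #ubconfig -q set system SERVICESSTART+=",samba"
	    # Quoted: an unquoted SERVER_DOMAIN[type]=... is a glob and can be
	    # expanded against files in the current directory.
	    ubconfig -q set server "SERVER_DOMAIN=${SERVER_DOMAIN}"
	    ubconfig -q set server "SERVER_DOMAIN[type]=${SERVER_DOMAIN[type]}"
	    # Persists administrator:<base64 password>; base64 is not encryption,
	    # so the server config must remain readable by root only.
	    ubconfig -q set server "SERVER_DOMAIN[adadmin]=${SERVER_DOMAIN[adadmin]}"
	    [[ -z ${SERVER_DOMAIN[dns_backend]} ]] || ubconfig -q set server "SERVER_DOMAIN[dns_backend]=${SERVER_DOMAIN[dns_backend]}"
	    [[ -z ${SERVER_DOMAIN[dns_forwarder]} ]] || ubconfig -q set server "SERVER_DOMAIN[dns_forwarder]=${SERVER_DOMAIN[dns_forwarder]}"
	elif [[ ${SERVER_DOMAIN[type]} == "freeipa" ]]; then
	    true    # FreeIPA provisioning is not implemented yet
	fi
    elif [[ ${COMMAND} == destroy ]]; then
	check_root -wq "domain is not destroyed. Root rights are required."
	if [[ ${SERVER_DOMAIN[type]} == "samba" ]]; then
	    #ubconfig -q set config SERVICESSTART-=",samba"
	    ubconfig -q set system "SERVICES_ENABLE--=samba"
	    for KEY in "" "[type]" "[adadmin]" "[dns_backend]" "[dns_forwarder]"; do
		ubconfig -q remove server "SERVER_DOMAIN${KEY}"
	    done
	    # DESTRUCTIVE and unconfirmed: removes the rendered configs, the whole
	    # directory database (including secrets and keytabs) and sysvol.
	    rm -f -- "${FILE_SAMBA_SMB}" "${FILE_SAMBA_KRB5}" "${FILE_SAMBA_KRB5_SNIPPET_01}" "${FILE_SAMBA_SMBUSERS}"
	    rm -rf -- /var/lib/samba /var/cache/samba
	    mkdir -p /var/lib/samba/sysvol
	elif [[ ${SERVER_DOMAIN[type]} == "freeipa" ]]; then
	    true    # FreeIPA teardown is not implemented yet
	fi
	
#	leave_domain
#        ubconfig -q remove network DOMAIN DOMAIN[server]
#    elif [[ ${COMMAND} == configure && -z ${NOCONFIGURE} ]]; then
#	check_root -wq " the PAM, KRB5, NSS, SSSD is not configured. Root rights are required."
#	[[ ${DOMAIN} != ${IS_CONFIG_DOMAIN} ]] && ubconfig -q set network DOMAIN=${DOMAIN}
#	[[ ${DOMAIN[server]} != ${IS_CONFIG_DOMAIN_SERVER} ]] && ubconfig -q set network DOMAIN[server]=${DOMAIN[server]}
##	ubconfig -q set system AUTHPAM[sssd]=${DEFAULT_AUTHPAM_SSSD}
#	set_authpam
#	prepare_config
#    elif [[ ${COMMAND} == unconfigure && -z ${NOCONFIGURE} ]]; then
#	check_root -wq " the PAM, KRB5, NSS, SSSD is not configured. Root rights are required."
##	ubconfig -q set system AUTHPAM[minimal]=${DEFAULT_AUTHPAM_MINIMAL}
#	[[ -n ${DOMAIN} && ${PARENT} != "ubconfig" ]] && ubconfig -q remove network DOMAIN
#	[[ -n ${DOMAIN[server]} ]] && ubconfig -q remove network DOMAIN[server]
#	unset DOMAIN; unset DOMAIN DOMAIN[server]
#	find /etc/ -maxdepth 1 -type f -name krb5.keytab -delete 2>/dev/null
#	find /etc/sssd/ -type f -name "sssd.conf" -delete 2>/dev/null
#	find /etc/sssd/ -type f -name "*-ubdomain-*.conf" -delete 2>/dev/null
#	PATH_ROOTCOPY=$(find /memory/layer-base/*/ -maxdepth 1 -type d -name "rootcopy" | head -1)
#	[[ -n ${PATH_ROOTCOPY} ]] || PATH_ROOTCOPY="$(find /memory/layer-base/*/ -maxdepth 1 -type f -name "ublinux-data*.sgn" | head -1 | xargs dirname)/rootcopy"
#	if [[ -w ${PATH_ROOTCOPY} ]]; then
#	    find ${PATH_ROOTCOPY}/etc/ -maxdepth 1 -type f -name krb5.conf -delete 2>/dev/null
#	    find ${PATH_ROOTCOPY}/etc/ -maxdepth 1 -type f -name krb5.keytab -delete 2>/dev/null
#	    find ${PATH_ROOTCOPY}/etc/ -maxdepth 1 -type f -name realmd.conf -delete 2>/dev/null
#	    find ${PATH_ROOTCOPY}/etc/sssd/ -type f -name "*.conf" -delete 2>/dev/null
    fi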
