SSSD Shell Script

12-09-2018


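#!/bin/bash

###################################################################
# Author: Vepr                                                    #
# Script that adds Linux Computer to Active Directory using SSSD. #
#                                                                 #
# Filename: sssd-script.sh                                        #
#                                                                 #
# Usage:                                                          #
# $ chmod 755 sssd-script.sh                                      #
# $ sudo ./sssd-script.sh                                         #
#                                                                 #
# Must run as root. It installs samba/krb5-user/sssd/chrony and   #
# rewrites /etc/resolv.conf, /etc/hosts, /etc/krb5.conf,          #
# /etc/chrony/chrony.conf, /etc/sssd/sssd.conf,                   #
# /etc/samba/smb.conf and /etc/nsswitch.conf. The first run keeps #
# a copy of every file it rewrites as <file>.original.            #
###################################################################

# Stop on the first failed command, on unset variables and on a failed
# pipeline stage. Every optional value (second DC) is initialised so -u
# never trips when that prompt is skipped.
set -euo pipefail

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Ask a yes/no question on one keypress.
# Arguments: $1 - prompt text
# Returns:   0 when the reply starts with y/Y, 1 otherwise
#######################################
ask_yes_no() {
  local reply
  read -r -n 1 -p "$1 " reply
  printf '\n'
  [[ "$reply" =~ ^[Yy]$ ]]
}

#######################################
# Reject values that are not plausible host/domain names. The values are
# interpolated into sed expressions and config files below, so anything
# outside [A-Za-z0-9.-] is refused instead of being passed through.
# Arguments: $1 - label for the error message, $2 - value
#######################################
require_name() {
  [[ "$2" =~ ^[A-Za-z0-9.-]+$ ]] || die "$1 '$2' is not a valid host or domain name"
}

#######################################
# Reject values that are not plausible IPv4/IPv6 literals.
# Arguments: $1 - label for the error message, $2 - value
#######################################
require_ip() {
  [[ "$2" =~ ^[0-9A-Fa-f.:]+$ ]] || die "$1 '$2' is not a valid IP address"
}

#######################################
# Keep a one-time backup of a file before it is rewritten. Only the first
# run copies, so a re-run does not replace the pristine copy with our own
# output.
# Arguments: $1 - path
#######################################
backup_once() {
  local file=$1
  [[ -e "$file" ]] || return 0
  [[ -e "${file}.original" ]] || cp -p -- "$file" "${file}.original"
}

#######################################
# Replace a file's contents with a commented-out copy of its backup.
# Writes through the existing path (and therefore through a symlink),
# like the original cp/sed/rm sequence did.
# Arguments: $1 - path
#######################################
comment_out_file() {
  local file=$1
  backup_once "$file"
  if [[ -e "${file}.original" ]]; then
    sed 's/^/#/' -- "${file}.original" > "$file"
  else
    : > "$file"
  fi
}

#######################################
# Install the packages the join needs.
# Ubuntu Server 18.04.1 keeps some of them in multiverse; the krb5-user
# postinst shows a debconf (blue) dialog that can be skipped through.
#######################################
install_packages() {
  apt-add-repository multiverse
  apt-get update
  apt-get -y install samba krb5-user sssd chrony
}

#######################################
# Prompt for the domain, the first DC and optionally a second DC.
# Globals (written): DOMAIN, DC, DCIP, DC2, DC2IP,
#   REMOVE_EXTENSION_CAPS (workgroup), COMPLETE_DOMAIN_CAPS (realm),
#   SHORT_DC1, SHORT_DC2 (host part of each DC name)
#######################################
gather_input() {
  printf 'Type in your domain name: (example.local)\n'
  read -r DOMAIN
  require_name 'domain name' "$DOMAIN"
  printf '\nType the fully qualified domain name for the domain controller: \n'
  read -r DC
  require_name 'domain controller name' "$DC"
  printf 'Type the domain controller IP address: \n'
  read -r DCIP
  require_ip 'domain controller IP' "$DCIP"

  # "example.local" -> "EXAMPLE" (Samba workgroup) and "EXAMPLE.LOCAL"
  # (Kerberos realm / sssd domain).
  local without_extension=${DOMAIN%.*}
  REMOVE_EXTENSION_CAPS=${without_extension^^}
  COMPLETE_DOMAIN_CAPS=${DOMAIN^^}
  # Host part only: "dc1.example.local" -> "dc1", used as the /etc/hosts alias.
  SHORT_DC1=${DC%%.*}

  DC2='' DC2IP='' SHORT_DC2=''
  if ask_yes_no 'Do you have a second domain controller?'; then
    printf 'Type the fully qualified domain name for the second domain controller: \n'
    read -r DC2
    require_name 'second domain controller name' "$DC2"
    printf 'Type the second domain controller IP address: \n'
    read -r DC2IP
    require_ip 'second domain controller IP' "$DC2IP"
    SHORT_DC2=${DC2%%.*}
  fi
}

#######################################
# Point /etc/resolv.conf at the DC(s) and add them to /etc/hosts.
# NOTE: on hosts running systemd-resolved (the Ubuntu 18.04 default)
# /etc/resolv.conf is a symlink into /run and may be regenerated; DNS
# should then be set in netplan / systemd-resolved instead.
# Globals (read): DCIP, DC2IP, DOMAIN, DC, DC2, SHORT_DC1, SHORT_DC2
#######################################
update_resolv_and_hosts() {
  comment_out_file /etc/resolv.conf
  {
    printf '\nnameserver %s\n' "$DCIP"
    if [[ -n "$DC2IP" ]]; then
      printf 'nameserver %s\n' "$DC2IP"
    fi
    printf 'search %s\n' "$DOMAIN"
  } >> /etc/resolv.conf

  backup_once /etc/hosts
  {
    printf '\n%s    %s   %s\n' "$DCIP" "$SHORT_DC1" "$DC"
    if [[ -n "$DC2" ]]; then
      printf '%s    %s    %s\n' "$DC2IP" "$SHORT_DC2" "$DC2"
    fi
  } >> /etc/hosts

  printf '\nFiles updated.\n'
}

#######################################
# Write a fresh /etc/krb5.conf for the realm (old file kept as backup).
# Enctypes: AES first, rc4-hmac kept for older DCs. des-cbc-md5 is not
# listed: MIT krb5 ignores single-DES unless allow_weak_crypto is set.
# Globals (read): COMPLETE_DOMAIN_CAPS, DOMAIN, DC, DC2
#######################################
write_krb5_conf() {
  backup_once /etc/krb5.conf
  # Second kdc line (with its own newline) or nothing; it is placed
  # directly before default_domain inside the [realms] block.
  local kdc2_line=''
  if [[ -n "$DC2" ]]; then
    kdc2_line="  kdc = ${DC2}"$'\n'
  fi
  cat > /etc/krb5.conf <<EOF
[libdefaults]
ticket_lifetime = 24000
default_realm = ${COMPLETE_DOMAIN_CAPS}
default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
dns_lookup_realm = true
dns_lookup_kdc = true
dns_fallback = yes

[realms]
${COMPLETE_DOMAIN_CAPS} = {
  kdc = ${DC}
${kdc2_line}  default_domain = ${DOMAIN}
}

[domain_realm]
.${DOMAIN} = ${COMPLETE_DOMAIN_CAPS}
${DOMAIN} = ${COMPLETE_DOMAIN_CAPS}

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
EOF
}

#######################################
# Put 'pool <DC>' (and 'pool <DC2>') once, directly above the first
# distribution 'pool ntp...' line of chrony.conf. The original inserted
# before every matching line, duplicating the entry.
# Globals (read): DC, DC2
#######################################
update_chrony() {
  local conf=/etc/chrony/chrony.conf
  [[ -f "$conf" ]] || die "${conf} not found"
  backup_once "$conf"
  # Literal \n sequences; expanded by GNU sed (replacement) or printf %b.
  local lines="pool ${DC}"
  if [[ -n "$DC2" ]]; then
    lines+="\npool ${DC2}"
  fi
  if grep -q 'pool ntp' "$conf"; then
    # 0,/re/ limits the substitution to the first matching line; & re-emits it.
    sed -i "0,/pool ntp/s//${lines}\\n&/" "$conf"
  else
    printf '%b\n' "$lines" >> "$conf"
  fi
}

#######################################
# Obtain a Kerberos ticket for a domain user. This proves krb5.conf and
# DNS work, and the ticket is what 'net ads join -k' uses afterwards.
#######################################
get_ticket() {
  printf 'We will now try to create a token for a user in Active Directory.\n'
  printf 'Type in your domain user name: \n'
  local username
  read -r username
  [[ -n "$username" ]] || die 'a domain user name is required'
  kinit "$username" || die "kinit failed for ${username}; check /etc/krb5.conf and DNS"
}

#######################################
# Write /etc/sssd/sssd.conf. sssd refuses to start unless the file is
# owned by root with mode 0600, so that is set explicitly (truncate on a
# fresh install left it at the umask default).
# Globals (read): COMPLETE_DOMAIN_CAPS
#######################################
write_sssd_conf() {
  mkdir -p /etc/sssd
  backup_once /etc/sssd/sssd.conf
  cat > /etc/sssd/sssd.conf <<EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = ${COMPLETE_DOMAIN_CAPS}

[domain/${COMPLETE_DOMAIN_CAPS}]
id_provider = ad
access_provider = ad

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as \$HOME.  Use with pam_mkhomedir.so
override_homedir = /home/%d/%u

# Uncomment if the client machine hostname doesn't match the computer object on the DC.
# ad_hostname = mymachine.myubuntu.example.com

# Uncomment if DNS SRV resolution is not working
# ad_server = dc.mydomain.example.com

# Uncomment if the AD domain is named differently than the Samba domain
# ad_domain = MYUBUNTU.EXAMPLE.COM

# Enumeration is discouraged for performance reasons.
# enumerate = true
EOF
  chown root:root /etc/sssd/sssd.conf
  chmod 0600 /etc/sssd/sssd.conf
}

#######################################
# Replace the stock 'workgroup = WORKGROUP' line in smb.conf with the AD
# member settings 'net ads join' needs. Warns (and leaves the file alone)
# when the stock line is not present.
# Globals (read): REMOVE_EXTENSION_CAPS, COMPLETE_DOMAIN_CAPS
#######################################
update_smb_conf() {
  local conf=/etc/samba/smb.conf
  backup_once "$conf"
  if ! grep -q 'workgroup = WORKGROUP' "$conf"; then
    printf "warning: 'workgroup = WORKGROUP' not found in %s; edit it by hand\\n" "$conf" >&2
    return 0
  fi
  # Literal \n sequences are expanded by GNU sed in the replacement; the
  # '|' delimiter means /bin/bash needs no escaping.
  local block="workgroup = ${REMOVE_EXTENSION_CAPS}"
  block+="\n  client signing = yes"
  block+="\n  client use spnego = yes"
  block+="\n  kerberos method = secrets and keytab"
  block+="\n  realm = ${COMPLETE_DOMAIN_CAPS}"
  block+="\n  security = ads"
  block+="\n  idmap config *:range = 5000-100000"
  block+="\n  template shell = /bin/bash"
  sed -i "s|workgroup = WORKGROUP|${block}|g" "$conf"
}

#######################################
# Comment out the existing /etc/nsswitch.conf and append a map that
# consults sss for passwd/group/netgroup/sudoers.
#######################################
write_nsswitch_conf() {
  comment_out_file /etc/nsswitch.conf
  cat >> /etc/nsswitch.conf <<'EOF'

passwd:         compat sss
group:          compat sss
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis sss
sudoers:        files sss
EOF
}

#######################################
# Restart the affected services so they read the new configuration.
#######################################
restart_services() {
  systemctl restart chrony.service
  systemctl restart smbd.service nmbd.service
  # restart, not start: an sssd already running would otherwise keep its old config
  systemctl restart sssd.service || die "sssd failed to start; see 'journalctl -u sssd'"
}

main() {
  [[ $EUID -eq 0 ]] || die 'run this script as root (sudo ./sssd-script.sh)'

  printf '\n'
  printf 'Before starting, make sure you have the IP address of your domain controllers.\n'
  printf 'When first running this script, a blue menu will appear.  You can skip through this menu.\n'
  printf '\n'
  read -n 1 -s -r -p "Press any key to continue."
  printf '\n'

  install_packages
  gather_input

  printf '\n'
  printf 'If not done already, you will need to update /etc/hosts and possibly /etc/resolv.conf before running the rest of this script. \n'
  printf '\n'
  if ask_yes_no 'Do you want this script to automatically update /etc/hosts and /etc/resolv.conf?'; then
    update_resolv_and_hosts
  fi

  write_krb5_conf
  update_chrony
  get_ticket
  write_sssd_conf
  update_smb_conf
  write_nsswitch_conf
  restart_services

  printf '\n'
  printf 'You can now join computer to domain.  First exit out of current terminal.\n'
  printf 'Log in to new terminal and type this command: \n'
  printf '\n'
  # Plain ASCII hyphen: the original text carried an en dash, which net does not accept.
  printf 'sudo net ads join -k\n'
  printf '\n'
  printf '(Type it.  Do not copy and past it.)\n'
  #or you could do something like:
  #sudo net ads join -U user@DOMAIN.LOCAL

  # Troubleshooting - If you get this error, you may already be added to the domain:

  #Failed to join domain: Failed to set machine spn: Constraint violation
  #Do you have sufficient permissions to create machine accounts?

  printf '\n'
  read -r -n 1 -p 'Press Enter to exit.'
}

main "$@"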
