Winbind Shell Script
12-09-2018
Language or Platform: Other
Code:
#!/bin/bash
######################################################################
# Author: Josh M #
# Script that adds Linux Computer to Active Directory using Winbind. #
######################################################################
echo ''
echo 'Before starting, make sure you have the IP address of your domain controllers.'
read -n 1 -s -r -p "Press any key to continue."
# Download needed packages
# In Ubuntu Server 18.04.1, you may need to add the multiverse repo with:
apt-add-repository multiverse && sudo apt-get update
apt-get -y install ntpdate winbind libnss-winbind libpam-winbind krb5-config krb5-locales krb5-user ntp vim samba
echo 'Adding line to /etc/ntp.conf'
echo ' '
echo 'Type in your domain name: (example.local)'
read DOMAIN
echo ' '
echo 'Type the domain controller fully qualified domain name: '
read DC
echo 'Type the domain controller IP address: '
read DCIP
# Remove extension from domain name
RMEXT=${DOMAIN%.*}
# Change domain name to all caps with extension removed
RMEXTCAPS=${RMEXT^^}
# Change complete domain to all caps
DOMAINCAPS=${DOMAIN^^}
# Remove extension from domain controller 1 name
RMEXTDC1=${DC%.*}
SHORTDC1=${RMEXTDC1%.*}
read -p 'Do you have a second domain controller? ' -n 1 -r
echo # (optional) move to a new line
if [[ $REPLY =~ ^[Yy]$ ]]
then
echo 'Type the FQDN for the second domain controller: '
read DC2
echo 'Type the second domain controller IP address: '
read DC2IP
fi
# Remove extension from domain controller 1 name
RMEXTDC2=${DC2%.*}
SHORTDC2=${RMEXTDC2%.*}
echo ' '
echo 'Do you want to automatically update /etc/resolv.conf and /etc/hosts?'
read -p 'If not done already, you will need to update these files before running the rest of this script. ' -n 1 -r
echo # (optional) move to a new line
if [[ $REPLY =~ ^[Yy]$ ]]
then
##########################################
######### Update /etc/resolv.conf ####
# comment out /etc/resolv.conf and add new lines
cp /etc/resolv.conf /etc/resolv.conf.tmp
sed 's/^/#/' /etc/resolv.conf.tmp > /etc/resolv.conf
rm /etc/resolv.conf.tmp
resolv=""
resolv+="nameserver $DCIP \n"
resolv+="search $DOMAIN \n"
echo -e "\n$resolv" >> /etc/resolv.conf # -e allows the new line
# Check if domain controller 2 variable is empty
if [ -z "$DC2" ]
then
#echo "\$DC2 is empty."
echo ' '
else
# If available, add domain controller 2 below primary domain controller in /etc/resolv.conf
sed -i 'nameserver '$DCIP'/a \
nameserver '$DC2IP /etc/resolv.conf
fi
##########################################
### Update /etc/hosts ################
hosts="\n$DCIP $SHORTDC1 $DC"
echo -e "$hosts" >> /etc/hosts # -e allows the new line
# Check if domain controller 2 variable is empty
if [ -z "$DC2" ]
then
#echo "\$DC2 is empty."
echo ' '
else
# If available, add domain controller 2 below primary domain controller in /etc/hosts
hosts2="$DC2IP $SHORTDC2 $DC2"
echo -e "$hosts2" >> /etc/hosts
fi
fi
echo ' '
echo 'Files updated.'
##########################################
######### Update /etc/krb5.conf ######
cp /etc/krb5.conf /etc/krb5.original
truncate -s0 /etc/krb5.conf
text=""
text+="[libdefaults] \n"
text+="ticket_lifetime = 24000 \n"
text+="default_realm = $DOMAINCAPS \n"
text+="default_tgs_enctypes = rc4-hmac des-cbc-md5 \n"
text+="default_tkt_enctypes = rc4-hmac des-cbc-md5 \n"
text+="permitted_enctypes = rc4-hmac des-cbc-md5 \n"
text+="dns_lookup_realm = true \n"
text+="dns_lookup_kdc = true \n"
text+="dns_fallback = yes \n"
text+=" \n"
text+="[realms] \n"
text+="$DOMAINCAPS = { \n"
text+=" kdc = $DC \n"
text+=" default_domain = $DOMAIN \n"
text+="} \n"
text+=" \n"
text+="[domain_realm] \n"
text+=".$DOMAIN = $DOMAINCAPS \n"
text+="$DOMAIN = $DOMAINCAPS \n"
text+=" \n"
text+="[appdefaults] \n"
text+="pam = { \n"
text+=" debug = false \n"
text+=" ticket_lifetime = 36000 \n"
text+=" renew_lifetime = 36000 \n"
text+=" forwardable = true \n"
text+=" krb4_convert = false \n"
text+="} \n"
text+=" \n"
text+="[logging] \n"
text+="default = FILE:/var/log/krb5libs.log \n"
text+="kdc = FILE:/var/log/krb5kdc.log \n"
text+="admin_server = FILE:/var/log/kadmind.log \n"
echo -en $text >> /etc/krb5.conf
# Check if domain controller 2 variable is empty
if [ -z "$DC2" ]
then
echo "\$DC2 is empty."
else
# If available, add domain controller 2 below primary domain controller in /etc/krb5.conf
sed -i '/kdc = '$DC'/a \
kdc = '$DC2 /etc/krb5.conf
fi
##########################################
######### Update /etc/ntp.conf #######
# Add line 'pool DC' above other pool lines in /etc/ntp.conf
sed -i '/pool 0/i \
pool '$DC /etc/ntp.conf
# Check if domain controller 2 variable is empty
if [ -z "$DC2" ]
then
echo "\$DC2 is empty."
else
# If available, add domain controller 2 below primary domain controller in /etc/ntp.conf
sed -i 'pool '$DC2'/a \
pool '$DC2 /etc/ntp.conf
fi
service ntp restart
echo ' '
echo 'NTP service restarted.'
echo 'We will now try to create a token for a user in Active Directory.'
echo 'Type in your domain user name: '
read USERNAME
##########################################
######### Join User to Domain ########
kinit $USERNAME
##########################################
######### Update /etc/samba/smb.conf #
smb=""
smb+="workgroup = $RMEXTCAPS \n"
smb+=" client signing = yes \n"
smb+=" client use spnego = yes \n"
smb+=" kerberos method = secrets and keytab \n"
smb+=" realm = $DOMAINCAPS \n"
smb+=" security = ads \n"
smb+=" # Added for Windows A.D. access using Windbind \n"
smb+=" \n"
smb+=" idmap config *:range = 5000-100000 \n"
smb+=" \n"
smb+=" winbind allow trusted domains = no \n"
smb+=" winbind trusted domains only = no \n"
smb+=" winbind use default domain = yes \n"
smb+=" winbind enum users = yes \n"
smb+=" winbind enum groups = yes \n"
smb+=" winbind refresh tickets = yes \n"
smb+=" \n"
smb+=" template shell = \\/bin\\/bash"
# search for workgroup line in smb.conf and replace with below:
sed -i "s/workgroup = WORKGROUP/$smb/g" /etc/samba/smb.conf
#########################################
######### Update /etc/nsswitch.conf #
# comment out /etc/nsswitch.conf and add new lines
cp /etc/nsswitch.conf /etc/nsswitch.conf.tmp
sed 's/^/#/' /etc/nsswitch.conf.tmp > /etc/nsswitch.conf
rm /etc/nsswitch.conf.tmp
krbtext=""
krbtext+="passwd: compat winbind \n"
krbtext+="group: compat winbind \n"
krbtext+="shadow: compat \n"
krbtext+="gshadow: files \n"
echo -e "\n$krbtext" >> /etc/nsswitch.conf # -e allows the new line
sudo service smbd restart
sudo service nmbd restart
sudo service winbind restart
echo ' '
echo 'You can now join computer to domain. First exit out of current terminal.'
echo 'Log in to new terminal and type this command: '
echo ' '
echo 'sudo net ads join –k'
#or you could do something like:
#sudo net ads join -U user@DOMAIN.LOCAL
# Troubleshooting - If you get this error, you may already be addeded to the domain:
#Failed to join domain: Failed to set machine spn: Constraint violation
#Do you have sufficient permissions to create machine accounts?
echo ' '
read -p 'Press Enter to exit.' -n 1 -r