Ubuntu Active Directory
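#!/bin/bash
# Join an Ubuntu / Pop!_OS machine to an Active Directory domain:
# install sssd + Heimdal Kerberos clients + msktutil, write /etc/krb5.conf,
# create the computer account and its keytab in AD, write /etc/sssd/sssd.conf,
# enable pam_mkhomedir, grant sudo to the domain administrator and optionally
# reboot.
#
# Run as a user with sudo rights. The domain's DNS suffix is assumed to be
# ".local" (the original script hard-codes it), and msktutil needs a Kerberos
# ticket for an account that may join computers to the domain.
set -euo pipefail

sudo apt install sssd heimdal-clients msktutil

# Keep the distro krb5.conf so the join can be undone by hand.
if [[ -e /etc/krb5.conf ]]; then
  sudo mv /etc/krb5.conf /etc/krb5.conf.default
fi

COMP=$HOSTNAME   # computer account name (short hostname)
read -r -p 'What is the domain name? (example: URLFINANCIAL without the .local) ' DOMAIN
: "${DOMAIN:?domain name is required}"
LCASEDOMAIN=${DOMAIN,,}   # DNS form (urlfinancial)
UCASEDOMAIN=${DOMAIN^^}   # Kerberos realm form (URLFINANCIAL)
read -r -p 'What is the name of your Active Directory DC? ' ADDC
: "${ADDC:?DC name is required}"
read -r -p 'AD account allowed to join computers (example: administrator) ' ADJOINUSER
: "${ADJOINUSER:?join account is required}"

echo "Editing /etc/krb5.conf"
# The original ran `KRB5 <<LIMIT` (there is no such command) and then
# `echo $KRB5 > /etc/krb5.conf` as a non-root user, so nothing usable was
# written. Pipe the here-doc through sudo tee instead.
cat <<LIMIT | sudo tee /etc/krb5.conf >/dev/null
[libdefaults]
default_realm = $UCASEDOMAIN.LOCAL
rdns = no
dns_lookup_kdc = true
dns_lookup_realm = true
[realms]
$UCASEDOMAIN.LOCAL = {
kdc = $ADDC.$LCASEDOMAIN.local
admin_server = $ADDC.$LCASEDOMAIN.local
}
LIMIT

# --user-creds-only makes msktutil use the caller's existing Kerberos ticket,
# so obtain one for the join account first (the kdestroy below discards it).
kinit "$ADJOINUSER@$UCASEDOMAIN.LOCAL"

# Create the computer object and its keytab. The original used U+2011
# non-breaking hyphens for the long options (they were passed through as
# literal arguments), had a malformed "-s $HOSTNAME/.$LCASEDOMAIN.local"
# principal, set the UPN to the domain name rather than the computer account
# (sssd.conf below authenticates as "<HOST>$"), and dropped --server from the
# second call. The second service principal "<host>/<host>" is the presumed
# intent of the original "$HOSTNAME/$LCASEDOMAIN" — confirm against the AD
# setup guide being followed.
msktutil -N -c -b 'CN=COMPUTERS' -s "$COMP/${COMP,,}.$LCASEDOMAIN.local" -k my-keytab.keytab \
  --computer-name "$COMP" --upn "$COMP\$" --server "$ADDC.$LCASEDOMAIN.local" --user-creds-only
msktutil -N -c -b 'CN=COMPUTERS' -s "$COMP/$COMP" -k my-keytab.keytab \
  --computer-name "$COMP" --upn "$COMP\$" --server "$ADDC.$LCASEDOMAIN.local" --user-creds-only
kdestroy

# The keytab holds the machine account's key: root-owned and not readable by
# other local users.
sudo mv my-keytab.keytab /etc/sssd/my-keytab.keytab
sudo chown root:root /etc/sssd/my-keytab.keytab
sudo chmod 0600 /etc/sssd/my-keytab.keytab

echo "Writing /etc/sssd/sssd.conf"
# Same `SSSD <<LIMIT` bug as above; the file was never written, yet chmod'ed.
# The hard-coded pop-os / adserver / system76.local values are replaced with
# the prompted domain, DC and this host so the script works beyond one site.
cat <<LIMIT | sudo tee /etc/sssd/sssd.conf >/dev/null
[sssd]
services = nss, pam
config_file_version = 2
domains = $LCASEDOMAIN.local
[nss]
entry_negative_timeout = 0
#debug_level = 5
[pam]
#debug_level = 5
[domain/$LCASEDOMAIN.local]
#debug_level = 10
enumerate = false
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
dyndns_update = false
ad_hostname = ${COMP,,}.$LCASEDOMAIN.local
ad_server = $ADDC.$LCASEDOMAIN.local
ad_domain = $LCASEDOMAIN.local
ldap_schema = ad
ldap_id_mapping = true
fallback_homedir = /home/%u
default_shell = /bin/bash
ldap_sasl_mech = gssapi
ldap_sasl_authid = ${COMP^^}\$
krb5_keytab = /etc/sssd/my-keytab.keytab
ldap_krb5_init_creds = true
LIMIT
# sssd checks that its config is root-owned with mode 0600 before starting.
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 0600 /etc/sssd/sssd.conf

# Configure PAM: create home directories on first login. Guarded so a re-run
# does not append a duplicate line; the pattern tolerates the tab-separated
# form Ubuntu uses in common-session.
if ! grep -q 'pam_mkhomedir.so' /etc/pam.d/common-session; then
  sudo sed -i '/session[[:space:]]\+required[[:space:]]\+pam_unix\.so/a session required pam_mkhomedir.so skel=/etc/skel umask=0077' /etc/pam.d/common-session
fi
sudo systemctl restart sssd

# Add the domain administrator to the local sudo group:
sudo adduser administrator sudo
# Site-specific account carried over from the original script; remove or
# replace it before reusing this script elsewhere.
sudo adduser admchrisb sudo

# Test a login with the domain administrator. A failed test should not abort
# the script (set -e), only be reported, so the user can still decide on the
# reboot.
if ! su -l administrator; then
  printf 'Test login as administrator failed; check the sssd logs before rebooting.\n' >&2
fi

echo "Complete! if the test above was successful, you can choose Y to reboot."
echo "At the login screen, you can click the “Not listed?” link,"
echo " and type the username of any domain user."
echo " After logging in with a domain user for the first time, that user will appear"
echo " on the login screen’s user list."
read -r -p 'Would you like to reboot now (Y/n)? ' RBOOT
# The original tested `[ ]`, which is always false, so the reboot never ran.
# An empty answer means yes, matching the "(Y/n)" prompt. The original
# `reboot -n` skipped the filesystem sync; a plain reboot is used instead.
case "${RBOOT:-Y}" in
  [Yy]*) sudo reboot ;;
esac
exit 0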