Ubuntu-Docker Failover Pair 2 Configure AD
#!/usr/bin/env bash
###########################################################
#
# This script will install and configure samba and
# winbind and join the system to the hcpss.org AD
# domain. The configuration has been tested on Ubuntu
# 14.04 and is designed to work exclusively with SSH.
#
# nvissari@hcpss.org
###########################################################
# This is samba's configuration file it is being read to the
# $smbconf variable and will be written to a file later. The
# configuration is for the hcpss.org domain and will map AD
# unique IDs to local UIDs/GIDs between 10000 and 999999.
# Users' local home directories will be stored in the /home/
# directory. Passwords are also cached locally in the event
# AD is unavailable.
#/etc/samba/smb.conf
# Capture the samba configuration into $smbconf via a command
# substitution over a quoted here-document (no expansions are
# performed on the content; the trailing newline is dropped).
smbconf=$(cat <<'HEREDOC'
[global]
workgroup = HCPSS
security = ads
realm = HCPSS.ORG
domain master = no
local master = no
preferred master = no
load printers = no
idmap backend = tdb
idmap uid = 10000-999999
idmap gid = 10000-999999
idmap config HCPSS:backend = rid
idmap config HCPSS:range = 10000-999999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/samba.log
log level = 2
HEREDOC
)
# This is the kerberos config file. It is being stored in
# the $krb5conf variable and will be written to disk later.
# This defines the domains and servers available to the
# system to authenticate and generate kerberos tickets. This
# config is using the entire "hcpss.org" set of hosts to
# authenticate against.
#/etc/krb5.conf
# Capture the kerberos configuration into $krb5conf via a
# command substitution over a quoted here-document (no
# expansions are performed; the trailing newline is dropped).
krb5conf=$(cat <<'HEREDOC'
[libdefaults]
ticket_lifetime = 24h
default_realm = HCPSS.ORG
forwardable = true
[realms]
HCPSS.ORG = {
kdc = hcpss.org
default_domain = HCPSS.ORG
}
[domain_realm]
.hcpss.org = HCPSS.ORG
hcpss.org = HCPSS.ORG
[kdc]
profile = /etc/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
HEREDOC
)
# This is the config file for nsswitch. It is stored in
# the $nsswitchconf variable and will be written to disk
# later. This adds winbind to the default passwd, group,
# and shadow sources.
#/etc/nsswitch.conf
# Capture the nsswitch configuration into $nsswitchconf via a
# command substitution over a quoted here-document (no
# expansions are performed; the trailing newline is dropped).
nsswitchconf=$(cat <<'HEREDOC'
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
HEREDOC
)
# This is the PAM config file for sshd. It is stored in the
# $pamdsshd variable and will be written to disk later.
# It adds pam_mkhomedir.so so that a home directory is
# created for directory users who have not previously
# logged into the system.
#/etc/pam.d/sshd
# Capture the PAM stack for sshd into $pamdsshd via a command
# substitution over a quoted here-document (no expansions are
# performed; the trailing newline is dropped).
pamdsshd=$(cat <<'HEREDOC'
@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session required pam_limits.so
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
HEREDOC
)
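#######################################
# Back up an existing config file (renamed with a timestamp
# suffix so the service no longer reads it) and replace it
# with the content assembled above.
# The new content is staged in a temp file next to the target
# and moved into place, so the target is never left missing or
# half-written if a step fails (the original code moved the
# file away before writing and ignored every error, which could
# leave a host with no nsswitch.conf or krb5.conf at all).
# Mode is forced to 0644: a root shell with a restrictive umask
# would otherwise produce a file unreadable by unprivileged
# processes and break name-service/kerberos lookups.
# Arguments: $1 - target path
#            $2 - backup path prefix (timestamp is appended)
#            $3 - file content (written with a trailing newline)
# Returns:   0 on success; exits the script on any failure
#######################################
write_config() {
  local target=$1 backup_prefix=$2 content=$3
  local staged
  staged=$(mktemp "${target}.XXXXXX") || exit 1
  if ! printf '%s\n' "$content" > "$staged" || ! chmod 0644 "$staged"; then
    rm -f -- "$staged"
    printf 'error: could not stage new %s\n' "$target" >&2
    exit 1
  fi
  if [ -f "$target" ]; then
    mv -- "$target" "${backup_prefix}$(date +%s)" || exit 1
  fi
  mv -- "$staged" "$target" || exit 1
}

# Kerberos: /etc/krb5.conf (backup /etc/krb5.conf<timestamp>)
write_config /etc/krb5.conf /etc/krb5.conf "$krb5conf"
# nsswitch: /etc/nsswitch.conf (backup /etc/nsswitch.conf<timestamp>)
write_config /etc/nsswitch.conf /etc/nsswitch.conf "$nsswitchconf"
# samba: /etc/samba/smb.conf (backup /etc/samba/smb.conf<timestamp>)
write_config /etc/samba/smb.conf /etc/samba/smb.conf "$smbconf"
# PAM stack for sshd: /etc/pam.d/sshd. The backup is kept
# outside /etc/pam.d/ (as /etc/pamdsshd<timestamp>), the same
# location the original script used.
write_config /etc/pam.d/sshd /etc/pamdsshd "$pamdsshd"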
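# Add domain admins to sudoers so anyone who is a member of
# the "domain admins" group in AD gets sudo on the system.
# The rule is appended only once (re-running the script would
# otherwise duplicate it) and the result is checked with
# visudo -c: a syntax error in /etc/sudoers disables sudo for
# everyone, so on failure the previous file is restored and
# the script stops.
sudoers_rule='%domain\ admins ALL=(ALL) ALL'
if ! grep -qxF -- "$sudoers_rule" /etc/sudoers; then
  sudoers_backup=$(mktemp) || exit 1
  cp -p -- /etc/sudoers "$sudoers_backup" || exit 1
  if ! printf '%s\n' "$sudoers_rule" >> /etc/sudoers || ! visudo -cf /etc/sudoers >/dev/null; then
    cp -p -- "$sudoers_backup" /etc/sudoers
    rm -f -- "$sudoers_backup"
    printf 'error: /etc/sudoers update failed validation; previous file restored\n' >&2
    exit 1
  fi
  rm -f -- "$sudoers_backup"
fi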
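# Restrict ssh logins to admins so ordinary hcpss users cannot
# log in. Only domain admins or members of the local ssh, adm
# or root groups will be able to log in (adm/root are local,
# so access survives if winbind cannot resolve AD groups).
# The line is appended only once. sshd uses the first value it
# reads for a keyword, so an AllowGroups line already present
# earlier in sshd_config would override this one; warn in that
# case instead of silently appending an ineffective line.
allow_groups='AllowGroups ssh adm root "domain admins"'
if ! grep -qxF -- "$allow_groups" /etc/ssh/sshd_config; then
  if grep -qiE '^[[:space:]]*AllowGroups[[:space:]]' /etc/ssh/sshd_config; then
    printf 'warning: /etc/ssh/sshd_config already has an AllowGroups line; the appended one may be ignored\n' >&2
  fi
  printf '%s\n' "$allow_groups" >> /etc/ssh/sshd_config || exit 1
fi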
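# Restart all services so the new configs written above are
# applied. sshd_config is syntax-checked first: this host is
# managed exclusively over SSH, so restarting sshd with a broken
# config would lock out every admin. winbind/samba are restarted
# before sshd so that group lookups through nsswitch work by the
# time sshd accepts connections again; a failed restart stops
# the script rather than being silently ignored.
sshd -t || { printf 'error: sshd_config failed validation; not restarting services\n' >&2; exit 1; }
for svc in winbind nmbd smbd ssh; do
  service "$svc" restart || { printf 'error: failed to restart %s\n' "$svc" >&2; exit 1; }
done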