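#!/usr/bin/env bash
###########################################################
#
# This script will install and configure samba and
# winbind and join the system to the hcpss.org AD
# domain. The configuration has been tested on Ubuntu
# 14.04 and is designed to work exclusively with SSH.
#
# NOTE(review): only the configuration step is in this
# file; the package install and the actual domain join
# are not performed here and are presumably done by a
# companion script.
#
# Every write to /etc below moves the existing file aside
# first (suffix: epoch seconds) so the previous state can
# be restored by hand. The script must run as root, stops
# at the first failed command, and refuses to restart ssh
# or enable the sudo rule when the new config does not
# validate.
#
# nvissari@hcpss.org
###########################################################

# Stop on the first failing command or unset variable.
# `read -d ''` returns 1 when it reaches end of input, so
# each heredoc read below carries `|| true` to keep this
# from aborting the script.
set -eu

# Everything below rewrites files under /etc and restarts
# services; fail up front instead of half-way through.
if [ "$(id -u)" -ne 0 ]; then
    echo "this script must be run as root" >&2
    exit 1
fi

# install_config DEST BACKUP_PREFIX CONTENT
#   If DEST exists, move it to BACKUP_PREFIX<epoch seconds>
#   so the old file is kept rather than overwritten, then
#   write CONTENT (plus a trailing newline) to DEST. The
#   file is created with the caller's umask, as before.
install_config() {
    local dest=$1 backup_prefix=$2 content=$3
    if [ -f "$dest" ]; then
        mv "$dest" "${backup_prefix}$(date +%s)"
    fi
    printf '%s\n' "$content" > "$dest"
}

# This is samba's configuration file it is being read to the
# $smbconf variable and will be written to a file later. The
# configuration is for the hcpss.org domain and will map ad
# unique ids to local uid/gids between 10000 and 999999
# User local home directories will be stored in the /home/
# directory. Passwords are also cached locally in the event
# AD is unavailable (winbind offline logon).
# The heredoc delimiter is quoted so nothing inside is
# expanded by the shell; %U is a samba substitution.
# NOTE(review): `idmap uid`/`idmap gid`/`idmap backend` are
# the legacy spelling; newer samba expects
# `idmap config * : backend/range` — confirm against the
# installed version. `winbind enum users/groups = yes` can
# be slow on large domains.
#/etc/samba/smb.conf
read -r -d '' smbconf <<'HEREDOC' || true
[global]
workgroup = HCPSS
security = ads
realm = HCPSS.ORG
domain master = no
local master = no
preferred master = no
load printers = no
idmap backend = tdb
idmap uid = 10000-999999
idmap gid = 10000-999999
idmap config HCPSS:backend = rid
idmap config HCPSS:range = 10000-999999
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
log file = /var/log/samba/samba.log
log level = 2
HEREDOC

# This is the kerberos config file. It is being stored in
# the $krb5conf variable and will be written to disk later.
# This defines the domains and servers available to the
# system to authenticate and generate kerberos tickets. This
# config is using the entire "hcpss.org" set of hosts to
# authenticate against (kdc = hcpss.org relies on DNS
# resolving that name to the domain controllers).
# NOTE(review): the [kdc] section is read by a KDC, not a
# client; presumably carried over from a template. Harmless.
#/etc/krb5.conf
read -r -d '' krb5conf <<'HEREDOC' || true
[libdefaults]
ticket_lifetime = 24h
default_realm = HCPSS.ORG
forwardable = true
[realms]
HCPSS.ORG = {
kdc = hcpss.org
default_domain = HCPSS.ORG
}
[domain_realm]
.hcpss.org = HCPSS.ORG
hcpss.org = HCPSS.ORG
[kdc]
profile = /etc/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
HEREDOC

# This is the config file for nsswitch. It is stored in
# the $nsswitchconf variable and will be written to disk
# later. This adds winbind to the default passwd, group,
# and shadow sources.
#/etc/nsswitch.conf
read -r -d '' nsswitchconf <<'HEREDOC' || true
passwd: compat winbind
group: compat winbind
shadow: compat winbind
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
HEREDOC

# This is the PAM config file for sshd. It is stored in the
# $pamdsshd variable and will be written to disk later.
# This adds the requirement for pam_mkhomedir.so. This
# ensures that the home directory will be created for
# users in the directory that have not logged into the
# system. The rest is the stock Ubuntu 14.04 stack.
#/etc/pam.d/sshd
read -r -d '' pamdsshd <<'HEREDOC' || true
@include common-auth
account required pam_nologin.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session optional pam_motd.so motd=/run/motd.dynamic noupdate
session required pam_limits.so
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
@include common-password
HEREDOC

# Move any existing kerberos, nsswitch and samba config
# aside so it's no longer used by the services, then write
# the files built above in their place.
install_config /etc/krb5.conf /etc/krb5.conf "$krb5conf"
install_config /etc/nsswitch.conf /etc/nsswitch.conf "$nsswitchconf"
install_config /etc/samba/smb.conf /etc/samba/smb.conf "$smbconf"

# The old PAM file is parked outside /etc/pam.d (as in the
# original script), presumably so a stale copy is not left
# in the directory PAM reads service definitions from.
install_config /etc/pam.d/sshd /etc/pamdsshd "$pamdsshd"

# Add domain admins to sudoers so anyone who is a member of
# the "domain admins" group in AD will have sudo capabilities
# on the system. The rule goes into its own drop-in instead
# of being appended to /etc/sudoers, so re-running the script
# does not duplicate it and a syntax error can be checked
# with visudo before sudo ever parses it (a broken
# /etc/sudoers disables sudo for everyone).
sudoers_dropin=/etc/sudoers.d/domain-admins
if ! grep -Eq '^[#@]includedir /etc/sudoers.d' /etc/sudoers; then
    echo "/etc/sudoers does not include /etc/sudoers.d; refusing to continue" >&2
    exit 1
fi
# Backslash escapes the space in the group name (sudoers syntax).
printf '%s\n' '%domain\ admins ALL=(ALL) ALL' > "$sudoers_dropin"
# sudo ignores drop-ins that are not mode 0440.
chmod 0440 "$sudoers_dropin"
if ! visudo -cqf "$sudoers_dropin"; then
    rm -f "$sudoers_dropin"
    echo "sudoers drop-in failed validation and was removed" >&2
    exit 1
fi

# Restrict ssh logins to admins so all hcpss users cannot
# login to the system. Only domain admins or members of the
# local adm or root groups will be able to login. The line
# is added only once so re-runs stay idempotent, and the
# previous sshd_config is kept with an epoch suffix.
sshd_config=/etc/ssh/sshd_config
allow_line='AllowGroups ssh adm root "domain admins"'
if ! grep -qxF "$allow_line" "$sshd_config"; then
    cp -p "$sshd_config" "${sshd_config}$(date +%s)"
    printf '%s\n' "$allow_line" >> "$sshd_config"
fi
# Never restart ssh on a config that does not parse: the
# running daemon would stop and remote access would be lost.
if ! /usr/sbin/sshd -t; then
    echo "sshd_config failed validation; not restarting ssh" >&2
    exit 1
fi

# Restart all services so the new configs that were written
# above are applied. ssh goes last so winbind is already up
# to resolve the "domain admins" group for AllowGroups.
service winbind restart
service nmbd restart
service smbd restart
service ssh restart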