Add a CentOS 7 or 8 machine to an AD domain. Integrates SSH authentication with Active Directory, manages sudoers via Active Directory, performs automatic group id mapping and sanitization, and creates the PTR record and DNS computer name automatically. NetBIOS names are limited to 15 characters!
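#! /usr/bin/env bash
#
# Author: Sotirios Roussis - xtonousou@gmail.com
# Description: Configure Linux machine, add it to domain, configure SSH authentication via Active Directory
# Enter: sudo -i for root without auth if you add the domain user to domain group "sudoers" in AD/SOME_DIRECTORY or in any other child group of "sudoers"
# Version: 1.1.7
#
# Currently tested on CentOS 7, 8
#
# NOTES:
# Use Proxy to forward Internet traffic to target machine. yum needs it to download packages. In this example, a squid proxy is binded to 3128 port
# ssh -p 22 -R 3128:TARGET_IP:3128 -N root@TARGET_IP # run this locally to forward the traffic to the machine that will join the domain afterwards
# Clearing cache
# sss_cache -E ; systemctl stop sssd; rm -rf /var/lib/sss/db/* ; systemctl restart sssd
# Leaving the domain
# realm leave --remove --user domain_admin_user
# for i in realmd sssd; do systemctl stop $i; systemctl disable $i; done
#
# Environment:
#   NOYUM            if set, skip the proxy check and the package installation
#   AD_DOMAIN        AD domain to join            (default: SOME_DOMAIN.SOME_TLD)
#   AD_COMPUTER_OU   OU that receives the computer object
#   AD_SEARCH_BASE   LDAP search base for sssd
#   AD_DNS_SERVERS   space separated list of AD DNS server IPs
#   AD_SERVERS       comma separated list of domain controllers for sssd
# Every site-specific value below keeps the original placeholder as its
# default, so the script still works when edited in place.
#
# Exit codes: 1/2 proxy problems, 3 not root, 4 mktemp, 5 unsupported OS,
# 6 yum, 7 sudoers, 8 no username, 9 realm join, 10 sssd restart.

ad_domain="${AD_DOMAIN:-SOME_DOMAIN.SOME_TLD}"
computer_ou="${AD_COMPUTER_OU:-OU=SOME_ORG_UNIT_TO_STORE_COMPUTERS,OU=SOME_DIRECTORY,DC=SOME_DOMAIN,DC=SOME_TLD}"
search_base="${AD_SEARCH_BASE:-DC=SOME_DOMAIN,DC=SOME_TLD}"
ad_servers="${AD_SERVERS:-ad1.${ad_domain}, ad2.${ad_domain}}"
# -a splits the (intentionally unquoted-by-meaning) list into one array element per server
read -r -a dns_servers <<< "${AD_DNS_SERVERS:-AD01_IP_HERE AD02_IP_HERE}"
readonly ad_domain computer_ou search_base ad_servers dns_servers

# Everything below edits /etc and talks to the domain, so fail early instead
# of half-way through with a permission error.
if [[ "${EUID}" -ne 0 ]]; then
  echo "This script must run as root." >&2
  exit 3
fi

if [[ -z "${NOYUM:-}" ]]; then
  if ! grep -E "^proxy" /etc/yum.conf &> /dev/null; then
    echo "Yum cannot get the packages without proxy... Make sure you have set correctly the entry proxy=http://127.0.0.1:3128 in /etc/yum.conf"
    exit 1
  fi
  # first proxy= entry of yum.conf, surrounding spaces removed
  yum_proxy="$(grep -E "^proxy" /etc/yum.conf | head -n 1 | awk -F'=' '{print $2}' | tr -d ' ')"
  # --max-time: a dead proxy must fail fast instead of hanging the script
  if ! http_proxy="${yum_proxy}" curl --max-time 20 google.gr &> /dev/null; then
    echo "Proxy does not work, sorry. Try again"
    echo "Make sure you have set correctly the entry proxy=http://127.0.0.1:3128 in /etc/yum.conf"
    exit 2
  fi
else
  echo "NOYUM env variable detected, skipping proxy checks..."
fi

echo "Adding nameservers"
# Add only the entries that are missing and keep the existing order: the
# resolver tries nameservers in file order, so the file must not be sorted.
# NOTE(review): on CentOS /etc/resolv.conf is often regenerated by
# NetworkManager; if the entries disappear after a reboot, set the DNS
# servers on the connection profile instead.
resolv_tmp="$(mktemp)" || exit 4
{
  cat /etc/resolv.conf
  echo "search ${ad_domain}"
  for ns in "${dns_servers[@]}"; do
    echo "nameserver ${ns}"
  done
} | awk '!seen[$0]++' > "${resolv_tmp}"
# write through instead of mv: keeps the original inode, mode and any symlink
cat "${resolv_tmp}" > /etc/resolv.conf
rm -f -- "${resolv_tmp}"

if ! grep -Ei "^centos linux release [7-8]" /etc/redhat-release &> /dev/null; then
  echo "Cannot join the domain because the OS or the OS version is not supported, yet."
  exit 5
fi

# The AD computer name is a NetBIOS name (see gist description): warn early
# when the short hostname exceeds 15 characters, since the object created in
# AD may then not match the machine's hostname.
short_host="$(hostname -s)"
if (( ${#short_host} > 15 )); then
  echo "Warning: hostname '${short_host}' is longer than 15 characters, the AD computer name may not match it." >&2
fi

if [[ -z "${NOYUM:-}" ]]; then
  # install requirements; stop here rather than configure a half-installed stack
  if ! yum install -y adcli krb5-workstation oddjob oddjob-mkhomedir openldap-clients policycoreutils-python realmd samba-common samba-common-tools sssd sssd-ad sudo; then
    echo "Package installation failed, aborting before touching sudoers or the domain." >&2
    exit 6
  fi
else
  echo "NOYUM env variable detected, skipping package installation..."
fi

# configure sudoers group: every member of the AD group "sudoers" (and of its
# child groups, via tokengroups) gets passwordless root on this machine. That
# is the intended design; membership of that AD group is the control to audit.
sudoers_file=/etc/sudoers.d/sudoers
printf '%%sudoers\tALL=(ALL)\tNOPASSWD: ALL\n' > "${sudoers_file}"
chmod 440 "${sudoers_file}"
# a syntax error in sudoers.d breaks sudo for everybody, so validate the drop-in
if ! visudo -cf "${sudoers_file}"; then
  echo "Generated ${sudoers_file} does not pass visudo, removing it." >&2
  rm -f -- "${sudoers_file}"
  exit 7
fi

# add computer into domain
# -r keeps a typed backslash: without it read eats the "\" of DOMAIN\user and
# the prefix check below can never match.
read -r -p "Enter Domain Admin's username: " admin_user
if [[ -z "${admin_user}" ]]; then
  echo "No username given, aborting." >&2
  exit 8
fi
# accept DOMAIN\user and keep the part after the first backslash
if [[ "${admin_user}" == *\\* ]]; then
  admin_user="${admin_user#*\\}"
fi
# realm join prompts for the admin password itself (never pass it on argv)
if ! realm join --computer-ou="${computer_ou}" "${ad_domain}" --membership-software=adcli --user="${admin_user}"; then
  echo "realm join failed; sssd.conf is left untouched and services are not restarted." >&2
  exit 9
fi

# apply SSSD configuration (overrides the one realm join generated)
# NOTE(review): krb5_validate = False skips validating the TGT against the
# host keytab adcli created; consider turning it on once the join is known to
# work, it protects against a spoofed KDC.
cat << EOF > /etc/sssd/sssd.conf
[sssd]
domains = ${ad_domain}
config_file_version = 2
reconnection_retries = 3
services = nss, pam
sbus_timeout = 30
override_space = _
# debug_level = 10
[nss]
filter_users = root,mysql,zabbix
filter_groups = root,mysql,zabbix
[pam]
reconnection_retries = 3
[domain/${ad_domain}]
realmd_tags = manages-system joined-with-adcli
ad_domain = ${ad_domain}
ad_server = ${ad_servers}
ad_enabled_domains = ${ad_domain}
ad_enable_gc = False
krb5_realm = ${ad_domain}
krb5_store_password_if_offline = False
krb5_validate = False
id_provider = ad
auth_provider = ad
sudo_provider = ad
chpass_provider = ad
access_provider = ad
ldap_search_base = ${search_base}
ldap_schema = ad
ldap_id_mapping = True
ldap_use_tokengroups = True
dyndns_update = True
dyndns_update_ptr = True
dyndns_refresh_interval = 43200
dyndns_ttl = 3600
default_shell = /bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
ldap_purge_cache_timeout = 0
entry_cache_timeout = 600
cache_credentials = True
# debug_level = 10
EOF
# sssd refuses to start unless its config is root-only
chmod 600 /etc/sssd/sssd.conf

# handle the services
systemctl enable realmd sssd
systemctl restart realmd
if ! systemctl restart sssd; then
  echo "sssd failed to restart; check 'journalctl -u sssd' and /etc/sssd/sssd.conf" >&2
  exit 10
fi
echo "Welcome aboard $(hostname)"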