@xtonousou
Created April 12, 2020 02:55
Add Centos 7, 8 Machine into AD Domain. Integrate SSH authentication with Active Directory, manage sudoers via Active Directory, automatic group id mapping and sanitization. Automatic PTR record and DNS computer name. NETBIOS 15 characters max!
#! /usr/bin/env bash
#
# Author: Sotirios Roussis - xtonousou@gmail.com
# Description: Configure Linux machine, add it to domain, configure SSH authentication via Active Directory
# Enter: sudo -i for root without auth if you add the domain user to domain group "sudoers" in AD/SOME_DIRECTORY or in any other child group of "sudoers"
# Version: 1.1.7
#
# Currently tested on CentOS 7, 8
#
# NOTES:
# Use a proxy to forward Internet traffic to the target machine. yum needs it to download packages. In this example, a squid proxy is bound to port 3128
# ssh -p 22 -R 3128:TARGET_IP:3128 -N root@TARGET_IP # run this locally to forward the traffic to the machine that will join the domain afterwards
# Clearing cache
# sss_cache -E ; systemctl stop sssd; rm -rf /var/lib/sss/db/* ; systemctl restart sssd
# Leaving the domain
# realm leave --remove --user domain_admin_user
# for i in realmd sssd; do systemctl stop $i; systemctl disable $i; done
#
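#######################################
# Print an error on stderr and stop. Every step whose failure would leave the
# machine half-joined (packages, resolv.conf, sudoers, realm join, services)
# goes through this instead of silently continuing.
# Arguments: $1 - message, $2 - exit status (default 1)
#######################################
die() {
  printf 'ERROR: %s\n' "$1" >&2
  exit "${2:-1}"
}

# Everything below writes under /etc and drives systemd, so refuse to run unprivileged.
[[ "${EUID}" -eq 0 ]] || die "this script must run as root (e.g. sudo -i)"

if [[ -z "${NOYUM:-}" ]]; then
  # yum only reaches the Internet through the proxy entry in /etc/yum.conf; reuse
  # that entry (value after the first '=') to probe the tunnel before installing.
  proxy_line=$(grep -E '^proxy' /etc/yum.conf | head -n 1)
  if [[ -z "${proxy_line}" ]]; then
    echo "Yum cannot get the packages without proxy... Make sure you have set correctly the entry proxy=http://127.0.0.1:3128 in /etc/yum.conf"
    exit 1
  fi
  proxy_url=${proxy_line#*=}
  proxy_url=${proxy_url//[[:space:]]/}
  # -m bounds the probe so a dead tunnel fails fast instead of hanging the script.
  if ! http_proxy="${proxy_url}" curl -sS -m 20 -o /dev/null google.gr; then
    echo "Proxy does not work, sorry. Try again"
    echo "Make sure you have set correctly the entry proxy=http://127.0.0.1:3128 in /etc/yum.conf"
    exit 2
  fi
else
  echo "NOYUM env variable detected, skipping proxy checks..."
fi

echo "Adding nameservers"
cat << 'EOF' >> /etc/resolv.conf
search SOME_DOMAIN.SOME_TLD
nameserver AD01_IP_HERE
nameserver AD02_IP_HERE
EOF
# Drop duplicate lines left by repeated runs but keep the original order: the
# resolver tries nameservers in file order, so `sort -u` would silently reshuffle
# priority. Writing back with cat (not mv from /tmp) keeps the inode, mode and
# SELinux label of /etc/resolv.conf.
tmp_resolv=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "${tmp_resolv}"' EXIT
awk '!seen[$0]++' /etc/resolv.conf > "${tmp_resolv}" || die "could not rewrite /etc/resolv.conf"
cat -- "${tmp_resolv}" > /etc/resolv.conf || die "could not write /etc/resolv.conf"

if grep -Eiq '^centos linux release [7-8]' /etc/redhat-release; then
  if [[ -z "${NOYUM:-}" ]]; then
    # install requirements
    yum install -y adcli krb5-workstation oddjob oddjob-mkhomedir openldap-clients policycoreutils-python realmd samba-common samba-common-tools sssd sssd-ad sudo \
      || die "package installation failed"
  else
    echo "NOYUM env variable detected, skipping package installation..."
  fi

  # configure sudoers group: members of the AD group "sudoers" get passwordless
  # root, so this drop-in is the access-control boundary of the whole setup.
  # visudo -c catches a malformed file before it can break or widen sudo.
  sudoers_file=/etc/sudoers.d/sudoers
  printf '%%sudoers\tALL=(ALL)\tNOPASSWD: ALL\n' > "${sudoers_file}" || die "could not write ${sudoers_file}"
  chmod 440 "${sudoers_file}"
  visudo -cf "${sudoers_file}" > /dev/null || die "invalid sudoers drop-in ${sudoers_file}"

  # add computer into domain. -r keeps a backslash in DOMAIN\user intact (plain
  # read would swallow it); the expansion then strips everything up to the last
  # backslash so both DOMAIN\user and a bare username work.
  printf '%s' "Enter Domain Admin's username: "
  read -r admin_user
  admin_user=${admin_user##*\\}
  [[ -n "${admin_user}" ]] || die "no username given"
  # Stop here on failure: writing sssd.conf for a domain we never joined only
  # produces a sssd that fails at boot.
  realm join --computer-ou="OU=SOME_ORG_UNIT_TO_STORE_COMPUTERS,OU=SOME_DIRECTORY,DC=SOME_DOMAIN,DC=SOME_TLD" SOME_DOMAIN.SOME_TLD --membership-software=adcli --user="${admin_user}" \
    || die "realm join failed; leaving sssd.conf untouched"

  # apply SSSD configuration
  # NOTE(review): krb5_validate = False skips checking the obtained TGT against the
  # host keytab (see sssd.conf(5)); the provider settings below are kept exactly as
  # the author chose them — review them against the domain's policy before rollout.
  cat << 'EOF' > /etc/sssd/sssd.conf
[sssd]
domains = SOME_DOMAIN.SOME_TLD
config_file_version = 2
reconnection_retries = 3
services = nss, pam
sbus_timeout = 30
override_space = _
# debug_level = 10
[nss]
filter_users = root,mysql,zabbix
filter_groups = root,mysql,zabbix
[pam]
reconnection_retries = 3
[domain/SOME_DOMAIN.SOME_TLD]
realmd_tags = manages-system joined-with-adcli
ad_domain = SOME_DOMAIN.SOME_TLD
ad_server = ad1.SOME_DOMAIN.SOME_TLD, ad2.SOME_DOMAIN.SOME_TLD
ad_enabled_domains = SOME_DOMAIN.SOME_TLD
ad_enable_gc = False
krb5_realm = SOME_DOMAIN.SOME_TLD
krb5_store_password_if_offline = False
krb5_validate = False
id_provider = ad
auth_provider = ad
sudo_provider = ad
chpass_provider = ad
access_provider = ad
ldap_search_base = DC=SOME_DOMAIN,DC=SOME_TLD
ldap_schema = ad
ldap_id_mapping = True
ldap_use_tokengroups = True
dyndns_update = True
dyndns_update_ptr = True
dyndns_refresh_interval = 43200
dyndns_ttl = 3600
default_shell = /bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
ldap_purge_cache_timeout = 0
entry_cache_timeout = 600
cache_credentials = True
# debug_level = 10
EOF
  # sssd refuses to start when sssd.conf is not root-owned 0600 (cache_credentials
  # also means cached hashes live behind this file's permissions).
  chown root:root /etc/sssd/sssd.conf
  chmod 0600 /etc/sssd/sssd.conf

  # handle the services
  systemctl enable realmd sssd || die "could not enable realmd/sssd"
  systemctl restart realmd || die "realmd failed to restart"
  systemctl restart sssd || die "sssd failed to start; check: journalctl -u sssd"
  echo "Welcome aboard $(hostname)"
else
  echo "Cannot join the domain because the OS or the OS version is not supported, yet."
fi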