Active Directory: различия между версиями
Kekaloav (обсуждение | вклад) |
Kekaloav (обсуждение | вклад) |
(не показана 1 промежуточная версия этого же участника) | |||
Строка 1: | Строка 1: | ||
Строка 7: | Строка 9: | ||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
#!/bin/bash | #!/bin/bash | ||
SCHOOL=648 | SCHOOL=648 | ||
LDOMAIN="sao.obr.mos.ru" | LDOMAIN="sao.obr.mos.ru" | ||
ADMIN="kekaloav" | ADMIN="kekaloav" | ||
ADMINPASS= | ADMINPASS='pass' | ||
DOMAIN="`echo ${LDOMAIN} | awk '{print toupper($0)}'`" | DOMAIN="`echo ${LDOMAIN} | awk '{print toupper($0)}'`" | ||
LHOSTNAME="`hostname`" | LHOSTNAME="`hostname`" | ||
Строка 16: | Строка 19: | ||
service sssd stop | service sssd stop | ||
apt-get -y install samba-common-tools sssd-ad task-auth-ad-sssd samba-client cifs-utils systemd-settings-enable-kill-user-processes | |||
cp /etc/nsswitch.conf /etc/sssd/nsswitch.conf_ | |||
apt-get -y install samba-common-tools task-auth-ad-sssd | cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_ | ||
cp /etc/krb5.conf /etc/krb5.conf_ | cp /etc/krb5.conf /etc/krb5.conf_ | ||
cp /etc/samba/smb.conf /etc/samba/smb.conf_ | cp /etc/samba/smb.conf /etc/samba/smb.conf_ | ||
echo -e "[logging]\n\n[libdefaults]\ndefault_realm = ${DOMAIN}\ndns_lookup_kdc = true\ndns_lookup_realm = false\nticket_lifetime = 24h\nrenew_lifetime = 7d\nforwardable = true\nrdns = false\ndefault_ccache_name = KEYRING:persistent:%{uid}" > /etc/krb5.conf | echo -e "[logging]\n\n[libdefaults]\ndefault_realm = ${DOMAIN}\ndns_lookup_kdc = true\ndns_lookup_realm = false\nticket_lifetime = 24h\nrenew_lifetime = 7d\nforwardable = true\nrdns = false\ndefault_ccache_name = KEYRING:persistent:%{uid}" > /etc/krb5.conf | ||
echo - | echo -n "[global]\nsecurity = ads\nrealm = ${DOMAIN}\nworkgroup = ${DOMAIN:0:3}\nnetbios name = ${HOSTNAME}\ntemplate shell = /bin/bash\nkerberos method = system keytab\nwins support = no\nwinbind use default domain = yes\ninbind enum users = no\nwinbind enum groups = no\ntemplate homedir = /home/${DOMAIN}/%U\nidmap config * : range = 200000-2000200000\nidmap config * : backend = sss\nmachine password timeout = 0\n[homes]\nbrowseable = no\nwritable = yes\n[printers]\ncomment = All Printers\npath = /var/spool/samba\nbrowseable = no\nguest ok = no\nwritable = no\nprintable = yes\n" > /etc/samba/smb.conf | ||
if [ -z "`cat /etc/pam.d/system-auth | grep 'pam_mount.so disable_interactive'`" ] ; then | if [ -z "`cat /etc/pam.d/system-auth | grep 'pam_mount.so disable_interactive'`" ] ; then | ||
Строка 36: | Строка 36: | ||
fi | fi | ||
system-auth write ad ${DOMAIN} ${LHOSTNAME} ${DOMAIN:0:3} ${ADMIN} ${ADMINPASS} | |||
service sssd stop | |||
sed -i 's/ad_gpo_access_control = permissive/ad_gpo_access_control = disabled/g' /etc/sssd/sssd.conf | |||
service sssd start | service sssd start | ||
</syntaxhighlight>Отключение<syntaxhighlight lang="bash"> | |||
#!/bin/bash | |||
service sssd stop | |||
cp /etc/nsswitch.conf_ /etc/nsswitch.conf | |||
service nscd restart | |||
cp /etc/krb5.conf_ /etc/krb5.conf | |||
cp /etc/samba/smb.conf_ /etc/samba/smb.conf | |||
cp /etc/sssd/sssd.conf_ /etc/sssd/sssd.conf | |||
service smb restart | |||
service nmb restart | |||
</syntaxhighlight> | </syntaxhighlight> | ||
[[Категория:МОС]] | [[Категория:МОС]] |
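Review bot: The smb.conf write on the new side (`echo -n "[global]\nsecurity = ads\n...`) drops the `-e` that the krb5.conf line just above keeps, so bash's builtin echo emits the literal `\n` sequences and the whole smb.conf lands on one line; a heredoc (`cat > /etc/samba/smb.conf <<EOF ... EOF`) or `printf '%b'` writes real newlines, and the same line carries the typo `inbind enum users = no`, which should read `winbind enum users = no`. The added backup `cp /etc/nsswitch.conf /etc/sssd/nsswitch.conf_` does not match the restore `cp /etc/nsswitch.conf_ /etc/nsswitch.conf` in the added "Отключение" script, so the restore step fails; since every other backup sits next to its original, `cp /etc/nsswitch.conf /etc/nsswitch.conf_` is the consistent fix. `ADMINPASS='pass'` keeps the join account's password in the script (and on this wiki page), and `system-auth write ad ... ${ADMIN} ${ADMINPASS}` hands it over on argv, where it is readable by other local users through the process list while the command runs; reading it from the environment or an interactive `read -rs` prompt keeps it out of the file, and the argv exposure should at least be noted in a comment if system-auth offers no other input path. The `if [ -z "\`cat ... | grep ...\`" ]` checks in the same hunk can be written as `if ! grep -q '...' /etc/pam.d/system-auth; then`, which avoids the subshell and the unquoted backticks.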
Текущая версия на 21:31, 26 января 2023
Скрипт запускается от рута, устанавливает недостающие пакеты, вносит изменения в конфиги и подключает ПК с МОС к домену с целью авторизации (без применения политик). Также для доменных пользователей настраивается автоматическое монтирование доменных дисков при входе.
Бета-версия.
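#!/bin/bash
# Join a school (MOS) PC to the Active Directory domain through sssd so that
# domain users can log in; GPO policies are not applied. Must be run as root.
#
# Steps:
#   1. install the required packages;
#   2. back up nsswitch.conf, sssd.conf, krb5.conf and smb.conf as "<file>_"
#      next to the originals (the companion "disable" script restores from
#      exactly these paths);
#   3. write krb5.conf and smb.conf for the domain;
#   4. enable pam_mount in system-auth and add the school file-server volumes
#      to pam_mount.conf.xml so domain shares are mounted at login;
#   5. join the domain with system-auth and switch ad_gpo_access_control to
#      "disabled" in sssd.conf.
#
# Environment:
#   ADMINPASS - password of the ${ADMIN} account used for the join. When it is
#               not set the script prompts for it without echo, so the
#               plaintext never has to be stored in this file.

SCHOOL=648
LDOMAIN="sao.obr.mos.ru"
ADMIN="kekaloav"

# Take the join password from the environment or prompt for it. Note that
# system-auth below still receives it as a command-line argument, which is
# visible to other local processes for the duration of that command.
if [ -z "${ADMINPASS:-}" ]; then
  read -rsp "Password for ${ADMIN}@${LDOMAIN}: " ADMINPASS
  printf '\n'
fi

# Kerberos realm and NetBIOS name are the upper-cased domain and host names.
# HOSTNAME deliberately overrides the shell variable of the same name.
DOMAIN="$(printf '%s' "${LDOMAIN}" | awk '{print toupper($0)}')"
LHOSTNAME="$(hostname)"
HOSTNAME="$(printf '%s' "${LHOSTNAME}" | awk '{print toupper($0)}')"
# Workgroup is the first three letters of the realm (e.g. "SAO").
WORKGROUP="${DOMAIN:0:3}"
# School file server: sch-<school>-1-fs.<first three letters of the domain>.obr.mos.ru
FS_SERVER="sch-${SCHOOL}-1-fs.${LDOMAIN:0:3}.obr.mos.ru"

service sssd stop
apt-get -y install samba-common-tools sssd-ad task-auth-ad-sssd samba-client cifs-utils systemd-settings-enable-kill-user-processes

# Back up every config rewritten below, next to the original. The restore
# script reads /etc/nsswitch.conf_ (not /etc/sssd/nsswitch.conf_).
cp -- /etc/nsswitch.conf /etc/nsswitch.conf_
cp -- /etc/sssd/sssd.conf /etc/sssd/sssd.conf_
cp -- /etc/krb5.conf /etc/krb5.conf_
cp -- /etc/samba/smb.conf /etc/samba/smb.conf_

# Kerberos client configuration: KDCs are located through DNS and the
# credential cache lives in the kernel keyring.
cat > /etc/krb5.conf <<EOF
[logging]

[libdefaults]
default_realm = ${DOMAIN}
dns_lookup_kdc = true
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
EOF

# Samba configuration. A heredoc is used instead of "echo -n" so the line
# breaks are real newlines (bash's echo -n does not interpret "\n"); the
# option is "winbind enum users", not "inbind enum users".
cat > /etc/samba/smb.conf <<EOF
[global]
security = ads
realm = ${DOMAIN}
workgroup = ${WORKGROUP}
netbios name = ${HOSTNAME}
template shell = /bin/bash
kerberos method = system keytab
wins support = no
winbind use default domain = yes
winbind enum users = no
winbind enum groups = no
template homedir = /home/${DOMAIN}/%U
idmap config * : range = 200000-2000200000
idmap config * : backend = sss
machine password timeout = 0
[homes]
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
EOF

# Enable pam_mount for login sessions, once. The pam_succeed_if line makes
# the systemd-user service skip the pam_mount line that follows it.
if ! grep -q 'pam_mount.so disable_interactive' /etc/pam.d/system-auth; then
  printf '\n\nsession [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet\nsession optional pam_mount.so disable_interactive\n\n' >> /etc/pam.d/system-auth
fi

# Add the school file-server volumes for domain users, once: the common
# "Share" folder and the user's "HOME/<user>" folder, mounted over CIFS with
# Kerberos (sec=krb5) under the logged-in user's uid/gid.
if ! grep -q 'obr.mos.ru' /etc/security/pam_mount.conf.xml; then
  MOUNT_OPTS='sec=krb5,cruid=%(USERUID),nounix,uid=%(USERUID),gid=%(USERGID),file_mode=0664,dir_mode=0775'
  sed -i '/Volume definitions/a <volume uid="10000-2000200000" fstype="cifs" server="'"${FS_SERVER}"'" path="Share" mountpoint="~/share" options="'"${MOUNT_OPTS}"'" />' /etc/security/pam_mount.conf.xml
  sed -i '/Volume definitions/a <volume uid="10000-2000200000" fstype="cifs" server="'"${FS_SERVER}"'" path="HOME/%(USER)" mountpoint="~/home" options="'"${MOUNT_OPTS}"'" />' /etc/security/pam_mount.conf.xml
fi

# Join the domain, then turn GPO-based access control off in sssd.conf (the
# sed assumes the join left "ad_gpo_access_control = permissive" there) and
# restart sssd so it picks up the final configuration.
system-auth write ad "${DOMAIN}" "${LHOSTNAME}" "${WORKGROUP}" "${ADMIN}" "${ADMINPASS}"
service sssd stop
sed -i 's/ad_gpo_access_control = permissive/ad_gpo_access_control = disabled/g' /etc/sssd/sssd.conf
service sssd start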
Отключение
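#!/bin/bash
# Undo the domain join made by the enable script: put the "<file>_" backups it
# created back in place and restart the affected services. Must be run as root.

#######################################
# Restore one config file from its "<file>_" backup.
# Arguments: $1 - path of the config file to restore
# Outputs:   an error on stderr when the backup is missing
# Returns:   0 when the file was restored, 1 when no backup exists
#######################################
restore() {
  local target=$1
  local backup="${target}_"
  # Report a missing backup instead of letting cp fail quietly, so a partly
  # restored system is noticed.
  if [ ! -f "${backup}" ]; then
    printf 'backup %s not found, %s left unchanged\n' "${backup}" "${target}" >&2
    return 1
  fi
  cp -- "${backup}" "${target}"
}

service sssd stop
restore /etc/nsswitch.conf
service nscd restart
restore /etc/krb5.conf
restore /etc/samba/smb.conf
restore /etc/sssd/sssd.conf
service smb restart
service nmb restart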