Active Directory: различия между версиями

Материал из IT в школе
Перейти к навигацииПерейти к поиску
 
(не показана 1 промежуточная версия этого же участника)
Строка 1: Строка 1:




Строка 7: Строка 9:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
#!/bin/bash
#!/bin/bash
SCHOOL=648
SCHOOL=648
LDOMAIN="sao.obr.mos.ru"
LDOMAIN="sao.obr.mos.ru"
ADMIN="kekaloav"
ADMIN="kekaloav"
ADMINPASS="pass"
ADMINPASS='pass'
DOMAIN="`echo ${LDOMAIN} | awk '{print toupper($0)}'`"
DOMAIN="`echo ${LDOMAIN} | awk '{print toupper($0)}'`"
LHOSTNAME="`hostname`"
LHOSTNAME="`hostname`"
Строка 16: Строка 19:


service sssd stop
service sssd stop
rm -rf /etc/sssd
apt-get -y install samba-common-tools sssd-ad task-auth-ad-sssd samba-client cifs-utils systemd-settings-enable-kill-user-processes
apt-get -y reinstall sssd-ad
cp /etc/nsswitch.conf /etc/sssd/nsswitch.conf_
apt-get -y install samba-common-tools task-auth-ad-sssd samba-client pam_mount cifs-utils systemd-settings-enable-kill-user-processes
cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_
cp /etc/krb5.conf /etc/krb5.conf_
cp /etc/krb5.conf /etc/krb5.conf_
cp /etc/samba/smb.conf /etc/samba/smb.conf_
cp /etc/samba/smb.conf /etc/samba/smb.conf_
cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_
cp /etc/nsswitch.conf /etc/nsswitch.conf_
echo -e "[logging]\n\n[libdefaults]\ndefault_realm = ${DOMAIN}\ndns_lookup_kdc = true\ndns_lookup_realm = false\nticket_lifetime = 24h\nrenew_lifetime = 7d\nforwardable = true\nrdns = false\ndefault_ccache_name = KEYRING:persistent:%{uid}" > /etc/krb5.conf
echo -e "[logging]\n\n[libdefaults]\ndefault_realm = ${DOMAIN}\ndns_lookup_kdc = true\ndns_lookup_realm = false\nticket_lifetime = 24h\nrenew_lifetime = 7d\nforwardable = true\nrdns = false\ndefault_ccache_name = KEYRING:persistent:%{uid}" > /etc/krb5.conf
echo -e "[global]\nsecurity = ads\nrealm = ${DOMAIN}\nworkgroup = ${DOMAIN:0:3}\nnetbios name = ${HOSTNAME}\ntemplate shell = /bin/bash\nkerberos method = system keytab\nwins support = no\nwinbind use default domain = yes\ninbind enum users = no\nwinbind enum groups = no\ntemplate homedir = /home/${DOMAIN}/%U\nidmap config * : range = 200000-2000200000\nidmap config * : backend = sss\nmachine password timeout = 0\n[homes]\nbrowseable = no\nwritable = yes\n[printers]\ncomment = All Printers\npath = /var/spool/samba\nbrowseable = no\nguest ok = no\nwritable = no\nprintable = yes\n" > /etc/samba/smb.conf
echo -n "[global]\nsecurity = ads\nrealm = ${DOMAIN}\nworkgroup = ${DOMAIN:0:3}\nnetbios name = ${HOSTNAME}\ntemplate shell = /bin/bash\nkerberos method = system keytab\nwins support = no\nwinbind use default domain = yes\ninbind enum users = no\nwinbind enum groups = no\ntemplate homedir = /home/${DOMAIN}/%U\nidmap config * : range = 200000-2000200000\nidmap config * : backend = sss\nmachine password timeout = 0\n[homes]\nbrowseable = no\nwritable = yes\n[printers]\ncomment = All Printers\npath = /var/spool/samba\nbrowseable = no\nguest ok = no\nwritable = no\nprintable = yes\n" > /etc/samba/smb.conf


if [ -z "`cat /etc/pam.d/system-auth | grep 'pam_mount.so disable_interactive'`" ] ; then
if [ -z "`cat /etc/pam.d/system-auth | grep 'pam_mount.so disable_interactive'`" ] ; then
Строка 36: Строка 36:
fi
fi


sed -i 's/^passwd:.*/passwd: files sss/g' /etc/nsswitch.conf
system-auth write ad ${DOMAIN} ${LHOSTNAME} ${DOMAIN:0:3} ${ADMIN} ${ADMINPASS}
sed -i 's/^shadow:.*/shadow: tcb files sss/g' /etc/nsswitch.conf
sed -i 's/^group:.*/group: files [SUCCESS=merge] sss role/g' /etc/nsswitch.conf
service nscd restart


net ads join -U ${ADMIN} --password ${ADMINPASS}
service sssd stop
 
sed -i 's/ad_gpo_access_control = permissive/ad_gpo_access_control = disabled/g' /etc/sssd/sssd.conf
mkdir /etc/sssd
echo -e "[sssd]\nconfig_file_version = 2\nservices = nss, pam\n\ndomains = ${DOMAIN}\ndebug_level = 1\n\nuser = _sssd\n\n[nss]\n\n[pam]\n\n[domain/${DOMAIN}]\nid_provider = ad\nauth_provider = ad\nchpass_provider = ad\n;ldap_id_mapping = False\ndefault_shell = /bin/bash\nfallback_homedir = /home/%d/%u\nad_gpo_ignore_unreadable = true\nad_gpo_access_control = disables\n cache_credentials = false\ndyndnd_update_ptr = true\n dyndns_update=false\n" > /etc/sssd/sssd.conf
chown root:_sssd /etc/sssd
chmod 750 /etc/sssd
chmod 600 /etc/sssd/sssd.conf
service sssd start
service sssd start
</syntaxhighlight>Отключение<syntaxhighlight lang="bash">
#!/bin/bash
service sssd stop
cp /etc/nsswitch.conf_ /etc/nsswitch.conf
service nscd restart
cp /etc/krb5.conf_ /etc/krb5.conf
cp /etc/samba/smb.conf_ /etc/samba/smb.conf
cp /etc/sssd/sssd.conf_ /etc/sssd/sssd.conf
service smb restart
service nmb restart
</syntaxhighlight>
</syntaxhighlight>
[[Категория:МОС]]
[[Категория:МОС]]

Текущая версия на 21:31, 26 января 2023



Скрипт запускается от рута, устанавливает недостающие пакеты, вносит изменения в конфиги и подключает ПК c МОС к домену с целью авторизации (без применения политик) . Также для доменных пользователей настраивается автоматическое монтирование доменных дисков при входе

бета версия. 

#!/bin/bash

SCHOOL=648
LDOMAIN="sao.obr.mos.ru"
ADMIN="kekaloav"
ADMINPASS='pass'
DOMAIN="`echo ${LDOMAIN} | awk '{print toupper($0)}'`"
LHOSTNAME="`hostname`"
HOSTNAME="`echo ${LHOSTNAME} | awk '{print toupper($0)}'`"

service sssd stop
apt-get -y install samba-common-tools sssd-ad task-auth-ad-sssd samba-client cifs-utils systemd-settings-enable-kill-user-processes
cp /etc/nsswitch.conf /etc/sssd/nsswitch.conf_
cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_
cp /etc/krb5.conf /etc/krb5.conf_
cp /etc/samba/smb.conf /etc/samba/smb.conf_
echo -e "[logging]\n\n[libdefaults]\ndefault_realm = ${DOMAIN}\ndns_lookup_kdc = true\ndns_lookup_realm = false\nticket_lifetime = 24h\nrenew_lifetime = 7d\nforwardable = true\nrdns = false\ndefault_ccache_name = KEYRING:persistent:%{uid}" > /etc/krb5.conf
echo -n "[global]\nsecurity = ads\nrealm = ${DOMAIN}\nworkgroup = ${DOMAIN:0:3}\nnetbios name = ${HOSTNAME}\ntemplate shell = /bin/bash\nkerberos method = system keytab\nwins support = no\nwinbind use default domain = yes\ninbind enum users = no\nwinbind enum groups = no\ntemplate homedir = /home/${DOMAIN}/%U\nidmap config * : range = 200000-2000200000\nidmap config * : backend = sss\nmachine password timeout = 0\n[homes]\nbrowseable = no\nwritable = yes\n[printers]\ncomment = All Printers\npath = /var/spool/samba\nbrowseable = no\nguest ok = no\nwritable = no\nprintable = yes\n" > /etc/samba/smb.conf

if [ -z "`cat /etc/pam.d/system-auth | grep 'pam_mount.so disable_interactive'`" ] ; then
echo -e "\n\nsession    [success=1 default=ignore] pam_succeed_if.so  service = systemd-user quiet\nsession     optional pam_mount.so disable_interactive\n" >>  /etc/pam.d/system-auth
fi

if [ -z "`cat /etc/security/pam_mount.conf.xml | grep 'obr.mos.ru'`" ] ; then
sed -i '/Volume definitions/a <volume uid="10000-2000200000" fstype="cifs" server="sch-'"${SCHOOL}"'-1-fs.'"${LDOMAIN:0:3}"'.obr.mos.ru" path="Share" mountpoint="~/share" options="sec=krb5,cruid=%(USERUID),nounix,uid=%(USERUID),gid=%(USERGID),file_mode=0664,dir_mode=0775" />' /etc/security/pam_mount.conf.xml 
sed -i '/Volume definitions/a <volume uid="10000-2000200000" fstype="cifs" server="sch-'"${SCHOOL}"'-1-fs.'"${LDOMAIN:0:3}"'.obr.mos.ru" path="HOME/%(USER)" mountpoint="~/home" options="sec=krb5,cruid=%(USERUID),nounix,uid=%(USERUID),gid=%(USERGID),file_mode=0664,dir_mode=0775" />' /etc/security/pam_mount.conf.xml 
fi

system-auth write ad ${DOMAIN} ${LHOSTNAME} ${DOMAIN:0:3} ${ADMIN} ${ADMINPASS}

service sssd stop
sed -i 's/ad_gpo_access_control = permissive/ad_gpo_access_control = disabled/g' /etc/sssd/sssd.conf
service sssd start

Отключение

#!/bin/bash
service sssd stop
cp /etc/nsswitch.conf_ /etc/nsswitch.conf
service nscd restart
cp /etc/krb5.conf_ /etc/krb5.conf
cp /etc/samba/smb.conf_ /etc/samba/smb.conf
cp /etc/sssd/sssd.conf_ /etc/sssd/sssd.conf
service smb restart
service nmb restart
Источник — https://it-help-school.ru/index.php?title=Active_Directory&oldid=602