Active Directory
Материал из IT в школе
Версия от 14:43, 26 января 2023; Kekaloav (обсуждение | вклад)
Скрипт запускается от рута, устанавливает недостающие пакеты, вносит изменения в конфиги и подключает ПК c МОС к домену с целью авторизации (без применения политик) . Также для доменных пользователей настраивается автоматическое монтирование доменных дисков при входе
бета версия.
#!/bin/bash
#!/bin/bash
SCHOOL=648
LDOMAIN="xxx.obr.mos.ru"
ADMIN="user"
ADMINPASS="pass"
DOMAIN="`echo ${LDOMAIN} | awk '{print toupper($0)}'`"
LHOSTNAME="`hostname`"
HOSTNAME="`echo ${LHOSTNAME} | awk '{print toupper($0)}'`"
service sssd stop
rm -rf /etc/sssd
apt-get -y reinstall sssd-ad
apt-get -y install samba-common-tools task-auth-ad-sssd samba-client pam_mount cifs-utils systemd-settings-enable-kill-user-processes
cp /etc/krb5.conf /etc/krb5.conf_
cp /etc/samba/smb.conf /etc/samba/smb.conf_
echo -e "[logging]\n\n[libdefaults]\ndefault_realm = ${DOMAIN}\ndns_lookup_kdc = true\ndns_lookup_realm = false\nticket_lifetime = 24h\nrenew_lifetime = 7d\nforwardable = true\nrdns = false\ndefault_ccache_name = KEYRING:persistent:%{uid}" > /etc/krb5.conf
echo -e "[global]\nsecurity = ads\nrealm = ${DOMAIN}\nworkgroup = ${DOMAIN:0:3}\nnetbios name = ${HOSTNAME}\ntemplate shell = /bin/bash\nkerberos method = system keytab\nwins support = no\nwinbind use default domain = yes\ninbind enum users = no\nwinbind enum groups = no\ntemplate homedir = /home/${DOMAIN}/%U\nidmap config * : range = 200000-2000200000\nidmap config * : backend = sss\nmachine password timeout = 0\n[homes]\nbrowseable = no\nwritable = yes\n[printers]\ncomment = All Printers\npath = /var/spool/samba\nbrowseable = no\nguest ok = no\nwritable = no\nprintable = yes\n" > /etc/samba/smb.conf
if [ -z "`cat /etc/pam.d/system-auth | grep 'pam_mount.so disable_interactive'`" ] ; then
echo -e "\n\nsession [success=1 default=ignore] pam_succeed_if.so service = systemd-user quiet\nsession optional pam_mount.so disable_interactive\n" >> /etc/pam.d/system-auth
fi
if [ -z "`cat /etc/security/pam_mount.conf.xml | grep 'obr.mos.ru'`" ] ; then
sed -i '/Volume definitions/a <volume uid="10000-2000200000" fstype="cifs" server="sch-'"${SCHOOL}"'-1-fs.'"${LDOMAIN:0:3}"'.obr.mos.ru" path="Share" mountpoint="~/share" options="sec=krb5,cruid=%(USERUID),nounix,uid=%(USERUID),gid=%(USERGID),file_mode=0664,dir_mode=0775" />' /etc/security/pam_mount.conf.xml
sed -i '/Volume definitions/a <volume uid="10000-2000200000" fstype="cifs" server="sch-'"${SCHOOL}"'-1-fs.'"${LDOMAIN:0:3}"'.obr.mos.ru" path="HOME/%(USER)" mountpoint="~/home" options="sec=krb5,cruid=%(USERUID),nounix,uid=%(USERUID),gid=%(USERGID),file_mode=0664,dir_mode=0775" />' /etc/security/pam_mount.conf.xml
fi
sed -i 's/^passwd:.*/passwd: files sss/g' /etc/nsswitch.conf
sed -i 's/^shadow:.*/shadow: tcb files sss/g' /etc/nsswitch.conf
sed -i 's/^group:.*/group: files [SUCCESS=merge] sss role/g' /etc/nsswitch.conf
service nscd restart
net ads join -U ${ADMIN} --password ${ADMINPASS}
mkdir /etc/sssd
echo -e "[sssd]\nconfig_file_version = 2\nservices = nss, pam\n\ndomains = ${DOMAIN}\ndebug_level = 1\n\nuser = _sssd\n\n[nss]\n\n[pam]\n\n[domain/${DOMAIN}]\nid_provider = ad\nauth_provider = ad\nchpass_provider = ad\n;ldap_id_mapping = False\ndefault_shell = /bin/bash\nfallback_homedir = /home/%d/%u\nad_gpo_ignore_unreadable = true\nad_gpo_access_control = disables\n cache_credentials = false\ndyndnd_update_ptr = true\n dyndns_update=false\n" > /etc/sssd/sssd.conf
chown root:_sssd /etc/sssd
chmod 750 /etc/sssd
chmod 600 /etc/sssd/sssd.conf
service sssd start
