Active Directory: различия между версиями

нет описания правки
 
Строка 1: Строка 1:




Строка 8: Строка 9:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
#!/bin/bash
#!/bin/bash
SCHOOL=648
SCHOOL=648
LDOMAIN="sao.obr.mos.ru"
LDOMAIN="sao.obr.mos.ru"
ADMIN="kekaloav"
ADMIN="kekaloav"
ADMINPASS="pass"
ADMINPASS='pass'
DOMAIN="`echo ${LDOMAIN} | awk '{print toupper($0)}'`"
DOMAIN="`echo ${LDOMAIN} | awk '{print toupper($0)}'`"
LHOSTNAME="`hostname`"
LHOSTNAME="`hostname`"
Строка 17: Строка 19:


service sssd stop
service sssd stop
rm -rf /etc/sssd
apt-get -y install samba-common-tools sssd-ad task-auth-ad-sssd samba-client cifs-utils systemd-settings-enable-kill-user-processes
apt-get -y reinstall sssd-ad
cp /etc/nsswitch.conf /etc/sssd/nsswitch.conf_
apt-get -y install samba-common-tools task-auth-ad-sssd samba-client pam_mount cifs-utils systemd-settings-enable-kill-user-processes
cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_
cp /etc/krb5.conf /etc/krb5.conf_
cp /etc/krb5.conf /etc/krb5.conf_
cp /etc/samba/smb.conf /etc/samba/smb.conf_
cp /etc/samba/smb.conf /etc/samba/smb.conf_
cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf_
cp /etc/nsswitch.conf /etc/nsswitch.conf_
echo -e "[logging]\n\n[libdefaults]\ndefault_realm = ${DOMAIN}\ndns_lookup_kdc = true\ndns_lookup_realm = false\nticket_lifetime = 24h\nrenew_lifetime = 7d\nforwardable = true\nrdns = false\ndefault_ccache_name = KEYRING:persistent:%{uid}" > /etc/krb5.conf
echo -e "[logging]\n\n[libdefaults]\ndefault_realm = ${DOMAIN}\ndns_lookup_kdc = true\ndns_lookup_realm = false\nticket_lifetime = 24h\nrenew_lifetime = 7d\nforwardable = true\nrdns = false\ndefault_ccache_name = KEYRING:persistent:%{uid}" > /etc/krb5.conf
echo -e "[global]\nsecurity = ads\nrealm = ${DOMAIN}\nworkgroup = ${DOMAIN:0:3}\nnetbios name = ${HOSTNAME}\ntemplate shell = /bin/bash\nkerberos method = system keytab\nwins support = no\nwinbind use default domain = yes\ninbind enum users = no\nwinbind enum groups = no\ntemplate homedir = /home/${DOMAIN}/%U\nidmap config * : range = 200000-2000200000\nidmap config * : backend = sss\nmachine password timeout = 0\n[homes]\nbrowseable = no\nwritable = yes\n[printers]\ncomment = All Printers\npath = /var/spool/samba\nbrowseable = no\nguest ok = no\nwritable = no\nprintable = yes\n" > /etc/samba/smb.conf
echo -n "[global]\nsecurity = ads\nrealm = ${DOMAIN}\nworkgroup = ${DOMAIN:0:3}\nnetbios name = ${HOSTNAME}\ntemplate shell = /bin/bash\nkerberos method = system keytab\nwins support = no\nwinbind use default domain = yes\ninbind enum users = no\nwinbind enum groups = no\ntemplate homedir = /home/${DOMAIN}/%U\nidmap config * : range = 200000-2000200000\nidmap config * : backend = sss\nmachine password timeout = 0\n[homes]\nbrowseable = no\nwritable = yes\n[printers]\ncomment = All Printers\npath = /var/spool/samba\nbrowseable = no\nguest ok = no\nwritable = no\nprintable = yes\n" > /etc/samba/smb.conf


if [ -z "`cat /etc/pam.d/system-auth | grep 'pam_mount.so disable_interactive'`" ] ; then
if [ -z "`cat /etc/pam.d/system-auth | grep 'pam_mount.so disable_interactive'`" ] ; then
Строка 37: Строка 36:
fi
fi


sed -i 's/^passwd:.*/passwd: files sss/g' /etc/nsswitch.conf
system-auth write ad ${DOMAIN} ${LHOSTNAME} ${DOMAIN:0:3} ${ADMIN} ${ADMINPASS}
sed -i 's/^shadow:.*/shadow: tcb files sss/g' /etc/nsswitch.conf
sed -i 's/^group:.*/group: files [SUCCESS=merge] sss role/g' /etc/nsswitch.conf
service nscd restart


net ads join -U ${ADMIN} --password ${ADMINPASS}
service sssd stop
 
sed -i 's/ad_gpo_access_control = permissive/ad_gpo_access_control = disabled/g' /etc/sssd/sssd.conf
mkdir /etc/sssd
echo -e "[sssd]\nconfig_file_version = 2\nservices = nss, pam\n\ndomains = ${DOMAIN}\ndebug_level = 1\n\nuser = _sssd\n\n[nss]\n\n[pam]\n\n[domain/${DOMAIN}]\nid_provider = ad\nauth_provider = ad\nchpass_provider = ad\n;ldap_id_mapping = False\ndefault_shell = /bin/bash\nfallback_homedir = /home/%d/%u\nad_gpo_ignore_unreadable = true\nad_gpo_access_control = disables\n cache_credentials = false\ndyndnd_update_ptr = true\n dyndns_update=false\n" > /etc/sssd/sssd.conf
chown root:_sssd /etc/sssd
chmod 750 /etc/sssd
chmod 600 /etc/sssd/sssd.conf
service sssd start
service sssd start
</syntaxhighlight>Отключение<syntaxhighlight lang="bash">
</syntaxhighlight>Отключение<syntaxhighlight lang="bash">
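Review bot: The domain join credential is stored as a literal in the script (`ADMINPASS='pass'`) and then passed unquoted on the command line of the join step, `system-auth write ad ${DOMAIN} ${LHOSTNAME} ${DOMAIN:0:3} ${ADMIN} ${ADMINPASS}` in one revision and `net ads join -U ${ADMIN} --password ${ADMINPASS}` in the other. Anyone who fills in the real value leaves it in every saved copy of the script and exposes it in the process list while the command runs, and a password containing spaces or glob characters is split by the shell. I would read it at run time with `read -rs -p 'AD admin password: ' ADMINPASS` and expand it as `"${ADMINPASS}"`; using a join account that is only delegated the right to add computers, rather than a domain administrator, limits what a leaked value allows. Separately, the two printings of the smb.conf line differ only in `echo -e` versus `echo -n`, and the rendered page does not mark which is the new side. With `-n`, bash's builtin echo by default writes the `\n` sequences literally and produces a one-line smb.conf, so `-e` (or `printf`) is the form to keep.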
