[Linux] Script pour joindre une machine Ubuntu 16.04 à un serveur AD

 

Script pour joindre une machine Ubuntu 16.04 à un serveur AD

 

 

/!\ Les champs en orange sont à remplacer

 

Héberger le script sur un dépôt Git et lancer la commande suivante en root

# bash <(curl http://mongit.domaine.tld/script_ubuntu1604)

 

Le contenu de script_ubuntu1604

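#!/bin/bash
#
# Join an Ubuntu 16.04 machine to an Active Directory domain.
#
# Steps, in order: create a local fallback administrator, install the
# Samba/Winbind/Kerberos packages, rewrite NTP, /etc/hosts, krb5.conf,
# smb.conf, pam_winbind.conf, the nss_updatedb cron entry, NSS, PAM, sudo and
# lightdm configuration, and join the domain with an AD service account.
#
# Must be run as root. Every value in the "site settings" section is a
# placeholder (the "orange" fields of the article) and must be replaced before
# use. All passwords are prompted for on the terminal: none is hard-coded and
# none is placed on a command line, where it would be visible to every local
# user through `ps`.
set -euo pipefail

# ---- site settings: replace before running ---------------------------------
DOMAIN="domaine.tld"                     # DNS domain, lower case
REALM="DOMAINE.TLD"                      # Kerberos realm, UPPER CASE
WORKGROUP="DOMAINE"                      # NetBIOS domain, UPPER CASE
KDC="192.168.x.x"                        # KDC / admin server address
NTP_SERVERS=("serveurad1.$DOMAIN" "serveurad2.$DOMAIN" "serveurad3.$DOMAIN")
LOCAL_ACCOUNT="compte_local"             # local fallback admin account
AD_JOIN_ACCOUNT="compte_de_service_AD"   # AD account allowed to join machines
SUDO_GROUP="groupe-ldap"                 # AD group granted full sudo
readonly DOMAIN REALM WORKGROUP KDC NTP_SERVERS LOCAL_ACCOUNT AD_JOIN_ACCOUNT SUDO_GROUP

#######################################
# Print an error message on stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Keep a numbered copy of a file before it is modified.
# Arguments: $1 - path of the file to back up (no-op when it does not exist)
# Outputs:   creates "$1.oldN" with the first free N starting at 1
#######################################
backup_file() {
  local file=$1
  local n=1
  [[ -e "$file" ]] || return 0
  while [[ -e "$file.old$n" ]]; do
    n=$((n + 1))
  done
  cp -- "$file" "$file.old$n"
}

#######################################
# Prompt twice for a password without echo and refuse empty or mismatched
# input.
# Arguments: $1 - prompt text
# Outputs:   the password on stdout (prompts and newlines go to stderr)
# Returns:   non-zero via die on empty or mismatched input
#######################################
read_password() {
  local first second
  read -r -s -p "$1" first
  printf '\n' >&2
  read -r -s -p "Confirmer : " second
  printf '\n' >&2
  [[ -n "$first" ]] || die "Mot de passe vide refusé"
  [[ "$first" == "$second" ]] || die "Les mots de passe ne correspondent pas"
  printf '%s' "$first"
}

#######################################
# Insert a line into a PAM file at a fixed line number, once.
# Arguments: $1 - PAM file
#            $2 - line number to insert before (GNU sed "Ni" form)
#            $3 - exact line to insert; skipped when already present
#######################################
pam_insert() {
  local file=$1 line=$2 text=$3
  grep -qF -- "$text" "$file" || sed -i "${line}i${text}" "$file"
}

(( EUID == 0 )) || die "Ce script doit être lancé en root"

# Short host name: strip the domain suffix if the machine already has an FQDN.
h=${HOSTNAME%."$DOMAIN"}
printf '%s\n' "$h"
echo

# Passwords of the local accounts. The original script only prompted for root
# and would have set an empty password on the local account.
passroot=$(read_password "Entrer le mdp du compte 'root' ")
passlocal=$(read_password "Entrer le mdp du compte '$LOCAL_ACCOUNT' ")

# Set local accounts (idempotent: useradd fails when the account exists).
id -u "$LOCAL_ACCOUNT" >/dev/null 2>&1 || useradd "$LOCAL_ACCOUNT"
usermod -aG sudo "$LOCAL_ACCOUNT"

# chpasswd reads "user:password" on stdin, so the secrets never reach argv.
printf '%s:%s\n' root "$passroot" | chpasswd
printf '%s:%s\n' "$LOCAL_ACCOUNT" "$passlocal" | chpasswd
unset passroot passlocal

# Install packages; refresh the index first (the original ran update after).
apt-get -y update
apt-get -y install vim ssh krb5-user samba winbind sudo ntp libpam-ccreds nss-updatedb ntpdate libnss-winbind libpam-winbind krb5-config krb5-locales tmux
apt-get -y install --install-recommends linux-image-generic-hwe-16.04 xserver-xorg-hwe-16.04

# NTP configuration: point the three Ubuntu pool entries at the AD servers.
echo ''
echo '****Configuration NTP****'
backup_file /etc/ntp.conf
file=/etc/ntp.conf
echo ''
echo "**********************Traitement de $file ...******************************"
for idx in 0 1 2; do
  sed -i -e "s/$idx.ubuntu.pool.ntp.org/${NTP_SERVERS[$idx]}/g" "$file"
done

# /etc/hosts: prefix the short name with the FQDN, exactly once, matching
# whole words only so that a host named "web" does not alter "webserver".
backup_file /etc/hosts
echo "Traitement de /etc/hosts ..."
if ! grep -qF -- "$h.$DOMAIN" /etc/hosts; then
  sed -i -e "s/\b$h\b/$h.$DOMAIN $h/g" /etc/hosts
fi

# Kerberos configuration: rewrite the MIT sample realm shipped in krb5.conf.
echo ''
echo '****Configuration de Kerberos****'
backup_file /etc/krb5.conf
file=/etc/krb5.conf
echo ''
echo "**********************Traitement de $file ...******************************"
# The original replaced "kerberos.mit.edu:88" with "192.168.x.x(" — the stray
# "(" would have produced an unparsable kdc entry.
sed -i \
  -e "s/ATHENA.MIT.EDU/$REALM/g" \
  -e "/kdc = kerberos-1.mit.edu:88/d" \
  -e "/kdc = kerberos-2.mit.edu:88/d" \
  -e "s/kerberos.mit.edu:88/$KDC/g" \
  -e "s/kerberos.mit.edu/$KDC/g" \
  -e "s/= mit.edu/= $REALM/g" \
  -e "s/mit.edu/$DOMAIN/g" \
  "$file"

# Samba configuration: the whole [global] section is replaced.
echo ''
echo '****Configuration de Samba****'
echo ''
echo "**********************Traitement de /etc/samba/smb.conf ...******************************"
backup_file /etc/samba/smb.conf
cat <<EOF > /etc/samba/smb.conf
[global]
workgroup = $WORKGROUP
security = ADS
realm = $REALM
encrypt passwords = yes

idmap config *:backend = tdb
idmap config *:range = 16777216-33554431

winbind allow trusted domains = no
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users  = yes
winbind enum groups = yes
winbind refresh tickets = yes
winbind offline logon = yes

username map = /etc/samba/smbusers
log file = /var/log/samba/%m.log
max log size = 50
dns proxy = No
ldap ssl = no
template homedir = /home/$WORKGROUP/%U
template shell = /bin/bash
EOF

# pam_winbind: enable cached logons; appended only once so re-runs do not
# duplicate the [global] section.
if ! grep -q '^cached_login' /etc/security/pam_winbind.conf 2>/dev/null; then
  cat <<EOF >> /etc/security/pam_winbind.conf
#
# Fichier de configuration pam_winbind
#
# /etc/security/pam_winbind.conf
#
[global]
# (nécessite "winbind offline logon = yes" dans smb.conf)
cached_login = yes
EOF
fi

# Reload PAM profiles.
pam-auth-update

# Update the local cache of domain users.
nss_updatedb winbind

# Daily refresh of the cache. A per-user crontab has no "user" column: the
# original entry would have run a command named "root". The entry is fed to
# crontab on stdin instead of going through a stray file named "root" in the
# current directory.
cron_line="0 13 * * * nss_updatedb winbind"
if ! crontab -l 2>/dev/null | grep -qF -- "$cron_line"; then
  { crontab -l 2>/dev/null || true; printf '%s\n' "$cron_line"; } | crontab -
fi

# Join the machine to the AD with the service account. net prompts for the
# password itself; passing "user%password" on the command line would expose
# it to every local user through ps.
net ads join -U "$AD_JOIN_ACCOUNT"

# NSS configuration: add winbind and the local cache db, once.
echo ''
echo "**********************Traitement de /etc/nsswitch.conf ...******************************"
backup_file /etc/nsswitch.conf
if ! grep -qE '^passwd:.*winbind' /etc/nsswitch.conf; then
  sed -i -r -e "s/^((passwd|shadow|group):.*)/\1 winbind db/" /etc/nsswitch.conf
fi

# PAM configuration. The line numbers assume the stock Ubuntu 16.04 files;
# inspect the resulting files if they were edited before. Two inserts at the
# same number leave the second one first, as in the original.
echo ''
echo "**********************Traitement de Pam ...******************************"
pam_insert /etc/pam.d/common-auth 17 $'auth sufficient\tpam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass'
pam_insert /etc/pam.d/common-auth 17 $'auth sufficient\tpam_unix.so nullok_secure'
pam_insert /etc/pam.d/common-account 17 $'account sufficient\tpam_winbind.so'
pam_insert /etc/pam.d/common-account 17 $'account sufficient\tpam_unix.so'
pam_insert /etc/pam.d/common-session 25 $'session required\tpam_mkhomedir.so skel=/etc/skel umask=0022'

# Restart winbind and samba.
echo ''
echo "**********************Restart winbind et samba ...******************************"
service smbd restart
service nmbd restart
service winbind restart

# Sudo configuration: a drop-in under /etc/sudoers.d, validated with visudo
# before it is installed, since a syntax error in sudoers locks every
# administrator out. The ".tmp" suffix keeps sudo from reading the draft.
echo ''
echo "**********************Edit visudo ...******************************"
sudoers_file=/etc/sudoers.d/50-ad-admins
printf '%%%s ALL=(ALL) ALL\n' "$SUDO_GROUP" > "$sudoers_file.tmp"
chmod 0440 "$sudoers_file.tmp"
visudo -cf "$sudoers_file.tmp" || die "Fichier sudoers invalide : $sudoers_file.tmp"
mv -- "$sudoers_file.tmp" "$sudoers_file"

# lightdm configuration: no guest session, manual login field shown. Files are
# overwritten (not appended) so re-runs do not duplicate the sections.
echo ''
echo "**********************Edit lightdm ...******************************"
mkdir -p /etc/lightdm/lightdm.conf.d
cat <<EOF > /etc/lightdm/lightdm.conf.d/50-disable-guest.conf
#
[SeatDefaults]
allow-guest=false
EOF

cat <<EOF > /etc/lightdm/lightdm.conf.d/50-show-manual-login.conf
#
[SeatDefaults]
greeter-show-manual-login=true
EOF

echo 'Configuration Complete!'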

 

 
