diff --git a/ADconnection.sh b/ADconnection.sh index 7764010..e0cd80c 100755 --- a/ADconnection.sh +++ b/ADconnection.sh @@ -10,12 +10,13 @@ ################################################################################################################################## #known bugs: Sometimes the script bugs after AD administrator tries to authenticate, temporary solution is running the script again # a couple of times. if it still is not working see lines 30-39 -#known bugs: see line 31-32 +#known bugs: see line 32-33 #known bugs:sometimes domain discovery fails, it can help canceling the script and re-running it, if not verify dns setting on client, #and on DC, also check that searchname has your domain -# see lines 370-388 for more advanced or specific setups of SSSD -#more Distros will be added during 2019 -#support added for ubutnu 19.04 2019-11-11 +# /etc/sssd/sssd.alternatives for more advanced or specific setups of SSSD +#more Distros will be added during 2020 +#Added support for elementary 01/2020 +#Added support for Ubuntu 20 02/2020 # ~~~~~~~~~~ Environment Setup ~~~~~~~~~~ # NORMAL=$(printf "\033[m") @@ -28,17 +29,14 @@ ################################ fix errors # funktion not called ################ fixerrors(){ -#this funktion is not called in the script : to activate, uncomment line line 31 #fixerrors +#this funktion is not called in the script : to activate, uncomment line line 38 #fixerrors #This funktion installs additional packages due to known issues with Joining and the join hangs after the admin auth sudo add-apt-repository ppa:xtrusia/packagekit-fix sudo apt-get update sudo apt-get install packagekit -MENU_FN -} +PRECHECK_FN #fixerrors -#Realmdupdate11 -#Added support for elementary 01/2020 -#Added support for Ubuntu 20 02/2020 +} ####################### final auth ################################################################## #this section will do the last part, configure sssd, ssh, login session sam files and sudoers# fi_auth(){ @@ -55,50 +53,108 @@ grouPs="null" therealm="null" cauth="null" clear -read -r -p "${RED_TEXT}Do you wish to enable SSH login.group.allowed${END}${NUMBER}(y/n)?${END}" yn - case $yn in - [Yy]* ) sudo echo "Checking if there is any previous configuration" - if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1 -then -echo "Files seems already to be modified, skipping..." -else -echo "NOTICE! /etc/ssh/login.group.allowed will be created. make sure yor local user is in it you you could be banned from login" -echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth -sudo touch /etc/ssh/login.group.allowed admins=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 ) -echo "" -echo "" -read -r -p "Is your current administrator = '$admins' ? (y/n)?" yn - case $yn in - [Yy]* ) sudo echo "$admins" | sudo tee -a /etc/ssh/login.group.allowed;; - [Nn]* ) echo "please type name of current administrator" -read -r -p MYADMIN -sudo echo "$MYADMIN" | sudo tee -a /etc/ssh/login.group.allowed;; - * ) echo "Please answer yes or no.";; - esac -sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed -sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed -sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed -echo "enabled SSH-allow" -fi;; - [Nn]* ) echo "Disabled SSH login.group.allowed" - states1="12";; - * ) echo "Please answer yes or no.";; - esac +sshsec=$( sudo grep SSHSECURE readfile | awk '{print $3}' ) +if [ "$sshsec" = "yes" ] +then + if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1 + then + echo "SSHsecurity Files seems already to be modified, skipping..." + else + echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth + sudo touch /etc/ssh/login.group.allowed + localadmin=$( sudo grep LOCALADMIN readfile | awk '{print $3}' ) + if [ "$localadmin" = "null" ] + then + localadmin=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 ) + else + sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed + sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed + sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed + sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed + echo "enabled SSH-allow" + fi + fi +else +if [ "$sshsec" = "no" ] +then +echo "Skipping SSHSecurity config" +else + read -r -p "${RED_TEXT}Do you wish to enable SSH login.group.allowed${END}${NUMBER}(y/n)?${END}" yn + case $yn in + [Yy]* ) sudo echo "Checking if there is any previous configuration" + if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1 + then + echo " SSHsecurityFiles seems already to be modified, skipping..." + else + echo "NOTICE! /etc/ssh/login.group.allowed will be created. make sure yor local user is in it you you could be banned from login" + echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth + sudo touch /etc/ssh/login.group.allowed + sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed + sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed + sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed + sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed + echo "enabled SSH-allow" + echo "" + echo "" + fi +;; + [Nn]* ) echo "Skipped ssh config" + states1="12";; + esac +fi +fi echo "" echo "-------------------------------------------------------------------------------------------" echo "" -read -r -p "${RED_TEXT}Do you wish to give users on this machine sudo rights?${END}${NUMBER}(y/n)?${END}" yn +givesudo=$( sudo grep SUDOERS readfile | awk '{print $3}' ) +if [ "$givesudo" = "yes" ] +then + if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1 + then + echo "" + echo "sudoers.d/sudoers file seems already to be modified, skipping..." + echo "" + else + disssu=$( sudo grep DISSPROMT readfile | awk '{print $3}' ) + if [ "$disssu" = "yes" ] + then + sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers + sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers + sudo echo "%DOMAIN\ admins ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/domain_admins + #sudo realm permit --groups "$myhost""sudoers" + else + if [ "$disssu" = "no" ] + then + sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers + sudo echo "%$myhost""sudoers ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers + sudo echo "%DOMAIN\ admins ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/domain_admins + #sudo realm permit --groups "$myhost""sudoers" + else + echo "error in readfile config" + sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers + fi + fi + fi +else + if [ "$givesudo" = "no" ] + then + echo "Not giving a sudo" + sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed + echo "Skipping" + states="12" + else + read -r -p "${RED_TEXT}Do you wish to give users on this machine sudo rights?${END}${NUMBER}(y/n)?${END}" yn case $yn in [Yy]* ) sudo echo "Checking if there is any previous configuration" if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1 -then -echo "" -echo "The Sudoers file seems already to be modified, skipping..." -echo "" -else -read -r -p "${RED_TEXT}Do you wish to DISABLE password prompt for users in terminal?${END}${NUMBER}(y/n)?${END}" yn - case $yn in + then + echo "" + echo "The Sudoers file seems already to be modified, skipping..." + echo "" + else + read -r -p "${RED_TEXT}Do you wish to DISABLE password prompt for users in terminal?${END}${NUMBER}(y/n)?${END}" yn + case $yn in [Yy]* ) sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers @@ -125,7 +181,9 @@ fi * ) echo "Please answer yes or no." ;; esac -homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 ) +fi +fi +homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 ) if [ "$homedir" = "0022" ] then echo "pam_mkhomedir.so configured" @@ -181,15 +239,39 @@ sudo echo "#entry_cache_user_timeout = 5400 #ad_enable_gc = False entry_cache_timeout = 600 entry_cache_nowait_percentage = 75 " | sudo tee -a /etc/sssd/sssd.alternatives - sudo service sssd restart sleep 1 clear +usesasl=$( sudo grep USESASL readfile | awk '{print $3}' ) +if [ "$usesasl" = "no" ] +then +echo "Skipping SASL" +else +if [ "$usesasl" = "yes" ] +then +sasl=$( sudo grep LDAPS readfile | awk '{print $3}' ) + if [ "$sasl" = "null" ] + then + echo "You need to specify domaincontroller in readfile" + exit + else + echo "$sasl" + cacer=$( sudo grep CACERT readfile | awk '{print $3}' ) + if ! ls "$cacer" + then echo "No root CA found, check your path to file" + else + echo "Applied config from readfile" + #sed -i "/krb5_realm = /a ldap_uri = $LdapsDC" /etc/sssd/sssd.conf + #sed -i "/krb5_realm = /a ldap_tls_cacert = $cacert" /etc/sssd/sssd.conf + echo "Applied config from readfile" + fi + fi +else echo "For SASL put you company root-ca.cer in /usr/share/ca-certificates/root/ folder" read -r -p "Do you wish to use SASL (LDAPS) (y/n)?" yn case $yn in [Yy]* ) -if [ -f /usr/share/ca-certificates/root/*.cer ] +if [ -f "/usr/share/ca-certificates/root/*.cer" ] then cacert=$( ls /usr/share/ca-certificates/root/ | grep .cer | head -1 ) echo "Type in address of your Domaincontroller: ex: dc01.com" @@ -201,7 +283,7 @@ echo "Found certificate $cacert" read -r -p "Is this information correct (y/n)?" yn case $yn in [Yy]* ) -tlsca=$( cat /etc/sssd/sssd.conf | grep ldap_tls_cacert | awk '{print $1}' ) +tlsca=$( sudo grep ldap_tls_cacert /etc/sssd/sssd.conf | awk '{print $1}' ) if [ "$tlsca" = "ldap_tls_cacert" ] then echo "ldap_tls_cacert already in file" @@ -221,6 +303,8 @@ fi;; [Nn]* )echo "";; * ) echo "Please answer yes or no.";; esac +fi +fi ################################# Check ####################################### if ! sudo service sssd restart then @@ -257,7 +341,7 @@ echo "Checking sudoers groups.. ${INTRO_TEXT}OK${END}" else echo "Checking sudoers groups.. ${RED_TEXT}FAIL${END}" fi -homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3) +homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 ) if [ "$homedir" = "0022" ] < /dev/null > /dev/null 2>&1 then echo "Checking PAM session configuration.. ${INTRO_TEXT}OK${END}" @@ -268,8 +352,8 @@ if [ $states1 = 12 ] then echo "Disabled SSH login.group.allowed" else -cauth=$(grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | awk '{print $1}') -if [ "$cauth" = "allow" ] < /dev/null > /dev/null 2>&1 +cauth=$( grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | awk '{print $1}' | head -1 ) +if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1 then echo "Checking PAM auth configuration.. ${INTRO_TEXT}OK${END}" else @@ -316,50 +400,107 @@ grouPs="null" therealm="null" cauth="null" clear -read -r -p 'Do you wish to enable SSH login.group.allowed (y/n)?' yn - case $yn in - [Yy]* ) sudo echo "Checking if there is any previous configuration" - if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1 -then -echo "Files seems already to be modified, skipping..." -else -echo "NOTICE! /etc/ssh/login.group.allowed will be created. make sure yor local user is in it you you could be banned from login" -echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/sshd -sudo touch /etc/ssh/login.group.allowed admins=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 ) -echo "" -echo "" -read -r -p "Is your current administrator = $admins ? (y/n)?" yn - case $yn in - [Yy]* ) sudo echo "$admins" | sudo tee -a /etc/ssh/login.group.allowed;; - [Nn]* ) echo "please type name of current administrator" -read -r -p MYADMIN -sudo echo "$MYADMIN" | sudo tee -a /etc/ssh/login.group.allowed;; - * ) echo "Please answer yes or no.";; - esac -sudo echo "$myhost""sudoers" | sudo tee -a /etc/ssh/login.group.allowed -sudo echo "domain^admins" | sudo tee -a /etc/ssh/login.group.allowed -sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed -echo "enabled SSH-allow" -fi;; - [Nn]* ) echo "Disabled SSH login.group.allowed" - states1="12";; - * ) echo "Please answer yes or no.";; - esac +sshsec=$( sudo grep SSHSECURE readfile | awk '{print $3}' ) +if [ "$sshsec" = "yes" ] +then + if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1 + then + echo "SSHsecurity Files seems already to be modified, skipping..." + else + echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth + sudo touch /etc/ssh/login.group.allowed + localadmin=$( sudo grep LOCALADMIN readfile | awk '{print $3}' ) + if [ "$localadmin" = "null" ] + then + localadmin=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 ) + else + sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed + sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed + sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed + sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed + echo "enabled SSH-allow" + fi + fi +else +if [ "$sshsec" = "no" ] +then +echo "Skipping SSHSecurity config" +else + read -r -p "Do you wish to enable SSH login.group.allowed(y/n)?" yn + case $yn in + [Yy]* ) sudo echo "Checking if there is any previous configuration" + if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1 + then + echo " SSHsecurityFiles seems already to be modified, skipping..." + else + echo "NOTICE! /etc/ssh/login.group.allowed will be created. make sure yor local user is in it you you could be banned from login" + echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth + sudo touch /etc/ssh/login.group.allowed + sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed + sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed + sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed + sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed + echo "enabled SSH-allow" + echo "" + echo "" + fi +;; + [Nn]* ) echo "Skipped ssh config" + states1="12";; + esac +fi +fi echo "" echo "-------------------------------------------------------------------------------------------" echo "" -read -r -p 'Do you wish to give users on this machine sudo rights?(y/n)?' yn +givesudo=$( sudo grep SUDOERS readfile | awk '{print $3}' ) +if [ "$givesudo" = "yes" ] +then + if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1 + then + echo "" + echo "sudoers.d/sudoers file seems already to be modified, skipping..." + echo "" + else + disssu=$( sudo grep DISSPROMT readfile | awk '{print $3}' ) + if [ "$disssu" = "yes" ] + then + sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers + sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers + sudo echo "%DOMAIN\ admins ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/domain_admins + #sudo realm permit --groups "$myhost""sudoers" + else + if [ "$disssu" = "no" ] + then + sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers + sudo echo "%$myhost""sudoers ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers + sudo echo "%DOMAIN\ admins ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/domain_admins + #sudo realm permit --groups "$myhost""sudoers" + else + sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers + fi + fi + fi +else + if [ "$givesudo" = "no" ] + then + echo "Not giving a sudo" + sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed + echo "Skipping" + states="12" + else + read -r -p "Do you wish to give users on this machine sudo rights?(y/n)?" yn case $yn in [Yy]* ) sudo echo "Checking if there is any previous configuration" if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1 -then -echo "" -echo "The Sudoers file seems already to be modified, skipping..." -echo "" -else -read -r -p 'Do you wish to DISABLE password promt for users in terminal? (y/n)?' yn - case $yn in + then + echo "" + echo "The Sudoers file seems already to be modified, skipping..." + echo "" + else + read -r -p "Do you wish to DISABLE password prompt for users in terminal?(y/n)?" yn + case $yn in [Yy]* ) sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers @@ -367,21 +508,28 @@ sudo echo "%DOMAIN\ admins ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/ #sudo realm permit --groups "$myhost""sudoers" ;; - [Nn]* ) sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers + [Nn]* ) +sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers sudo echo "%$myhost""sudoers ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers sudo echo "%DOMAIN\ admins ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/domain_admins #sudo realm permit --groups "$myhost""sudoers" ;; * ) echo "Please answer yes or no.";; esac -fi;; - [Nn]* ) echo "Disabled sudo rights for users on this machine" +fi +;; + [Nn]* ) + sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers + echo "Disabled sudo rights for users on this machine" echo "" echo "" states="12";; - * ) echo 'Please answer yes or no.';; - esac -homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 ) + * ) echo "Please answer yes or no." + ;; + esac +fi +fi +homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 ) if [ "$homedir" = "0022" ] then echo "pam_mkhomedir.so configured" @@ -409,13 +557,15 @@ sed -i -e 's/use_fully_qualified_names = True/use_fully_qualified_names = False/ sed -i -e 's/access_provider = ad/access_provider = simple/g' /etc/sssd/sssd.conf sed -i -e 's/sudoers: files sss/sudoers: files/g' /etc/nsswitch.conf echo "override_homedir = /home/%d/%u" | sudo tee -a /etc/sssd/sssd.conf -sudo grep -i override /etc/sssd/sssd.conf +sudo sudo grep -i override /etc/sssd/sssd.conf sudo echo "[nss] filter_groups = root filter_users = root reconnection_retries = 3 -entry_cache_timeout = 600 -#entry_cache_user_timeout = 5400 +entry_cache_nowait_percentage = 75" | sudo tee -a /etc/sssd/sssd.conf +sudo sed -i '/krb5_realm =/a entry_cache_group_timeout = 5400' /etc/sssd/sssd.conf +sudo sed -i '/krb5_realm =/a entry_cache_user_timeout = 5400' /etc/sssd/sssd.conf +sudo echo "#entry_cache_user_timeout = 5400 #entry_cache_group_timeout = 5400 #cache_credentials = TRUE ### Added to help with group mapping @@ -427,13 +577,40 @@ entry_cache_timeout = 600 #ldap_search_base = DC=$NetBios,DC=$coms #ldap_group_member = uniquemember #ad_enable_gc = False -entry_cache_nowait_percentage = 75" | sudo tee -a /etc/sssd/sssd.conf +entry_cache_timeout = 600 +entry_cache_nowait_percentage = 75 " | sudo tee -a /etc/sssd/sssd.alternatives +sudo service sssd restart clear +usesasl=$( sudo grep USESASL readfile | awk '{print $3}' ) +if [ "$usesasl" = "no" ] +then +echo "Skipping SASL" +else +if [ "$usesasl" = "yes" ] +then +sasl=$( sudo grep LDAPS readfile | awk '{print $3}' ) + if [ "$sasl" = "null" ] + then + echo "You need to specify domaincontroller in readfile" + exit + else + echo "$sasl" + cacer=$( sudo grep CACERT readfile | awk '{print $3}' ) + if ! ls "$cacer" + then echo "No root CA found, check your path to file" + else + echo "Applied config from readfile" + #sed -i "/krb5_realm = /a ldap_uri = $LdapsDC" /etc/sssd/sssd.conf + #sed -i "/krb5_realm = /a ldap_tls_cacert = $cacert" /etc/sssd/sssd.conf + echo "Applied config from readfile" + fi + fi +else echo "For SASL put you company root-ca.cer in /usr/share/ca-certificates/root/ folder" read -r -p "Do you wish to use SASL (LDAPS) (y/n)?" yn case $yn in [Yy]* ) -if [ -f /usr/share/ca-certificates/root/*.cer ] +if [ -f "/usr/share/ca-certificates/root/*.cer" ] then cacert=$( ls /usr/share/ca-certificates/root/ | grep .cer | head -1 ) echo "Type in address of your Domaincontroller: ex: dc01.com" @@ -445,7 +622,7 @@ echo "Found certificate $cacert" read -r -p "Is this information correct (y/n)?" yn case $yn in [Yy]* ) -tlsca=$( cat /etc/sssd/sssd.conf | grep ldap_tls_cacert | awk '{print $1}' ) +tlsca=$( sudo grep ldap_tls_cacert /etc/sssd/sssd.conf | awk '{print $1}' ) if [ "$tlsca" = "ldap_tls_cacert" ] then echo "ldap_tls_cacert already in file" @@ -453,6 +630,7 @@ tlsca=$( cat /etc/sssd/sssd.conf | grep ldap_tls_cacert | awk '{print $1}' ) else sed -i "/krb5_realm = /a ldap_uri = $LdapsDC" /etc/sssd/sssd.conf sed -i "/krb5_realm = /a ldap_tls_cacert = $cacert" /etc/sssd/sssd.conf + #sed -i -e 's/id_provider = ad/id_provider = ldap/g' /etc/sssd/sssd.conf # failing line: giving no on configured: and user is unable to update password. sudo service sssd restart fi;; [Nn]* )echo "";; @@ -464,6 +642,8 @@ fi;; [Nn]* )echo "";; * ) echo "Please answer yes or no.";; esac +fi +fi ####################### Check ######################### if ! sudo service sssd restart then @@ -498,7 +678,7 @@ echo "Checking sudoers user groups.. OK" else echo "Checking sudoers user groups.. FAIL" fi -homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3) +homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 ) if [ "$homedir" = "0022" ] < /dev/null > /dev/null 2>&1 then echo "Checking PAM configuration.. OK" @@ -509,8 +689,8 @@ if [ "$states1" = "12" ] then echo "Disabled SSH login.group.allowed" else -cauth=$(grep required /etc/pam.d/sshd | grep onerr | grep allow | cut -d '=' -f4 | awk '{print $1}') -if [ "$cauth" = "allow" ] < /dev/null > /dev/null 2>&1 +cauth=$( grep required /etc/pam.d/sshd | grep onerr | grep allow | cut -d '=' -f4 | awk '{print $1}' | head -1 ) +if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1 then echo "Checking PAM auth configuration.. OK" else @@ -644,6 +824,9 @@ sudo echo "${INTRO_TEXT}packages installed${END}" fi echo "hostname is $myhost" echo "Looking for Realms.. please wait" +REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' ) +if [ "$REALM" = "null" ] +then DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}') if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1 then @@ -659,10 +842,14 @@ read -r -p "Do you wish to use it (y/n)?" yn [Yy]* ) echo "";; [Nn]* ) echo "Please enter the domain you wish to join:" - read -r DOMAIN;; + read -r DOMAIN;; * ) echo 'Please answer yes or no.';; esac fi +else +echo "Using Domain: $REALM" +DOMAIN=$(echo "$REALM") +fi NetBios=$(echo "$DOMAIN" | cut -d '.' -f1) clear var=$(lsb_release -a | grep -i release | awk '{print $2}' | cut -d '.' -f1) @@ -767,8 +954,11 @@ clear sudo echo "${INTRO_TEXT}packages installed${END}" fi sleep 1 -DOMAIN=$( realm discover | grep -i realm-name | awk '{print $2}') -if ! ping -c 1 "$DOMAIN" +REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' ) +if [ "$REALM" = "null" ] +then +DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}') +if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1 then clear echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}" @@ -779,13 +969,17 @@ clear echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}" read -r -p "Do you wish to use it (y/n)?" yn case $yn in - [Yy]* ) echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}";; + [Yy]* ) echo "";; [Nn]* ) echo "Please enter the domain you wish to join:" - read -r DOMAIN;; + read -r DOMAIN;; * ) echo 'Please answer yes or no.';; esac fi +else +echo "Using Domain: $REALM" +DOMAIN=$(echo "$REALM") +fi sudo echo "${INTRO_TEXT}Realm= $DOMAIN${END}" sudo echo "${NORMAL}${NORMAL}" echo "${INTRO_TEXT}Please type DomainAdmin user:${END}" @@ -892,15 +1086,15 @@ echo "Checking sudoers users.. ${INTRO_TEXT}OK${END}" else echo "Checking sudoers users.. ${RED_TEXT}FAIL${END}" fi -homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3) +homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 ) if [ "$homedir" = "0022" ] < /dev/null > /dev/null 2>&1 then echo "Checking PAM configuration.. ${INTRO_TEXT}OK${END}" else echo "Checking PAM configuration.. ${RED_TEXT}FAIL${END}" fi -cauth=$(grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | cut -d 'f' -f1) -if [ "$cauth" = "allow" ] < /dev/null > /dev/null 2>&1 +cauth=$( grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | cut -d 'f' -f1 | head -1 ) +if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1 then echo "Checking PAM auth configuration..${INTRO_TEXT}OK${END}" else @@ -956,25 +1150,32 @@ clear sudo echo "${INTRO_TEXT}packages installed${END}" fi echo "hostname is $myhost" +REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' ) +if [ "$REALM" = "null" ] +then DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}') -if ! ping -c 2 "$DOMAIN" >/dev/null +if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1 then clear -echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below...${END}" +echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}" echo "Please enter the domain you wish to join:" read -r DOMAIN else clear -echo "${NUMBER}I searched for an available domain and found $DOMAIN ${END}" +echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}" read -r -p "Do you wish to use it (y/n)?" yn case $yn in - [Yy]* ) echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}";; + [Yy]* ) echo "";; [Nn]* ) echo "Please enter the domain you wish to join:" - read -r DOMAIN;; + read -r DOMAIN;; * ) echo 'Please answer yes or no.';; esac fi +else +echo "Using Domain: $REALM" +DOMAIN=$(echo "$REALM") +fi NetBios=$(echo "$DOMAIN" | cut -d '.' -f1) echo "" echo "${INTRO_TEXT}Please type Admin user:${END}" @@ -1028,25 +1229,32 @@ sudo echo "${INTRO_TEXT}packages installed${END}" fi echo "hostname is $myhost" sleep 1 +REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' ) +if [ "$REALM" = "null" ] +then DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}') -if ! ping -c 2 "$DOMAIN" >/dev/null +if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1 then clear -echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below...${END}" +echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}" echo "Please enter the domain you wish to join:" read -r DOMAIN else clear -echo "${NUMBER}I searched for an available domain and found $DOMAIN ${END}" +echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}" read -r -p "Do you wish to use it (y/n)?" yn case $yn in - [Yy]* ) echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}";; + [Yy]* ) echo "";; [Nn]* ) echo "Please enter the domain you wish to join:" - read -r DOMAIN;; + read -r DOMAIN;; * ) echo 'Please answer yes or no.';; esac fi +else +echo "Using Domain: $REALM" +DOMAIN=$(echo "$REALM") +fi NetBios=$(echo "$DOMAIN" | cut -d '.' -f1) echo "" echo "${INTRO_TEXT}Please type Admin user:${END}" @@ -1206,25 +1414,32 @@ sudo apt-get -qq install -y realmd sssd sssd-tools samba-common krb5-user sudo apt-get -qq install -f -y echo "hostname is $myhost" echo "Looking for Realms.. please wait" +REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' ) +if [ "$REALM" = "null" ] +then DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}') -if ! ping -c 2 "$DOMAIN" >/dev/null +if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1 then clear -echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}" +echo "I searched for an available domain and found nothing, please type your domain manually below..." echo "Please enter the domain you wish to join:" read -r DOMAIN else clear -echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}" +echo "I searched for an available domain and found>>> $DOMAIN <<<" read -r -p "Do you wish to use it (y/n)?" yn case $yn in [Yy]* ) echo "";; [Nn]* ) echo "Please enter the domain you wish to join:" - read -r DOMAIN;; + read -r DOMAIN;; * ) echo 'Please answer yes or no.';; esac fi +else +echo "Using Domain: $REALM" +DOMAIN=$(echo "$REALM") +fi clear echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}" echo "${INTRO_TEXT}Please type Admin user:${END}" @@ -1255,25 +1470,32 @@ sudo apt-get -qq install -y realmd sssd sssd-tools samba-common krb5-user sudo apt-get -qq install -f -y echo "hostname is $myhost" echo "Looking for Realms.. please wait" +REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' ) +if [ "$REALM" = "null" ] +then DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}') -if ! ping -c 2 "$DOMAIN" >/dev/null +if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1 then clear -echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}" +echo "I searched for an available domain and found nothing, please type your domain manually below..." echo "Please enter the domain you wish to join:" read -r DOMAIN else clear -echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}" +echo "I searched for an available domain and found>>> $DOMAIN <<<" read -r -p "Do you wish to use it (y/n)?" yn case $yn in [Yy]* ) echo "";; [Nn]* ) echo "Please enter the domain you wish to join:" - read -r DOMAIN;; + read -r DOMAIN;; * ) echo 'Please answer yes or no.';; esac fi +else +echo "Using Domain: $REALM" +DOMAIN=$(echo "$REALM") +fi clear echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}" echo "${INTRO_TEXT}Please type Admin user:${END}" @@ -1345,15 +1567,15 @@ grouPs=$(grep -i "$myhost" /etc/sudoers.d/sudoers | cut -d '%' -f2 | awk '{print else echo Checking sudoers file.. "${RED_TEXT}FAIL${END}" fi -homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3) +homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 ) if [ "$homedir" -eq "0022" ] < /dev/null > /dev/null 2>&1 then echo Checking PAM configuration.. "${INTRO_TEXT}OK${END}" else echo Checking PAM configuration.. "${RED_TEXT}FAIL${END}" fi -cauth=$(grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | cut -d 'f' -f1) -if [ "$cauth" = "allow" ] < /dev/null > /dev/null 2>&1 +cauth=$( grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | cut -d 'f' -f1 | head -1 ) +if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1 then echo Checking PAM auth configuration.. "${INTRO_TEXT}OK${END}" else @@ -1381,7 +1603,7 @@ echo "" fi echo "-------------------------------------------------------------------------------------" echo "" -if ! realm discover $therealm +if ! realm discover "$therealm" then echo "realm not found" else @@ -1418,7 +1640,7 @@ else echo "Checking sudoers file.. FAIL not configured" fi fi -homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3) +homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 ) if [ "$homedir" = "0022" ] < /dev/null > /dev/null 2>&1 then echo "Checking PAM configuration.. OK" @@ -1950,11 +2172,14 @@ sudo echo "${INTRO_TEXT}packages installed${END}" fi echo "hostname is $myhost" echo "Looking for Realms.. please wait" +REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' ) +if [ "$REALM" = "null" ] +then DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}') -if ! ping -c 2 "$DOMAIN" >/dev/null +if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1 then clear -echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below...${END}" +echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}" echo "Please enter the domain you wish to join:" read -r DOMAIN else @@ -1965,10 +2190,14 @@ read -r -p "Do you wish to use it (y/n)?" yn [Yy]* ) echo "";; [Nn]* ) echo "Please enter the domain you wish to join:" - read -r DOMAIN;; + read -r DOMAIN;; * ) echo 'Please answer yes or no.';; esac fi +else +echo "Using Domain: $REALM" +DOMAIN=$(echo "$REALM") +fi NetBios=$(echo "$DOMAIN" | cut -d '.' -f1) clear var=$(lsb_release -a | grep -i release | awk '{print $2}' | cut -d '.' -f1) diff --git a/readfile b/readfile index 8b2b288..419a390 100644 --- a/readfile +++ b/readfile @@ -1,6 +1,12 @@ -2020-03-24 # Work in progress -SASL = null # Address of domaincontroller +# "null" is for manual setup and will result in promts. misconfuguration will result in skipping that config and giving promts. +################ Config #################### +DOMAIN = null # insert domain name ex:domain.com leave null for autodiscover ( promt ) +################ ldaps config #################### +USESASL = null # yes or no to use SASL +LDAPS = null # Address of domaincontroller CACERT = null # full path and file to CAroot like: /usr/share/ca-certificates/root/myCA.cer -SUDOERS = null # yes or no for adding group in sudoers -SSHSECURE = null # yes or no for for Blocking anyone but aprooved users -SUDOPROMT = null # yes or no for disable sudo promt in terminal +################ auth config #################### +LOCALADMIN = null # name of the user for the local account # like :administrator #null sets administrator as default user +SUDOERS = null # yes or no for adding group in sudoers #null for manual setup +SSHSECURE = null # yes or no for for Blocking anyone but aprooved users #null for manual setup +DISSPROMT = null # yes or no for disable sudo promt in terminal