Merge pull request #18 from PierreGode/readfile

Readfile

ADconnection.sh

@@ -10,12 +10,13 @@
 ##################################################################################################################################
 #known bugs: Sometimes the script bugs after AD administrator tries to authenticate, temporary solution is running the script again
 # a couple of times. if it still is not working see lines 30-39
-#known bugs: see line 31-32
+#known bugs: see line 32-33
 #known bugs:sometimes domain discovery fails, it can help canceling the script and re-running it, if not verify dns setting on client,
 #and on DC, also check that searchname has your domain
-# see lines 370-388 for more advanced or specific setups of SSSD
+# /etc/sssd/sssd.alternatives for more advanced or specific setups of SSSD
-#more Distros will be added during 2019
+#more Distros will be added during 2020
-#support added for ubutnu 19.04 2019-11-11
+#Added support for elementary 01/2020
+#Added support for Ubuntu 20 02/2020
 
 # ~~~~~~~~~~  Environment Setup ~~~~~~~~~~ #
     NORMAL=$(printf "\033[m")
@@ -28,17 +29,14 @@
 
 ################################ fix errors # funktion not called ################
 fixerrors(){
-#this funktion is not called in the script : to activate, uncomment line line 31 #fixerrors
+#this funktion is not called in the script : to activate, uncomment line line 38 #fixerrors
 #This funktion installs additional packages due to known issues with Joining and the join hangs after the admin auth
 sudo add-apt-repository ppa:xtrusia/packagekit-fix
 sudo apt-get update
 sudo apt-get install packagekit
-MENU_FN
+PRECHECK_FN
-}
 #fixerrors
-#Realmdupdate11
+}
-#Added support for elementary 01/2020
-#Added support for Ubuntu 20 02/2020
 ####################### final auth ##################################################################
 #this section will do the last part, configure sssd, ssh, login session sam files and sudoers#
 fi_auth(){
@@ -55,50 +53,108 @@ grouPs="null"
 therealm="null"
 cauth="null"
 clear
-read -r -p "${RED_TEXT}Do you wish to enable SSH login.group.allowed${END}${NUMBER}(y/n)?${END}" yn
-   case $yn in
-    [Yy]* ) sudo echo "Checking if there is any previous configuration"
-	if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1
-then
-echo "Files seems already to be modified, skipping..."
-else
-echo "NOTICE! /etc/ssh/login.group.allowed will be created. make sure yor local user is in it you you could be banned from login"
-echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth
-sudo touch /etc/ssh/login.group.allowed
 admins=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 )
-echo ""
+sshsec=$( sudo grep SSHSECURE readfile | awk '{print $3}' )
-echo ""
+if [ "$sshsec" = "yes" ]
-read -r -p "Is your current administrator = '$admins' ? (y/n)?" yn
+then
-   case $yn in
+  if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1
-    [Yy]* ) sudo echo "$admins"  | sudo tee -a /etc/ssh/login.group.allowed;;
+  then
-    [Nn]* ) echo "please type name of current administrator"
+  echo "SSHsecurity Files seems already to be modified, skipping..."
-read -r -p MYADMIN
+  else
-sudo echo "$MYADMIN" | sudo tee -a /etc/ssh/login.group.allowed;;
+  echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth
-    * ) echo "Please answer yes or no.";;
+  sudo touch /etc/ssh/login.group.allowed
-   esac
+  localadmin=$( sudo grep LOCALADMIN readfile | awk '{print $3}' )
-sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed
+    if [ "$localadmin" = "null" ]
-sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed
+    then
-sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed
+    localadmin=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 )
-echo "enabled SSH-allow"
+    else
-fi;;
+    sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed
-    [Nn]* ) echo "Disabled SSH login.group.allowed"
+    sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed
-    states1="12";;
+    sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed
-    * ) echo "Please answer yes or no.";;
+    sudo echo "$localadmin"  | sudo tee -a /etc/ssh/login.group.allowed
-   esac
+    echo "enabled SSH-allow"
+    fi
+  fi
+else
+if [ "$sshsec" = "no" ]
+then
+echo "Skipping SSHSecurity config"
+else
+      read -r -p "${RED_TEXT}Do you wish to enable SSH login.group.allowed${END}${NUMBER}(y/n)?${END}" yn
+    case $yn in
+        [Yy]* ) sudo echo "Checking if there is any previous configuration"
+        if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1
+        then
+        echo " SSHsecurityFiles seems already to be modified, skipping..."
+        else
+        echo "NOTICE! /etc/ssh/login.group.allowed will be created. make sure yor local user is in it you you could be banned from login"
+        echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth
+        sudo touch /etc/ssh/login.group.allowed
+        sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed
+        sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed
+        sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed
+        sudo echo "$localadmin"  | sudo tee -a /etc/ssh/login.group.allowed
+        echo "enabled SSH-allow"
+        echo ""
+        echo ""
+        fi
+;;
+        [Nn]* ) echo "Skipped ssh config"
+        states1="12";;
+    esac
+fi
+fi
 echo ""
 echo "-------------------------------------------------------------------------------------------"
 echo ""
-read -r -p "${RED_TEXT}Do you wish to give users on this machine sudo rights?${END}${NUMBER}(y/n)?${END}" yn
+givesudo=$( sudo grep SUDOERS readfile | awk '{print $3}' )
+if [ "$givesudo" = "yes" ]
+then
+	if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1
+    then
+    echo ""
+    echo "sudoers.d/sudoers file seems already to be modified, skipping..."
+    echo ""
+    else
+      disssu=$( sudo grep DISSPROMT readfile | awk '{print $3}' )
+      if [ "$disssu" = "yes" ]
+      then
+      sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
+      sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
+      sudo echo "%DOMAIN\ admins ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/domain_admins
+      #sudo realm permit --groups "$myhost""sudoers"
+      else
+        if [ "$disssu" = "no" ]
+        then
+        sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
+        sudo echo "%$myhost""sudoers ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
+        sudo echo "%DOMAIN\ admins ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/domain_admins
+        #sudo realm permit --groups "$myhost""sudoers"
+        else
+        echo "error in readfile config"
+        sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
+        fi
+      fi
+    fi
+else
+  if [ "$givesudo" = "no" ]
+  then
+  echo "Not giving a sudo"
+  sudo echo "$localadmin"  | sudo tee -a /etc/ssh/login.group.allowed
+  echo "Skipping"
+  states="12"
+  else
+   read -r -p "${RED_TEXT}Do you wish to give users on this machine sudo rights?${END}${NUMBER}(y/n)?${END}" yn
    case $yn in
     [Yy]* ) sudo echo "Checking if there is any previous configuration"
 	if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1
-then
+    then
-echo ""
+    echo ""
-echo "The Sudoers file seems already to be modified, skipping..."
+    echo "The Sudoers file seems already to be modified, skipping..."
-echo ""
+    echo ""
-else
+    else
-read -r -p "${RED_TEXT}Do you wish to DISABLE password prompt for users in terminal?${END}${NUMBER}(y/n)?${END}" yn
+    read -r -p "${RED_TEXT}Do you wish to DISABLE password prompt for users in terminal?${END}${NUMBER}(y/n)?${END}" yn
-   case $yn in
+    case $yn in
     [Yy]* )
 sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
 sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
@@ -125,7 +181,9 @@ fi
     * ) echo "Please answer yes or no."
 	;;
 	esac
-homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 )
+fi
+fi
+homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 )
 if [ "$homedir" = "0022" ]
 then
 echo "pam_mkhomedir.so configured"
@@ -181,15 +239,39 @@ sudo echo "#entry_cache_user_timeout = 5400
 #ad_enable_gc = False
 entry_cache_timeout = 600
 entry_cache_nowait_percentage = 75 " | sudo tee -a /etc/sssd/sssd.alternatives
-
 sudo service sssd restart
 sleep 1
 clear
+usesasl=$( sudo grep USESASL readfile | awk '{print $3}' )
+if [ "$usesasl" = "no" ]
+then
+echo "Skipping SASL"
+else
+if [ "$usesasl" = "yes" ]
+then
+sasl=$( sudo grep LDAPS readfile | awk '{print $3}' )
+  if [ "$sasl" = "null" ]
+  then
+  echo "You need to specify domaincontroller in readfile"
+  exit
+  else
+  echo "$sasl"
+  cacer=$( sudo grep CACERT readfile | awk '{print $3}' )
+  if ! ls "$cacer"
+  then echo "No root CA found, check your path to file"
+  else
+  echo "Applied config from readfile"
+  #sed -i "/krb5_realm = /a ldap_uri = $LdapsDC" /etc/sssd/sssd.conf
+  #sed -i "/krb5_realm = /a ldap_tls_cacert = $cacert" /etc/sssd/sssd.conf
+  echo "Applied config from readfile"
+  fi
+  fi
+else
 echo "For SASL put you company root-ca.cer in /usr/share/ca-certificates/root/ folder"
 read -r -p "Do you wish to use SASL (LDAPS) (y/n)?" yn
    case $yn in
     [Yy]* )
-if [ -f /usr/share/ca-certificates/root/*.cer ]
+if [ -f "/usr/share/ca-certificates/root/*.cer" ]
 then
 cacert=$( ls /usr/share/ca-certificates/root/ | grep .cer | head -1 )
 echo "Type in address of your Domaincontroller: ex: dc01.com"
@@ -201,7 +283,7 @@ echo "Found certificate $cacert"
 read -r -p "Is this information correct (y/n)?" yn
    case $yn in
     [Yy]* )
-tlsca=$( cat /etc/sssd/sssd.conf | grep ldap_tls_cacert | awk '{print $1}' )
+tlsca=$( sudo grep ldap_tls_cacert /etc/sssd/sssd.conf | awk '{print $1}' )
  if [ "$tlsca" = "ldap_tls_cacert" ]
  then
  echo "ldap_tls_cacert already in file"
@@ -221,6 +303,8 @@ fi;;
     [Nn]* )echo "";;
     * ) echo "Please answer yes or no.";;
    esac
+fi
+fi
 ################################# Check #######################################
 if ! sudo service sssd restart
 then
@@ -257,7 +341,7 @@ echo "Checking sudoers groups.. ${INTRO_TEXT}OK${END}"
 else
 echo "Checking sudoers groups.. ${RED_TEXT}FAIL${END}"
 fi
-homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3)
+homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 )
 if [ "$homedir" = "0022" ] < /dev/null > /dev/null 2>&1
 then
 echo "Checking PAM session configuration.. ${INTRO_TEXT}OK${END}"
@@ -268,8 +352,8 @@ if [ $states1 = 12 ]
 then
 echo "Disabled SSH login.group.allowed"
 else
-cauth=$(grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | awk '{print $1}')
+cauth=$( grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | awk '{print $1}' | head -1 )
-if [ "$cauth" = "allow" ] < /dev/null > /dev/null 2>&1
+if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1
 then
 echo "Checking PAM auth configuration.. ${INTRO_TEXT}OK${END}"
 else
@@ -316,50 +400,107 @@ grouPs="null"
 therealm="null"
 cauth="null"
 clear
-read -r -p 'Do you wish to enable SSH login.group.allowed (y/n)?' yn
-   case $yn in
-    [Yy]* ) sudo echo "Checking if there is any previous configuration"
-	if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1
-then
-echo "Files seems already to be modified, skipping..."
-else
-echo "NOTICE! /etc/ssh/login.group.allowed will be created. make sure yor local user is in it you you could be banned from login"
-echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/sshd
-sudo touch /etc/ssh/login.group.allowed
 admins=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 )
-echo ""
+sshsec=$( sudo grep SSHSECURE readfile | awk '{print $3}' )
-echo ""
+if [ "$sshsec" = "yes" ]
-read -r -p "Is your current administrator = $admins ? (y/n)?" yn
+then
-   case $yn in
+  if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1
-    [Yy]* ) sudo echo "$admins"  | sudo tee -a /etc/ssh/login.group.allowed;;
+  then
-    [Nn]* ) echo "please type name of current administrator"
+  echo "SSHsecurity Files seems already to be modified, skipping..."
-read -r -p MYADMIN
+  else
-sudo echo "$MYADMIN" | sudo tee -a /etc/ssh/login.group.allowed;;
+  echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth
-    * ) echo "Please answer yes or no.";;
+  sudo touch /etc/ssh/login.group.allowed
-   esac
+  localadmin=$( sudo grep LOCALADMIN readfile | awk '{print $3}' )
-sudo echo "$myhost""sudoers" | sudo tee -a /etc/ssh/login.group.allowed
+    if [ "$localadmin" = "null" ]
-sudo echo "domain^admins" | sudo tee -a /etc/ssh/login.group.allowed
+    then
-sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed
+    localadmin=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 )
-echo "enabled SSH-allow"
+    else
-fi;;
+    sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed
-    [Nn]* ) echo "Disabled SSH login.group.allowed"
+    sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed
-    states1="12";;
+    sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed
-    * ) echo "Please answer yes or no.";;
+    sudo echo "$localadmin"  | sudo tee -a /etc/ssh/login.group.allowed
-   esac
+    echo "enabled SSH-allow"
+    fi
+  fi
+else
+if [ "$sshsec" = "no" ]
+then
+echo "Skipping SSHSecurity config"
+else
+      read -r -p "Do you wish to enable SSH login.group.allowed(y/n)?" yn
+    case $yn in
+        [Yy]* ) sudo echo "Checking if there is any previous configuration"
+        if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1
+        then
+        echo " SSHsecurityFiles seems already to be modified, skipping..."
+        else
+        echo "NOTICE! /etc/ssh/login.group.allowed will be created. make sure yor local user is in it you you could be banned from login"
+        echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth
+        sudo touch /etc/ssh/login.group.allowed
+        sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed
+        sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed
+        sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed
+        sudo echo "$localadmin"  | sudo tee -a /etc/ssh/login.group.allowed
+        echo "enabled SSH-allow"
+        echo ""
+        echo ""
+        fi
+;;
+        [Nn]* ) echo "Skipped ssh config"
+        states1="12";;
+    esac
+fi
+fi
 echo ""
 echo "-------------------------------------------------------------------------------------------"
 echo ""
-read -r -p 'Do you wish to give users on this machine sudo rights?(y/n)?' yn
+givesudo=$( sudo grep SUDOERS readfile | awk '{print $3}' )
+if [ "$givesudo" = "yes" ]
+then
+	if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1
+    then
+    echo ""
+    echo "sudoers.d/sudoers file seems already to be modified, skipping..."
+    echo ""
+    else
+      disssu=$( sudo grep DISSPROMT readfile | awk '{print $3}' )
+      if [ "$disssu" = "yes" ]
+      then
+      sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
+      sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
+      sudo echo "%DOMAIN\ admins ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/domain_admins
+      #sudo realm permit --groups "$myhost""sudoers"
+      else
+        if [ "$disssu" = "no" ]
+        then
+        sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
+        sudo echo "%$myhost""sudoers ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
+        sudo echo "%DOMAIN\ admins ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/domain_admins
+        #sudo realm permit --groups "$myhost""sudoers"
+        else
+        sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
+        fi
+      fi
+    fi
+else
+  if [ "$givesudo" = "no" ]
+  then
+  echo "Not giving a sudo"
+  sudo echo "$localadmin"  | sudo tee -a /etc/ssh/login.group.allowed
+  echo "Skipping"
+  states="12"
+  else
+   read -r -p "Do you wish to give users on this machine sudo rights?(y/n)?" yn
    case $yn in
     [Yy]* ) sudo echo "Checking if there is any previous configuration"
 	if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1
-then
+    then
-echo ""
+    echo ""
-echo "The Sudoers file seems already to be modified, skipping..."
+    echo "The Sudoers file seems already to be modified, skipping..."
-echo ""
+    echo ""
-else
+    else
-read -r -p 'Do you wish to DISABLE password promt for users in terminal? (y/n)?' yn
+    read -r -p "Do you wish to DISABLE password prompt for users in terminal?(y/n)?" yn
-   case $yn in
+    case $yn in
     [Yy]* )
 sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
 sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
@@ -367,21 +508,28 @@ sudo echo "%DOMAIN\ admins ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/
 #sudo realm permit --groups "$myhost""sudoers"
 ;;
 
- [Nn]* ) sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
+ [Nn]* )
+sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
 sudo echo "%$myhost""sudoers ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
 sudo echo "%DOMAIN\ admins ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/domain_admins
 #sudo realm permit --groups "$myhost""sudoers"
 ;;
     * ) echo "Please answer yes or no.";;
    esac
-fi;;
+fi
-    [Nn]* ) echo "Disabled sudo rights for users on this machine"
+;;
+    [Nn]* )
+            sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
+    	    echo "Disabled sudo rights for users on this machine"
     	    echo ""
 	    echo ""
 	    states="12";;
-    * ) echo 'Please answer yes or no.';;
+    * ) echo "Please answer yes or no."
-   esac
+	;;
-homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 )
+	esac
+fi
+fi
+homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 )
 if [ "$homedir" = "0022" ]
 then
 echo "pam_mkhomedir.so configured"
@@ -409,13 +557,15 @@ sed -i -e 's/use_fully_qualified_names = True/use_fully_qualified_names = False/
 sed -i -e 's/access_provider = ad/access_provider = simple/g' /etc/sssd/sssd.conf
 sed -i -e 's/sudoers:        files sss/sudoers:        files/g' /etc/nsswitch.conf
 echo "override_homedir = /home/%d/%u" | sudo tee -a /etc/sssd/sssd.conf
-sudo grep -i override /etc/sssd/sssd.conf
+sudo sudo grep -i override /etc/sssd/sssd.conf
 sudo echo "[nss]
 filter_groups = root
 filter_users = root
 reconnection_retries = 3
-entry_cache_timeout = 600
+entry_cache_nowait_percentage = 75" | sudo tee -a /etc/sssd/sssd.conf
-#entry_cache_user_timeout = 5400
+sudo sed -i '/krb5_realm =/a entry_cache_group_timeout = 5400' /etc/sssd/sssd.conf
+sudo sed -i '/krb5_realm =/a entry_cache_user_timeout = 5400' /etc/sssd/sssd.conf
+sudo echo "#entry_cache_user_timeout = 5400
 #entry_cache_group_timeout = 5400
 #cache_credentials = TRUE
 ### Added to help with group mapping
@@ -427,13 +577,40 @@ entry_cache_timeout = 600
 #ldap_search_base = DC=$NetBios,DC=$coms
 #ldap_group_member = uniquemember
 #ad_enable_gc = False
-entry_cache_nowait_percentage = 75" | sudo tee -a /etc/sssd/sssd.conf
+entry_cache_timeout = 600
+entry_cache_nowait_percentage = 75 " | sudo tee -a /etc/sssd/sssd.alternatives
+sudo service sssd restart
 clear
+usesasl=$( sudo grep USESASL readfile | awk '{print $3}' )
+if [ "$usesasl" = "no" ]
+then
+echo "Skipping SASL"
+else
+if [ "$usesasl" = "yes" ]
+then
+sasl=$( sudo grep LDAPS readfile | awk '{print $3}' )
+  if [ "$sasl" = "null" ]
+  then
+  echo "You need to specify domaincontroller in readfile"
+  exit
+  else
+  echo "$sasl"
+  cacer=$( sudo grep CACERT readfile | awk '{print $3}' )
+  if ! ls "$cacer"
+  then echo "No root CA found, check your path to file"
+  else
+  echo "Applied config from readfile"
+  #sed -i "/krb5_realm = /a ldap_uri = $LdapsDC" /etc/sssd/sssd.conf
+  #sed -i "/krb5_realm = /a ldap_tls_cacert = $cacert" /etc/sssd/sssd.conf
+  echo "Applied config from readfile"
+  fi
+  fi
+else
 echo "For SASL put you company root-ca.cer in /usr/share/ca-certificates/root/ folder"
 read -r -p "Do you wish to use SASL (LDAPS) (y/n)?" yn
    case $yn in
     [Yy]* )
-if [ -f /usr/share/ca-certificates/root/*.cer ]
+if [ -f "/usr/share/ca-certificates/root/*.cer" ]
 then
 cacert=$( ls /usr/share/ca-certificates/root/ | grep .cer | head -1 )
 echo "Type in address of your Domaincontroller: ex: dc01.com"
@@ -445,7 +622,7 @@ echo "Found certificate $cacert"
 read -r -p "Is this information correct (y/n)?" yn
    case $yn in
     [Yy]* )
-tlsca=$( cat /etc/sssd/sssd.conf | grep ldap_tls_cacert | awk '{print $1}' )
+tlsca=$( sudo grep ldap_tls_cacert /etc/sssd/sssd.conf | awk '{print $1}' )
  if [ "$tlsca" = "ldap_tls_cacert" ]
  then
  echo "ldap_tls_cacert already in file"
@@ -453,6 +630,7 @@ tlsca=$( cat /etc/sssd/sssd.conf | grep ldap_tls_cacert | awk '{print $1}' )
  else
  sed -i "/krb5_realm = /a ldap_uri = $LdapsDC" /etc/sssd/sssd.conf
  sed -i "/krb5_realm = /a ldap_tls_cacert = $cacert" /etc/sssd/sssd.conf
+ #sed -i -e 's/id_provider = ad/id_provider = ldap/g' /etc/sssd/sssd.conf # failing line: giving no on configured: and user is unable to update password.
  sudo service sssd restart
  fi;;
     [Nn]* )echo "";;
@@ -464,6 +642,8 @@ fi;;
     [Nn]* )echo "";;
     * ) echo "Please answer yes or no.";;
    esac
+fi
+fi
 ####################### Check #########################
 if ! sudo service sssd restart
 then
@@ -498,7 +678,7 @@ echo "Checking sudoers user groups.. OK"
 else
 echo "Checking sudoers user groups.. FAIL"
 fi
-homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3)
+homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 )
 if [ "$homedir" = "0022" ] < /dev/null > /dev/null 2>&1
 then
 echo "Checking PAM configuration.. OK"
@@ -509,8 +689,8 @@ if [ "$states1" = "12" ]
 then
 echo "Disabled SSH login.group.allowed"
 else
-cauth=$(grep required /etc/pam.d/sshd | grep onerr | grep allow | cut -d '=' -f4 | awk '{print $1}')
+cauth=$( grep required /etc/pam.d/sshd | grep onerr | grep allow | cut -d '=' -f4 | awk '{print $1}' | head -1 )
-if [ "$cauth" = "allow" ] < /dev/null > /dev/null 2>&1
+if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1
 then
 echo "Checking PAM auth configuration.. OK"
 else
@@ -644,6 +824,9 @@ sudo echo "${INTRO_TEXT}packages installed${END}"
 fi
 echo "hostname is $myhost"
 echo "Looking for Realms.. please wait"
+REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
+if [ "$REALM" = "null" ]
+then
 DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
 if ! ping -c 2 "$DOMAIN"   < /dev/null > /dev/null 2>&1
 then
@@ -659,10 +842,14 @@ read -r -p "Do you wish to use it (y/n)?" yn
     [Yy]* ) echo "";;
 
     [Nn]* ) echo "Please enter the domain you wish to join:"
-	read -r DOMAIN;;
+        read -r DOMAIN;;
     * ) echo 'Please answer yes or no.';;
    esac
 fi
+else
+echo "Using Domain: $REALM"
+DOMAIN=$(echo "$REALM")
+fi
 NetBios=$(echo "$DOMAIN" | cut -d '.' -f1)
 clear
 var=$(lsb_release -a | grep -i release | awk '{print $2}' | cut -d '.' -f1)
@@ -767,8 +954,11 @@ clear
 sudo echo "${INTRO_TEXT}packages installed${END}"
 fi
 sleep 1
-DOMAIN=$( realm discover | grep -i realm-name | awk '{print $2}')
+REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
-if ! ping -c 1 "$DOMAIN"
+if [ "$REALM" = "null" ]
+then
+DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
+if ! ping -c 2 "$DOMAIN"   < /dev/null > /dev/null 2>&1
 then
 clear
 echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
@@ -779,13 +969,17 @@ clear
 echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN  <<<${END}${END}"
 read -r -p "Do you wish to use it (y/n)?" yn
    case $yn in
-    [Yy]* ) echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}";;
+    [Yy]* ) echo "";;
 
     [Nn]* ) echo "Please enter the domain you wish to join:"
-	read -r DOMAIN;;
+        read -r DOMAIN;;
     * ) echo 'Please answer yes or no.';;
    esac
 fi
+else
+echo "Using Domain: $REALM"
+DOMAIN=$(echo "$REALM")
+fi
 sudo echo "${INTRO_TEXT}Realm= $DOMAIN${END}"
 sudo echo "${NORMAL}${NORMAL}"
 echo "${INTRO_TEXT}Please type DomainAdmin user:${END}"
@@ -892,15 +1086,15 @@ echo "Checking sudoers users.. ${INTRO_TEXT}OK${END}"
 else
 echo "Checking sudoers users.. ${RED_TEXT}FAIL${END}"
 fi
-homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3)
+homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 )
 if [ "$homedir" = "0022" ] < /dev/null > /dev/null 2>&1
 then
 echo "Checking PAM configuration.. ${INTRO_TEXT}OK${END}"
 else
 echo "Checking PAM configuration.. ${RED_TEXT}FAIL${END}"
 fi
-cauth=$(grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | cut -d 'f' -f1)
+cauth=$( grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | cut -d 'f' -f1 | head -1 )
-if [ "$cauth" = "allow" ] < /dev/null > /dev/null 2>&1
+if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1
 then
 echo "Checking PAM auth configuration..${INTRO_TEXT}OK${END}"
 else
@@ -956,25 +1150,32 @@ clear
 sudo echo "${INTRO_TEXT}packages installed${END}"
 fi
 echo "hostname is $myhost"
+REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
+if [ "$REALM" = "null" ]
+then
 DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
-if ! ping -c 2 "$DOMAIN"  >/dev/null
+if ! ping -c 2 "$DOMAIN"   < /dev/null > /dev/null 2>&1
 then
 clear
-echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below...${END}"
+echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
 echo "Please enter the domain you wish to join:"
 read -r DOMAIN
 else
 clear
-echo "${NUMBER}I searched for an available domain and found $DOMAIN ${END}"
+echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN  <<<${END}${END}"
 read -r -p "Do you wish to use it (y/n)?" yn
    case $yn in
-    [Yy]* ) echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}";;
+    [Yy]* ) echo "";;
 
     [Nn]* ) echo "Please enter the domain you wish to join:"
-	read -r DOMAIN;;
+        read -r DOMAIN;;
     * ) echo 'Please answer yes or no.';;
    esac
 fi
+else
+echo "Using Domain: $REALM"
+DOMAIN=$(echo "$REALM")
+fi
 NetBios=$(echo "$DOMAIN" | cut -d '.' -f1)
 echo ""
 echo "${INTRO_TEXT}Please type Admin user:${END}"
@@ -1028,25 +1229,32 @@ sudo echo "${INTRO_TEXT}packages installed${END}"
 fi
 echo "hostname is $myhost"
 sleep 1
+REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
+if [ "$REALM" = "null" ]
+then
 DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
-if ! ping -c 2 "$DOMAIN"  >/dev/null
+if ! ping -c 2 "$DOMAIN"   < /dev/null > /dev/null 2>&1
 then
 clear
-echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below...${END}"
+echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
 echo "Please enter the domain you wish to join:"
 read -r DOMAIN
 else
 clear
-echo "${NUMBER}I searched for an available domain and found $DOMAIN ${END}"
+echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN  <<<${END}${END}"
 read -r -p "Do you wish to use it (y/n)?" yn
    case $yn in
-    [Yy]* ) echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}";;
+    [Yy]* ) echo "";;
 
     [Nn]* ) echo "Please enter the domain you wish to join:"
-	read -r DOMAIN;;
+        read -r DOMAIN;;
     * ) echo 'Please answer yes or no.';;
    esac
 fi
+else
+echo "Using Domain: $REALM"
+DOMAIN=$(echo "$REALM")
+fi
 NetBios=$(echo "$DOMAIN" | cut -d '.' -f1)
 echo ""
 echo "${INTRO_TEXT}Please type Admin user:${END}"
@@ -1206,25 +1414,32 @@ sudo apt-get -qq install -y realmd sssd sssd-tools samba-common krb5-user
 sudo apt-get -qq install -f -y
 echo "hostname is $myhost"
 echo "Looking for Realms.. please wait"
+REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
+if [ "$REALM" = "null" ]
+then
 DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
-if ! ping -c 2 "$DOMAIN"  >/dev/null
+if ! ping -c 2 "$DOMAIN"   < /dev/null > /dev/null 2>&1
 then
 clear
-echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
+echo "I searched for an available domain and found nothing, please type your domain manually below..."
 echo "Please enter the domain you wish to join:"
 read -r DOMAIN
 else
 clear
-echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN  <<<${END}${END}"
+echo "I searched for an available domain and found>>> $DOMAIN  <<<"
 read -r -p "Do you wish to use it (y/n)?" yn
    case $yn in
     [Yy]* ) echo "";;
 
     [Nn]* ) echo "Please enter the domain you wish to join:"
-	read -r DOMAIN;;
+        read -r DOMAIN;;
     * ) echo 'Please answer yes or no.';;
    esac
 fi
+else
+echo "Using Domain: $REALM"
+DOMAIN=$(echo "$REALM")
+fi
 clear
 echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}"
 echo "${INTRO_TEXT}Please type Admin user:${END}"
@@ -1255,25 +1470,32 @@ sudo apt-get -qq install -y realmd sssd sssd-tools samba-common krb5-user
 sudo apt-get -qq install -f -y
 echo "hostname is $myhost"
 echo "Looking for Realms.. please wait"
+REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
+if [ "$REALM" = "null" ]
+then
 DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
-if ! ping -c 2 "$DOMAIN"  >/dev/null
+if ! ping -c 2 "$DOMAIN"   < /dev/null > /dev/null 2>&1
 then
 clear
-echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
+echo "I searched for an available domain and found nothing, please type your domain manually below..."
 echo "Please enter the domain you wish to join:"
 read -r DOMAIN
 else
 clear
-echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN  <<<${END}${END}"
+echo "I searched for an available domain and found>>> $DOMAIN  <<<"
 read -r -p "Do you wish to use it (y/n)?" yn
    case $yn in
     [Yy]* ) echo "";;
 
     [Nn]* ) echo "Please enter the domain you wish to join:"
-	read -r DOMAIN;;
+        read -r DOMAIN;;
     * ) echo 'Please answer yes or no.';;
    esac
 fi
+else
+echo "Using Domain: $REALM"
+DOMAIN=$(echo "$REALM")
+fi
 clear
 echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}"
 echo "${INTRO_TEXT}Please type Admin user:${END}"
@@ -1345,15 +1567,15 @@ grouPs=$(grep -i "$myhost" /etc/sudoers.d/sudoers | cut -d '%' -f2 | awk '{print
 else
 echo Checking sudoers file.. "${RED_TEXT}FAIL${END}"
 fi
-homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3)
+homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 )
 if [ "$homedir" -eq "0022" ] < /dev/null > /dev/null 2>&1
 then
 echo Checking PAM configuration.. "${INTRO_TEXT}OK${END}"
 else
 echo Checking PAM configuration.. "${RED_TEXT}FAIL${END}"
 fi
-cauth=$(grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | cut -d 'f' -f1)
+cauth=$( grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | cut -d 'f' -f1 | head -1 )
-if [ "$cauth" = "allow" ] < /dev/null > /dev/null 2>&1
+if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1
 then
 echo Checking PAM auth configuration.. "${INTRO_TEXT}OK${END}"
 else
@@ -1381,7 +1603,7 @@ echo ""
 fi
 echo "-------------------------------------------------------------------------------------"
 echo ""
-if ! realm discover $therealm
+if ! realm discover "$therealm"
 then
 echo "realm not found"
 else
@@ -1418,7 +1640,7 @@ else
 echo "Checking sudoers file.. FAIL not configured"
 fi
 fi
-homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3)
+homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 )
 if [ "$homedir" = "0022" ] < /dev/null > /dev/null 2>&1
 then
 echo "Checking PAM configuration.. OK"
@@ -1950,11 +2172,14 @@ sudo echo "${INTRO_TEXT}packages installed${END}"
 fi
 echo "hostname is $myhost"
 echo "Looking for Realms.. please wait"
+REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
+if [ "$REALM" = "null" ]
+then
 DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
-if ! ping -c 2 "$DOMAIN"  >/dev/null
+if ! ping -c 2 "$DOMAIN"   < /dev/null > /dev/null 2>&1
 then
 clear
-echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below...${END}"
+echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
 echo "Please enter the domain you wish to join:"
 read -r DOMAIN
 else
@@ -1965,10 +2190,14 @@ read -r -p "Do you wish to use it (y/n)?" yn
     [Yy]* ) echo "";;
 
     [Nn]* ) echo "Please enter the domain you wish to join:"
-	read -r DOMAIN;;
+        read -r DOMAIN;;
     * ) echo 'Please answer yes or no.';;
    esac
 fi
+else
+echo "Using Domain: $REALM"
+DOMAIN=$(echo "$REALM")
+fi
 NetBios=$(echo "$DOMAIN" | cut -d '.' -f1)
 clear
 var=$(lsb_release -a | grep -i release | awk '{print $2}' | cut -d '.' -f1)

readfile

@@ -1,6 +1,12 @@
-2020-03-24 # Work in progress
+# "null" is for manual setup and will result in promts. misconfuguration will result in skipping that config and giving promts.
-SASL = null  # Address of domaincontroller
+################  Config      ####################
+DOMAIN = null # insert domain name ex:domain.com leave null for autodiscover ( promt )
+################ ldaps config ####################
+USESASL = null # yes or no to use SASL
+LDAPS = null  # Address of domaincontroller
 CACERT = null # full path and file to CAroot like: /usr/share/ca-certificates/root/myCA.cer
-SUDOERS = null # yes or no for adding group in sudoers
+################ auth config  ####################
-SSHSECURE = null # yes or no for for Blocking anyone but aprooved users
+LOCALADMIN = null # name of the user for the local account # like :administrator #null sets administrator as default user
-SUDOPROMT = null # yes or no for disable sudo promt in terminal
+SUDOERS = null # yes or no for adding group in sudoers #null for manual setup
+SSHSECURE = null # yes or no for for Blocking anyone but aprooved users #null for manual setup
+DISSPROMT = null # yes or no for disable sudo promt in terminal