DragonSlayer_14/Linux-Active-Directory-join-script
1
0
Fork 0
mirror of https://github.com/PierreGode/Linux-Active-Directory-join-script.git synced 2025-12-21 08:50:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #18 from PierreGode/readfile

Browse Source 
Readfile
This commit is contained in:
PierreGode 2020-04-03 11:46:38 +02:00 committed by GitHub
commit c2f67ff05d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 380 additions and 145 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

509
ADconnection.sh
View File

@ -10,12 +10,13 @@
##################################################################################################################################
#known bugs: Sometimes the script bugs after AD administrator tries to authenticate, temporary solution is running the script again
# a couple of times. if it still is not working see lines 30-39
#known bugs: see line 31-32
#known bugs: see line 32-33
#known bugs:sometimes domain discovery fails, it can help canceling the script and re-running it, if not verify dns setting on client,
#and on DC, also check that searchname has your domain
# see lines 370-388 for more advanced or specific setups of SSSD
#more Distros will be added during 2019
#support added for ubutnu 19.04 2019-11-11
# /etc/sssd/sssd.alternatives for more advanced or specific setups of SSSD
#more Distros will be added during 2020
#Added support for elementary 01/2020
#Added support for Ubuntu 20 02/2020
# ~~~~~~~~~~ Environment Setup ~~~~~~~~~~ #
NORMAL=$(printf "\033[m")
@ -28,17 +29,14 @@
################################ fix errors # funktion not called ################
fixerrors(){
#this funktion is not called in the script : to activate, uncomment line line 31 #fixerrors
#this funktion is not called in the script : to activate, uncomment line line 38 #fixerrors
#This funktion installs additional packages due to known issues with Joining and the join hangs after the admin auth
sudo add-apt-repository ppa:xtrusia/packagekit-fix
sudo apt-get update
sudo apt-get install packagekit
MENU_FN
}
PRECHECK_FN
#fixerrors
#Realmdupdate11
#Added support for elementary 01/2020
#Added support for Ubuntu 20 02/2020
}
####################### final auth ##################################################################
#this section will do the last part, configure sssd, ssh, login session sam files and sudoers#
fi_auth(){
@ -55,50 +53,108 @@ grouPs="null"
therealm="null"
cauth="null"
clear
read -r -p "${RED_TEXT}Do you wish to enable SSH login.group.allowed${END}${NUMBER}(y/n)?${END}" yn
case $yn in
[Yy]* ) sudo echo "Checking if there is any previous configuration"
if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1
then
echo "Files seems already to be modified, skipping..."
else
echo "NOTICE! /etc/ssh/login.group.allowed will be created. make sure yor local user is in it you you could be banned from login"
echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth
sudo touch /etc/ssh/login.group.allowed
admins=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 )
echo ""
echo ""
read -r -p "Is your current administrator = '$admins' ? (y/n)?" yn
case $yn in
[Yy]* ) sudo echo "$admins" | sudo tee -a /etc/ssh/login.group.allowed;;
[Nn]* ) echo "please type name of current administrator"
read -r -p MYADMIN
sudo echo "$MYADMIN" | sudo tee -a /etc/ssh/login.group.allowed;;
* ) echo "Please answer yes or no.";;
esac
sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed
echo "enabled SSH-allow"
fi;;
[Nn]* ) echo "Disabled SSH login.group.allowed"
states1="12";;
* ) echo "Please answer yes or no.";;
esac
sshsec=$( sudo grep SSHSECURE readfile | awk '{print $3}' )
if [ "$sshsec" = "yes" ]
then
if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1
then
echo "SSHsecurity Files seems already to be modified, skipping..."
else
echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth
sudo touch /etc/ssh/login.group.allowed
localadmin=$( sudo grep LOCALADMIN readfile | awk '{print $3}' )
if [ "$localadmin" = "null" ]
then
localadmin=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 )
else
sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed
echo "enabled SSH-allow"
fi
fi
else
if [ "$sshsec" = "no" ]
then
echo "Skipping SSHSecurity config"
else
read -r -p "${RED_TEXT}Do you wish to enable SSH login.group.allowed${END}${NUMBER}(y/n)?${END}" yn
case $yn in
[Yy]* ) sudo echo "Checking if there is any previous configuration"
if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1
then
echo " SSHsecurityFiles seems already to be modified, skipping..."
else
echo "NOTICE! /etc/ssh/login.group.allowed will be created. make sure yor local user is in it you you could be banned from login"
echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth
sudo touch /etc/ssh/login.group.allowed
sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed
echo "enabled SSH-allow"
echo ""
echo ""
fi
;;
[Nn]* ) echo "Skipped ssh config"
states1="12";;
esac
fi
fi
echo ""
echo "-------------------------------------------------------------------------------------------"
echo ""
read -r -p "${RED_TEXT}Do you wish to give users on this machine sudo rights?${END}${NUMBER}(y/n)?${END}" yn
givesudo=$( sudo grep SUDOERS readfile | awk '{print $3}' )
if [ "$givesudo" = "yes" ]
then
if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1
then
echo ""
echo "sudoers.d/sudoers file seems already to be modified, skipping..."
echo ""
else
disssu=$( sudo grep DISSPROMT readfile | awk '{print $3}' )
if [ "$disssu" = "yes" ]
then
sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
sudo echo "%DOMAIN\ admins ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/domain_admins
#sudo realm permit --groups "$myhost""sudoers"
else
if [ "$disssu" = "no" ]
then
sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
sudo echo "%$myhost""sudoers ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
sudo echo "%DOMAIN\ admins ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/domain_admins
#sudo realm permit --groups "$myhost""sudoers"
else
echo "error in readfile config"
sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
fi
fi
fi
else
if [ "$givesudo" = "no" ]
then
echo "Not giving a sudo"
sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed
echo "Skipping"
states="12"
else
read -r -p "${RED_TEXT}Do you wish to give users on this machine sudo rights?${END}${NUMBER}(y/n)?${END}" yn
case $yn in
[Yy]* ) sudo echo "Checking if there is any previous configuration"
if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1
then
echo ""
echo "The Sudoers file seems already to be modified, skipping..."
echo ""
else
read -r -p "${RED_TEXT}Do you wish to DISABLE password prompt for users in terminal?${END}${NUMBER}(y/n)?${END}" yn
case $yn in
then
echo ""
echo "The Sudoers file seems already to be modified, skipping..."
echo ""
else
read -r -p "${RED_TEXT}Do you wish to DISABLE password prompt for users in terminal?${END}${NUMBER}(y/n)?${END}" yn
case $yn in
[Yy]* )
sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
@ -125,7 +181,9 @@ fi
* ) echo "Please answer yes or no."
;;
esac
homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 )
fi
fi
homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 )
if [ "$homedir" = "0022" ]
then
echo "pam_mkhomedir.so configured"
@ -181,15 +239,39 @@ sudo echo "#entry_cache_user_timeout = 5400
#ad_enable_gc = False
entry_cache_timeout = 600
entry_cache_nowait_percentage = 75 " | sudo tee -a /etc/sssd/sssd.alternatives
sudo service sssd restart
sleep 1
clear
usesasl=$( sudo grep USESASL readfile | awk '{print $3}' )
if [ "$usesasl" = "no" ]
then
echo "Skipping SASL"
else
if [ "$usesasl" = "yes" ]
then
sasl=$( sudo grep LDAPS readfile | awk '{print $3}' )
if [ "$sasl" = "null" ]
then
echo "You need to specify domaincontroller in readfile"
exit
else
echo "$sasl"
cacer=$( sudo grep CACERT readfile | awk '{print $3}' )
if ! ls "$cacer"
then echo "No root CA found, check your path to file"
else
echo "Applied config from readfile"
#sed -i "/krb5_realm = /a ldap_uri = $LdapsDC" /etc/sssd/sssd.conf
#sed -i "/krb5_realm = /a ldap_tls_cacert = $cacert" /etc/sssd/sssd.conf
echo "Applied config from readfile"
fi
fi
else
echo "For SASL put you company root-ca.cer in /usr/share/ca-certificates/root/ folder"
read -r -p "Do you wish to use SASL (LDAPS) (y/n)?" yn
case $yn in
[Yy]* )
if [ -f /usr/share/ca-certificates/root/*.cer ]
if [ -f "/usr/share/ca-certificates/root/*.cer" ]
then
cacert=$( ls /usr/share/ca-certificates/root/ | grep .cer | head -1 )
echo "Type in address of your Domaincontroller: ex: dc01.com"
@ -201,7 +283,7 @@ echo "Found certificate $cacert"
read -r -p "Is this information correct (y/n)?" yn
case $yn in
[Yy]* )
tlsca=$( cat /etc/sssd/sssd.conf | grep ldap_tls_cacert | awk '{print $1}' )
tlsca=$( sudo grep ldap_tls_cacert /etc/sssd/sssd.conf | awk '{print $1}' )
if [ "$tlsca" = "ldap_tls_cacert" ]
then
echo "ldap_tls_cacert already in file"
@ -221,6 +303,8 @@ fi;;
[Nn]* )echo "";;
* ) echo "Please answer yes or no.";;
esac
fi
fi
################################# Check #######################################
if ! sudo service sssd restart
then
@ -257,7 +341,7 @@ echo "Checking sudoers groups.. ${INTRO_TEXT}OK${END}"
else
echo "Checking sudoers groups.. ${RED_TEXT}FAIL${END}"
fi
homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3)
homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 )
if [ "$homedir" = "0022" ] < /dev/null > /dev/null 2>&1
then
echo "Checking PAM session configuration.. ${INTRO_TEXT}OK${END}"
@ -268,8 +352,8 @@ if [ $states1 = 12 ]
then
echo "Disabled SSH login.group.allowed"
else
cauth=$(grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | awk '{print $1}')
if [ "$cauth" = "allow" ] < /dev/null > /dev/null 2>&1
cauth=$( grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | awk '{print $1}' | head -1 )
if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1
then
echo "Checking PAM auth configuration.. ${INTRO_TEXT}OK${END}"
else
@ -316,50 +400,107 @@ grouPs="null"
therealm="null"
cauth="null"
clear
read -r -p 'Do you wish to enable SSH login.group.allowed (y/n)?' yn
case $yn in
[Yy]* ) sudo echo "Checking if there is any previous configuration"
if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1
then
echo "Files seems already to be modified, skipping..."
else
echo "NOTICE! /etc/ssh/login.group.allowed will be created. make sure yor local user is in it you you could be banned from login"
echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/sshd
sudo touch /etc/ssh/login.group.allowed
admins=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 )
echo ""
echo ""
read -r -p "Is your current administrator = $admins ? (y/n)?" yn
case $yn in
[Yy]* ) sudo echo "$admins" | sudo tee -a /etc/ssh/login.group.allowed;;
[Nn]* ) echo "please type name of current administrator"
read -r -p MYADMIN
sudo echo "$MYADMIN" | sudo tee -a /etc/ssh/login.group.allowed;;
* ) echo "Please answer yes or no.";;
esac
sudo echo "$myhost""sudoers" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "domain^admins" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed
echo "enabled SSH-allow"
fi;;
[Nn]* ) echo "Disabled SSH login.group.allowed"
states1="12";;
* ) echo "Please answer yes or no.";;
esac
sshsec=$( sudo grep SSHSECURE readfile | awk '{print $3}' )
if [ "$sshsec" = "yes" ]
then
if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1
then
echo "SSHsecurity Files seems already to be modified, skipping..."
else
echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth
sudo touch /etc/ssh/login.group.allowed
localadmin=$( sudo grep LOCALADMIN readfile | awk '{print $3}' )
if [ "$localadmin" = "null" ]
then
localadmin=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 )
else
sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed
echo "enabled SSH-allow"
fi
fi
else
if [ "$sshsec" = "no" ]
then
echo "Skipping SSHSecurity config"
else
read -r -p "Do you wish to enable SSH login.group.allowed(y/n)?" yn
case $yn in
[Yy]* ) sudo echo "Checking if there is any previous configuration"
if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1
then
echo " SSHsecurityFiles seems already to be modified, skipping..."
else
echo "NOTICE! /etc/ssh/login.group.allowed will be created. make sure yor local user is in it you you could be banned from login"
echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth
sudo touch /etc/ssh/login.group.allowed
sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed
sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed
echo "enabled SSH-allow"
echo ""
echo ""
fi
;;
[Nn]* ) echo "Skipped ssh config"
states1="12";;
esac
fi
fi
echo ""
echo "-------------------------------------------------------------------------------------------"
echo ""
read -r -p 'Do you wish to give users on this machine sudo rights?(y/n)?' yn
givesudo=$( sudo grep SUDOERS readfile | awk '{print $3}' )
if [ "$givesudo" = "yes" ]
then
if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1
then
echo ""
echo "sudoers.d/sudoers file seems already to be modified, skipping..."
echo ""
else
disssu=$( sudo grep DISSPROMT readfile | awk '{print $3}' )
if [ "$disssu" = "yes" ]
then
sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
sudo echo "%DOMAIN\ admins ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/domain_admins
#sudo realm permit --groups "$myhost""sudoers"
else
if [ "$disssu" = "no" ]
then
sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
sudo echo "%$myhost""sudoers ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
sudo echo "%DOMAIN\ admins ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/domain_admins
#sudo realm permit --groups "$myhost""sudoers"
else
sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
fi
fi
fi
else
if [ "$givesudo" = "no" ]
then
echo "Not giving a sudo"
sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed
echo "Skipping"
states="12"
else
read -r -p "Do you wish to give users on this machine sudo rights?(y/n)?" yn
case $yn in
[Yy]* ) sudo echo "Checking if there is any previous configuration"
if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1
then
echo ""
echo "The Sudoers file seems already to be modified, skipping..."
echo ""
else
read -r -p 'Do you wish to DISABLE password promt for users in terminal? (y/n)?' yn
case $yn in
then
echo ""
echo "The Sudoers file seems already to be modified, skipping..."
echo ""
else
read -r -p "Do you wish to DISABLE password prompt for users in terminal?(y/n)?" yn
case $yn in
[Yy]* )
sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
@ -367,21 +508,28 @@ sudo echo "%DOMAIN\ admins ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/
#sudo realm permit --groups "$myhost""sudoers"
;;
[Nn]* ) sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
[Nn]* )
sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
sudo echo "%$myhost""sudoers ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
sudo echo "%DOMAIN\ admins ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/domain_admins
#sudo realm permit --groups "$myhost""sudoers"
;;
* ) echo "Please answer yes or no.";;
esac
fi;;
[Nn]* ) echo "Disabled sudo rights for users on this machine"
fi
;;
[Nn]* )
sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
echo "Disabled sudo rights for users on this machine"
echo ""
echo ""
states="12";;
* ) echo 'Please answer yes or no.';;
esac
homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 )
* ) echo "Please answer yes or no."
;;
esac
fi
fi
homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 )
if [ "$homedir" = "0022" ]
then
echo "pam_mkhomedir.so configured"
@ -409,13 +557,15 @@ sed -i -e 's/use_fully_qualified_names = True/use_fully_qualified_names = False/
sed -i -e 's/access_provider = ad/access_provider = simple/g' /etc/sssd/sssd.conf
sed -i -e 's/sudoers: files sss/sudoers: files/g' /etc/nsswitch.conf
echo "override_homedir = /home/%d/%u" | sudo tee -a /etc/sssd/sssd.conf
sudo grep -i override /etc/sssd/sssd.conf
sudo sudo grep -i override /etc/sssd/sssd.conf
sudo echo "[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 600
#entry_cache_user_timeout = 5400
entry_cache_nowait_percentage = 75" | sudo tee -a /etc/sssd/sssd.conf
sudo sed -i '/krb5_realm =/a entry_cache_group_timeout = 5400' /etc/sssd/sssd.conf
sudo sed -i '/krb5_realm =/a entry_cache_user_timeout = 5400' /etc/sssd/sssd.conf
sudo echo "#entry_cache_user_timeout = 5400
#entry_cache_group_timeout = 5400
#cache_credentials = TRUE
### Added to help with group mapping
@ -427,13 +577,40 @@ entry_cache_timeout = 600
#ldap_search_base = DC=$NetBios,DC=$coms
#ldap_group_member = uniquemember
#ad_enable_gc = False
entry_cache_nowait_percentage = 75" | sudo tee -a /etc/sssd/sssd.conf
entry_cache_timeout = 600
entry_cache_nowait_percentage = 75 " | sudo tee -a /etc/sssd/sssd.alternatives
sudo service sssd restart
clear
usesasl=$( sudo grep USESASL readfile | awk '{print $3}' )
if [ "$usesasl" = "no" ]
then
echo "Skipping SASL"
else
if [ "$usesasl" = "yes" ]
then
sasl=$( sudo grep LDAPS readfile | awk '{print $3}' )
if [ "$sasl" = "null" ]
then
echo "You need to specify domaincontroller in readfile"
exit
else
echo "$sasl"
cacer=$( sudo grep CACERT readfile | awk '{print $3}' )
if ! ls "$cacer"
then echo "No root CA found, check your path to file"
else
echo "Applied config from readfile"
#sed -i "/krb5_realm = /a ldap_uri = $LdapsDC" /etc/sssd/sssd.conf
#sed -i "/krb5_realm = /a ldap_tls_cacert = $cacert" /etc/sssd/sssd.conf
echo "Applied config from readfile"
fi
fi
else
echo "For SASL put you company root-ca.cer in /usr/share/ca-certificates/root/ folder"
read -r -p "Do you wish to use SASL (LDAPS) (y/n)?" yn
case $yn in
[Yy]* )
if [ -f /usr/share/ca-certificates/root/*.cer ]
if [ -f "/usr/share/ca-certificates/root/*.cer" ]
then
cacert=$( ls /usr/share/ca-certificates/root/ | grep .cer | head -1 )
echo "Type in address of your Domaincontroller: ex: dc01.com"
@ -445,7 +622,7 @@ echo "Found certificate $cacert"
read -r -p "Is this information correct (y/n)?" yn
case $yn in
[Yy]* )
tlsca=$( cat /etc/sssd/sssd.conf | grep ldap_tls_cacert | awk '{print $1}' )
tlsca=$( sudo grep ldap_tls_cacert /etc/sssd/sssd.conf | awk '{print $1}' )
if [ "$tlsca" = "ldap_tls_cacert" ]
then
echo "ldap_tls_cacert already in file"
@ -453,6 +630,7 @@ tlsca=$( cat /etc/sssd/sssd.conf | grep ldap_tls_cacert | awk '{print $1}' )
else
sed -i "/krb5_realm = /a ldap_uri = $LdapsDC" /etc/sssd/sssd.conf
sed -i "/krb5_realm = /a ldap_tls_cacert = $cacert" /etc/sssd/sssd.conf
#sed -i -e 's/id_provider = ad/id_provider = ldap/g' /etc/sssd/sssd.conf # failing line: giving no on configured: and user is unable to update password.
sudo service sssd restart
fi;;
[Nn]* )echo "";;
@ -464,6 +642,8 @@ fi;;
[Nn]* )echo "";;
* ) echo "Please answer yes or no.";;
esac
fi
fi
####################### Check #########################
if ! sudo service sssd restart
then
@ -498,7 +678,7 @@ echo "Checking sudoers user groups.. OK"
else
echo "Checking sudoers user groups.. FAIL"
fi
homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3)
homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 )
if [ "$homedir" = "0022" ] < /dev/null > /dev/null 2>&1
then
echo "Checking PAM configuration.. OK"
@ -509,8 +689,8 @@ if [ "$states1" = "12" ]
then
echo "Disabled SSH login.group.allowed"
else
cauth=$(grep required /etc/pam.d/sshd | grep onerr | grep allow | cut -d '=' -f4 | awk '{print $1}')
if [ "$cauth" = "allow" ] < /dev/null > /dev/null 2>&1
cauth=$( grep required /etc/pam.d/sshd | grep onerr | grep allow | cut -d '=' -f4 | awk '{print $1}' | head -1 )
if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1
then
echo "Checking PAM auth configuration.. OK"
else
@ -644,6 +824,9 @@ sudo echo "${INTRO_TEXT}packages installed${END}"
fi
echo "hostname is $myhost"
echo "Looking for Realms.. please wait"
REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
if [ "$REALM" = "null" ]
then
DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1
then
@ -659,10 +842,14 @@ read -r -p "Do you wish to use it (y/n)?" yn
[Yy]* ) echo "";;
[Nn]* ) echo "Please enter the domain you wish to join:"
read -r DOMAIN;;
read -r DOMAIN;;
* ) echo 'Please answer yes or no.';;
esac
fi
else
echo "Using Domain: $REALM"
DOMAIN=$(echo "$REALM")
fi
NetBios=$(echo "$DOMAIN" | cut -d '.' -f1)
clear
var=$(lsb_release -a | grep -i release | awk '{print $2}' | cut -d '.' -f1)
@ -767,8 +954,11 @@ clear
sudo echo "${INTRO_TEXT}packages installed${END}"
fi
sleep 1
DOMAIN=$( realm discover | grep -i realm-name | awk '{print $2}')
if ! ping -c 1 "$DOMAIN"
REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
if [ "$REALM" = "null" ]
then
DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1
then
clear
echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
@ -779,13 +969,17 @@ clear
echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}"
read -r -p "Do you wish to use it (y/n)?" yn
case $yn in
[Yy]* ) echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}";;
[Yy]* ) echo "";;
[Nn]* ) echo "Please enter the domain you wish to join:"
read -r DOMAIN;;
read -r DOMAIN;;
* ) echo 'Please answer yes or no.';;
esac
fi
else
echo "Using Domain: $REALM"
DOMAIN=$(echo "$REALM")
fi
sudo echo "${INTRO_TEXT}Realm= $DOMAIN${END}"
sudo echo "${NORMAL}${NORMAL}"
echo "${INTRO_TEXT}Please type DomainAdmin user:${END}"
@ -892,15 +1086,15 @@ echo "Checking sudoers users.. ${INTRO_TEXT}OK${END}"
else
echo "Checking sudoers users.. ${RED_TEXT}FAIL${END}"
fi
homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3)
homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 )
if [ "$homedir" = "0022" ] < /dev/null > /dev/null 2>&1
then
echo "Checking PAM configuration.. ${INTRO_TEXT}OK${END}"
else
echo "Checking PAM configuration.. ${RED_TEXT}FAIL${END}"
fi
cauth=$(grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | cut -d 'f' -f1)
if [ "$cauth" = "allow" ] < /dev/null > /dev/null 2>&1
cauth=$( grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | cut -d 'f' -f1 | head -1 )
if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1
then
echo "Checking PAM auth configuration..${INTRO_TEXT}OK${END}"
else
@ -956,25 +1150,32 @@ clear
sudo echo "${INTRO_TEXT}packages installed${END}"
fi
echo "hostname is $myhost"
REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
if [ "$REALM" = "null" ]
then
DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
if ! ping -c 2 "$DOMAIN" >/dev/null
if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1
then
clear
echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below...${END}"
echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
echo "Please enter the domain you wish to join:"
read -r DOMAIN
else
clear
echo "${NUMBER}I searched for an available domain and found $DOMAIN ${END}"
echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}"
read -r -p "Do you wish to use it (y/n)?" yn
case $yn in
[Yy]* ) echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}";;
[Yy]* ) echo "";;
[Nn]* ) echo "Please enter the domain you wish to join:"
read -r DOMAIN;;
read -r DOMAIN;;
* ) echo 'Please answer yes or no.';;
esac
fi
else
echo "Using Domain: $REALM"
DOMAIN=$(echo "$REALM")
fi
NetBios=$(echo "$DOMAIN" | cut -d '.' -f1)
echo ""
echo "${INTRO_TEXT}Please type Admin user:${END}"
@ -1028,25 +1229,32 @@ sudo echo "${INTRO_TEXT}packages installed${END}"
fi
echo "hostname is $myhost"
sleep 1
REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
if [ "$REALM" = "null" ]
then
DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
if ! ping -c 2 "$DOMAIN" >/dev/null
if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1
then
clear
echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below...${END}"
echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
echo "Please enter the domain you wish to join:"
read -r DOMAIN
else
clear
echo "${NUMBER}I searched for an available domain and found $DOMAIN ${END}"
echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}"
read -r -p "Do you wish to use it (y/n)?" yn
case $yn in
[Yy]* ) echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}";;
[Yy]* ) echo "";;
[Nn]* ) echo "Please enter the domain you wish to join:"
read -r DOMAIN;;
read -r DOMAIN;;
* ) echo 'Please answer yes or no.';;
esac
fi
else
echo "Using Domain: $REALM"
DOMAIN=$(echo "$REALM")
fi
NetBios=$(echo "$DOMAIN" | cut -d '.' -f1)
echo ""
echo "${INTRO_TEXT}Please type Admin user:${END}"
@ -1206,25 +1414,32 @@ sudo apt-get -qq install -y realmd sssd sssd-tools samba-common krb5-user
sudo apt-get -qq install -f -y
echo "hostname is $myhost"
echo "Looking for Realms.. please wait"
REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
if [ "$REALM" = "null" ]
then
DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
if ! ping -c 2 "$DOMAIN" >/dev/null
if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1
then
clear
echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
echo "I searched for an available domain and found nothing, please type your domain manually below..."
echo "Please enter the domain you wish to join:"
read -r DOMAIN
else
clear
echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}"
echo "I searched for an available domain and found>>> $DOMAIN <<<"
read -r -p "Do you wish to use it (y/n)?" yn
case $yn in
[Yy]* ) echo "";;
[Nn]* ) echo "Please enter the domain you wish to join:"
read -r DOMAIN;;
read -r DOMAIN;;
* ) echo 'Please answer yes or no.';;
esac
fi
else
echo "Using Domain: $REALM"
DOMAIN=$(echo "$REALM")
fi
clear
echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}"
echo "${INTRO_TEXT}Please type Admin user:${END}"
@ -1255,25 +1470,32 @@ sudo apt-get -qq install -y realmd sssd sssd-tools samba-common krb5-user
sudo apt-get -qq install -f -y
echo "hostname is $myhost"
echo "Looking for Realms.. please wait"
REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
if [ "$REALM" = "null" ]
then
DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
if ! ping -c 2 "$DOMAIN" >/dev/null
if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1
then
clear
echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
echo "I searched for an available domain and found nothing, please type your domain manually below..."
echo "Please enter the domain you wish to join:"
read -r DOMAIN
else
clear
echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}"
echo "I searched for an available domain and found>>> $DOMAIN <<<"
read -r -p "Do you wish to use it (y/n)?" yn
case $yn in
[Yy]* ) echo "";;
[Nn]* ) echo "Please enter the domain you wish to join:"
read -r DOMAIN;;
read -r DOMAIN;;
* ) echo 'Please answer yes or no.';;
esac
fi
else
echo "Using Domain: $REALM"
DOMAIN=$(echo "$REALM")
fi
clear
echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}"
echo "${INTRO_TEXT}Please type Admin user:${END}"
@ -1345,15 +1567,15 @@ grouPs=$(grep -i "$myhost" /etc/sudoers.d/sudoers | cut -d '%' -f2 | awk '{print
else
echo Checking sudoers file.. "${RED_TEXT}FAIL${END}"
fi
homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3)
homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 )
if [ "$homedir" -eq "0022" ] < /dev/null > /dev/null 2>&1
then
echo Checking PAM configuration.. "${INTRO_TEXT}OK${END}"
else
echo Checking PAM configuration.. "${RED_TEXT}FAIL${END}"
fi
cauth=$(grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | cut -d 'f' -f1)
if [ "$cauth" = "allow" ] < /dev/null > /dev/null 2>&1
cauth=$( grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | cut -d 'f' -f1 | head -1 )
if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1
then
echo Checking PAM auth configuration.. "${INTRO_TEXT}OK${END}"
else
@ -1381,7 +1603,7 @@ echo ""
fi
echo "-------------------------------------------------------------------------------------"
echo ""
if ! realm discover $therealm
if ! realm discover "$therealm"
then
echo "realm not found"
else
@ -1418,7 +1640,7 @@ else
echo "Checking sudoers file.. FAIL not configured"
fi
fi
homedir=$(grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3)
homedir=$( grep homedir /etc/pam.d/common-session | grep 0022 | cut -d '=' -f3 | head -1 )
if [ "$homedir" = "0022" ] < /dev/null > /dev/null 2>&1
then
echo "Checking PAM configuration.. OK"
@ -1950,11 +2172,14 @@ sudo echo "${INTRO_TEXT}packages installed${END}"
fi
echo "hostname is $myhost"
echo "Looking for Realms.. please wait"
REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
if [ "$REALM" = "null" ]
then
DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
if ! ping -c 2 "$DOMAIN" >/dev/null
if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1
then
clear
echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below...${END}"
echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
echo "Please enter the domain you wish to join:"
read -r DOMAIN
else
@ -1965,10 +2190,14 @@ read -r -p "Do you wish to use it (y/n)?" yn
[Yy]* ) echo "";;
[Nn]* ) echo "Please enter the domain you wish to join:"
read -r DOMAIN;;
read -r DOMAIN;;
* ) echo 'Please answer yes or no.';;
esac
fi
else
echo "Using Domain: $REALM"
DOMAIN=$(echo "$REALM")
fi
NetBios=$(echo "$DOMAIN" | cut -d '.' -f1)
clear
var=$(lsb_release -a | grep -i release | awk '{print $2}' | cut -d '.' -f1)

16
readfile
View File

@ -1,6 +1,12 @@
2020-03-24 # Work in progress
SASL = null # Address of domaincontroller
# "null" is for manual setup and will result in promts. misconfuguration will result in skipping that config and giving promts.
################ Config ####################
DOMAIN = null # insert domain name ex:domain.com leave null for autodiscover ( promt )
################ ldaps config ####################
USESASL = null # yes or no to use SASL
LDAPS = null # Address of domaincontroller
CACERT = null # full path and file to CAroot like: /usr/share/ca-certificates/root/myCA.cer
SUDOERS = null # yes or no for adding group in sudoers
SSHSECURE = null # yes or no for for Blocking anyone but aprooved users
SUDOPROMT = null # yes or no for disable sudo promt in terminal
################ auth config ####################
LOCALADMIN = null # name of the user for the local account # like :administrator #null sets administrator as default user
SUDOERS = null # yes or no for adding group in sudoers #null for manual setup
SSHSECURE = null # yes or no for for Blocking anyone but aprooved users #null for manual setup
DISSPROMT = null # yes or no for disable sudo promt in terminal