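#!/bin/bash
#
# Joins an Arch Linux host to an Active Directory domain: builds adcli and
# realmd from the AUR, installs sssd, runs `realm join`, then adjusts the
# SSSD, NSS and PAM configuration.
#
# Run as a normal user; every privileged step goes through sudo.

# Stop on the first failed step so that a failed clone, build or join is never
# followed by edits to the system configuration.
set -euo pipefail

# Refuse to run as root: the AUR builds below are done with makepkg as the
# invoking user, and only the individual privileged commands use sudo.
if [ "$(id -u)" -eq 0 ]; then
  echo "❌ Bitte nicht als root ausführen! Das Skript nutzt sudo, falls nötig."
  exit 1
fi

readonly AUR_CODE_DIR="/var/lib/user_aur_code"
readonly SSSD_CONF="/etc/sssd/sssd.conf"
readonly NSSWITCH_CONF="/etc/nsswitch.conf"
readonly PAM_SESSION="/etc/pam.d/common-session"

#######################################
# Clones one AUR package into AUR_CODE_DIR, builds and installs it with
# makepkg, then removes the build artefacts from the checkout.
# Globals:   AUR_CODE_DIR (read)
# Arguments: $1 - AUR package name
# Returns:   non-zero (aborting the script under set -e) if any step fails
#######################################
build_aur_package() {
  local pkg=$1
  local pkg_dir="${AUR_CODE_DIR}/${pkg}"

  # Always build from a fresh clone: a checkout left over from an earlier run
  # would make `git clone` fail, and its contents should not be trusted.
  rm -rf -- "${pkg_dir:?}"
  git clone "https://aur.archlinux.org/${pkg}.git" "$pkg_dir"

  # NOTE(review): AUR PKGBUILDs are user-submitted and makepkg executes them;
  # read the PKGBUILD before the package is built and installed.
  (cd "$pkg_dir" && makepkg -sic)

  # Address the checkout explicitly so that `git clean -dfx` can never run in
  # whatever directory the shell happens to be in.
  git -C "$pkg_dir" clean -dfx
}

# Build prerequisites. The pacman flag is --noconfirm.
sudo pacman -Syu glib2 glib2-devel git --noconfirm

# The build directory lives under /var/lib, so it has to be created with sudo.
# It is handed to the invoking user rather than made world-writable: with mode
# 777 any local account could alter the sources that are later built and
# installed system-wide.
sudo mkdir -p -- "$AUR_CODE_DIR"
sudo chown -- "$(id -u):$(id -g)" "$AUR_CODE_DIR"
sudo chmod 0755 -- "$AUR_CODE_DIR"

build_aur_package adcli
build_aur_package realmd

sudo mkdir -p /var/lib/samba/private/
sudo pacman -Syu sssd curl ntp polkit

echo "❓ Daten für Domainjoin:"
read -r -p "Domänenname: " DOMAIN
read -r -p "Adminuser: " ADMIN

# The domain name is written into configuration files further down, so accept
# only DNS-style labels separated by dots.
domain_re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
if [[ ! "$DOMAIN" =~ $domain_re ]]; then
  echo "❌ Ungültiger Domänenname." >&2
  exit 1
fi
if [[ -z "$ADMIN" ]]; then
  echo "❌ Adminuser darf nicht leer sein." >&2
  exit 1
fi

# First and second DNS label of the domain; they are only used in the
# commented-out ldap_search_base template at the end of the script.
NetBios=${DOMAIN%%.*}
domain_rest=${DOMAIN#*.}
coms=${domain_rest%%.*}

sudo realm join --verbose --user="$ADMIN" "$DOMAIN" --install=/

sudo systemctl enable sssd
sudo systemctl start sssd

# Add pam_mkhomedir unless a line with umask=0077 is already configured.
# NOTE(review): /etc/pam.d/common-session is the Debian/Ubuntu layout; on Arch
# the PAM stack normally lives in /etc/pam.d/system-* files. Verify that this
# file is actually included by the login services on the target host.
homedir=$(grep homedir "$PAM_SESSION" | grep 0077 | cut -d '=' -f3 | head -1) || homedir=""
if [ "$homedir" = "0077" ]; then
  echo "ℹ️ pam_mkhomedir.so configured"
  sleep 1
else
  echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077" | sudo tee -a "$PAM_SESSION"
fi

# The script runs unprivileged, so each edit of a root-owned file needs sudo.
sudo sed -i -e 's|fallback_homedir = /home/%u@%d|#fallback_homedir = /home/%u@%d|g' "$SSSD_CONF"
sudo sed -i -e 's/use_fully_qualified_names = True/use_fully_qualified_names = False/g' "$SSSD_CONF"

# NOTE(review): with access_provider = simple and neither simple_allow_users
# nor simple_allow_groups set, SSSD grants access to every user of the domain,
# and the access checks of the ad provider no longer apply. Add an allow list
# unless domain-wide login is intended.
sudo sed -i -e 's/access_provider = ad/access_provider = simple/g' "$SSSD_CONF"

# Take sudo rules from local files only, not from SSSD.
sudo sed -i -e 's/sudoers: files sss/sudoers: files/g' "$NSSWITCH_CONF"

echo "override_homedir = /home/%u" | sudo tee -a "$SSSD_CONF"
sudo grep -i override "$SSSD_CONF"

sudo sed -i '/krb5_realm =/a entry_cache_group_timeout = 5400' "$SSSD_CONF"
sudo sed -i '/krb5_realm =/a entry_cache_user_timeout = 5400' "$SSSD_CONF"

# Reference file with alternative settings. It is appended to
# /etc/sssd/sssd.alternatives, not to sssd.conf.
sudo tee -a /etc/sssd/sssd.alternatives <<EOF
#entry_cache_user_timeout = 5400
#entry_cache_group_timeout = 5400
#cache_credentials = TRUE
### Added to help with group mapping
###ldap_use_tokengroups = False
#ldap_schema = rfc2307bis
#ldap_schema = rfc2307
#ldap_schema = IPA
#ldap_schema = AD
#ldap_search_base = DC=$NetBios,DC=$coms
#ldap_group_member = uniquemember
#ad_enable_gc = False
entry_cache_timeout = 600
entry_cache_nowait_percentage = 75

EOF

echo "✅ Der Computer muss jetzt neugestartet werden. Vor dem Anmelden etwa 3 Minuten warten!"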