# Install using: sudo su -c "bash <(wget -qO- /url/to/install-fileserver-as-dc-member.sh)"

# Make sure script is ran as root
if [[ $EUID -ne 0 ]]; then
        exec sudo /bin/bash "$0" "$@"
fi
read -e -p "Enter DC administrator username: " -i $(logname) ADMINUSER
read -e -p "Enter realm: " -i "myspace.local" DCREALM
read -e -p "Enter workgroup: " -i "MYSPACE" WORKGROUP
read -e -p "Enter fileserver hostname: " -i "ubuntulabb" FSHOSTNAME
read -e -p "Enter dc hostname: " -i "dc1" DCHOSTNAME
read -e -p "Enter dc/dns IP: " -i "192.168.0.9" DNSIP

apt install -y samba
apt install -y realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
hostnamectl set-hostname ${FSHOSTNAME,,}.${DCREALM,,}

systemctl disable systemd-resolved.service
systemctl stop systemd-resolved.service
# systemctl status systemd-resolved.service

# Update /etc/resolv.conf with DC as nameserver
sed -i -E "s/nameserver .*?/nameserver $DNSIP/" /etc/resolv.conf

realm discover ${DCREALM,,}
realm join -U $ADMINUSER ${DCREALM,,}
realm list

# Update /usr/share/pam-configs/mkhomedir
sed -i -E "s/Default:.*?/Default: yes/" /usr/share/pam-configs/mkhomedir
sed -i -E "s/Priority:.*?/Priority: 900/" /usr/share/pam-configs/mkhomedir
sed -i -E "s/Session-Interactive-Only:.*?//" /usr/share/pam-configs/mkhomedir
# sed -i '/Session-Interactive-Only:.*?/d' /usr/share/pam-configs/mkhomedir

pam-auth-update
# pam-auth-update --enable mkhomedir

systemctl restart sssd
# systemctl status sssd

id $ADMINUSER@${DCREALM,,}

realm permit --all
mkdir -p /var/fileshare/data
chmod -R uga+rwx /var/fileshare/

echo "%domain\ admins@${DCREALM,,} ALL=(ALL) ALL">/etc/sudoers.d/domain-admins

apt -y install winbind libpam-winbind libnss-winbind krb5-config

sudo tee /etc/krb5.conf > /dev/null <<EOL
[libdefaults]
    default_realm = ${DCREALM^^}
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    ${DCREALM^^} = {
        kdc = ${DCHOSTNAME,,}.${DCREALM,,}
        admin_server = ${DCHOSTNAME,,}.${DCREALM,,}
        default_domain = ${DCREALM,,}
    }

[domain_realm]
    .${DCREALM,,} = ${DCREALM^^}
    ${DCREALM,,} = ${DCREALM^^}
EOL

sudo tee /etc/nsswitch.conf > /dev/null <<EOL
passwd: compat winbind
group: compat winbind
shadow: compat winbind

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
EOL

sudo tee /etc/pam.d/common-session > /dev/null <<EOL
session [default=1]     pam_permit.so
session requisite       pam_deny.so
session required        pam_permit.so
session optional        pam_umask.so
session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required        pam_winbind.so
session optional        pam_sss.so
session optional        pam_systemd.so
EOL

sudo tee /etc/pam.d/common-session-noninteractive > /dev/null <<EOL
session [default=1]     pam_permit.so
session requisite       pam_deny.so
session required        pam_permit.so
session optional        pam_umask.so
session required        pam_unix.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required        pam_winbind.so
session optional        pam_winbind.so
EOL

sudo tee /etc/samba/smb.conf > /dev/null <<EOL
[global]
	workgroup = ${WORKGROUP^^}
	realm = ${DCREALM,,}
	security = ads
	encrypt passwords = yes
	idmap config * : backend = tdb
	idmap config * : range = 3000-7999
	idmap config ${DCREALM,,} : backend = rid
	idmap config ${DCREALM,,} : range = 10000-999999
	template homedir = /home/%U@%D
	template shell = /bin/bash
	winbind use default domain = true
	winbind offline logon = false

[data]
	comment = Samba File Server Share
	path = /var/fileshare/data
	browsable = yes
	guest ok = yes
	read only = no
	create mask = 777
	force create mode = 777
	directory mask = 777
	force directory mode = 777
	valid users = "@${WORKGROUP^^}\domain users"
	# force user = root
	# force group = root
	writeable = yes
	# admin users = root
	oplocks = yes
	# valid users = @"${DCREALM,,}+Domain Users"
[/data]
[homes]
	comment = Home Directories
	browsable = yes
	read only = no
	writeable = yes
	oplocks = yes
	valid users = %S
[/homes]
EOL

sudo tee /etc/security/pam_winbind.conf > /dev/null <<EOL
[global]
debug = no
EOL

sudo tee /usr/local/bin/clear-net-cache.sh > /dev/null <<EOL
service winbind stop
service smbd stop
net cache flush
rm /var/lib/samba/*.tdb
service smbd start
service winbind start
EOL
chmod ugo+rwx /usr/local/bin/clear-net-cache.sh


echo "Rejoining domain..."
# kinit $ADMINUSER@${DCREALM,,}
net ads join -U $ADMINUSER -S ${DCHOSTNAME,,}.${DCREALM,,}

# systemctl restart smbd
smbcontrol smbd reload-config
systemctl restart winbind

# Clear Winbind cache
/usr/local/bin/clear-net-cache.sh

echo "Found admin user:"
getent passwd ${WORKGROUP^^}\\$ADMINUSER
echo "Found domain users:"
wbinfo --domain-users