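#!/usr/bin/env bash
# Install using: sudo su -c "bash <(wget -qO- /url/to/install-fileserver-as-dc-member.sh)"
#
# Turns an Ubuntu host into a Samba file server that is a member of an AD
# domain. Flow: prompt for settings, point DNS at the DC, join the realm via
# realmd/sssd, enable home-directory creation, create the share, grant
# "domain admins" sudo, then install winbind and rewrite krb5.conf,
# nsswitch.conf, the PAM session files and smb.conf before re-joining with
# `net ads join`.
#
# Interactive: every setting is prompted with a default, and both
# `realm join` and `net ads join` ask for the admin password. Must run as root.
set -euo pipefail

# Settings filled in by prompt_settings; kept as globals so the config
# heredocs below can expand them.
ADMINUSER= DCREALM= WORKGROUP= FSHOSTNAME= DCHOSTNAME= DNSIP=
realm_lc= realm_uc= workgroup_uc= dc_fqdn= fs_fqdn=

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Prompt for all settings, validate them and derive the case-folded forms.
# Globals:  sets ADMINUSER DCREALM WORKGROUP FSHOSTNAME DCHOSTNAME DNSIP and
#           realm_lc realm_uc workgroup_uc dc_fqdn fs_fqdn (all readonly after)
# Returns:  exits via die on an empty or malformed value
#######################################
prompt_settings() {
  local default_user
  # logname has no answer under "sudo su -c" without a login session, and an
  # empty, unquoted $(logname) would make `read -i` swallow the next argument.
  default_user=${SUDO_USER:-$(logname 2>/dev/null || true)}

  read -e -p "Enter DC administrator username: " -i "$default_user" ADMINUSER
  read -e -p "Enter realm: " -i "myspace.local" DCREALM
  read -e -p "Enter workgroup: " -i "MYSPACE" WORKGROUP
  read -e -p "Enter fileserver hostname: " -i "ubuntulabb" FSHOSTNAME
  read -e -p "Enter dc hostname: " -i "dc1" DCHOSTNAME
  read -e -p "Enter dc/dns IP: " -i "192.168.0.9" DNSIP

  # These values are written into config files and passed on command lines,
  # so refuse anything that is not a plain name or address.
  local name_re='^[A-Za-z0-9.-]+$'
  [[ -n $ADMINUSER ]] || die "administrator username must not be empty"
  [[ $DCREALM =~ $name_re ]] || die "realm must be a DNS name"
  [[ $WORKGROUP =~ ^[A-Za-z0-9_.-]+$ ]] || die "workgroup must be a plain NetBIOS name"
  [[ $FSHOSTNAME =~ $name_re ]] || die "fileserver hostname must be a DNS name"
  [[ $DCHOSTNAME =~ $name_re ]] || die "dc hostname must be a DNS name"
  [[ $DNSIP =~ ^[0-9A-Fa-f.:]+$ ]] || die "dc/dns IP must be an IPv4 or IPv6 address"

  realm_lc=${DCREALM,,}
  realm_uc=${DCREALM^^}
  workgroup_uc=${WORKGROUP^^}
  dc_fqdn=${DCHOSTNAME,,}.${realm_lc}
  fs_fqdn=${FSHOSTNAME,,}.${realm_lc}
  readonly ADMINUSER DCREALM WORKGROUP FSHOSTNAME DCHOSTNAME DNSIP
  readonly realm_lc realm_uc workgroup_uc dc_fqdn fs_fqdn
}

#######################################
# Install Samba plus the realmd/sssd tooling used for the first join.
#######################################
install_packages() {
  apt-get update   # a fresh host may have no package lists yet
  apt-get install -y samba
  apt-get install -y realmd libnss-sss libpam-sss sssd sssd-tools adcli \
    samba-common-bin oddjob oddjob-mkhomedir packagekit
}

#######################################
# Name this host and point its DNS at the DC. AD discovery relies on the
# DC's SRV records, so systemd-resolved is replaced by a static resolv.conf.
# Globals: fs_fqdn DNSIP realm_lc (read)
#######################################
configure_dns() {
  hostnamectl set-hostname "$fs_fqdn"

  systemctl disable systemd-resolved.service
  systemctl stop systemd-resolved.service

  # /etc/resolv.conf is normally a symlink into /run/systemd/resolve. Replace
  # it with a real file instead of sed-editing the stub, which could leave
  # several nameserver lines and resolved-specific options behind.
  # NOTE(review): netplan/NetworkManager may rewrite this file on the next
  # network change; if so, configure the DNS server there instead.
  rm -f -- /etc/resolv.conf
  printf 'nameserver %s\nsearch %s\n' "$DNSIP" "$realm_lc" >/etc/resolv.conf
}

#######################################
# Join the realm through realmd (adcli/sssd). `realm join` prompts for the
# admin password on the terminal.
# Globals: ADMINUSER realm_lc (read)
#######################################
join_realm() {
  realm discover "$realm_lc"
  realm join -U "$ADMINUSER" "$realm_lc"
  realm list
}

#######################################
# Make pam_mkhomedir a default, high-priority PAM profile, apply it and
# confirm that sssd can resolve the admin account.
# Globals: ADMINUSER realm_lc (read)
#######################################
enable_mkhomedir() {
  local profile=/usr/share/pam-configs/mkhomedir
  sed -i -E \
    -e 's/^Default:.*/Default: yes/' \
    -e 's/^Priority:.*/Priority: 900/' \
    -e '/^Session-Interactive-Only:/d' \
    -- "$profile"
  pam-auth-update   # interactive: shows the profile selection dialog

  systemctl restart sssd
  # Stop here if the sssd path is broken rather than reconfiguring on top of it.
  id "${ADMINUSER}@${realm_lc}" || die "sssd cannot resolve ${ADMINUSER}@${realm_lc}"
}

#######################################
# Allow all domain users to log in and create the exported directory.
#######################################
create_share_dir() {
  realm permit --all
  mkdir -p /var/fileshare/data
  # World-writable by design, matching the 777 masks in smb.conf below.
  # "valid users" in smb.conf only gates SMB access; any local account can
  # read and write this tree directly.
  chmod -R a+rwx -- /var/fileshare/
}

#######################################
# Give members of "domain admins" full sudo. The fragment is syntax-checked
# with visudo and installed root:root 0440, which sudo requires for files
# under /etc/sudoers.d.
# Globals: realm_lc (read)
#######################################
grant_domain_admins_sudo() {
  local tmp
  tmp=$(mktemp) || die "mktemp failed"
  # %% is a literal percent for printf; \\ is a literal backslash, which
  # sudoers needs to escape the space in the group name.
  printf '%%domain\\ admins@%s ALL=(ALL) ALL\n' "$realm_lc" >"$tmp"
  chmod 0440 "$tmp"
  if ! visudo -c -f "$tmp" >/dev/null; then
    rm -f -- "$tmp"
    die "generated sudoers entry failed the visudo check"
  fi
  install -m 0440 -o root -g root -- "$tmp" /etc/sudoers.d/domain-admins
  rm -f -- "$tmp"
}

#######################################
# Install winbind and its NSS/PAM modules. krb5-config may ask debconf
# questions; /etc/krb5.conf is rewritten afterwards anyway.
#######################################
install_winbind_packages() {
  apt-get install -y winbind libpam-winbind libnss-winbind krb5-config
}

#######################################
# Write /etc/krb5.conf for the realm.
# Globals: realm_uc realm_lc dc_fqdn (read)
#######################################
write_krb5_conf() {
  cat >/etc/krb5.conf <<EOL
[libdefaults]
default_realm = ${realm_uc}
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
${realm_uc} = {
kdc = ${dc_fqdn}
admin_server = ${dc_fqdn}
default_domain = ${realm_lc}
}

[domain_realm]
.${realm_lc} = ${realm_uc}
${realm_lc} = ${realm_uc}
EOL
}

#######################################
# Write /etc/nsswitch.conf with winbind as the account source.
# NOTE(review): this drops "sss" from passwd/group/shadow even though
# libnss-sss was installed and pam_sss.so is still listed in common-session
# below; confirm which backend is meant to serve logins.
#######################################
write_nsswitch_conf() {
  cat >/etc/nsswitch.conf <<EOL
passwd: compat winbind
group: compat winbind
shadow: compat winbind

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
EOL
}

#######################################
# Write the PAM session stacks by hand. A later pam-auth-update run (for
# example from a package postinst) may overwrite these files.
# NOTE(review): common-session-noninteractive lists pam_winbind.so twice
# (required, then optional); the interactive file has pam_sss.so in that
# slot, so the second line may be a copy/paste slip — confirm with the author.
#######################################
write_pam_session_files() {
  cat >/etc/pam.d/common-session <<EOL
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_winbind.so
session optional pam_sss.so
session optional pam_systemd.so
EOL

  cat >/etc/pam.d/common-session-noninteractive <<EOL
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_winbind.so
session optional pam_winbind.so
EOL
}

#######################################
# Write /etc/samba/smb.conf and validate it with testparm.
# The per-domain idmap block is keyed by the NetBIOS domain (workgroup), not
# the DNS realm; with the realm as key the domain's users would fall into
# the "*" tdb range instead of the rid range.
# The [data] share is reachable by guests ("guest ok = yes") and uses 777
# masks, so anything written there is readable and writable by everyone.
# Globals: workgroup_uc realm_lc (read)
#######################################
write_smb_conf() {
  cat >/etc/samba/smb.conf <<EOL
[global]
workgroup = ${workgroup_uc}
realm = ${realm_lc}
security = ads
encrypt passwords = yes
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config ${workgroup_uc} : backend = rid
idmap config ${workgroup_uc} : range = 10000-999999
template homedir = /home/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false

[data]
comment = Samba File Server Share
path = /var/fileshare/data
browsable = yes
guest ok = yes
read only = no
create mask = 777
force create mode = 777
directory mask = 777
force directory mode = 777
valid users = "@${workgroup_uc}\domain users"
# force user = root
# force group = root
writeable = yes
# admin users = root
oplocks = yes
# valid users = @"${realm_lc}+Domain Users"
EOL
  # smb.conf has no closing tags: the old "[/data]" line would have defined
  # an empty extra share, so it is gone. Fail early on any parse problem.
  testparm -s /etc/samba/smb.conf >/dev/null || die "smb.conf failed testparm"

  cat >/etc/security/pam_winbind.conf <<EOL
[global]
debug = no
EOL
}

#######################################
# Join the domain again with the Samba tooling so winbind has a machine
# account. `net ads join` prompts for the admin password.
# Globals: ADMINUSER dc_fqdn (read)
#######################################
rejoin_with_winbind() {
  printf 'Rejoining domain...\n'
  net ads join -U "$ADMINUSER" -S "$dc_fqdn"
}

#######################################
# Restart Samba services with a cleared winbind cache.
#######################################
restart_samba_services() {
  systemctl stop winbind
  systemctl stop smbd
  net cache flush
  # NOTE(review): this removes every tdb in Samba's state directory, not only
  # the winbind cache; narrow the glob if other Samba state must survive.
  # -f keeps a no-match from aborting the script under set -e.
  rm -f -- /var/lib/samba/*.tdb
  systemctl start smbd
  systemctl start winbind
}

#######################################
# Show that winbind resolves the admin account and lists domain users.
# Globals: workgroup_uc ADMINUSER (read)
#######################################
verify_lookups() {
  printf 'Found admin user:\n'
  getent passwd "${workgroup_uc}\\${ADMINUSER}" \
    || printf 'warning: %s\\%s is not resolvable through winbind\n' "$workgroup_uc" "$ADMINUSER" >&2
  printf 'Found domain users:\n'
  wbinfo --domain-users
}

main() {
  # Re-exec under sudo when started by an unprivileged user. With the
  # documented `bash <(wget ...)` invocation $0 is a /dev/fd path, so that
  # form must already run as root.
  if [[ $EUID -ne 0 ]]; then
    exec sudo /bin/bash "$0" "$@"
  fi

  prompt_settings
  install_packages
  configure_dns
  join_realm
  enable_mkhomedir
  create_share_dir
  grant_domain_admins_sudo

  install_winbind_packages
  write_krb5_conf
  write_nsswitch_conf
  write_pam_session_files
  write_smb_conf
  rejoin_with_winbind
  restart_samba_services
  verify_lookups
}

main "$@"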