Run as: `sudo -E ./script.sh` — from the desktop user's own account, not from a root shell: the script resolves that user through `$SUDO_USER` to build the browser trust stores that are later copied to /etc/skel. `-E` keeps the caller's environment (presumably needed for the GUI steps such as creating the Firefox profile); the sudo section below re-enables that permission explicitly.

#! /bin/bash

####################################
#### Variables
####################################
# --- Deployment parameters -------------------------------------------------
# Plain assignments only; nothing is executed here.  Adjust for a new site.
NEW_HOSTNAME="szud-opensuse"            # short host name (written to /etc/hostname)
NEW_DOMAINNAME="sigma.sbrf.ru"          # DNS / AD domain this host joins
DNS_SERVERS="10.21.7.212 10.21.7.214"   # space separated, consumed by netconfig
DNS_STATIC_SEARCHLIST="$NEW_DOMAINNAME sberbank.ru"
# Account used for 'net ads join' (it prompts for the password; nothing is
# stored here).  NOTE(review): this looks like a personal admin account; a
# dedicated join account limited to creating computer objects is preferable.
AD_USER="usik-ma"
# One domain controller per line.  Consumers rely on word-splitting the
# unquoted expansion ('for dc in $DOMAIN_CONTROLLERS'), so no spaces in names.
DOMAIN_CONTROLLERS="$(printf '%s\n' \
  cab-vsp-dc00001.sigma.sbrf.ru \
  cab-vsp-dc00002.sigma.sbrf.ru \
  cab-vsp-dc00003.sigma.sbrf.ru \
  cab-vsp-dc00004.sigma.sbrf.ru \
  cab-vsp-dc00005.sigma.sbrf.ru \
  cab-vsp-dc00006.sigma.sbrf.ru \
  cab-vsp-dc00007.sigma.sbrf.ru \
  cab-vsp-dc00008.sigma.sbrf.ru)"
# Kerberos realm = domain in upper case; NetBIOS (short) domain = first label.
DEFAULT_REALM="${NEW_DOMAINNAME^^}"
NETBIOS_DOMAIN_NAME="${DEFAULT_REALM%%.*}"
SDDM_THEME="elarun"                     # login theme that offers a username field
CA_CERT_PREFIX="SberBank_Root_CA"       # file-name prefix of the installed trust anchors

########################################################
### SettingUp Network
########################################################
# Switch the network stack to wicked, which is what the sysconfig/netconfig
# edits below configure.  NetworkManager is stopped first so the two never
# manage the interfaces at the same time.
for unit_action in disable stop; do systemctl "$unit_action" NetworkManager; done
for unit_action in enable start;  do systemctl "$unit_action" wicked;         done
# Give wicked a moment to bring the links up before DNS/hostname work starts.
echo 'Waiting for network...'
sleep 10

##############################################
### Setting up NameServers
##############################################
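# Set KEY="VALUE" in a sysconfig-style file by rewriting the existing KEY= line.
# Arguments: $1 file, $2 key, $3 value.  Returns non-zero (and warns) when the
# key is absent -- the original one-liners silently did nothing in that case,
# which would leave the host on whatever DNS it got from DHCP.
set_sysconfig_value() {
  local file=$1 key=$2 value=$3
  if ! grep -q "^${key}=" "$file" 2>/dev/null; then
    echo "warning: ${key} not found in ${file}; setting not applied" >&2
    return 1
  fi
  # '|' as sed delimiter: values here are IPs/host names separated by spaces.
  sed -i "/^${key}=/ s|=.*\$|=\"${value}\"|" "$file"
}

NETCONFIG_FILE=/etc/sysconfig/network/config
set_sysconfig_value "$NETCONFIG_FILE" NETCONFIG_DNS_STATIC_SEARCHLIST "$DNS_STATIC_SEARCHLIST"
set_sysconfig_value "$NETCONFIG_FILE" NETCONFIG_DNS_STATIC_SERVERS "$DNS_SERVERS"
# Policy "auto": netconfig combines the static entries above with per-interface
# settings (see netconfig(8) for the exact merge order).
set_sysconfig_value "$NETCONFIG_FILE" NETCONFIG_DNS_POLICY "auto"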

###############################################
### Setting HOSTNAME, DOMAINNAME
###############################################
# Kernel host name and NIS/YP domain name of the running system (domainname(1)
# sets the NIS domain; the DNS domain itself comes from resolv.conf/search).
hostname "$NEW_HOSTNAME"
domainname "$NEW_DOMAINNAME"

# Persist the FQDN in both the legacy SUSE location and the systemd one.
# tee also echoes the value, which doubles as progress output.
fqdn="$NEW_HOSTNAME.$NEW_DOMAINNAME"
for hostfile in /etc/HOSTNAME /etc/hostname; do
  printf '%s\n' "$fqdn" | sudo tee "$hostfile"
done

# Rewrite the loopback entries so the FQDN resolves locally even while DNS is
# unavailable; the 127.0.0.2 alias mirrors the layout SUSE ships.
sed -i '/^127./d' /etc/hosts
short_name=$(hostname)
nis_domain=$(domainname)
printf '127.0.0.1 %s.%s %s localhost\n' "$short_name" "$nis_domain" "$short_name" | sudo tee -a /etc/hosts
printf '127.0.0.2 %s.%s %s\n'           "$short_name" "$nis_domain" "$short_name" | sudo tee -a /etc/hosts

# Regenerate resolv.conf & co. from the sysconfig values set above.
netconfig update -f

####################################
#### Setting Software Repos
####################################
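# Disable every currently enabled repository (-d) and switch off autorefresh
# and package caching for it (-R, -K) so only the site mirror is used from
# here on.  The original scraped 'zypper repos' and piped generated commands
# into 'sudo bash'; iterate over the aliases instead.
zypper repos -E | awk -F'|' 'NR > 2 { gsub(/^[ \t]+|[ \t]+$/, "", $2); if ($2 != "") print $2 }' |
while IFS= read -r repo_alias; do
  zypper mr -dRK "$repo_alias"
done

# Register a site mirror and give it priority 5 with autorefresh + caching.
# Arguments: $1 display name, $2 URL, $3 alias, further args for 'zypper ar'.
#
# Integrity: the mirror is plain HTTP, so package/metadata signatures are the
# ONLY thing standing between this host and anyone on the path to
# 10.23.48.12.  The original passed -G, which turns GPG checking off; it is
# deliberately NOT passed here.  If the mirror lacks signed metadata, import
# the publisher's key (rpm --import) rather than disabling verification.
add_repo() {
  local name=$1 url=$2 alias=$3
  shift 3
  zypper ar -c "$@" -n "$name" "$url" "$alias"
  zypper mr -erk -p 5 "$alias"
}

MIRROR="http://10.23.48.12/opensuse"
add_repo "SB-OpenSUSE-oss"                "$MIRROR/distribution/leap/42.1/oss/suse"                sb-opensuse-oss                -f
add_repo "SB-OpenSUSE-update-oss"         "$MIRROR/update/leap/42.1/oss"                          sb-opensuse-update-oss         -f
add_repo "SB-OpenSUSE-packman"            "$MIRROR/packman/openSUSE_Leap_42.1"                    sb-opensuse-packman            -f
add_repo "SB-OpenSUSE-Sky"                "$MIRROR/tel.red/repos/opensuse/42.1/"                  sb-opensuse-sky
add_repo "SB-OpenSUSE-YandexBrowser-beta" "$MIRROR/repo.yandex.ru/yandex-browser/rpm/beta/x86_64" sb-opensuse-yandexbrowser-beta -f
#add_repo "nVidia Graphics Drivers"   http://download.nvidia.com/opensuse/leap/42.1                 nVidia-Graphics-Drivers
#add_repo "AMD/ATI Graphics Drivers"  http://geeko.ioda.net/mirror/amd-fglrx/openSUSE_Leap_42.1/   AMD-Graphics-Drivers -f

zypper clean
zypper -n up
zypper -n dup   # distribution upgrade onto the mirror's package set (vendor change)
zypper -n in nano yast2-online-update krb5-client yandex-browser-beta mozilla-nss-tools sky kernel-devel pam_krb5 openssl
zypper -n in --type pattern devel_basis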

#sudo zypper -n in xrdp mono-complete

###############################################
### Setup Services
###############################################
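# Firewall.  The original left SuSEfirewall2 disabled (its enable lines were
# commented out) and that is preserved here so RDP/VDA traffic is not blocked,
# but note the consequence: sshd, xrdp, smb/nmb and winbind are reachable from
# any network this host is on, and the Citrix VDA step at the end of this
# file passes CTX_XDL_ADD_FIREWALL_RULES=Y, which presumes a running firewall.
# Re-enable once the required ports are known:
#   systemctl enable SuSEfirewall2 && SuSEfirewall2 start
systemctl disable SuSEfirewall2
systemctl stop SuSEfirewall2

# Remote access and time sync.  xrdp/xrdp-sesman are not installed by this
# script (the install line is commented out), so on a fresh host their units
# may not exist; check LoadState so that shows up as one clear warning rather
# than as a series of systemctl errors.
for unit in sshd xrdp xrdp-sesman ntpd; do
  if systemctl show -p LoadState "${unit}.service" | grep -q 'LoadState=loaded'; then
    systemctl enable "$unit"
    systemctl start "$unit"
  else
    echo "warning: ${unit}.service is not installed; skipping (install xrdp if RDP access is required)" >&2
  fi
done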

#############################################
#### Setting sudo
#############################################
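# Sudo policy for the AD-joined desktop.
#
# NOTE(review): every member of "domain users" gets unrestricted sudo (with
# password) and "domain admins" gets it without a password, i.e. every domain
# account is effectively local root here.  Narrow the first rule to the
# groups that actually need it unless that is the intended VDI policy.
#
# Each group appears twice because 'winbind use default domain = yes' in
# smb.conf strips the DOMAIN\ prefix from group names.  In this unquoted
# heredoc '\\\\' becomes '\\', which sudoers reads as one literal backslash.
SUDOERS_DROPIN=/etc/sudoers.d/domain_users
cat <<EOF > "$SUDOERS_DROPIN.tmp"
localuser       ALL=(ALL) ALL
%$NETBIOS_DOMAIN_NAME\\\\domain\ users          ALL=(ALL) ALL 
%domain\ users          ALL=(ALL) ALL
%$NETBIOS_DOMAIN_NAME\\\\domain\ admins      ALL=(ALL) NOPASSWD: ALL 
%domain\ admins      ALL=(ALL) NOPASSWD: ALL
# setenv: env_reset stays in force, but an explicit 'sudo -E' is permitted.
Defaults setenv
EOF
# sudo skips drop-ins whose name contains a dot and refuses group/world-
# writable ones, so the .tmp file is never honoured; only a file that passes
# visudo's syntax check is moved into place.
chmod 0440 "$SUDOERS_DROPIN.tmp"
if visudo -cf "$SUDOERS_DROPIN.tmp" >/dev/null; then
  mv -f "$SUDOERS_DROPIN.tmp" "$SUDOERS_DROPIN"
else
  echo "error: generated $SUDOERS_DROPIN failed the visudo check; not installed" >&2
  rm -f "$SUDOERS_DROPIN.tmp"
fi

# /etc/sudoers itself, validated before the edit is kept:
#  - comment out 'Defaults targetpw' so users authenticate with their own
#    (AD) password instead of root's;
#  - comment out the stock 'ALL ALL=(ALL) ALL' rule that went with targetpw.
# env_reset is deliberately left ON.  The original replaced it with
# '!env_reset', which switches off environment sanitising for every sudo
# invocation (only the env_delete blacklist would still apply); the
# 'Defaults setenv' in the drop-in above is the targeted way to allow the
# documented 'sudo -E' invocation of this script.
cp -p /etc/sudoers /etc/sudoers.pre-domain-join
sed -i "/^Defaults\ targetpw.*\$/ s/^/#/" /etc/sudoers
sed -i "/^ALL.*ALL=(ALL).*\$/ s/^/#/" /etc/sudoers
if ! visudo -cf /etc/sudoers >/dev/null; then
  echo "error: /etc/sudoers failed the visudo check after editing; restoring the backup" >&2
  cp -p /etc/sudoers.pre-domain-join /etc/sudoers
fi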

#########################################
### Setup NTP servers
#########################################
echo "Setting ntp client settings..."
# Drop the public pool servers shipped with the distribution...
for pool_idx in 0 1 2 3; do
  yast2 ntp-client delete server="${pool_idx}.opensuse.pool.ntp.org"
done
# ...and take time from the domain controllers instead: Kerberos rejects
# tickets once the clock drifts beyond the 'clockskew' set in krb5.conf.
# $DOMAIN_CONTROLLERS is one FQDN per line and is left unquoted on purpose
# so the loop word-splits it.
for dc in $DOMAIN_CONTROLLERS; do
  yast2 ntp-client add server="$dc iburst"
done

########################################
#### Install Citrix VDA
########################################
#sudo zypper -n in ./XenDesktopVDA-7.12.0.375-1.sle12_1.x86_64.rpm
#/opt/Citrix/VDA/sbin/ctxsetup.sh

#########################################
### Setup Kerberos /etc/krb5.conf
#########################################
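# Generate /etc/krb5.conf for the AD realm.  The KDCs are listed explicitly
# and dns_lookup_kdc additionally allows SRV-record discovery.  The file is
# written in one pass through a temporary file, and the distro-shipped
# version is kept once as krb5.conf.bak -- the same backup convention the
# smb.conf and pam_winbind.conf sections of this script use.
REALMS_KDC=$(for dc in $DOMAIN_CONTROLLERS; do echo "kdc = $dc"; done)

KRB5_CONF=/etc/krb5.conf
[ -f "$KRB5_CONF.bak" ] || cp -p "$KRB5_CONF" "$KRB5_CONF.bak" 2>/dev/null
cat <<EOF > "$KRB5_CONF.tmp"
[libdefaults]
dns_lookup_kdc = true
dns_lookup_realm = false
default_realm = $DEFAULT_REALM
clockskew = 300
default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
$DEFAULT_REALM = {
$REALMS_KDC
default_domain = $DEFAULT_REALM
}

[domain_realm]
.$NEW_DOMAINNAME = $DEFAULT_REALM
$NEW_DOMAINNAME = $DEFAULT_REALM

[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
}
EOF
chmod 0644 "$KRB5_CONF.tmp"
mv -f "$KRB5_CONF.tmp" "$KRB5_CONF"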

########################################
#### Configure /etc/samba/smb.conf
########################################
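# /etc/samba/smb.conf: SUSE's default template with the [global] section set
# up for AD membership (security = ADS, realm, winbind options).
#
# NOTE(review): smb/nmb are enabled later in this script and the firewall is
# off, so the [homes], [users] (all of /home, read-write) and [groups] shares
# are reachable by any authenticated domain user from the network.  Drop the
# shares this desktop does not need.
#
# Backslashes: this heredoc is unquoted (it expands $NETBIOS_DOMAIN_NAME and
# $DEFAULT_REALM), so '\\' collapses to '\'.  The original wrote '\\%L' and
# therefore produced 'logon path = \%L\profiles\.msprofile' -- a UNC path
# missing its leading backslash.  '\\\\' below yields the intended '\\'.
SMB_CONF_FILE=/etc/samba/smb.conf
# Keep the distro-shipped file once.  The original mv/cp pair reached the
# same end state but errored on the first run, when no .bak existed yet.
[ -f "$SMB_CONF_FILE.bak" ] || cp -p "$SMB_CONF_FILE" "$SMB_CONF_FILE.bak"
cat <<EOF > "$SMB_CONF_FILE.tmp"
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
        workgroup = $NETBIOS_DOMAIN_NAME
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\\\%L\profiles\.msprofile
        logon home = \\\\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = $DEFAULT_REALM
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        usershare max shares = 100
        winbind offline logon = true
        winbind refresh tickets = true
        kerberos method = secrets and keytab
        winbind use default domain = yes
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775
EOF
chmod 0644 "$SMB_CONF_FILE.tmp"
mv -f "$SMB_CONF_FILE.tmp" "$SMB_CONF_FILE"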

###############################################
#### Configure /etc/security/pam_winbind.conf
###############################################
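# Options inserted into the [global] section of pam_winbind.conf:
# cached_login lets users authenticate with cached credentials while no DC is
# reachable; krb5_auth obtains a Kerberos TGT at login and keeps it in a FILE
# ccache, matching default_ccache_name in krb5.conf.
PAM_WINBIND=$(cat <<EOF
        cached_login = yes
        krb5_auth = yes
        krb5_ccache_type = FILE
EOF
)

# Copy $1 to $2, inserting the text block $3 right after the first line that
# contains "[global]".  Returns non-zero if no such line exists.  Lines are
# copied verbatim: 'IFS= read -r' preserves leading whitespace and
# backslashes and the quoted printf preserves internal spacing (the original
# 'read line; echo $line' collapsed both, corrupting indented/escaped lines).
insert_after_global() {
  local src=$1 dst=$2 block=$3 line inserted=0
  : > "$dst"
  while IFS= read -r line || [ -n "$line" ]; do
    printf '%s\n' "$line" >> "$dst"
    if [ "$inserted" -eq 0 ]; then
      case "$line" in
        *"[global]"*) printf '%s\n' "$block" >> "$dst"; inserted=1 ;;
      esac
    fi
  done < "$src"
  [ "$inserted" -eq 1 ]
}

PAM_WINBIND_CONF=/etc/security/pam_winbind.conf
# Keep the distro-shipped file once and always regenerate from it, so
# re-running the script does not insert the block a second time.
[ -f "$PAM_WINBIND_CONF.bak" ] || cp -p "$PAM_WINBIND_CONF" "$PAM_WINBIND_CONF.bak"
if insert_after_global "$PAM_WINBIND_CONF.bak" "$PAM_WINBIND_CONF.tmp" "$PAM_WINBIND"; then
  mv -f "$PAM_WINBIND_CONF.tmp" "$PAM_WINBIND_CONF"
else
  echo "error: no [global] section found in $PAM_WINBIND_CONF.bak; $PAM_WINBIND_CONF left unchanged" >&2
  rm -f "$PAM_WINBIND_CONF.tmp"
fi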

########################################
#### Configure /etc/nsswitch.conf
########################################
# Resolve users and groups through winbind after the local (compat) sources.
# The patterns only match lines still ending in "compat", so a re-run does
# not append "winbind" twice.
for nss_db in passwd group; do
  sed -i "/^${nss_db}:.*compat\$/ s/\$/ winbind/" /etc/nsswitch.conf
done
# Host lookups: local files, then DNS (whatever list was there is replaced).
sed -i '/^hosts:/ s/:.*$/: files dns/' /etc/nsswitch.conf

# PAM: authenticate via winbind and create home directories at first login.
# --krb5 (pam_krb5) is intentionally not added: Kerberos tickets come from
# pam_winbind's krb5_auth option configured above.
pam-config --add --winbind --mkhomedir

#################################################
### Disable autologin
#################################################
# Replace everything after the first '=' on the KEY= line of FILE with VALUE.
# Arguments: $1 file, $2 key, $3 replacement value (inserted verbatim).
replace_kv() { sed -i "/^$2=.*\$/ s|=.*\$|=$3|" "$1"; }

# No autologin: the display manager must prompt for (AD) credentials.
replace_kv /etc/sysconfig/displaymanager DISPLAYMANAGER_AUTOLOGIN '""'

# SDDM theme that offers a free-text username field, so domain accounts
# (not known locally) can be typed in.
replace_kv /etc/sddm.conf Current "$SDDM_THEME"

########################################
### Add Certificates
###########################################
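# Install the corporate root CA(s) as system trust anchors.
#
# The original opened a TLS connection to ya.ru and installed EVERY
# certificate the peer presented.  On the corporate network that chain is
# presumably re-signed by a TLS-inspecting proxy and so carries the corporate
# root -- but the method is trust-on-first-use over the network: whatever
# answers on the path to 443/tcp becomes a trusted CA on this host, and the
# server's leaf certificate was imported as a CA as well.  Mitigations:
#  1. only certificates flagged CA:TRUE are installed, never the leaf;
#  2. if CA_CERT_SHA256_FINGERPRINTS is set (space-separated SHA-256
#     fingerprints as printed by 'openssl x509 -noout -fingerprint -sha256',
#     colons optional), only anchors whose fingerprint is listed are kept.
#     Leave it empty to keep the original behaviour, which now warns.
# The proper fix is to ship the root certificate with this script (or fetch
# it from an already-trusted internal source) instead of learning it here.
: "${CA_CERT_SHA256_FINGERPRINTS:=}"

CHAIN_TMP=$(mktemp -d)
openssl s_client -showcerts -connect ya.ru:443 </dev/null > "$CHAIN_TMP/chain.pem"
if [ ! -s "$CHAIN_TMP/chain.pem" ]; then
  echo "error: could not retrieve a certificate chain from ya.ru:443; no CA installed" >&2
fi

# One PEM file per certificate (cert1.pem, cert2.pem, ...).
awk -v dir="$CHAIN_TMP" '
  /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; keep = 1 }
  keep { print > out }
  /-----END CERTIFICATE-----/   { keep = 0; close(out) }
' "$CHAIN_TMP/chain.pem"

if [ -z "$CA_CERT_SHA256_FINGERPRINTS" ]; then
  echo "warning: CA_CERT_SHA256_FINGERPRINTS is empty; installing unpinned CA certificates learned from the network" >&2
fi
pinned=$(printf '%s' "$CA_CERT_SHA256_FINGERPRINTS" | tr -d ':' | tr 'a-f' 'A-F')

anchor_idx=0
for cert in "$CHAIN_TMP"/cert*.pem; do
  [ -f "$cert" ] || continue
  # End-entity certificates never belong in the anchor store.
  openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' || continue
  if [ -n "$pinned" ]; then
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F')
    case " $pinned " in
      *" $fp "*) ;;
      *) echo "skipping unpinned CA: $(openssl x509 -in "$cert" -noout -subject)" >&2; continue ;;
    esac
  fi
  # Same naming as the original csplit output: <prefix>00.pem, <prefix>01.pem, ...
  printf -v anchor '/etc/pki/trust/anchors/%s%02d.pem' "$CA_CERT_PREFIX" "$anchor_idx"
  install -m 0644 "$cert" "$anchor"
  anchor_idx=$((anchor_idx + 1))
done
rm -rf -- "$CHAIN_TMP"

# /etc/pki/trust/anchors feeds update-ca-certificates; the copies under
# /etc/ssl/certs plus c_rehash serve software that only reads OpenSSL's hash
# directory.
for anchor in /etc/pki/trust/anchors/"$CA_CERT_PREFIX"*; do
  [ -f "$anchor" ] && cp "$anchor" /etc/ssl/certs/
done
c_rehash /etc/ssl/certs/
c_rehash /etc/pki/trust/anchors/
update-ca-certificates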
                                                                                                                                                                                               
#######################################################                                                                                                                                        
#### Import CA Certificates into Browsers                                                                                                                                                      
#   http://blog.xelnor.net/firefox-systemcerts/                                                                                                                                                
#######################################################                                                                                                                                        
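# Home directory of the desktop user who invoked this script through sudo.
# The browser trust stores are built there and later copied to /etc/skel, so
# SUDO_USER must be set and resolvable.  With an empty HOMEDIR the rm -Rf
# lines below would target "/.mozilla" and "/.pki", and the later
# 'sudo -u "$SUDO_USER"' calls would misparse their arguments.
if [ -z "${SUDO_USER:-}" ]; then
  echo "error: SUDO_USER is not set; run this script as 'sudo -E ./script.sh' from the desktop user's account" >&2
  exit 1
fi
HOMEDIR=$(getent passwd "$SUDO_USER" | cut -d: -f6)
if [ -z "$HOMEDIR" ] || [ ! -d "$HOMEDIR" ]; then
  echo "error: cannot determine the home directory of '$SUDO_USER'" >&2
  exit 1
fi
zypper -n install mozilla-nss-tools
# Start from empty browser profiles.  Any existing Firefox/Chromium data of
# this user (bookmarks, saved passwords, imported certificates) is DISCARDED,
# exactly as the original did.
rm -Rf -- "${HOMEDIR:?}/.mozilla"
rm -Rf -- "${HOMEDIR:?}/.pki"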
                                                                                                                                                                                               
########################################################                                                                                                                                       
#### Create and fill cert8.db in Firefox Profile                                                                                                                                               
########################################################                                                                                                                                       
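# Fresh default Firefox profile for the desktop user, then import the anchors
# into its certificate database.
killall firefox 2>/dev/null   # a running instance would hold/overwrite the DB
sudo -u "$SUDO_USER" firefox -CreateProfile default
FirefoxProfileDir=$(find "$HOMEDIR/.mozilla/firefox/" -maxdepth 1 -type d -iname '*.default' | head -n1)
if [ -z "$FirefoxProfileDir" ]; then
  echo "error: no Firefox profile directory found under $HOMEDIR/.mozilla/firefox; certificates not imported" >&2
else
  for certificateFile in /etc/pki/trust/anchors/"$CA_CERT_PREFIX"*; do
    [ -f "$certificateFile" ] || continue
    # Trust flags kept from the original.  certutil runs as the profile owner
    # so the database files are not created root-owned.
    sudo -u "$SUDO_USER" certutil -A -n "$certificateFile" -t "TCu,Cuw,Tuw" -i "$certificateFile" -d "$FirefoxProfileDir"
  done
fi
# The original ran certutil as root and then did 'chmod -R a+rw' on the
# profile, which left the user's trust store writable by every local account.
# Root-owned files are the actual problem; fix ownership instead.
chown -R "$SUDO_USER": "$HOMEDIR/.mozilla"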

################################################################################
#### Import certificates into nssdb for Chromium engine
################################################################################
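# Chromium-engine trust store (NSS shared DB at ~/.pki/nssdb).
#
# The original created the database with the hard-coded password "1q2w3e4r"
# stored in a world-readable password-file (which was then copied into
# /etc/skel for every future account) and finished with 'chmod -R a+rw', so
# any local user could plant a CA into any other user's browser trust store.
# The DB is now created with an empty password -- the form Chromium itself
# creates and expects -- owned by the user and readable only by the user.
NSSDB_DIR="$HOMEDIR/.pki/nssdb"
mkdir -p "$NSSDB_DIR"
certutil -N -d "sql:$NSSDB_DIR" --empty-password
for certificateFile in /etc/pki/trust/anchors/"$CA_CERT_PREFIX"*; do
  [ -f "$certificateFile" ] || continue
  # Trust flags kept from the original.
  certutil -A -n "$certificateFile" -t "TCu,Cuw,Tuw" -i "$certificateFile" -d "sql:$NSSDB_DIR"
done
chown -R "$SUDO_USER": "$HOMEDIR/.pki"
chmod 700 "$HOMEDIR/.pki" "$NSSDB_DIR"
chmod 600 "$NSSDB_DIR"/*

# Seed /etc/skel so every future (AD) user's first login starts with these
# trust stores.  cp without -p: the files are root-owned in the skeleton and
# are re-owned when the skeleton is copied into a new home directory.
rm -Rf /etc/skel/.pki/nssdb/*
rm -Rf /etc/skel/.mozilla/firefox/*
mkdir -p /etc/skel/.pki/nssdb/ /etc/skel/.mozilla/firefox/
cp -Rf "$NSSDB_DIR"/* /etc/skel/.pki/nssdb/
cp -Rf "$HOMEDIR"/.mozilla/firefox/* /etc/skel/.mozilla/firefox/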

#########################################################
### Disable KDEWallet By Default
#########################################################
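# Disable KDE Wallet for new accounts, in both the KF5 and the legacy KDE4
# config locations.  /etc/skel/.config may not exist on a pristine system, so
# create the directories first -- the original redirect failed in that case.
# NOTE(review): with the wallet off, KDE applications that would store
# credentials in it may fall back to their own (often unencrypted) storage;
# confirm this trade-off is intended.
mkdir -p /etc/skel/.config /etc/skel/.kde/share/config
cat <<'EOF' > /etc/skel/.config/kwalletrc
[Wallet]
Enabled=false
EOF
cp /etc/skel/.config/kwalletrc /etc/skel/.kde/share/config/kwalletrc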

############################################################
#### Install Adobe Flash
############################################################
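# Adobe Flash Player from Adobe's own repository.
# NOTE(review): the repository is added over plain HTTP with GPG checking
# disabled (-G) -- the same exposure as an unsigned mirror -- and Flash
# Player reached end-of-life in 2020.  Remove this section unless a specific
# legacy application still requires it; if it must stay, import Adobe's
# signing key and drop -G.
# Packman is disabled for the install so its flash-player build does not
# shadow Adobe's, then re-enabled.
ADOBE_REPO_URL="http://linuxdownload.adobe.com/linux/x86_64/"
PACKMAN_ALIAS="sb-opensuse-packman"
zypper ar -G -c -n "Adobe Software Repository" -f "$ADOBE_REPO_URL" Adobe
zypper -n rm flash-player-24.0.0.221-1.1.x86_64
zypper mr -dRK "$PACKMAN_ALIAS"
# Quoted: the wildcard is meant for zypper, not for the shell (an unquoted
# 'flash-pl*' would expand against files in the current directory).
zypper -n in adobe-release-x86_64 'flash-pl*'
zypper mr -eRK "$PACKMAN_ALIAS"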

############################################################
### Enable Autostart apps
############################################################
# Auto-start the 'sky' client (installed from the tel.red repository above)
# for every new account by seeding its desktop entry into the skeleton.
SKEL_AUTOSTART=/etc/skel/.config/autostart
mkdir --parents "$SKEL_AUTOSTART"
cp /usr/share/applications/sky.desktop "$SKEL_AUTOSTART/"

########################################
### Join AD Domain
########################################
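# Join the AD domain.
systemctl enable nmb.service smb.service winbind.service
systemctl restart nmb.service smb.service winbind.service

# Reachability check.  The original ran 'ping -c 5 $DOMAIN_CONTROLLERS', i.e.
# ping with all eight names as arguments; ping probes a single destination
# (older iputils even treat the extra arguments as source-route hops), so
# that did not test what it appeared to.  Probe the DCs one at a time and
# stop at the first that answers.
reachable_dc=""
for dc in $DOMAIN_CONTROLLERS; do
  if ping -c 2 -W 3 "$dc" >/dev/null 2>&1; then
    reachable_dc=$dc
    break
  fi
done

if [ -z "$reachable_dc" ]; then
  echo "Join AD failed: none of the domain controllers answered ping" >&2
else
  # Interactive step: 'net' prompts for $AD_USER's password (nothing is stored
  # in this script).  The original 'a && b || c' reported a join failure with
  # the ping-failure message; keep the two cases distinct.
  if ! net ads join -U "$AD_USER"; then
    echo "Join AD failed: 'net ads join' returned an error" >&2
  fi
fi
systemctl restart winbind.service && systemctl restart nmb.service && systemctl restart smb.service

# Post-join diagnostics (informational; exit codes are not checked).
wbinfo -P                           # winbind <-> DC connection
wbinfo -t                           # machine account trust secret
# The original called 'wbinfo -n=$computername' with an undefined variable;
# look up the machine account (HOSTNAME$) instead.
wbinfo -n "${NEW_HOSTNAME^^}\$"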

Part 2 — Citrix Linux VDA setup. This appears to be a separate script (it has its own shebang below) to be run after the domain join above has succeeded:

#!/bin/bash
# Citrix Linux VDA: non-interactive configuration via CTX_XDL_* variables (see
# the Citrix Linux VDA documentation for each one).  env(1) scopes them to
# ctxsetup.sh alone.  NOTE(review): CTX_XDL_ADD_FIREWALL_RULES=Y asks the
# installer to open ports in the host firewall, while the main script above
# disables SuSEfirewall2 -- one of the two should change.
env \
  CTX_XDL_SUPPORT_DDC_AS_CNAME=N \
  CTX_XDL_DDC_LIST="v-szud-ctxdc-01.sigma.sbrf.ru v-szud-ctxdc-02.sigma.sbrf.ru" \
  CTX_XDL_VDA_PORT=80 \
  CTX_XDL_REGISTER_SERVICE=Y \
  CTX_XDL_ADD_FIREWALL_RULES=Y \
  CTX_XDL_AD_INTEGRATION=1 \
  CTX_XDL_HDX_3D_PRO=N \
  CTX_XDL_VDI_MODE=Y \
  CTX_XDL_SITE_NAME='<none>' \
  CTX_XDL_LDAP_LIST='<none>' \
  CTX_XDL_SEARCH_BASE='<none>' \
  CTX_XDL_START_SERVICE=Y \
  /opt/Citrix/VDA/sbin/ctxsetup.sh