linux_faq:centos_7_minimal_winbind_setup_script

Script

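#! /bin/bash
#
# CentOS 7 minimal -> Samba/Winbind AD member setup.
# Edit the variables below before running. The script is meant to run as root
# through sudo: it calls yum, hostnamectl and sed -i on /etc/* directly and
# later relies on SUDO_USER to locate the browser profiles it prepares.

####################################
#### Variables
####################################
NEW_HOSTNAME="centos-01"
NEW_DOMAINNAME="test.com"
# Whitespace-separated list; the loops below rely on unquoted word-splitting.
DNS_SERVERS="192.168.246.130"
DNS_STATIC_SEARCHLIST="$NEW_DOMAINNAME"
AD_USER="usik-ma"
# One domain controller per line (krb5 kdc entries and chrony servers).
DOMAIN_CONTROLLERS=$(cat <<EOF
dc01.test.com
dc02.test.com
EOF
)
# Kerberos realm is the upper-cased DNS domain (bash 4+ case conversion).
DEFAULT_REALM="${NEW_DOMAINNAME^^}"
# NetBIOS/workgroup name: the first label of the realm, i.e. everything up to
# the first dot. Parameter expansion replaces the former echo|sed pipeline.
NETBIOS_DOMAIN_NAME="${DEFAULT_REALM%%.*}"
# File-name prefix for the certificates split out of the TLS chain later on.
CA_CERT_PREFIX="SberBank_Root_CA"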

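##############################################
### Disable IPv6
##############################################
# Back up sysctl.conf with a timestamp, drop any existing net.ipv6.conf lines,
# then append the three disable_ipv6 settings and reload the kernel parameters.
cp /etc/sysctl.conf "/etc/sysctl.conf.bak_$(date +"%d.%m.%y_%H-%M")"
sed -i '/^net.ipv6.conf/d' /etc/sysctl.conf
sudo tee -a /etc/sysctl.conf <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF
sysctl -p
# NOTE(review): dhclient is run with no interface given, presumably to pick up
# a fresh lease once IPv6 is gone; confirm it is still needed now that the
# NetworkManager connections are bounced further down anyway.
dhclient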

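##############################################
### Setting up Network
##############################################
# Set the FQDN and rewrite the loopback entries of /etc/hosts so the new name
# resolves locally (Samba and Kerberos need a consistent FQDN).
hostnamectl set-hostname "$NEW_HOSTNAME.$NEW_DOMAINNAME"
sed -i '/^127./d' /etc/hosts
sed -i '/^::1/d' /etc/hosts
echo "127.0.0.1 $NEW_HOSTNAME.$NEW_DOMAINNAME $NEW_HOSTNAME localhost.localdomain localhost" | sudo tee -a /etc/hosts

# Legacy /etc/sysconfig/network: hostname, search list and numbered DNS entries.
echo "NETWORKING=yes" | sudo tee /etc/sysconfig/network
echo "HOSTNAME=$NEW_HOSTNAME" | sudo tee -a /etc/sysconfig/network
echo "SEARCH=$DNS_STATIC_SEARCHLIST" | sudo tee -a /etc/sysconfig/network

dnsnumber=1
for nameserver in $DNS_SERVERS; do   # deliberate word-splitting of the list
  echo "DNS$dnsnumber=$nameserver" | sudo tee -a /etc/sysconfig/network
  dnsnumber=$((dnsnumber + 1))
done

# Point every NetworkManager connection at the static DNS servers and search
# domain, ignore DHCP-provided DNS, and bounce the connection so it applies.
# Connection names may contain spaces ("Wired connection 1"), so the terse
# nmcli output is read line by line instead of being word-split.
while IFS= read -r connection; do
  [[ -n "$connection" ]] || continue
  nmcli con mod "$connection" connection.autoconnect yes
  nmcli con mod "$connection" ipv4.dns-search "$DNS_STATIC_SEARCHLIST"
  nmcli con mod "$connection" ipv4.ignore-auto-dns yes
  sudo nmcli c modify "$connection" ipv4.dns ''
  for nameserver in $DNS_SERVERS; do
    nmcli c modify "$connection" +ipv4.dns "$nameserver"
  done
  nmcli c down "$connection"
  nmcli c up "$connection"
done < <(nmcli -t -f NAME connection show)
echo "Waiting for network..."
sleep 10

# NOTE(review): hostnamectl already maintains /etc/hostname; this overwrites it
# with the short name, as the original did — confirm that is intended.
echo "$NEW_HOSTNAME" | sudo tee /etc/hostname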

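###########################################
### Add Corporate IronPort Certificates
###########################################
# The TLS chain seen for ya.ru from inside the corporate network is the one
# presented by the intercepting proxy (IronPort); every certificate in it is
# installed as a system trust anchor. This trusts whatever sits on the network
# path at run time, so compare the resulting anchor fingerprints with the ones
# published by the proxy operator before rolling the image out.
update-ca-trust force-enable   # no-op where the consolidated trust store is already on
echo "Trying to reach ya.ru..."
if ! ping -c 5 ya.ru &> /dev/null; then
  echo "ya.ru is unreachable, cannot fetch the proxy certificate chain" >&2
  exit 1
fi
openssl s_client -showcerts -connect ya.ru:443 </dev/null > chain.pem || exit 1
# Split the s_client output after each END CERTIFICATE line (up to 11 pieces);
# -k keeps the pieces already written when there are fewer matches than {10}.
# NOTE(review): piece 00 also carries the s_client preamble and the server's
# own leaf certificate, not only CA certificates — confirm that is intended.
csplit -k -f "$CA_CERT_PREFIX" ./chain.pem '/END CERTIFICATE/+1' '{10}'
# Drop the trailing remainder piece(s) that hold no certificate at all;
# -Z/-0 keep odd file names intact and -r avoids "rm: missing operand".
find ./ -iname "$CA_CERT_PREFIX*" -type f -exec grep -F -L -Z 'END CERTIFICATE' '{}' + | xargs -0 -r rm -f --
for file in "$CA_CERT_PREFIX"*; do
  [[ -e "$file" ]] || continue   # unmatched glob would leave the literal pattern
  sudo mv -- "$file" "/etc/pki/ca-trust/source/anchors/$file.pem"
done
# Also expose the anchors under /etc/ssl/certs for tools that read that path.
for file in /etc/pki/ca-trust/source/anchors/"$CA_CERT_PREFIX"*; do
  [[ -e "$file" ]] || continue
  sudo cp -- "$file" /etc/ssl/certs/
done
update-ca-trust extract
rm -f ./chain.pem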

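####################################
#### Setup Software
####################################
yum -y update
yum -y install chrony nano yum-utils openssl
# AD membership stack: Samba + winbind, Kerberos client, PAM glue, mkhomedir.
# 'samba-winbind*' is quoted so the shell never expands it against files in
# the current directory; yum does its own wildcard matching.
yum -y install samba 'samba-winbind*' authconfig samba-common-tools net-tools \
  pam_krb5 bind-utils samba-winbind samba-winbind-clients krb5-workstation \
  oddjob-mkhomedir
yum -y install cyrus-sasl cyrus-sasl-gssapi
# Desktop: KDE plus the browser/office groups; boot to the graphical target and
# skip the first-boot wizard.
yum -y groupinstall "X Window System" "Fonts" kde-desktop
yum -y groupinstall "Internet Browser" "Office Suite and Productivity"
#yum -y groupinstall "Graphical Administration Tools" \
#"General Purpose Desktop" "Graphics Creation Tools"
systemctl set-default graphical.target
systemctl disable initial-setup-text
systemctl disable initial-setup-graphical

# Third-party RPMs are fetched straight from the vendors and installed with
# --nogpgcheck because their signing keys are not yet known to rpm at this
# point (the adobe one is even fetched over plain http). That is a supply-chain
# exposure: these packages are only as trustworthy as the download path. The
# keys shipped by the release packages are imported right after, so later
# installs from those repos can be signature-checked where gpgcheck is on.
yum -y install --nogpgcheck  https://repo.yandex.ru/yandex-browser/rpm/beta/x86_64/yandex-browser-beta-17.1.1.773-1.x86_64.rpm
yum -y install --nogpgcheck https://tel.red/repos/redhat/7/noarch/telred-redhat-7-latest.el7.noarch.rpm
yum -y install --nogpgcheck http://linuxdownload.adobe.com/adobe-release/adobe-release-x86_64-1.0-1.noarch.rpm
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TELRED

yum -y update

yum -y install xorg-x11-server-Xvfb evolution evolution-ews evolution-plugins \
  clamav yandex-browser-beta flash-plugin alsa-plugins-pulseaudio libcurl sky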

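#############################################
#### Setting sudo
#############################################
# Drop-in granting sudo to "Domain Users" (with password) and "Domain Admins"
# (NOPASSWD), in both the bare and the @domain-qualified spelling winbind may
# produce. The file is validated with visudo and installed root-owned, mode
# 0440: sudo expects that mode on drop-ins and rejects looser ones, which the
# plain heredoc redirect (umask-dependent, typically 0644) did not guarantee.
sudoers_tmp=$(mktemp) || exit 1
cat <<EOF > "$sudoers_tmp"
localuser       ALL=(ALL) ALL
%domain\ users\@$NEW_DOMAINNAME          ALL=(ALL) ALL
%domain\ users          ALL=(ALL) ALL
%domain\ admins\@$NEW_DOMAINNAME      ALL=(ALL) NOPASSWD: ALL
%domain\ admins      ALL=(ALL) NOPASSWD: ALL
EOF
if visudo -cf "$sudoers_tmp" >/dev/null; then
  install -m 0440 -o root -g root "$sudoers_tmp" /etc/sudoers.d/domain_users
else
  echo "generated sudoers drop-in is invalid, not installing it" >&2
fi
rm -f -- "$sudoers_tmp"

# Edit /etc/sudoers on a copy and only swap it in once visudo accepts it, so a
# bad substitution cannot lock everyone out of sudo. The edits:
#   - comment out "Defaults targetpw" and the "ALL ALL=(ALL)" line that goes
#     with it (SUSE-style defaults; on a stock CentOS sudoers they match nothing)
#   - turn env_reset into !env_reset. NOTE(review): this lets a sudoer's
#     environment (PATH etc.) reach the commands run as root; kept because the
#     original relies on it, but it weakens sudo's isolation.
sudoers_edit=$(mktemp) || exit 1
cp /etc/sudoers "$sudoers_edit"
sed -i "/^Defaults\ targetpw.*\$/ s/^/#/" "$sudoers_edit"
sed -i "/^Defaults\ env_reset.*\$/ s/\ env_reset/\ \!env_reset/" "$sudoers_edit"
sed -i "/^ALL.*ALL=(ALL).*\$/ s/^/#/" "$sudoers_edit"
if visudo -cf "$sudoers_edit" >/dev/null; then
  install -m 0440 -o root -g root "$sudoers_edit" /etc/sudoers
else
  echo "edited /etc/sudoers failed visudo -c, leaving the original in place" >&2
fi
rm -f -- "$sudoers_edit"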

#########################################
### Setup NTP servers
#########################################
# Kerberos needs the clock close to the domain's, so chrony is pointed at the
# domain controllers: every existing pool/server line is commented out and one
# "server <dc> iburst" line is appended per entry of DOMAIN_CONTROLLERS.
sudo systemctl start chronyd.service
sed -i -e "/^pool.*\$/ s/^/#/" -e "/^server.*\$/ s/^/#/" /etc/chrony.conf

for dc in $DOMAIN_CONTROLLERS; do
  printf 'server %s iburst\n' "$dc" | sudo tee -a /etc/chrony.conf
done
sudo systemctl restart chronyd.service

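########################################################
#### Setup Kerberos and Samba
########################################################
# Move the stock config files aside with a timestamp before fresh ones are
# written; a file that is not there is skipped instead of making mv complain.
backup_suffix="bak_$(date +"%d.%m.%y_%H-%M")"
for conf in /etc/samba/smb.conf /etc/krb5.conf; do
  [[ -e "$conf" ]] && mv -- "$conf" "$conf.$backup_suffix"
done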

#########################################
### Setup Kerberos /etc/krb5.conf
#########################################
# One "kdc = <dc>" line per domain controller for the [realms] section.
kdc_lines=$(for dc in $DOMAIN_CONTROLLERS; do printf 'kdc = %s\n' "$dc"; done)

# Write krb5.conf in one go: [libdefaults], [realms], [domain_realm] and the
# PAM [appdefaults]; realm and domain come from the variables at the top.
cat <<EOF > /etc/krb5.conf
[libdefaults]
dns_lookup_kdc = true
dns_lookup_realm = false
default_realm = $DEFAULT_REALM
clockskew = 300
default_ccache_name = FILE:/tmp/krb5cc_%{uid}

[realms]
$DEFAULT_REALM = {
$kdc_lines
default_domain = $DEFAULT_REALM
}

[domain_realm]
.$NEW_DOMAINNAME = $DEFAULT_REALM
$NEW_DOMAINNAME = $DEFAULT_REALM

[appdefaults]
pam = {
        ticket_lifetime = 1d
        renew_lifetime = 1d
        forwardable = true
        proxiable = false
        minimum_uid = 1
}
EOF

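########################################
#### Configure /etc/samba/smb.conf
########################################
# Minimal AD member configuration: security = ADS against DEFAULT_REALM with
# the NetBIOS workgroup, winbind-managed users homed in /home/<DOMAIN>/<user>,
# and every domain-master/printing role switched off.
# The heredoc is unquoted so the $VARIABLES expand; that also collapses "\\"
# to a single backslash, which is why the UNC logon paths are written with
# four backslashes below — the original wrote them with two and so produced
# "\%L\..." in the file instead of "\\%L\...".
# NOTE(review): "include = /etc/samba/dhcp.conf" is a SUSE convention and the
# file may not exist on CentOS — confirm it is wanted.
cat <<EOF > /etc/samba/smb.conf
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
        workgroup = $NETBIOS_DOMAIN_NAME
        passdb backend = tdbsam
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\\\%L\profiles\.msprofile
        logon home = \\\\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap gid = 10000-20000
        idmap uid = 10000-20000
        realm = $DEFAULT_REALM
        security = ADS
        template homedir = /home/%D/%U
        template shell = /bin/bash
        usershare max shares = 100
        winbind offline logon = no
        winbind refresh tickets = yes
        kerberos method = secrets and keytab
        winbind use default domain = yes
        encrypt passwords = yes
        dns proxy = no
        socket options = TCP_NODELAY
        domain master = no
        local master = no
        preferred master = no
        os level = 0
        domain logons = no
        load printers = no
        show add printer wizard = no
        printcap name = /dev/null
        disable spoolss = yes
EOF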

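########################################
#### Configure /etc/nsswitch.conf
########################################
#######################################
# Make passwd/group lookups consult winbind and hosts use files then dns.
# Arguments: $1 - path of the nsswitch.conf to edit in place
# Notes:   the original only extended lines ending in "compat" (the SUSE
#          default), which never matches CentOS 7's "passwd: files sss", so
#          winbind was silently left out of NSS. Now any passwd:/group: line
#          gets " winbind" appended unless it already lists it, which also
#          makes re-running the script a no-op for this file.
#######################################
configure_nsswitch() {
  local conf=$1
  sed -i -e '/^passwd:/{/winbind/!s/$/ winbind/}' \
         -e '/^group:/{/winbind/!s/$/ winbind/}' \
         -e '/^hosts:/ s/:.*$/: files dns/' "$conf"
}
configure_nsswitch /etc/nsswitch.conf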

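########################################
#### Configure /etc/security/pam_winbind.conf
########################################
#######################################
# Set one key in pam_winbind.conf by rewriting its existing (possibly
# ';'-commented) "key = value" line to "key = value". Only lines that are an
# assignment of that key are touched, so a descriptive comment that merely
# mentions the key name is left alone — the original ".*key.*" pattern would
# have rewritten those as well.
# Arguments: $1 - config file, $2 - key, $3 - value
#            (key and value must not contain sed specials such as / or &)
#######################################
set_pam_winbind_option() {
  local conf=$1 key=$2 value=$3
  sed -i "/^[;#[:space:]]*${key}[[:space:]]*=/ s/^.*\$/${key} = ${value}/" "$conf"
}
# Kerberos auth through winbind with a FILE ccache, and auto-created homes.
set_pam_winbind_option /etc/security/pam_winbind.conf krb5_auth yes
set_pam_winbind_option /etc/security/pam_winbind.conf krb5_ccache_type FILE
set_pam_winbind_option /etc/security/pam_winbind.conf mkhomedir yes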

# Enable Samba and winbind at boot, then restart both so the new configs apply.
for svc in smb winbind; do
  systemctl enable "$svc"
done
for svc in smb winbind; do
  systemctl restart "$svc"
done

############################################################
### Enable Autostart apps
############################################################
# Seed /etc/skel so the "sky" desktop entry autostarts for every new user.
autostart_dir=/etc/skel/.config/autostart
mkdir --parents "$autostart_dir/"
cp /usr/share/applications/sky.desktop "$autostart_dir/"

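#######################################################
#### Import CA Certificates into Browsers
#   http://blog.xelnor.net/firefox-systemcerts/
#######################################################
# The browser profiles are built in the home directory of the user who invoked
# sudo and copied into /etc/skel afterwards. Refuse to go on if that user is
# unknown: with an empty HOMEDIR the rm/chmod steps below would operate on
# "/.mozilla", "/.pki" and friends instead of the intended profile.
if [[ -z "${SUDO_USER:-}" ]]; then
  echo "SUDO_USER is not set; run this script through sudo so the profile owner is known" >&2
  exit 1
fi
HOMEDIR=$(getent passwd "$SUDO_USER" | cut -d: -f6)
if [[ -z "$HOMEDIR" ]]; then
  echo "cannot determine the home directory of $SUDO_USER" >&2
  exit 1
fi
# Start from clean Firefox and NSS (Chromium) profiles.
rm -Rf -- "${HOMEDIR:?}/.mozilla" "${HOMEDIR:?}/.pki"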
                                                                                                                                                                                               
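########################################################
#### Create and fill cert8.db in Firefox Profile
########################################################
# Create a default Firefox profile as the invoking user (headless, under Xvfb),
# then add every corporate anchor to its certificate DB.
killall firefox
sudo -u "$SUDO_USER" xvfb-run --server-args="-screen 0, 1280x1024x24" firefox -CreateProfile default
FirefoxProfileDir=$(find "$HOMEDIR/.mozilla/firefox/" -iname '*.default')
if [[ -z "$FirefoxProfileDir" ]]; then
  echo "no Firefox profile directory found under $HOMEDIR/.mozilla/firefox/" >&2
  exit 1
fi
for certificateFile in /etc/pki/ca-trust/source/anchors/"$CA_CERT_PREFIX"*; do
  [[ -e "$certificateFile" ]] || continue
  # -t sets the trust flags for the SSL, e-mail and object-signing categories.
  certutil -A -n "${certificateFile}" -t "TCu,Cuw,Tuw" -i "${certificateFile}" -d "${FirefoxProfileDir}"
done
# certutil ran as root, so hand the profile back to its owner. The original
# made the whole profile world-writable (chmod -R a+rw) instead, which would
# let any local account add its own trusted CA to the profile that goes on to
# seed /etc/skel for every new user.
chown -R "$SUDO_USER": "$HOMEDIR/.mozilla/firefox"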

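################################################################################
#### Import certificates into nssdb for Chromium engine
################################################################################
# Chromium-based browsers read ~/.pki/nssdb; create it with a password file and
# import the same anchors.
# NOTE(review): the DB password is a fixed, well-known string stored next to
# the DB (and later copied into /etc/skel), so it protects nothing — confirm
# whether a password is needed at all. Also, -N is run without the "sql:"
# prefix while -A uses it, so the two commands may address different DB
# formats (cert8.db vs cert9.db) — verify on the target NSS version.
nssdb_dir="$HOMEDIR/.pki/nssdb"
nssdb_pw="$nssdb_dir/password-file"
mkdir --parents "$nssdb_dir"
printf '%s\n' 1q2w3e4r | sudo tee "$nssdb_pw" >/dev/null   # do not echo the secret to the log
certutil -N -f "$nssdb_pw" -d "$nssdb_dir"
for certificateFile in /etc/pki/ca-trust/source/anchors/"$CA_CERT_PREFIX"*; do
  [[ -e "$certificateFile" ]] || continue
  certutil -f "$nssdb_pw" -A -n "${certificateFile}" -t "TCu,Cuw,Tuw" -i "${certificateFile}" -d "sql:$nssdb_dir"
done
# Give the DB to its owner rather than making it world-writable: a
# world-writable trust store lets any local user plant a CA in it.
chown -R "$SUDO_USER": "$HOMEDIR/.pki"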

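#########################################################
### Copy databases with imported certs to default profile
#########################################################
# Seed /etc/skel with the prepared browser profiles so every user created from
# now on starts with the corporate anchors trusted (the nssdb password file is
# copied along with it). HOMEDIR must be non-empty here, otherwise the globs
# would point at /.pki and /.mozilla; ${HOMEDIR:?} aborts in that case.
rm -Rf /etc/skel/.pki/nssdb/*
rm -Rf /etc/skel/.mozilla/firefox/*
mkdir --parents /etc/skel/.pki/nssdb/
cp -Rf "${HOMEDIR:?HOMEDIR is empty}"/.pki/nssdb/* /etc/skel/.pki/nssdb/
mkdir --parents /etc/skel/.mozilla/firefox/
cp -Rf "${HOMEDIR:?HOMEDIR is empty}"/.mozilla/firefox/* /etc/skel/.mozilla/firefox/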

#########################################################
### Disable KDEWallet By Default
#########################################################
# Ship a kwalletrc that turns KWallet off, in both the ~/.config and the
# legacy ~/.kde/share/config locations, via /etc/skel.
kwalletrc_new=/etc/skel/.config/kwalletrc
kwalletrc_old=/etc/skel/.kde/share/config/kwalletrc
mkdir --parents "${kwalletrc_new%/*}/"
printf '%s\n' '[Wallet]' 'Enabled=false' > "$kwalletrc_new"
mkdir --parents "${kwalletrc_old%/*}/"
cp "$kwalletrc_new" "$kwalletrc_old"

#################################################################
#### Add Launchers
#################################################################
#mkdir --parents /etc/skel/.kde/share/config/
#
#cat <<EOF > /ets/skel/.kde/share/config/plasma-desktop-appletsrc
#[Containments][1][Applets][5][Configuration][Launchers]
#Items=file:///opt/yandex/browser-beta/yandex_browser?wmClass=yandex-browser-beta%20%28%2Fhome%2Fmike%40test.com%2F.config%2Fyandex-browser-beta%29,file:///usr/share/applications/sky.desktop?wmClass=Sky,file:///usr/share/applications/kde4/konsole.desktop?wmClass=Konsole,file:///usr/share/applications/evolution.desktop?wmClass=Evolution
#EOF

##############################################
#### Join domain using Samba-Winbind
##############################################
#net ads join -U $AD_USER

Setup Citrix VDA 1.3

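#!/bin/bash
# Unattended Citrix Linux VDA setup. The VDA needs a local PostgreSQL instance,
# and on CentOS 7 the postgresql unit refuses to start on an empty data
# directory, so the cluster is initialised *before* the service is started
# (the original started it first, which cannot succeed on a fresh install).
set -eu
systemctl enable postgresql.service
# Skip initdb when a cluster already exists so the script can be re-run.
[[ -s /var/lib/pgsql/data/PG_VERSION ]] || postgresql-setup initdb
systemctl start postgresql
# Answers for ctxsetup.sh go in as CTX_XDL_* environment variables: two DDCs,
# registration on port 80, VDI (single-session) mode, firewall rules added,
# service registered and started; site, LDAP list and search base left unset.
# NOTE(review): AD_INTEGRATION=1 selects the first of Citrix's AD methods
# (Winbind in their numbering) — verify against the docs of the VDA in use.
CTX_XDL_SUPPORT_DDC_AS_CNAME=N \
CTX_XDL_DDC_LIST="v-szud-ctxdc-01.sigma.sbrf.ru v-szud-ctxdc-02.sigma.sbrf.ru" \
CTX_XDL_VDA_PORT=80 \
CTX_XDL_REGISTER_SERVICE=Y \
CTX_XDL_ADD_FIREWALL_RULES=Y \
CTX_XDL_AD_INTEGRATION=1 \
CTX_XDL_HDX_3D_PRO=N \
CTX_XDL_VDI_MODE=Y \
CTX_XDL_SITE_NAME='<none>' \
CTX_XDL_LDAP_LIST='<none>' \
CTX_XDL_SEARCH_BASE='<none>' \
CTX_XDL_START_SERVICE=Y \
/opt/Citrix/VDA/sbin/ctxsetup.sh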
