#! /bin/bash
####################################
#### Variables
####################################
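# Target host identity and AD/DNS parameters used by every section below.
# Edit these before running; nothing here is read from the environment.
NEW_HOSTNAME="centos-01"
NEW_DOMAINNAME="test.com"
# Space-separated list of resolver addresses; consumers split it on whitespace.
DNS_SERVERS="192.168.246.130"
DNS_STATIC_SEARCHLIST="$NEW_DOMAINNAME"
# AD account for the (currently commented-out) realm join at the end.
AD_USER="usik-ma"
# One domain controller per line; consumers split on newlines / whitespace.
DOMAIN_CONTROLLERS=$(cat <<EOF
dc01.test.com
dc02.test.com
EOF
)
# Kerberos realm is the domain name upper-cased (bash 4+ case conversion).
DEFAULT_REALM="${NEW_DOMAINNAME^^}"
# NetBIOS name is the first DNS label of the realm. Parameter expansion replaces
# the former echo|sed pipeline: same result, no subshell, no word-splitting.
NETBIOS_DOMAIN_NAME="${DEFAULT_REALM%%.*}"
# Filename prefix for the proxy CA certificates extracted and installed later.
CA_CERT_PREFIX="SberBank_Root_CA"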
##############################################
### Disable IPv6
##############################################
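# Back up sysctl.conf (timestamped, same scheme as the other sections), drop
# any existing net.ipv6.conf lines, then append the three disable switches.
# Abort if the backup cannot be written rather than editing without one.
backup_stamp=$(date +"%d.%m.%y_%H-%M")
cp -- /etc/sysctl.conf "/etc/sysctl.conf.bak_${backup_stamp}" || exit 1
sed -i '/^net.ipv6.conf/d' /etc/sysctl.conf
# tee -a keeps the original "append and echo to stdout" behaviour.
printf '%s\n' \
  'net.ipv6.conf.all.disable_ipv6 = 1' \
  'net.ipv6.conf.default.disable_ipv6 = 1' \
  'net.ipv6.conf.lo.disable_ipv6 = 1' | sudo tee -a /etc/sysctl.conf
# Apply the new values, then re-run the DHCP client so the interface comes up
# with the IPv6 switches in effect.
sysctl -p
dhclient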
##############################################
### Setting up Network
##############################################
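# Hostname, /etc/hosts and the legacy /etc/sysconfig/network entries.
fqdn="${NEW_HOSTNAME}.${NEW_DOMAINNAME}"
hostnamectl set-hostname "$fqdn"
# Replace every 127.x loopback line with one that maps loopback to the FQDN.
sed -i '/^127\./d' /etc/hosts
printf '%s\n' "127.0.0.1 $fqdn $NEW_HOSTNAME localhost.localdomain localhost" | sudo tee -a /etc/hosts
# DNS_SERVERS is a space-separated list: split it once into an array.
read -r -a dns_list <<<"$DNS_SERVERS"
printf 'NETWORKING=yes\n' | sudo tee /etc/sysconfig/network
printf 'HOSTNAME=%s\n' "$fqdn" | sudo tee -a /etc/sysconfig/network
printf 'SEARCH=%s\n' "$DNS_STATIC_SEARCHLIST" | sudo tee -a /etc/sysconfig/network
dnsnumber=1
for nameserver in "${dns_list[@]}"; do
  printf 'DNS%d=%s\n' "$dnsnumber" "$nameserver" | sudo tee -a /etc/sysconfig/network
  dnsnumber=$((dnsnumber + 1))
done
# nmcli -t prints one connection NAME per line; names may contain spaces, so
# read them line-wise instead of word-splitting the whole output.
mapfile -t connections < <(nmcli -t -f NAME connection show)
for connection in "${connections[@]}"; do
  [[ -n "$connection" ]] || continue
  nmcli con mod "$connection" connection.autoconnect yes
  nmcli con mod "$connection" ipv4.dns-search "$DNS_STATIC_SEARCHLIST"
  nmcli con mod "$connection" ipv4.ignore-auto-dns yes
  # Clear any DHCP-supplied resolvers before adding the static ones.
  sudo nmcli c modify "$connection" ipv4.dns ''
  for nameserver in "${dns_list[@]}"; do
    nmcli c modify "$connection" +ipv4.dns "$nameserver"
  done
  # Bounce the connection so the new resolver settings take effect.
  nmcli c down "$connection"
  nmcli c up "$connection"
done
echo "Waiting for network..."
sleep 10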
###########################################
### Add Corporate IronPort Certificates
###########################################
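# Capture the certificate chain presented for an external HTTPS site.
# Presumably (section title) the intercepting proxy substitutes its own chain,
# and that chain is what gets installed as system trust anchors.
# NOTE(review): every certificate in the captured chain — the leaf for ya.ru
# included — is written to the anchors directory with the CA prefix; only the
# proxy CA itself should be trusted. Inspect each piece (openssl x509 -noout
# -subject -issuer) and keep only the expected CA before relying on this.
update-ca-trust force-enable
echo "Trying to reach ya.ru..."
ping -c 5 ya.ru &>/dev/null || exit 1
# Work in a private temp dir so the csplit pieces and the find below cannot
# pick up unrelated files from whatever the current directory happens to be.
cert_workdir=$(mktemp -d) || exit 1
openssl s_client -showcerts -connect ya.ru:443 </dev/null > "$cert_workdir/chain.pem" \
  || { rm -rf -- "$cert_workdir"; exit 1; }
# One PEM file per certificate: '{10}' repeats the split up to 10 more times,
# -k keeps the pieces already written when fewer boundaries exist.
csplit -k -f "$cert_workdir/$CA_CERT_PREFIX" "$cert_workdir/chain.pem" '/END CERTIFICATE/+1' '{10}'
# Drop pieces that hold no certificate (the trailing s_client session dump);
# -r keeps xargs from running rm with no arguments.
find "$cert_workdir" -iname "$CA_CERT_PREFIX"'*' -type f \
  -exec grep -F -L 'END CERTIFICATE' '{}' + | xargs -r -d '\n' rm -f --
for file in "$cert_workdir/$CA_CERT_PREFIX"*; do
  [[ -e "$file" ]] || continue
  sudo mv -- "$file" "/etc/pki/ca-trust/source/anchors/${file##*/}.pem"
done
for file in /etc/pki/ca-trust/source/anchors/"$CA_CERT_PREFIX"*; do
  [[ -e "$file" ]] || continue
  sudo cp -- "$file" /etc/ssl/certs/
done
update-ca-trust extract
rm -rf -- "$cert_workdir"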
####################################
#### Setup Software
####################################
# Base tooling, the AD-join stack, then the KDE desktop and productivity groups.
base_pkgs=(chrony nano yum-utils openssl)
ad_pkgs=(realmd oddjob oddjob-mkhomedir sssd adcli samba-common-tools)
yum -y update
yum -y install "${base_pkgs[@]}"
yum -y install "${ad_pkgs[@]}"
yum -y groupinstall "X Window System" "Fonts" kde-desktop
yum -y groupinstall "Internet Browser" "Office Suite and Productivity"
#yum -y groupinstall "Graphical Administration Tools" "General Purpose Desktop" "Graphics Creation Tools"
systemctl set-default graphical.target
systemctl disable initial-setup-text
systemctl disable initial-setup-graphical
# Vendor RPMs fetched straight from their URLs. They are installed with
# --nogpgcheck and the Adobe one travels over plain http, so nothing but the
# URL authenticates these three packages; the Adobe and TEL.RED keys are
# imported only afterwards (no key is imported for the Yandex repo here), so
# later installs from those repos are the ones that get GPG-checked.
vendor_rpms=(
  https://repo.yandex.ru/yandex-browser/rpm/beta/x86_64/yandex-browser-beta-17.1.1.773-1.x86_64.rpm
  https://tel.red/repos/redhat/7/noarch/telred-redhat-7-latest.el7.noarch.rpm
  http://linuxdownload.adobe.com/adobe-release/adobe-release-x86_64-1.0-1.noarch.rpm
)
for rpm_url in "${vendor_rpms[@]}"; do
  yum -y install --nogpgcheck "$rpm_url"
done
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TELRED
yum -y update
# Headless X server (used later for the Firefox profile), mail client, AV,
# browser, Flash, audio, curl and the Sky client.
desktop_pkgs=(
  xorg-x11-server-Xvfb evolution evolution-ews evolution-plugins
  clamav yandex-browser-beta flash-plugin alsa-plugins-pulseaudio libcurl sky
)
yum -y install "${desktop_pkgs[@]}"
#############################################
#### Setting sudo
#############################################
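# Drop-in sudoers fragment for local and AD accounts. The policy is kept
# byte-identical to what was here before: every member of "domain users" gets
# full sudo (password-prompted), "domain admins" gets it without a password.
# NOTE(review): that hands root-equivalent access on this host to the whole
# domain; narrowing it is an owner decision and is not changed here.
sudoers_fragment=/etc/sudoers.d/domain_users
cat <<EOF > "$sudoers_fragment"
localuser ALL=(ALL) ALL
%domain\ users\@$NEW_DOMAINNAME ALL=(ALL) ALL
%domain\ users ALL=(ALL) ALL
%domain\ admins\@$NEW_DOMAINNAME ALL=(ALL) NOPASSWD: ALL
%domain\ admins ALL=(ALL) NOPASSWD: ALL
EOF
# sudo expects sudoers files to be mode 0440 and rejects ones it considers
# insecure, and a syntax error in any fragment breaks sudo for everyone:
# set the mode and validate before leaving the file in place.
chmod 0440 "$sudoers_fragment"
if ! visudo -cf "$sudoers_fragment"; then
  printf 'sudoers fragment %s rejected by visudo, removing it\n' "$sudoers_fragment" >&2
  rm -f -- "$sudoers_fragment"
fi
# Edit the main sudoers file in place (timestamped backup first, like the other
# sections), then validate; a broken /etc/sudoers locks everyone out of sudo.
cp -a /etc/sudoers "/etc/sudoers.bak_$(date +"%d.%m.%y_%H-%M")"
sed -i "/^Defaults\ targetpw.*\$/ s/^/#/" /etc/sudoers
# NOTE(review): "!env_reset" passes the caller's environment through to
# commands run under sudo, weakening the default scrubbing; kept because the
# original policy set it.
sed -i "/^Defaults\ env_reset.*\$/ s/\ env_reset/\ \!env_reset/" /etc/sudoers
sed -i "/^ALL.*ALL=(ALL).*\$/ s/^/#/" /etc/sudoers
visudo -c || printf 'WARNING: /etc/sudoers failed validation; restore it from the backup above\n' >&2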
#########################################
### Setup NTP servers
#########################################
# Point chrony at the domain controllers only: comment out every stock
# pool/server line, then append one "server <dc> iburst" entry per DC.
sudo systemctl start chronyd.service
sed -i -e "/^pool.*\$/ s/^/#/" -e "/^server.*\$/ s/^/#/" /etc/chrony.conf
# Same whitespace splitting as the original for-loop over the variable.
# shellcheck disable=SC2206
dc_list=( $DOMAIN_CONTROLLERS )
for dc in "${dc_list[@]}"; do
  printf 'server %s iburst\n' "$dc" | sudo tee -a /etc/chrony.conf
done
sudo systemctl restart chronyd.service
########################################################
#### Setup Kerberos and Samba
########################################################
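# Move the current Samba and Kerberos configs aside (timestamped), let
# authconfig regenerate them for the AD realm, then tune smb.conf.
backup_stamp=$(date +"%d.%m.%y_%H-%M")
for cfg in /etc/samba/smb.conf /etc/krb5.conf; do
  # Only move what exists; a missing file is not an error on a fresh host.
  [[ -e "$cfg" ]] && mv -- "$cfg" "${cfg}.bak_${backup_stamp}"
done
# authconfig wants a comma-separated KDC list; DOMAIN_CONTROLLERS is one host
# per line, so swap newlines for commas with parameter expansion.
kdc_list="${DOMAIN_CONTROLLERS//$'\n'/,}"
authconfig --smbsecurity=ads --smbworkgroup="$NETBIOS_DOMAIN_NAME" \
  --smbrealm="$DEFAULT_REALM" --krb5realm="$DEFAULT_REALM" \
  --krb5kdc="$kdc_list" --enablekrb5kdcdns \
  --enablekrb5realmdns --update
# Rewrite the value of each key that is already present in smb.conf.
sed -i "/^.*kerberos method =.*\$/ s/=.*$/= secrets and keytab/" /etc/samba/smb.conf
sed -i "/^.*template shell =.*\$/ s/=.*$/= \/bin\/bash/" /etc/samba/smb.conf
sed -i "/^.*winbind offline logon =.*\$/ s/=.*$/= yes/" /etc/samba/smb.conf
sed -i "/^.*winbind use default domain =.*\$/ s/=.*$/= yes/" /etc/samba/smb.conf
# Settings appended verbatim at the end of the file.
cat <<EOF >> /etc/samba/smb.conf
usershare max shares = 100
winbind refresh tickets = yes
encrypt passwords = yes
EOF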
############################################################
### Enable Autostart apps
############################################################
# Ship the Sky launcher in every new account's autostart directory.
skel_autostart=/etc/skel/.config/autostart
mkdir -p "$skel_autostart"
cp /usr/share/applications/sky.desktop "$skel_autostart/"
#######################################################
#### Import CA Certificates into Browsers
# http://blog.xelnor.net/firefox-systemcerts/
#######################################################
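# The script is expected to run via sudo: SUDO_USER is the account whose home
# directory receives the seed browser profiles. Fail loudly if it is missing;
# otherwise HOMEDIR would be empty and the rm -Rf lines below would target
# "/.mozilla" and "/.pki".
: "${SUDO_USER:?run this script via sudo; SUDO_USER is required}"
HOMEDIR=$(getent passwd "$SUDO_USER" | cut -d: -f6)
: "${HOMEDIR:?could not resolve the home directory of $SUDO_USER}"
# Start from clean browser state so only the certificates imported below exist.
rm -Rf -- "${HOMEDIR:?}/.mozilla"
rm -Rf -- "${HOMEDIR:?}/.pki"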
########################################################
#### Create and fill cert8.db in Firefox Profile
########################################################
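# Create the default Firefox profile headlessly as the real user, then import
# every proxy CA file into that profile's certificate database.
killall firefox 2>/dev/null || true   # no running instance is fine
sudo -u "$SUDO_USER" xvfb-run --server-args="-screen 0, 1280x1024x24" firefox -CreateProfile default
# The profile directory is named <random>.default; -type d keeps a stray file
# with that suffix from being handed to certutil -d, head -n 1 keeps a single
# path if more than one matches.
FirefoxProfileDir=$(find "${HOMEDIR:?}/.mozilla/firefox/" -type d -iname '*.default' | head -n 1)
if [[ -z "$FirefoxProfileDir" ]]; then
  printf 'no Firefox profile found under %s/.mozilla/firefox\n' "$HOMEDIR" >&2
else
  for certificateFile in /etc/pki/ca-trust/source/anchors/"$CA_CERT_PREFIX"*; do
    [[ -e "$certificateFile" ]] || continue
    # Nickname is the anchor's path; the trust flags grant CA trust for SSL,
    # email and object signing to every file carrying the prefix.
    certutil -A -n "$certificateFile" -t "TCu,Cuw,Tuw" -i "$certificateFile" -d "$FirefoxProfileDir"
  done
fi
# NOTE(review): a world-writable profile lets any local account edit this
# trust store (and the copy later seeded into /etc/skel). The profile is owned
# by SUDO_USER and the skel copy is made by root, so a+rw appears unnecessary;
# kept as in the original pending the owner's confirmation.
chmod -R a+rw "${HOMEDIR:?}"/.mozilla/firefox/*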
################################################################################
#### Import certificates into nssdb for Chromium engine
################################################################################
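# Chromium-engine browsers read ~/.pki/nssdb. Create it with a fixed DB
# password and import the same CA files.
# NOTE(review): the password is a weak literal, stored in plaintext beside the
# DB and copied into /etc/skel with it, so treat it as public; presumably it
# guards only this (empty) key store — confirm before relying on it.
nssdb_dir="${HOMEDIR:?}/.pki/nssdb"
nssdb_pw_file="$nssdb_dir/password-file"
mkdir -p "$nssdb_dir"
printf '%s\n' '1q2w3e4r' | sudo tee "$nssdb_pw_file"
certutil -N -f "$nssdb_pw_file" -d "$nssdb_dir"
for certificateFile in /etc/pki/ca-trust/source/anchors/"$CA_CERT_PREFIX"*; do
  [[ -e "$certificateFile" ]] || continue
  certutil -f "$nssdb_pw_file" -A -n "$certificateFile" -t "TCu,Cuw,Tuw" -i "$certificateFile" -d "sql:$nssdb_dir"
done
# NOTE(review): same caveat as the Firefox profile chmod — world-writable
# means any local user can alter this trust store. Kept as in the original.
chmod -R a+rw "$nssdb_dir"/*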
#########################################################
### Copy databases with imported certs to default profile
#########################################################
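# Seed new accounts with the freshly populated databases: clear whatever is in
# /etc/skel, recreate the directories, copy from SUDO_USER's home. Note that
# the nssdb password-file is copied along with the DB.
: "${HOMEDIR:?HOMEDIR must be set (resolved from SUDO_USER earlier)}"
rm -Rf /etc/skel/.pki/nssdb/*
rm -Rf /etc/skel/.mozilla/firefox/*
mkdir -p /etc/skel/.pki/nssdb/ /etc/skel/.mozilla/firefox/
cp -Rf "$HOMEDIR"/.pki/nssdb/* /etc/skel/.pki/nssdb/
cp -Rf "$HOMEDIR"/.mozilla/firefox/* /etc/skel/.mozilla/firefox/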
#########################################################
### Disable KDEWallet By Default
#########################################################
# Disable KWallet for new accounts in both config locations the desktop reads.
kwalletrc_content=$'[Wallet]\nEnabled=false'
mkdir -p /etc/skel/.config/ /etc/skel/.kde/share/config/
printf '%s\n' "$kwalletrc_content" > /etc/skel/.config/kwalletrc
cp /etc/skel/.config/kwalletrc /etc/skel/.kde/share/config/kwalletrc
#################################################################
#### Add Launchers
#################################################################
#mkdir --parents /etc/skel/.kde/share/config/
#
#cat <<EOF > /etc/skel/.kde/share/config/plasma-desktop-appletsrc
#[Containments][1][Applets][5][Configuration][Launchers]
#Items=file:///opt/yandex/browser-beta/yandex_browser?wmClass=yandex-browser-beta%20%28%2Fhome%2Fmike%40test.com%2F.config%2Fyandex-browser-beta%29,file:///usr/share/applications/sky.desktop?wmClass=Sky,file:///usr/share/applications/kde4/konsole.desktop?wmClass=Konsole,file:///usr/share/applications/evolution.desktop?wmClass=Evolution
#EOF
##############################################
#### Join domain using SSSD
##############################################
#realm join -U $AD_USER $NEW_DOMAINNAME
#!/bin/bash
# Initialise PostgreSQL, then run the Citrix VDA setup non-interactively with
# its answers supplied through the environment of that single command.
service postgresql initdb
ctx_vda_answers=(
  CTX_XDL_SUPPORT_DDC_AS_CNAME=N
  CTX_XDL_DDC_LIST="v-szud-ctxdc-01.sigma.sbrf.ru v-szud-ctxdc-02.sigma.sbrf.ru"
  CTX_XDL_VDA_PORT=80
  CTX_XDL_REGISTER_SERVICE=Y
  CTX_XDL_ADD_FIREWALL_RULES=Y
  CTX_XDL_AD_INTEGRATION=4
  CTX_XDL_HDX_3D_PRO=N
  CTX_XDL_VDI_MODE=Y
  CTX_XDL_SITE_NAME='<none>'
  CTX_XDL_LDAP_LIST='<none>'
  CTX_XDL_SEARCH_BASE='<none>'
  CTX_XDL_START_SERVICE=Y
)
env "${ctx_vda_answers[@]}" /opt/Citrix/VDA/sbin/ctxsetup.sh