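#!/bin/bash
#
# Prepare a CentOS 7 workstation for an Active Directory domain: network/DNS,
# corporate CA trust, desktop software, sudo policy, chrony, Kerberos/Samba
# (winbind) and the browser trust stores. It edits /etc and restarts services,
# so it must run as root; the browser-profile section additionally expects to
# be launched via sudo so that $SUDO_USER names the user whose profile is
# seeded and then copied to /etc/skel.
#
# NOTE(review): the script is not written for `set -e`; several steps are
# best-effort (killall, optional packages), so most failures are reported and
# the script carries on.
####################################
#### Variables
####################################
NEW_HOSTNAME="centos-01"
NEW_DOMAINNAME="test.com"
# Whitespace-separated list of DNS servers (consumers word-split on it).
DNS_SERVERS="192.168.246.130"
DNS_STATIC_SEARCHLIST="$NEW_DOMAINNAME"
# Account used for the (currently commented-out) `net ads join` at the end.
AD_USER="usik-ma"
# Domain controllers, whitespace-separated; used as Kerberos KDCs and as the
# only NTP sources.
DOMAIN_CONTROLLERS="dc01.test.com dc02.test.com"
# The Kerberos realm is the DNS domain in upper case (bash 4 case conversion).
DEFAULT_REALM="${NEW_DOMAINNAME^^}"
# NetBIOS/short domain name: the realm up to its first dot (TEST.COM -> TEST).
NETBIOS_DOMAIN_NAME="${DEFAULT_REALM%%.*}"
# Filename prefix for the CA certificates extracted from the proxy chain.
CA_CERT_PREFIX="SberBank_Root_CA"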
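##############################################
### Disable IPv6
##############################################
# Back up sysctl.conf, drop any existing net.ipv6.conf.* lines and append the
# three disable_ipv6 settings, then apply them. The regex dots are escaped so
# only the net.ipv6.conf keys match (the original's unescaped dots matched any
# character). Runs as root, so no sudo is needed for the file writes.
sysctl_backup_suffix=$(date +"%d.%m.%y_%H-%M")
cp /etc/sysctl.conf "/etc/sysctl.conf.bak_${sysctl_backup_suffix}"
sed -i '/^net\.ipv6\.conf/d' /etc/sysctl.conf
printf '%s\n' \
  'net.ipv6.conf.all.disable_ipv6 = 1' \
  'net.ipv6.conf.default.disable_ipv6 = 1' \
  'net.ipv6.conf.lo.disable_ipv6 = 1' >> /etc/sysctl.conf
sysctl -p
# NOTE(review): a bare `dhclient` re-runs DHCP on every interface outside of
# NetworkManager's control; it is kept because the original did it — confirm it
# is still wanted now that the nmcli reconfiguration below re-applies the
# connections anyway.
dhclient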
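##############################################
### Setting up Network
##############################################
# Hostname: hostnamectl records the FQDN; /etc/hostname is overwritten with the
# short name at the end of this section, as the original did.
hostnamectl set-hostname "${NEW_HOSTNAME}.${NEW_DOMAINNAME}"
# Rebuild the loopback entries in /etc/hosts so the FQDN resolves locally.
sed -i -e '/^127\./d' -e '/^::1/d' /etc/hosts
printf '127.0.0.1 %s.%s %s localhost.localdomain localhost\n' \
  "$NEW_HOSTNAME" "$NEW_DOMAINNAME" "$NEW_HOSTNAME" >> /etc/hosts
# Legacy /etc/sysconfig/network entries (NETWORKING, HOSTNAME, SEARCH, DNSn),
# written in one go instead of one tee per line.
{
  printf 'NETWORKING=yes\n'
  printf 'HOSTNAME=%s\n' "$NEW_HOSTNAME"
  printf 'SEARCH=%s\n' "$DNS_STATIC_SEARCHLIST"
  dns_index=1
  for nameserver in $DNS_SERVERS; do
    printf 'DNS%d=%s\n' "$dns_index" "$nameserver"
    dns_index=$((dns_index + 1))
  done
} > /etc/sysconfig/network
# Point every NetworkManager connection at the static DNS servers and search
# list and ignore DHCP-supplied resolvers. Connection names routinely contain
# spaces ("Wired connection 1"), so the original's word-splitting `for` loop
# broke them into pieces; read one name per line instead.
while IFS= read -r connection; do
  [[ -n "$connection" ]] || continue
  nmcli con mod "$connection" connection.autoconnect yes
  nmcli con mod "$connection" ipv4.dns-search "$DNS_STATIC_SEARCHLIST"
  nmcli con mod "$connection" ipv4.ignore-auto-dns yes
  nmcli con mod "$connection" ipv4.dns ''
  for nameserver in $DNS_SERVERS; do
    nmcli con mod "$connection" +ipv4.dns "$nameserver"
  done
  nmcli con down "$connection"
  nmcli con up "$connection"
done < <(nmcli -t -f NAME connection show)
echo "Waiting for network..."
sleep 10
printf '%s\n' "$NEW_HOSTNAME" > /etc/hostname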
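###########################################
### Add Corporate IronPort Certificates
###########################################
# The corporate IronPort proxy terminates outbound TLS and re-signs sites with
# its own CA, so a connection to any public site returns the proxy's chain.
# That chain is fetched here and its CA certificates are installed as system
# trust anchors.
#
# SECURITY: this is trust-on-first-use of whatever is intercepting the
# connection — on a hostile network the attacker's CA would be installed
# instead. Set CA_CERT_SHA256_FINGERPRINT to the expected corporate root's
# SHA-256 fingerprint (colon-separated, as printed by
# `openssl x509 -noout -fingerprint -sha256`) to pin it; when it is empty the
# script warns loudly and proceeds as the original did. The original also
# installed every certificate in the chain, including the site's own leaf;
# only certificates with basicConstraints CA:TRUE are installed now.
CA_CERT_SHA256_FINGERPRINT="${CA_CERT_SHA256_FINGERPRINT:-}"
update-ca-trust force-enable
cert_work_dir=$(mktemp -d) || { echo "mktemp failed" >&2; exit 1; }
echo "Fetching the proxy certificate chain via ya.ru..."
if ! openssl s_client -showcerts -servername ya.ru -connect ya.ru:443 \
     </dev/null >"${cert_work_dir}/chain.pem" 2>/dev/null; then
  echo "Could not reach ya.ru:443 to obtain the certificate chain" >&2
  rm -rf -- "$cert_work_dir"
  exit 1
fi
# Split the s_client output into one PEM file per certificate
# (<prefix>00.pem, <prefix>01.pem, ...); text outside BEGIN/END is dropped.
awk -v prefix="${cert_work_dir}/${CA_CERT_PREFIX}" '
  /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s%02d.pem", prefix, n++); keep = 1 }
  keep { print > out }
  /-----END CERTIFICATE-----/ { keep = 0; close(out) }
' "${cert_work_dir}/chain.pem"
pinned_root_found=0
ca_cert_count=0
for pem in "${cert_work_dir}/${CA_CERT_PREFIX}"*.pem; do
  [[ -e "$pem" ]] || continue
  # Drop non-CA certificates (the ya.ru leaf must not become a trust anchor).
  if ! openssl x509 -in "$pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    rm -f -- "$pem"
    continue
  fi
  fingerprint=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//')
  if [[ -n "$CA_CERT_SHA256_FINGERPRINT" && "${fingerprint^^}" == "${CA_CERT_SHA256_FINGERPRINT^^}" ]]; then
    pinned_root_found=1
  fi
  echo "CA certificate $(basename "$pem"): SHA256 ${fingerprint}"
  ca_cert_count=$((ca_cert_count + 1))
done
if (( ca_cert_count == 0 )); then
  echo "No CA certificate found in the chain from ya.ru; nothing installed" >&2
  rm -rf -- "$cert_work_dir"
  exit 1
fi
if [[ -n "$CA_CERT_SHA256_FINGERPRINT" ]] && (( pinned_root_found == 0 )); then
  echo "Pinned CA fingerprint ${CA_CERT_SHA256_FINGERPRINT} is not in the chain; refusing to install" >&2
  rm -rf -- "$cert_work_dir"
  exit 1
elif [[ -z "$CA_CERT_SHA256_FINGERPRINT" ]]; then
  echo "WARNING: CA_CERT_SHA256_FINGERPRINT is empty; installing the intercepting CA unverified" >&2
fi
# Install into the system trust store (update-ca-trust anchors) and into the
# /etc/ssl/certs directory the original also populated.
for pem in "${cert_work_dir}/${CA_CERT_PREFIX}"*.pem; do
  [[ -e "$pem" ]] || continue
  anchor="/etc/pki/ca-trust/source/anchors/$(basename "$pem")"
  mv -- "$pem" "$anchor"
  cp -- "$anchor" /etc/ssl/certs/
done
update-ca-trust extract
rm -rf -- "$cert_work_dir"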
####################################
#### Setup Software
####################################
# Base tooling first, then the Samba/winbind/Kerberos stack, then a KDE desktop.
yum -y update
yum -y install chrony nano yum-utils openssl
ad_client_packages=(
  samba samba-winbind* authconfig samba-common-tools net-tools
  pam_krb5 bind-utils samba-winbind samba-winbind-clients krb5-workstation
  oddjob-mkhomedir
)
yum -y install "${ad_client_packages[@]}"
yum -y install cyrus-sasl cyrus-sasl-gssapi
yum -y groupinstall "X Window System" "Fonts" kde-desktop
yum -y groupinstall "Internet Browser" "Office Suite and Productivity"
#yum -y groupinstall "Graphical Administration Tools" \
#"General Purpose Desktop" "Graphics Creation Tools"
systemctl set-default graphical.target
systemctl disable initial-setup-text
systemctl disable initial-setup-graphical
# Third-party repositories. NOTE(review): the release packages are installed
# with --nogpgcheck (the Adobe one over plain HTTP) and the repo signing keys
# are then imported from those very packages, so the trust chain for everything
# installed from these repos starts from an unauthenticated download. Verify the
# release RPMs or the key fingerprints out of band before trusting them.
third_party_release_rpms=(
  https://repo.yandex.ru/yandex-browser/rpm/beta/x86_64/yandex-browser-beta-17.1.1.773-1.x86_64.rpm
  https://tel.red/repos/redhat/7/noarch/telred-redhat-7-latest.el7.noarch.rpm
  http://linuxdownload.adobe.com/adobe-release/adobe-release-x86_64-1.0-1.noarch.rpm
)
for release_rpm in "${third_party_release_rpms[@]}"; do
  yum -y install --nogpgcheck "$release_rpm"
done
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-adobe-linux
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-TELRED
yum -y update
desktop_packages=(
  xorg-x11-server-Xvfb evolution evolution-ews evolution-plugins
  clamav yandex-browser-beta flash-plugin alsa-plugins-pulseaudio libcurl sky
)
yum -y install "${desktop_packages[@]}"
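#############################################
#### Setting sudo
#############################################
# Sudo policy for domain accounts. NOTE(review): this grants every member of
# "domain users" full sudo (password required) and "domain admins" passwordless
# root. That is the policy the original encodes and it is reproduced unchanged,
# but it makes every domain account a local administrator of this machine.
sudoers_fragment=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
cat <<EOF > "$sudoers_fragment"
localuser ALL=(ALL) ALL
%domain\ users\@$NEW_DOMAINNAME ALL=(ALL) ALL
%domain\ users ALL=(ALL) ALL
%domain\ admins\@$NEW_DOMAINNAME ALL=(ALL) NOPASSWD: ALL
%domain\ admins ALL=(ALL) NOPASSWD: ALL
EOF
# Files in sudoers.d must be mode 0440 (the original left the umask default)
# and must parse; a broken fragment can lock everyone out of sudo, so run it
# through visudo before installing it.
chmod 0440 "$sudoers_fragment"
if visudo -cf "$sudoers_fragment" >/dev/null; then
  install -m 0440 -o root -g root "$sudoers_fragment" /etc/sudoers.d/domain_users
else
  echo "Generated sudoers fragment failed the visudo check; not installed" >&2
fi
rm -f -- "$sudoers_fragment"
# Adjust /etc/sudoers defaults as the original did:
#  - comment out `Defaults targetpw` (ask for the invoking user's password);
#  - turn env_reset into !env_reset. NOTE(review): this hands the caller's
#    environment (PATH and friends) to the root command, which is exactly what
#    env_reset exists to prevent — confirm it is really required;
#  - comment out any blanket `ALL ALL=(ALL) ...` rule.
sed -i "/^Defaults\ targetpw.*\$/ s/^/#/" /etc/sudoers
sed -i "/^Defaults\ env_reset.*\$/ s/\ env_reset/\ \!env_reset/" /etc/sudoers
sed -i "/^ALL.*ALL=(ALL).*\$/ s/^/#/" /etc/sudoers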
#########################################
### Setup NTP servers
#########################################
# Kerberos needs the clock within the configured skew of the DCs, so make the
# domain controllers the only NTP sources: comment out the stock pool/server
# lines and add one `server ... iburst` entry per controller.
sudo systemctl start chronyd.service
sed -i -e '/^pool/ s/^/#/' -e '/^server/ s/^/#/' /etc/chrony.conf
for controller in $DOMAIN_CONTROLLERS; do
  printf 'server %s iburst\n' "$controller" | sudo tee -a /etc/chrony.conf
done
sudo systemctl restart chronyd.service
########################################################
#### Setup Kerberos and Samba
########################################################
# Move the existing Samba and Kerberos configs aside (timestamped) before they
# are regenerated below.
config_backup_stamp=$(date +"%d.%m.%y_%H-%M")
for config_file in /etc/samba/smb.conf /etc/krb5.conf; do
  mv "$config_file" "${config_file}.bak_${config_backup_stamp}"
done
#########################################
### Setup Kerberos /etc/krb5.conf
#########################################
# Write /etc/krb5.conf in a single heredoc: libdefaults, the realm with an
# explicit KDC line per domain controller (DNS SRV lookup stays enabled as a
# fallback), the domain->realm mapping and the PAM ticket settings.
# NOTE(review): default_ccache_name is a FILE cache under /tmp because the
# pam_winbind configuration below sets krb5_ccache_type = FILE; the two must
# agree, so do not change one without the other.
kdc_lines=$(for controller in $DOMAIN_CONTROLLERS; do printf 'kdc = %s\n' "$controller"; done)
cat <<EOF > /etc/krb5.conf
[libdefaults]
dns_lookup_kdc = true
dns_lookup_realm = false
default_realm = $DEFAULT_REALM
clockskew = 300
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
$DEFAULT_REALM = {
$kdc_lines
default_domain = $DEFAULT_REALM
}
[domain_realm]
.$NEW_DOMAINNAME = $DEFAULT_REALM
$NEW_DOMAINNAME = $DEFAULT_REALM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
}
EOF
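########################################
#### Configure /etc/samba/smb.conf
########################################
# Member-server smb.conf for winbind (security = ADS), adapted from SUSE's
# default template — hence the logon/profile lines and the dhcp.conf include.
# With `domain logons = no` the logon settings are inert, and
# /etc/samba/dhcp.conf is not created anywhere in this script. `idmap uid/gid`
# are the legacy spellings of `idmap config * : range`; kept as-is.
#
# The heredoc is unquoted so $VARS expand, which means `\\` collapses to `\`.
# The original therefore emitted `\%L\...` instead of the UNC `\\%L\...`; the
# backslashes are doubled here so the written file carries the intended prefix.
cat <<EOF > /etc/samba/smb.conf
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
workgroup = $NETBIOS_DOMAIN_NAME
passdb backend = tdbsam
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\\\%L\profiles\.msprofile
logon home = \\\\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = $DEFAULT_REALM
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
usershare max shares = 100
winbind offline logon = no
winbind refresh tickets = yes
kerberos method = secrets and keytab
winbind use default domain = yes
encrypt passwords = yes
dns proxy = no
socket options = TCP_NODELAY
domain master = no
local master = no
preferred master = no
os level = 0
domain logons = no
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
EOF
# Surface a config Samba will not load before the services are restarted.
if ! testparm -s /etc/samba/smb.conf >/dev/null; then
  echo "testparm rejected /etc/samba/smb.conf; review it before starting smb/winbind" >&2
fi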
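########################################
#### Configure /etc/nsswitch.conf
########################################
#######################################
# Add winbind to the passwd and group databases and pin hosts to "files dns".
# The original only touched lines ending in "compat" — the SUSE/Debian layout;
# CentOS ships "passwd: files sss", so winbind was never added there and
# domain accounts stayed unresolvable. Now every passwd:/group: line gets
# " winbind" appended unless it already lists winbind (safe to re-run).
# Arguments: $1 - path to nsswitch.conf (defaults to /etc/nsswitch.conf)
#######################################
configure_nsswitch() {
  local conf=${1:-/etc/nsswitch.conf}
  local db
  for db in passwd group; do
    if ! grep -qE "^${db}:.*[[:space:]]winbind([[:space:]]|$)" "$conf"; then
      sed -i "/^${db}:/ s/\$/ winbind/" "$conf"
    fi
  done
  sed -i '/^hosts:/ s/:.*$/: files dns/' "$conf"
}
configure_nsswitch /etc/nsswitch.conf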
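########################################
#### Configure /etc/security/pam_winbind.conf
########################################
# Turn on Kerberos authentication with a FILE ccache (must agree with
# default_ccache_name in krb5.conf) and home-directory creation. Each sed now
# anchors on the key itself (optionally ';'-commented, as pam_winbind.conf
# ships it) so only the real setting line is rewritten, not any other text that
# merely mentions the key.
sed -i -E 's/^;?[[:space:]]*krb5_auth[[:space:]]*=.*$/krb5_auth = yes/' /etc/security/pam_winbind.conf
sed -i -E 's/^;?[[:space:]]*krb5_ccache_type[[:space:]]*=.*$/krb5_ccache_type = FILE/' /etc/security/pam_winbind.conf
sed -i -E 's/^;?[[:space:]]*mkhomedir[[:space:]]*=.*$/mkhomedir = yes/' /etc/security/pam_winbind.conf
# NOTE(review): nothing in this script wires pam_winbind into /etc/pam.d
# (authconfig is installed above but never invoked); domain logins need that
# PAM stack configured somewhere — confirm it happens outside this script.
systemctl enable smb
systemctl enable winbind
systemctl restart smb
systemctl restart winbind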
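############################################################
### Enable Autostart apps
############################################################
# Autostart the "sky" client for every new user via /etc/skel. The .desktop
# file comes from the `sky` package installed above; warn rather than emit a
# bare cp error if it is missing.
mkdir --parents /etc/skel/.config/autostart/
if [[ -f /usr/share/applications/sky.desktop ]]; then
  cp /usr/share/applications/sky.desktop /etc/skel/.config/autostart/
else
  echo "/usr/share/applications/sky.desktop not found; autostart entry skipped" >&2
fi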
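#######################################################
#### Import CA Certificates into Browsers
# http://blog.xelnor.net/firefox-systemcerts/
#######################################################
# The browser trust stores are built in the invoking user's home ($SUDO_USER)
# and then copied into /etc/skel. Refuse to continue when SUDO_USER is empty
# (script started as root without sudo): the original's `getent passwd ""`
# yielded an empty HOMEDIR and the rm -Rf lines then targeted /.mozilla and
# /.pki instead of the user's directories.
if [[ -z "${SUDO_USER:-}" ]]; then
  echo "SUDO_USER is not set; run this script via sudo so a user profile can be seeded" >&2
  exit 1
fi
HOMEDIR=$(getent passwd "$SUDO_USER" | cut -d: -f6)
if [[ -z "$HOMEDIR" || ! -d "$HOMEDIR" ]]; then
  echo "Cannot determine the home directory of $SUDO_USER" >&2
  exit 1
fi
rm -rf -- "${HOMEDIR:?}/.mozilla"
rm -rf -- "${HOMEDIR:?}/.pki"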
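########################################################
#### Create and fill cert8.db in Firefox Profile
########################################################
# Create a default Firefox profile as the target user (headless via Xvfb) and
# import every corporate CA anchor into its cert8.db with certutil.
killall firefox 2>/dev/null
sudo -u "$SUDO_USER" xvfb-run --server-args="-screen 0, 1280x1024x24" firefox -CreateProfile default
firefox_profile_dir=$(find "${HOMEDIR}/.mozilla/firefox/" -maxdepth 1 -type d -iname '*.default' | head -n 1)
if [[ -z "$firefox_profile_dir" ]]; then
  echo "Firefox profile directory not found under ${HOMEDIR}/.mozilla/firefox" >&2
else
  for certificate_file in /etc/pki/ca-trust/source/anchors/"$CA_CERT_PREFIX"*; do
    [[ -e "$certificate_file" ]] || continue
    certutil -A -n "$certificate_file" -t "TCu,Cuw,Tuw" -i "$certificate_file" -d "$firefox_profile_dir"
  done
fi
# certutil ran as root, so hand the profile back to its owner. The original
# did `chmod -R a+rw` instead, which left the trust database writable by every
# local user (anyone on the box could add a CA); ownership fixes the access
# problem without that.
chown -R "${SUDO_USER}:" "${HOMEDIR}/.mozilla"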
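################################################################################
#### Import certificates into nssdb for Chromium engine
################################################################################
# Chromium-based browsers (yandex-browser here) read the shared NSS database
# in ~/.pki/nssdb in the "sql:" (cert9.db) format. Create it without a
# password: the original set a fixed password, stored it in a world-readable
# file inside the database directory and cloned that file into /etc/skel for
# every new user, so it protected nothing. The original also ran `certutil -N`
# without the sql: prefix (creating legacy cert8/key3 files) but imported into
# sql:, so the two commands did not even address the same database.
mkdir --parents "${HOMEDIR}/.pki/nssdb"
certutil -N --empty-password -d "sql:${HOMEDIR}/.pki/nssdb"
for certificate_file in /etc/pki/ca-trust/source/anchors/"$CA_CERT_PREFIX"*; do
  [[ -e "$certificate_file" ]] || continue
  certutil -A -n "$certificate_file" -t "TCu,Cuw,Tuw" -i "$certificate_file" -d "sql:${HOMEDIR}/.pki/nssdb"
done
# Owned by the user rather than `chmod -R a+rw`: a world-writable trust
# database lets any local user add a CA.
chown -R "${SUDO_USER}:" "${HOMEDIR}/.pki"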
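#########################################################
### Copy databases with imported certs to default profile
#########################################################
# Seed /etc/skel with the populated trust databases so every new account
# starts with the corporate CAs in both Chromium's nssdb and the Firefox
# profile. Guard on HOMEDIR so an empty value cannot turn the source paths
# into /.pki and /.mozilla.
rm -rf /etc/skel/.pki/nssdb/* /etc/skel/.mozilla/firefox/*
mkdir --parents /etc/skel/.pki/nssdb/ /etc/skel/.mozilla/firefox/
if [[ -d "${HOMEDIR:?HOMEDIR must be set}/.pki/nssdb" ]]; then
  cp -Rf "${HOMEDIR}"/.pki/nssdb/* /etc/skel/.pki/nssdb/
else
  echo "${HOMEDIR}/.pki/nssdb is missing; /etc/skel nssdb not seeded" >&2
fi
if [[ -d "${HOMEDIR}/.mozilla/firefox" ]]; then
  cp -Rf "${HOMEDIR}"/.mozilla/firefox/* /etc/skel/.mozilla/firefox/
else
  echo "${HOMEDIR}/.mozilla/firefox is missing; /etc/skel Firefox profile not seeded" >&2
fi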
#########################################################
### Disable KDEWallet By Default
#########################################################
# Ship a kwalletrc with the wallet disabled in both the newer (.config) and the
# KDE4 (.kde/share/config) locations so new users are not prompted to create one.
kwallet_disabled_config=$'[Wallet]\nEnabled=false'
for kwallet_config_dir in /etc/skel/.config /etc/skel/.kde/share/config; do
  mkdir --parents "$kwallet_config_dir"
  printf '%s\n' "$kwallet_disabled_config" > "${kwallet_config_dir}/kwalletrc"
done
#################################################################
#### Add Launchers
#################################################################
#mkdir --parents /etc/skel/.kde/share/config/
#
#cat <<EOF > /etc/skel/.kde/share/config/plasma-desktop-appletsrc
#[Containments][1][Applets][5][Configuration][Launchers]
#Items=file:///opt/yandex/browser-beta/yandex_browser?wmClass=yandex-browser-beta%20%28%2Fhome%2Fmike%40test.com%2F.config%2Fyandex-browser-beta%29,file:///usr/share/applications/sky.desktop?wmClass=Sky,file:///usr/share/applications/kde4/konsole.desktop?wmClass=Konsole,file:///usr/share/applications/evolution.desktop?wmClass=Evolution
#EOF
##############################################
#### Join domain using Samba-Winbind
##############################################
#net ads join -U $AD_USER   # domain join is left disabled; run it manually (or uncomment) after reviewing the Samba/Kerberos configuration above
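#!/bin/bash
# --- Second, separately appended script: Citrix Linux VDA setup ---
# PostgreSQL is required by the VDA. The cluster must be initialised before
# the service is started; the original started the (uninitialised) service
# first, which fails on a fresh install, and only then ran initdb.
postgresql-setup initdb
systemctl enable postgresql.service
systemctl start postgresql
# Non-interactive VDA configuration. NOTE(review): CTX_XDL_VDA_PORT=80 is the
# non-TLS registration port and the Delivery Controllers are hard-coded below;
# confirm that registration to the DDCs does not need to be TLS-protected.
CTX_XDL_SUPPORT_DDC_AS_CNAME=N \
CTX_XDL_DDC_LIST="v-szud-ctxdc-01.sigma.sbrf.ru v-szud-ctxdc-02.sigma.sbrf.ru" \
CTX_XDL_VDA_PORT=80 \
CTX_XDL_REGISTER_SERVICE=Y \
CTX_XDL_ADD_FIREWALL_RULES=Y \
CTX_XDL_AD_INTEGRATION=1 \
CTX_XDL_HDX_3D_PRO=N \
CTX_XDL_VDI_MODE=Y \
CTX_XDL_SITE_NAME='<none>' \
CTX_XDL_LDAP_LIST='<none>' \
CTX_XDL_SEARCH_BASE='<none>' \
CTX_XDL_START_SERVICE=Y \
/opt/Citrix/VDA/sbin/ctxsetup.sh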