Запускать так: sudo -E ./script.sh
#! /bin/bash #################################### #### Variables #################################### NEW_HOSTNAME="szud-opensuse" NEW_DOMAINNAME="sigma.sbrf.ru" DNS_SERVERS="10.21.7.212 10.21.7.214" DNS_STATIC_SEARCHLIST="$NEW_DOMAINNAME sberbank.ru" AD_USER="usik-ma" DOMAIN_CONTROLLERS=$(cat <<EOF cab-vsp-dc00001.sigma.sbrf.ru cab-vsp-dc00002.sigma.sbrf.ru cab-vsp-dc00003.sigma.sbrf.ru cab-vsp-dc00004.sigma.sbrf.ru cab-vsp-dc00005.sigma.sbrf.ru cab-vsp-dc00006.sigma.sbrf.ru cab-vsp-dc00007.sigma.sbrf.ru cab-vsp-dc00008.sigma.sbrf.ru EOF ) DEFAULT_REALM="${NEW_DOMAINNAME^^}" NETBIOS_DOMAIN_NAME=$(echo $DEFAULT_REALM | sed '1,$ s/\..*//g') SDDM_THEME="elarun" CA_CERT_PREFIX="SberBank_Root_CA" ######################################################## ### SettingUp Network ######################################################## systemctl disable NetworkManager systemctl stop NetworkManager systemctl enable wicked systemctl start wicked echo 'Waiting for network...' sleep 10 ############################################## ### Setting up NameServers ############################################## sed -i "/^NETCONFIG_DNS_STATIC_SEARCHLIST=.*\$/ s/=.*$/=\"$DNS_STATIC_SEARCHLIST\"/" /etc/sysconfig/network/config sed -i "/^NETCONFIG_DNS_STATIC_SERVERS=.*\$/ s/=.*$/=\"$DNS_SERVERS\"/" /etc/sysconfig/network/config sed -i "/^NETCONFIG_DNS_POLICY=.*\$/ s/=.*$/=\"auto\"/" /etc/sysconfig/network/config ############################################### ### Setting HOSTNAME, DOMAINNAME ############################################### hostname $NEW_HOSTNAME domainname $NEW_DOMAINNAME echo $NEW_HOSTNAME.$NEW_DOMAINNAME | sudo tee /etc/HOSTNAME echo $NEW_HOSTNAME.$NEW_DOMAINNAME | sudo tee /etc/hostname sed -i '/^127./D' /etc/hosts echo "127.0.0.1 `hostname`.`domainname` `hostname` localhost" | sudo tee -a /etc/hosts echo "127.0.0.2 `hostname`.`domainname` `hostname`" | sudo tee -a /etc/hosts ######################################## ### Reload network settings ######################################## netconfig update -f #################################### #### Setting Software Repos #################################### zypper repos | grep Yes | cut -f3 -d '|' | sed -e "s/ //" | awk '{print "zypper mr -dRK " $1}' | sudo bash zypper ar -G -c -n "SB-OpenSUSE-oss" -f http://10.23.48.12/opensuse/distribution/leap/42.1/oss/suse sb-opensuse-oss zypper mr -erk -p 5 SB-OpenSUSE-oss zypper ar -G -c -n "SB-OpenSUSE-update-oss" -f http://10.23.48.12/opensuse/update/leap/42.1/oss sb-opensuse-update-oss zypper mr -erk -p 5 SB-OpenSUSE-update-oss zypper ar -G -c -n "SB-OpenSUSE-packman" -f http://10.23.48.12/opensuse/packman/openSUSE_Leap_42.1 sb-opensuse-packman zypper mr -erk -p 5 SB-OpenSUSE-packman zypper ar -G -c -n "SB-OpenSUSE-Sky" http://10.23.48.12/opensuse/tel.red/repos/opensuse/42.1/ sb-opensuse-sky zypper mr -erk -p 5 SB-OpenSUSE-Sky zypper ar -G -c -n "SB-OpenSUSE-YandexBrowser-beta" -f http://10.23.48.12/opensuse/repo.yandex.ru/yandex-browser/rpm/beta/x86_64 sb-opensuse-yandexbrowser-beta zypper mr -erk -p 5 SB-OpenSUSE-YandexBrowser-beta #zypper ar -G -c -n "nVidia Graphics Drivers" http://download.nvidia.com/opensuse/leap/42.1 nVidia-Graphics-Drivers #zypper mr -erk -p 5 nVidia-Graphics-Drivers #zypper ar -G -c -n "AMD/ATI Graphics Drivers" -f http://geeko.ioda.net/mirror/amd-fglrx/openSUSE_Leap_42.1/ AMD-Graphics-Drivers #zypper mr -erk -p 5 AMD-Graphics-Drivers zypper clean zypper -n up zypper -n dup zypper -n in nano yast2-online-update krb5-client yandex-browser-beta mozilla-nss-tools sky kernel-devel pam_krb5 openssl zypper -n in --type pattern devel_basis #sudo zypper -n in xrdp mono-complete ############################################### ### Setup Services ############################################### systemctl enable xrdp systemctl enable xrdp-sesman systemctl enable sshd systemctl enable ntpd #systemctl enable SuSEfirewall2 #SuSEfirewall2 start systemctl disable SuSEfirewall2 systemctl stop SuSEfirewall2 systemctl start sshd systemctl start xrdp systemctl start xrdp-sesman systemctl start ntpd ############################################# #### Setting sudo ############################################# cat <<EOF > /etc/sudoers.d/domain_users localuser ALL=(ALL) ALL %$NETBIOS_DOMAIN_NAME\\\\domain\ users ALL=(ALL) ALL %domain\ users ALL=(ALL) ALL %$NETBIOS_DOMAIN_NAME\\\\domain\ admins ALL=(ALL) NOPASSWD: ALL %domain\ admins ALL=(ALL) NOPASSWD: ALL EOF sed -i "/^Defaults\ targetpw.*\$/ s/^/#/" /etc/sudoers sed -i "/^Defaults\ env_reset.*\$/ s/\ env_reset/\ \!env_reset/" /etc/sudoers sed -i "/^ALL.*ALL=(ALL).*\$/ s/^/#/" /etc/sudoers ######################################### ### Setup NTP servers ######################################### echo "Setting ntp client settings..." yast2 ntp-client delete server="0.opensuse.pool.ntp.org" yast2 ntp-client delete server="1.opensuse.pool.ntp.org" yast2 ntp-client delete server="2.opensuse.pool.ntp.org" yast2 ntp-client delete server="3.opensuse.pool.ntp.org" for i in $DOMAIN_CONTROLLERS; do yast2 ntp-client add server="$i iburst" done ######################################## #### Install Citrix VDA ######################################## #sudo zypper -n in ./XenDesktopVDA-7.12.0.375-1.sle12_1.x86_64.rpm #/opt/Citrix/VDA/sbin/ctxsetup.sh ######################################### ### Setup Kerberos /etc/krb5.conf ######################################### LIBDEFAULTS=$(cat <<EOF [libdefaults] dns_lookup_kdc = true dns_lookup_realm = false default_realm = $DEFAULT_REALM clockskew = 300 default_ccache_name = FILE:/tmp/krb5cc_%{uid} EOF ) REALMS_KDC=$(for i in $DOMAIN_CONTROLLERS; do echo "kdc = $i";done) REALMS=$(cat <<EOF [realms] $DEFAULT_REALM = { $REALMS_KDC default_domain = $DEFAULT_REALM } EOF ) DOMAIN_REALM=$(cat <<EOF [domain_realm] .$NEW_DOMAINNAME = $DEFAULT_REALM $NEW_DOMAINNAME = $DEFAULT_REALM [appdefaults] pam = { ticket_lifetime = 1d renew_lifetime = 1d forwardable = true proxiable = false minimum_uid = 1 } EOF ) echo "$LIBDEFAULTS" > /etc/krb5.conf echo "$REALMS" >> /etc/krb5.conf echo "$DOMAIN_REALM" >> /etc/krb5.conf ######################################## #### Configure /etc/samba/smb.conf ######################################## SMB_CONF=$(cat <<EOF # smb.conf is the main Samba configuration file. You find a full commented # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the # samba-doc package is installed. [global] workgroup = $NETBIOS_DOMAIN_NAME passdb backend = tdbsam printing = cups printcap name = cups printcap cache time = 750 cups options = raw map to guest = Bad User include = /etc/samba/dhcp.conf logon path = \\%L\profiles\.msprofile logon home = \\%L\%U\.9xprofile logon drive = P: usershare allow guests = No idmap gid = 10000-20000 idmap uid = 10000-20000 realm = $DEFAULT_REALM security = ADS template homedir = /home/%D/%U template shell = /bin/bash usershare max shares = 100 winbind offline logon = true winbind refresh tickets = true kerberos method = secrets and keytab winbind use default domain = yes [homes] comment = Home Directories valid users = %S, %D%w%S browseable = No read only = No inherit acls = Yes [profiles] comment = Network Profiles Service path = %H read only = No store dos attributes = Yes create mask = 0600 directory mask = 0700 [users] comment = All users path = /home read only = No inherit acls = Yes veto files = /aquota.user/groups/shares/ [groups] comment = All groups path = /home/groups read only = No inherit acls = Yes [printers] comment = All Printers path = /var/tmp printable = Yes create mask = 0600 browseable = No [print$] comment = Printer Drivers path = /var/lib/samba/drivers write list = @ntadmin root force group = ntadmin create mask = 0664 directory mask = 0775 EOF ) mv /etc/samba/smb.conf.bak /etc/samba/smb.conf cp /etc/samba/smb.conf /etc/samba/smb.conf.bak echo "$SMB_CONF" > /etc/samba/smb.conf ############################################### #### Configure /etc/security/pam_winbind.conf ############################################### PAM_WINBIND=$(cat <<EOF cached_login = yes krb5_auth = yes krb5_ccache_type = FILE EOF ) mv /etc/security/pam_winbind.conf.bak /etc/security/pam_winbind.conf cp /etc/security/pam_winbind.conf /etc/security/pam_winbind.conf.bak while read line do echo $line >> /etc/security/pam_winbind.conf_new echo $line | grep -q "\[global\]" [ $? -eq 0 ] && echo "$PAM_WINBIND" >> /etc/security/pam_winbind.conf_new done < /etc/security/pam_winbind.conf mv /etc/security/pam_winbind.conf_new /etc/security/pam_winbind.conf ######################################## #### Configure /etc/nsswitch.conf ######################################## sed -i '/^passwd:.*compat$/ s/$/ winbind/' /etc/nsswitch.conf sed -i '/^group:.*compat$/ s/$/ winbind/' /etc/nsswitch.conf sed -i '/^hosts:/ s/:.*$/: files dns/' /etc/nsswitch.conf ########################################## #### Configure PAM ########################################## pam-config --add --winbind --mkhomedir #--krb5 ################################################# ### Disable autologin ################################################# sed -i "/^DISPLAYMANAGER_AUTOLOGIN=.*\$/ s/=.*$/=\"\"/" /etc/sysconfig/displaymanager ################################################# #### Set SDDM Theme to allow input Username ################################################# sed -i "/^Current=.*\$/ s/=.*$/=$SDDM_THEME/" /etc/sddm.conf ######################################## ### Add Certificates ########################################### openssl s_client -showcerts -connect ya.ru:443 </dev/null > chain.pem csplit -k -f $CA_CERT_PREFIX ./chain.pem '/END CERTIFICATE/+1' {10} find ./ -iname $CA_CERT_PREFIX\* -type f -exec grep -F -L 'END CERTIFICATE' '{}' + | xargs -d '\n' rm for file in "$CA_CERT_PREFIX"* ; do sudo mv "$file" /etc/pki/trust/anchors/"$file".pem ; done for file in /etc/pki/trust/anchors/"$CA_CERT_PREFIX"* ; do sudo cp "$file" /etc/ssl/certs/ ; done c_rehash /etc/ssl/certs/ c_rehash /etc/pki/trust/anchors/ update-ca-certificates rm -f ./chain.pem ####################################################### #### Import CA Certificates into Browsers # http://blog.xelnor.net/firefox-systemcerts/ ####################################################### HOMEDIR=$(getent passwd $SUDO_USER | cut -d: -f6) zypper -n install mozilla-nss-tools rm -Rf $HOMEDIR/.mozilla rm -Rf $HOMEDIR/.pki ######################################################## #### Create and fill cert8.db in Firefox Profile ######################################################## killall firefox sudo -u $SUDO_USER firefox -CreateProfile default FirefoxProfileDir=$(find $HOMEDIR'/.mozilla/firefox/' -iname '*.default'); for certificateFile in /etc/pki/trust/anchors/"$CA_CERT_PREFIX"* ; do certutil -A -n "${certificateFile}" -t "TCu,Cuw,Tuw" -i ${certificateFile} -d ${FirefoxProfileDir} done chmod -R a+rw $HOMEDIR/.mozilla/firefox/* ################################################################################ #### Import certificates into nssdb for Chromium engine ################################################################################ mkdir --parents $HOMEDIR/.pki/nssdb echo 1q2w3e4r | sudo tee $HOMEDIR/.pki/nssdb/password-file certutil -N -f $HOMEDIR/.pki/nssdb/password-file -d $HOMEDIR/.pki/nssdb for certificateFile in /etc/pki/trust/anchors/"$CA_CERT_PREFIX"* ; do certutil -f $HOMEDIR/.pki/nssdb/password-file -A -n "${certificateFile}" -t "TCu,Cuw,Tuw" -i ${certificateFile} -d sql:$HOMEDIR/.pki/nssdb done chmod -R a+rw $HOMEDIR/.pki/nssdb/* ######################################################### ### Copy databases with imported certs to default profile ######################################################### rm -Rf /etc/skel/.pki/nssdb/* rm -Rf /etc/skel/.mozilla/firefox/* mkdir --parents /etc/skel/.pki/nssdb/ cp -Rf $HOMEDIR/.pki/nssdb/* /etc/skel/.pki/nssdb/ mkdir --parents /etc/skel/.mozilla/firefox/ cp -Rf $HOMEDIR/.mozilla/firefox/* /etc/skel/.mozilla/firefox/ ######################################################### ### Disable KDEWallet By Default ######################################################### cat <<EOF > /etc/skel/.config/kwalletrc [Wallet] Enabled=false EOF mkdir --parents /etc/skel/.kde/share/config/ cp /etc/skel/.config/kwalletrc /etc/skel/.kde/share/config/kwalletrc ############################################################ #### Install Adobe Flash ############################################################ zypper ar -G -c -n "Adobe Software Repository" -f http://linuxdownload.adobe.com/linux/x86_64/ Adobe zypper -n rm flash-player-24.0.0.221-1.1.x86_64 zypper mr -dRK sb-opensuse-packman zypper -n in adobe-release-x86_64 flash-pl* zypper mr -eRK sb-opensuse-packman ############################################################ ### Enable Autostart apps ############################################################ mkdir --parents /etc/skel/.config/autostart/ cp /usr/share/applications/sky.desktop /etc/skel/.config/autostart/ ######################################## ### Join AD Domain ######################################## systemctl enable nmb.service systemctl enable smb.service systemctl enable winbind.service service nmb restart service smb restart service winbind restart ping -c 5 $DOMAIN_CONTROLLERS &> /dev/null && net ads join -U $AD_USER || echo "Join AD failed. Ping Domain Controller failed" service winbind restart && service nmb restart && service smb restart wbinfo -P wbinfo -t wbinfo -n=$computername
Setup VDA
#!/bin/bash CTX_XDL_SUPPORT_DDC_AS_CNAME=N \ CTX_XDL_DDC_LIST="v-szud-ctxdc-01.sigma.sbrf.ru v-szud-ctxdc-02.sigma.sbrf.ru" \ CTX_XDL_VDA_PORT=80 \ CTX_XDL_REGISTER_SERVICE=Y \ CTX_XDL_ADD_FIREWALL_RULES=Y \ CTX_XDL_AD_INTEGRATION=1 \ CTX_XDL_HDX_3D_PRO=N \ CTX_XDL_VDI_MODE=Y \ CTX_XDL_SITE_NAME='<none>' \ CTX_XDL_LDAP_LIST='<none>' \ CTX_XDL_SEARCH_BASE='<none>' \ CTX_XDL_START_SERVICE=Y \ /opt/Citrix/VDA/sbin/ctxsetup.sh
Discussion