Запускать так: sudo -E ./script.sh
#! /bin/bash
####################################
#### Variables
####################################
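# Identity of this workstation and of the AD domain it joins.
NEW_HOSTNAME="szud-opensuse"
NEW_DOMAINNAME="sigma.sbrf.ru"
# Static resolver settings written into /etc/sysconfig/network/config further down.
DNS_SERVERS="10.21.7.212 10.21.7.214"
DNS_STATIC_SEARCHLIST="$NEW_DOMAINNAME sberbank.ru"
# AD account used by 'net ads join'; its password is prompted for on the terminal.
AD_USER="usik-ma"
# One domain controller FQDN per line; consumers word-split this on whitespace
# (NTP servers, Kerberos KDCs, reachability check before the join).
DOMAIN_CONTROLLERS=$(cat <<EOF
cab-vsp-dc00001.sigma.sbrf.ru
cab-vsp-dc00002.sigma.sbrf.ru
cab-vsp-dc00003.sigma.sbrf.ru
cab-vsp-dc00004.sigma.sbrf.ru
cab-vsp-dc00005.sigma.sbrf.ru
cab-vsp-dc00006.sigma.sbrf.ru
cab-vsp-dc00007.sigma.sbrf.ru
cab-vsp-dc00008.sigma.sbrf.ru
EOF
)
# Kerberos realm is the upper-cased DNS domain; the NetBIOS domain is its first
# label (everything up to the first dot) — parameter expansion replaces the
# former echo | sed round-trip.
DEFAULT_REALM="${NEW_DOMAINNAME^^}"
NETBIOS_DOMAIN_NAME="${DEFAULT_REALM%%.*}"
# SDDM theme selected below so the login screen offers a free-text user name field.
SDDM_THEME="elarun"
# File-name prefix for the CA certificate pieces extracted from the TLS chain below.
CA_CERT_PREFIX="SberBank_Root_CA"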
########################################################
### SettingUp Network
########################################################
# Hand the interfaces over to wicked: NetworkManager is taken down first so the
# two services do not compete for the same links, then wicked is enabled and started.
systemctl disable NetworkManager; systemctl stop NetworkManager
systemctl enable wicked;          systemctl start wicked
# Give wicked a moment to bring the links up before DNS and hostname are touched.
printf '%s\n' 'Waiting for network...'
sleep 10
##############################################
### Setting up NameServers
##############################################
net_config=/etc/sysconfig/network/config
# One sed pass, three rewrites: each keeps the key and replaces everything after
# the '=' on that line only. Values containing '/' or '&' would break the
# replacement text, which the DNS settings above do not.
sed -i \
  -e "/^NETCONFIG_DNS_STATIC_SEARCHLIST=.*\$/ s/=.*$/=\"$DNS_STATIC_SEARCHLIST\"/" \
  -e "/^NETCONFIG_DNS_STATIC_SERVERS=.*\$/ s/=.*$/=\"$DNS_SERVERS\"/" \
  -e "/^NETCONFIG_DNS_POLICY=.*\$/ s/=.*$/=\"auto\"/" \
  "$net_config"
###############################################
### Setting HOSTNAME, DOMAINNAME
###############################################
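# Apply the FQDN now and persist it: /etc/HOSTNAME is the legacy SUSE location,
# /etc/hostname the systemd one. The script already runs as root, so the
# 'sudo tee' detour of the original is unnecessary.
fqdn="$NEW_HOSTNAME.$NEW_DOMAINNAME"
hostname "$NEW_HOSTNAME"
domainname "$NEW_DOMAINNAME"
printf '%s\n' "$fqdn" | tee /etc/HOSTNAME /etc/hostname
# Replace the loopback entries so the FQDN resolves locally even when DNS is
# unreachable. The address pattern anchors on '127.' (the dot was unescaped
# before, so any line starting with '127' followed by any character matched).
sed -i '/^127\./d' /etc/hosts
printf '127.0.0.1 %s %s localhost\n' "$fqdn" "$NEW_HOSTNAME" >> /etc/hosts
printf '127.0.0.2 %s %s\n' "$fqdn" "$NEW_HOSTNAME" >> /etc/hosts
# Push the resolver settings from the previous section into /etc/resolv.conf.
netconfig update -f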
####################################
#### Setting Software Repos
####################################
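# Disable every repo that is currently enabled and switch off its autorefresh (-R)
# and package caching (-K), so that only the internal mirror below is used.
# The original piped generated "zypper mr" commands into "sudo bash"; calling
# zypper once per repo avoids executing text parsed from command output as shell.
zypper repos | grep Yes | cut -f3 -d '|' | sed -e "s/ //" | awk '{print $1}' \
  | while IFS= read -r repo; do
      zypper mr -dRK "$repo"
    done

#######################################
# Add a repository from the internal mirror and enable it with priority 5,
# autorefresh (-r) and package caching (-k).
# Arguments: $1 - display name, $2 - alias, $3 - URL, $4.. - extra 'zypper ar' flags
#######################################
add_sb_repo() {
  local name=$1 alias=$2 url=$3
  shift 3
  # NOTE(review): -G disables GPG checking and the mirror is plain HTTP, so the
  # integrity of every package installed from it rests entirely on the network
  # path to 10.23.48.12. Drop -G once the mirror serves signed metadata.
  zypper ar -G -c -n "$name" "$@" "$url" "$alias"
  zypper mr -erk -p 5 "$name"
}

mirror=http://10.23.48.12/opensuse
add_sb_repo "SB-OpenSUSE-oss"                sb-opensuse-oss                "$mirror/distribution/leap/42.1/oss/suse" -f
add_sb_repo "SB-OpenSUSE-update-oss"         sb-opensuse-update-oss         "$mirror/update/leap/42.1/oss" -f
add_sb_repo "SB-OpenSUSE-packman"            sb-opensuse-packman            "$mirror/packman/openSUSE_Leap_42.1" -f
add_sb_repo "SB-OpenSUSE-Sky"                sb-opensuse-sky                "$mirror/tel.red/repos/opensuse/42.1/"
add_sb_repo "SB-OpenSUSE-YandexBrowser-beta" sb-opensuse-yandexbrowser-beta "$mirror/repo.yandex.ru/yandex-browser/rpm/beta/x86_64" -f
# Vendor graphics-driver repositories, kept disabled by the author:
#zypper ar -G -c -n "nVidia Graphics Drivers" http://download.nvidia.com/opensuse/leap/42.1 nVidia-Graphics-Drivers
#zypper mr -erk -p 5 nVidia-Graphics-Drivers
#zypper ar -G -c -n "AMD/ATI Graphics Drivers" -f http://geeko.ioda.net/mirror/amd-fglrx/openSUSE_Leap_42.1/ AMD-Graphics-Drivers
#zypper mr -erk -p 5 AMD-Graphics-Drivers

# Refresh from the new repos, bring the system up to date, then install the
# tooling the rest of this script relies on (krb5, nss tools, pam_krb5, openssl).
zypper clean
zypper -n up
zypper -n dup
zypper -n in nano yast2-online-update krb5-client yandex-browser-beta mozilla-nss-tools sky kernel-devel pam_krb5 openssl
zypper -n in --type pattern devel_basis
#sudo zypper -n in xrdp mono-complete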
###############################################
### Setup Services
###############################################
# Remote-access (xrdp, sshd) and time-sync services come up at boot.
for unit in xrdp xrdp-sesman sshd ntpd; do
  systemctl enable "$unit"
done
# NOTE(review): the host firewall is switched off here (the author left the
# enable lines commented out), so sshd and xrdp listen unfiltered on every interface.
#systemctl enable SuSEfirewall2
#SuSEfirewall2 start
systemctl disable SuSEfirewall2
systemctl stop SuSEfirewall2
for unit in sshd xrdp xrdp-sesman ntpd; do
  systemctl start "$unit"
done
#############################################
#### Setting sudo
#############################################
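sudoers_drop=/etc/sudoers.d/domain_users
# NOTE(review): this grants every member of "domain users" full sudo and every
# "domain admins" member passwordless sudo, i.e. all AD users become local
# administrators on this host.
cat <<EOF > "$sudoers_drop"
localuser ALL=(ALL) ALL
%$NETBIOS_DOMAIN_NAME\\\\domain\ users ALL=(ALL) ALL
%domain\ users ALL=(ALL) ALL
%$NETBIOS_DOMAIN_NAME\\\\domain\ admins ALL=(ALL) NOPASSWD: ALL
%domain\ admins ALL=(ALL) NOPASSWD: ALL
EOF
# sudo refuses (with a warning) sudoers.d files whose mode is wider than 0440;
# the original left this file at the umask default, so it was never honoured.
chmod 0440 "$sudoers_drop"
# A malformed fragment stops sudo from working for everyone, so validate it and
# remove it rather than leave a broken file in place.
if ! visudo -cf "$sudoers_drop"; then
  printf 'sudoers fragment %s failed validation, removing it\n' "$sudoers_drop" >&2
  rm -f -- "$sudoers_drop"
fi
# Ask for the invoking user's password rather than root's, and drop SUSE's
# matching "ALL ALL=(ALL) ALL" line that only makes sense together with targetpw.
sed -i '/^Defaults targetpw.*$/ s/^/#/' /etc/sudoers
sed -i '/^ALL.*ALL=(ALL).*$/ s/^/#/' /etc/sudoers
# NOTE(review): !env_reset disables sudo's environment sanitising; combined with
# 'sudo -E' it lets callers carry arbitrary variables into root commands.
sed -i '/^Defaults env_reset.*$/ s/ env_reset/ !env_reset/' /etc/sudoers
visudo -c >/dev/null || printf '/etc/sudoers failed validation after editing\n' >&2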
#########################################
### Setup NTP servers
#########################################
printf '%s\n' "Setting ntp client settings..."
# Swap the public pool servers for the domain controllers: Kerberos needs the
# clock within the configured skew of the DCs.
for pool in 0 1 2 3; do
  yast2 ntp-client delete server="$pool.opensuse.pool.ntp.org"
done
for dc in $DOMAIN_CONTROLLERS; do   # deliberately unquoted: one DC per word
  yast2 ntp-client add server="$dc iburst"
done
########################################
#### Install Citrix VDA
########################################
#sudo zypper -n in ./XenDesktopVDA-7.12.0.375-1.sle12_1.x86_64.rpm
#/opt/Citrix/VDA/sbin/ctxsetup.sh
#########################################
### Setup Kerberos /etc/krb5.conf
#########################################
# One "kdc = <dc>" line per domain controller (DOMAIN_CONTROLLERS is word-split on purpose).
kdc_lines=$(for dc in $DOMAIN_CONTROLLERS; do printf 'kdc = %s\n' "$dc"; done)
# Overwrite /etc/krb5.conf in a single pass: library defaults, the realm with
# its KDCs, the DNS-domain-to-realm mapping and the PAM ticket policy.
cat > /etc/krb5.conf <<EOF
[libdefaults]
dns_lookup_kdc = true
dns_lookup_realm = false
default_realm = $DEFAULT_REALM
clockskew = 300
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
$DEFAULT_REALM = {
$kdc_lines
default_domain = $DEFAULT_REALM
}
[domain_realm]
.$NEW_DOMAINNAME = $DEFAULT_REALM
$NEW_DOMAINNAME = $DEFAULT_REALM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
}
EOF
########################################
#### Configure /etc/samba/smb.conf
########################################
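smb_conf=/etc/samba/smb.conf
# On a re-run the distribution file is restored from the backup first, so the
# backup always holds the pristine config rather than this script's output.
if [[ -f "$smb_conf.bak" ]]; then
  mv "$smb_conf.bak" "$smb_conf"
fi
cp "$smb_conf" "$smb_conf.bak"
# Unquoted here-doc: $VARS expand and '\\' collapses to a single backslash.
# The logon path/home values therefore use four backslashes to end up with
# the two that Samba expects (the original wrote '\\%L' and produced '\%L').
cat > "$smb_conf" <<EOF
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
workgroup = $NETBIOS_DOMAIN_NAME
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\\\%L\profiles\.msprofile
logon home = \\\\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = $DEFAULT_REALM
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
usershare max shares = 100
winbind offline logon = true
winbind refresh tickets = true
kerberos method = secrets and keytab
winbind use default domain = yes
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
EOF
# Surface syntax problems now instead of at the first smbd/winbind start.
testparm -s "$smb_conf" >/dev/null || printf 'testparm reported problems in %s\n' "$smb_conf" >&2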
###############################################
#### Configure /etc/security/pam_winbind.conf
###############################################
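pam_winbind_conf=/etc/security/pam_winbind.conf
# Same backup dance as for smb.conf: restore the pristine file on a re-run.
if [[ -f "$pam_winbind_conf.bak" ]]; then
  mv "$pam_winbind_conf.bak" "$pam_winbind_conf"
fi
cp "$pam_winbind_conf" "$pam_winbind_conf.bak"
# Copy the file line by line and insert our settings right after the [global]
# header. 'IFS= read -r' and printf keep each line byte-for-byte (the original
# 'read line' / 'echo $line' trimmed whitespace, ate backslashes and expanded
# globs); the '|| [[ -n ]]' clause keeps a last line that lacks a newline.
{
  while IFS= read -r line || [[ -n "$line" ]]; do
    printf '%s\n' "$line"
    if [[ "$line" == *"[global]"* ]]; then
      cat <<EOF
cached_login = yes
krb5_auth = yes
krb5_ccache_type = FILE
EOF
    fi
  done < "$pam_winbind_conf"
} > "$pam_winbind_conf.new"
mv "$pam_winbind_conf.new" "$pam_winbind_conf"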
########################################
#### Configure /etc/nsswitch.conf
########################################
nss_conf=/etc/nsswitch.conf
# Append winbind to the passwd/group sources (only on lines that still end in
# 'compat') and replace whatever sources 'hosts:' lists with 'files dns'.
sed -i \
  -e '/^passwd:.*compat$/ s/$/ winbind/' \
  -e '/^group:.*compat$/ s/$/ winbind/' \
  -e '/^hosts:/ s/:.*$/: files dns/' \
  "$nss_conf"
# Wire winbind into the PAM stack and create home directories on first login.
# (The author left --krb5 out.)
pam-config --add --winbind --mkhomedir
#--krb5
#################################################
### Disable autologin
#################################################
dm_config=/etc/sysconfig/displaymanager
# Empty DISPLAYMANAGER_AUTOLOGIN so every boot lands on the login screen.
sed -i '/^DISPLAYMANAGER_AUTOLOGIN=/ s/=.*$/=""/' "$dm_config"
# Select an SDDM theme with a free-text user name field; per the author's note
# the default theme does not let a domain user type a name. Every 'Current='
# line in sddm.conf is rewritten.
sed -i "/^Current=/ s/=.*\$/=$SDDM_THEME/" /etc/sddm.conf
########################################
### Add Certificates
###########################################
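# The corporate root CA is harvested from a live TLS handshake: the chain that
# ya.ru presents (through the corporate proxy) is split into one file per
# certificate and every piece is installed as a system trust anchor.
# NOTE(review): this is trust-on-first-use of an unverified chain — each
# certificate in it, the leaf and any intermediates included, becomes a
# system-wide CA. Provision the root certificate out-of-band, or at least
# compare its SHA-256 fingerprint against a known value, rather than trusting
# whatever the network path returns at provisioning time.
cert_tmp=$(mktemp -d) || { printf 'mktemp failed\n' >&2; exit 1; }
openssl s_client -showcerts -connect ya.ru:443 </dev/null > "$cert_tmp/chain.pem"
# -k keeps the pieces when fewer than 10 boundaries are found.
csplit -k -f "$cert_tmp/$CA_CERT_PREFIX" "$cert_tmp/chain.pem" '/END CERTIFICATE/+1' '{10}'
# csplit leaves a trailing piece with no certificate in it; drop every piece
# that lacks an END marker.
for piece in "$cert_tmp/$CA_CERT_PREFIX"*; do
  [[ -e "$piece" ]] || continue
  grep -Fq 'END CERTIFICATE' "$piece" || rm -f -- "$piece"
done
for piece in "$cert_tmp/$CA_CERT_PREFIX"*; do
  [[ -e "$piece" ]] || continue
  mv "$piece" "/etc/pki/trust/anchors/${piece##*/}.pem"
done
for anchor in /etc/pki/trust/anchors/"$CA_CERT_PREFIX"*; do
  [[ -e "$anchor" ]] || continue
  cp "$anchor" /etc/ssl/certs/
done
c_rehash /etc/ssl/certs/
c_rehash /etc/pki/trust/anchors/
update-ca-certificates
# Working files lived in a private temp dir instead of the caller's cwd.
rm -rf -- "$cert_tmp"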
#######################################################
#### Import CA Certificates into Browsers
# http://blog.xelnor.net/firefox-systemcerts/
#######################################################
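# Home directory of the user who invoked sudo; the browser trust stores are
# seeded there and copied into /etc/skel afterwards. Without these guards an
# empty HOMEDIR turned the rm/chmod below into operations on '/.mozilla'.
: "${SUDO_USER:?run this script via sudo so that SUDO_USER names the desktop user}"
HOMEDIR=$(getent passwd "$SUDO_USER" | cut -d: -f6)
: "${HOMEDIR:?could not resolve the home directory of $SUDO_USER}"
zypper -n install mozilla-nss-tools
# That user's existing browser profiles are discarded so the stores start clean.
rm -Rf -- "$HOMEDIR/.mozilla" "$HOMEDIR/.pki"
# Create a fresh Firefox profile as the user, then add every harvested CA to it.
killall firefox
sudo -u "$SUDO_USER" firefox -CreateProfile default
# Assumes a single '<random>.default' directory exists after the clean start.
FirefoxProfileDir=$(find "$HOMEDIR/.mozilla/firefox/" -iname '*.default')
for certificateFile in /etc/pki/trust/anchors/"$CA_CERT_PREFIX"*; do
  [[ -e "$certificateFile" ]] || continue
  certutil -A -n "$certificateFile" -t "TCu,Cuw,Tuw" -i "$certificateFile" -d "$FirefoxProfileDir"
done
# certutil ran as root, so hand the profile back to its owner instead of opening
# it to every local user (the original 'chmod -R a+rw' let anyone on the host
# edit the certificate database).
chown -R "$SUDO_USER": "$HOMEDIR/.mozilla"
chmod -R u+rw "$HOMEDIR/.mozilla/firefox"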
################################################################################
#### Import certificates into nssdb for Chromium engine
################################################################################
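nssdb="${HOMEDIR:?}/.pki/nssdb"
mkdir --parents "$nssdb"
# NOTE(review): the NSS DB password is hard-coded, stored next to the database
# in plain text and later copied into /etc/skel for every new account, so it
# offers no protection; treat it as a known value, not a secret.
printf '%s\n' 1q2w3e4r > "$nssdb/password-file"
certutil -N -f "$nssdb/password-file" -d "$nssdb"
for certificateFile in /etc/pki/trust/anchors/"$CA_CERT_PREFIX"*; do
  [[ -e "$certificateFile" ]] || continue
  certutil -f "$nssdb/password-file" -A -n "$certificateFile" -t "TCu,Cuw,Tuw" -i "$certificateFile" -d "sql:$nssdb"
done
# Owned by the desktop user rather than world-writable (the original used a+rw).
chown -R "${SUDO_USER:?}": "$HOMEDIR/.pki"
chmod -R u+rw "$nssdb"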
#########################################################
### Copy databases with imported certs to default profile
#########################################################
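# Seed /etc/skel so every account created from now on starts with both stores
# (NSS DB for Chromium-based browsers, the Firefox profile with its cert DB).
# HOMEDIR is asserted non-empty so the copies can never read from '/.pki'.
rm -Rf /etc/skel/.pki/nssdb/* /etc/skel/.mozilla/firefox/*
mkdir --parents /etc/skel/.pki/nssdb/ /etc/skel/.mozilla/firefox/
cp -Rf "${HOMEDIR:?}/.pki/nssdb/"* /etc/skel/.pki/nssdb/
cp -Rf "${HOMEDIR:?}/.mozilla/firefox/"* /etc/skel/.mozilla/firefox/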
#########################################################
### Disable KDEWallet By Default
#########################################################
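# New accounts get KDE Wallet disabled; the file goes into both the .config and
# the .kde/share/config locations. Both directories are created first — the
# original wrote into /etc/skel/.config without ensuring it exists.
mkdir --parents /etc/skel/.config /etc/skel/.kde/share/config/
cat > /etc/skel/.config/kwalletrc <<'EOF'
[Wallet]
Enabled=false
EOF
cp /etc/skel/.config/kwalletrc /etc/skel/.kde/share/config/kwalletrc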
############################################################
#### Install Adobe Flash
############################################################
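# NOTE(review): the Adobe repository is added unsigned (-G) over plain HTTP from
# an external host, so the Flash packages installed here carry no integrity check.
zypper ar -G -c -n "Adobe Software Repository" -f http://linuxdownload.adobe.com/linux/x86_64/ Adobe
zypper -n rm flash-player-24.0.0.221-1.1.x86_64
# Packman is disabled while Adobe's build is installed — presumably so packman's
# own flash-player package is not picked instead; verify that is still needed.
zypper mr -dRK sb-opensuse-packman
# The wildcard is quoted so zypper, not the shell, expands it (an unquoted
# 'flash-pl*' would match files in the current directory).
zypper -n in adobe-release-x86_64 'flash-pl*'
zypper mr -eRK sb-opensuse-packman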
############################################################
### Enable Autostart apps
############################################################
# Every new account autostarts the Sky client.
autostart_dir=/etc/skel/.config/autostart
mkdir --parents "$autostart_dir"
cp /usr/share/applications/sky.desktop "$autostart_dir/"
########################################
### Join AD Domain
########################################
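# Samba and winbind must be enabled and running before the domain join.
for unit in nmb smb winbind; do
  systemctl enable "$unit.service"
done
for unit in nmb smb winbind; do
  service "$unit" restart
done
# Join only when at least one domain controller answers. The original passed
# every DC to a single ping, whose handling of several destinations depends on
# the ping implementation; each DC is probed on its own here and the first
# answer is enough. 'net ads join' prompts for AD_USER's password.
dc_reachable=0
for dc in $DOMAIN_CONTROLLERS; do
  if ping -c 5 "$dc" >/dev/null 2>&1; then
    dc_reachable=1
    break
  fi
done
if (( dc_reachable )); then
  # A failed join used to be reported as a ping failure (a && b || c pattern).
  net ads join -U "$AD_USER" || printf 'Join AD failed: net ads join returned an error\n' >&2
else
  printf 'Join AD failed. Ping Domain Controller failed\n' >&2
fi
service winbind restart && service nmb restart && service smb restart
wbinfo -P   # can winbind reach a domain controller?
wbinfo -t   # is the machine account secret valid?
# NOTE(review): the original ran 'wbinfo -n=$computername', but computername is
# never assigned in this script, so it looked up an empty name. The machine
# account is looked up as HOSTNAME$ here — confirm that matches the account the
# join created.
wbinfo -n "${NEW_HOSTNAME^^}\$"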
Setup VDA
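#!/bin/bash
# Configure the Citrix Linux VDA non-interactively: each CTX_XDL_* variable
# answers one of ctxsetup.sh's prompts, so the installer can run unattended.
# As pasted, the whole command sat on the shebang line and was therefore a
# comment that never ran; the continuations are restored here.
CTX_XDL_SUPPORT_DDC_AS_CNAME=N \
CTX_XDL_DDC_LIST="v-szud-ctxdc-01.sigma.sbrf.ru v-szud-ctxdc-02.sigma.sbrf.ru" \
CTX_XDL_VDA_PORT=80 \
CTX_XDL_REGISTER_SERVICE=Y \
CTX_XDL_ADD_FIREWALL_RULES=Y \
CTX_XDL_AD_INTEGRATION=1 \
CTX_XDL_HDX_3D_PRO=N \
CTX_XDL_VDI_MODE=Y \
CTX_XDL_SITE_NAME='<none>' \
CTX_XDL_LDAP_LIST='<none>' \
CTX_XDL_SEARCH_BASE='<none>' \
CTX_XDL_START_SERVICE=Y \
/opt/Citrix/VDA/sbin/ctxsetup.sh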