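#!/usr/bin/env bash
#
# Prepare an Ubuntu host for joining the Active Directory domain configured
# below: disable IPv6, point the resolver at the domain DNS servers, install
# the Kerberos/Samba/winbind stack, grant sudo to the domain admin groups,
# sync time with the domain controllers, and write /etc/krb5.conf,
# /etc/samba/smb.conf, /etc/nsswitch.conf and the PAM mkhomedir profile.
#
# Must run as root: every step rewrites files under /etc.  Configuration is
# the variable block directly below; DNS_SERVERS and DOMAIN_CONTROLLERS are
# space-separated lists.
set -euo pipefail

####################################
#### Set needed Variables
####################################
NEW_DOMAINNAME="autosys.tk"
DNS_SERVERS="192.168.1.100 192.168.1.1"
DNS_STATIC_SEARCHLIST="$NEW_DOMAINNAME"
DOMAIN_CONTROLLERS="dc1.autosys.tk"
# Local accounts that get full (password-prompted) sudo in addition to the
# domain admin groups.
LOCAL_SUDO_USERS="ubuntu mike"
DEFAULT_REALM="${NEW_DOMAINNAME^^}"
# NetBIOS domain name = realm with everything from the first dot onward removed.
NETBIOS_DOMAIN_NAME="${DEFAULT_REALM%%.*}"
readonly NEW_DOMAINNAME DNS_SERVERS DNS_STATIC_SEARCHLIST DOMAIN_CONTROLLERS \
  LOCAL_SUDO_USERS DEFAULT_REALM NETBIOS_DOMAIN_NAME

# Split the space-separated lists once so every later loop can quote its items.
read -r -a dns_servers <<<"$DNS_SERVERS"
read -r -a domain_controllers <<<"$DOMAIN_CONTROLLERS"
read -r -a local_sudo_users <<<"$LOCAL_SUDO_USERS"

die()  { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }

#######################################
# Copy a file to <file>.bak_<timestamp> before it is edited.
# Arguments: $1 - path; a missing file is silently skipped.
#######################################
backup_file() {
  local path=$1
  [[ -f "$path" ]] || return 0
  cp -p -- "$path" "${path}.bak_$(date +'%d.%m.%y_%H-%M')"
}

# Abort unless running as root; nothing below works otherwise.
require_root() {
  if [[ "$(id -u)" != "0" ]]; then
    echo "You do not have the appropriate privileges..." >&2
    exit 1
  fi
}

#######################################
# Disable IPv6 via sysctl.conf.  Existing net.ipv6.conf lines are removed
# first so reruns do not accumulate duplicates.
#######################################
disable_ipv6() {
  local conf=/etc/sysctl.conf
  backup_file "$conf"
  sed -i '/^net\.ipv6\.conf/D' "$conf"
  cat >>"$conf" <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF
  sysctl -p || warn "sysctl -p reported errors; check $conf"
}

#######################################
# Point resolvconf at the domain DNS servers.  The search line is added
# only once; the head file is rewritten to list exactly DNS_SERVERS.
#######################################
setup_nameservers() {
  local base=/etc/resolvconf/resolv.conf.d/base
  local head=/etc/resolvconf/resolv.conf.d/head
  local ns
  grep -qxF -- "search $DNS_STATIC_SEARCHLIST" "$base" 2>/dev/null \
    || printf 'search %s\n' "$DNS_STATIC_SEARCHLIST" >>"$base"
  : >"$head"
  for ns in "${dns_servers[@]}"; do
    printf 'nameserver %s\n' "$ns" >>"$head"
  done
  resolvconf -u
}

# Install the Kerberos / Samba / winbind client stack.  krb5-config's debconf
# prompts are skipped because /etc/krb5.conf is written by this script anyway.
install_packages() {
  export DEBIAN_FRONTEND=noninteractive
  apt-get update
  apt-get -y upgrade
  apt-get -y install nano curl openssl libnss3-tools \
    chrony krb5-config krb5-locales krb5-user libpam-krb5 \
    samba smbclient winbind libpam-winbind libnss-winbind gss-ntlmssp \
    ldap-utils cifs-utils libsasl2-modules-gssapi-mit
}

# Enable the services at boot; a unit that cannot be enabled is reported but
# does not abort the run (the original ignored the failure silently).
enable_services() {
  local svc
  for svc in ssh nmbd.service samba.service winbind.service; do
    systemctl enable "$svc" || warn "could not enable $svc"
  done
}

#######################################
# Write /etc/sudoers.d/domain_users and adjust /etc/sudoers.
# Both files are syntax-checked with visudo before they take effect: a bad
# sudoers file locks every administrator out of sudo.
# Globals: local_sudo_users, NETBIOS_DOMAIN_NAME
#######################################
setup_sudo() {
  local dropin=/etc/sudoers.d/domain_users
  local sudoers=/etc/sudoers
  local tmp orig user

  # A name containing a dot is ignored by sudo, so the drop-in is inactive
  # until it passes validation and is renamed into place.
  tmp=$(mktemp "${dropin}.XXXXXX") || die "mktemp failed"
  {
    for user in "${local_sudo_users[@]}"; do
      printf '%s ALL=(ALL) ALL\n' "$user"
    done
    # sudoers syntax: the backslash must be doubled and the space in
    # "domain admins" escaped, giving  %NETBIOS\\domain\ admins.
    # NOPASSWD means every member of the AD "Domain Admins" group gets root
    # on this host without re-authenticating.
    printf '%%%s\\\\domain\\ admins ALL=(ALL) NOPASSWD: ALL\n' "$NETBIOS_DOMAIN_NAME"
    printf '%%domain\\ admins ALL=(ALL) NOPASSWD: ALL\n'
  } >"$tmp"
  # sudo refuses drop-ins that are not mode 0440.
  chmod 0440 "$tmp"
  visudo -cf "$tmp" || { rm -f -- "$tmp"; die "generated $dropin does not parse"; }
  mv -- "$tmp" "$dropin"

  # Keep a copy for rollback in case the sed edits produce an unparsable file.
  orig=$(mktemp) || die "mktemp failed"
  cp -p -- "$sudoers" "$orig"
  # Same three edits as before: comment out "Defaults targetpw", turn
  # "Defaults env_reset" into "Defaults !env_reset" (note: this passes the
  # caller's environment through to commands run via sudo), and comment out
  # any catch-all "ALL ALL=(ALL) ..." rule.
  sed -i '/^Defaults targetpw/ s/^/#/' "$sudoers"
  sed -i '/^Defaults env_reset/ s/ env_reset/ !env_reset/' "$sudoers"
  sed -i '/^ALL.*ALL=(ALL)/ s/^/#/' "$sudoers"
  if ! visudo -cf "$sudoers"; then
    cp -p -- "$orig" "$sudoers"
    rm -f -- "$orig"
    die "edited $sudoers does not parse; original restored"
  fi
  rm -f -- "$orig"
}

#######################################
# Use the domain controllers as the only chrony time sources.  Kerberos
# rejects tickets once the clock drifts more than `clockskew` seconds.
#######################################
setup_ntp() {
  local conf=/etc/chrony/chrony.conf
  local dc
  sed -i '/^pool/ s/^/#/; /^server/ s/^/#/' "$conf"
  for dc in "${domain_controllers[@]}"; do
    printf 'server %s iburst\n' "$dc" >>"$conf"
  done
}

#######################################
# Write /etc/krb5.conf for DEFAULT_REALM with one kdc line per controller.
# Globals: DEFAULT_REALM, NEW_DOMAINNAME, domain_controllers
#######################################
write_krb5_conf() {
  local kdc_lines
  kdc_lines=$(printf 'kdc = %s\n' "${domain_controllers[@]}")
  backup_file /etc/krb5.conf
  cat >/etc/krb5.conf <<EOF
[libdefaults]
dns_lookup_kdc = true
dns_lookup_realm = false
default_realm = $DEFAULT_REALM
clockskew = 300
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
[realms]
$DEFAULT_REALM = {
$kdc_lines
default_domain = $DEFAULT_REALM
}
[domain_realm]
.$NEW_DOMAINNAME = $DEFAULT_REALM
$NEW_DOMAINNAME = $DEFAULT_REALM
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
}
EOF
}

#######################################
# Write /etc/samba/smb.conf as an ADS member (security = ADS, winbind).
# The previous file is backed up rather than moved, so a missing smb.conf
# no longer aborts the run.
# Globals: NETBIOS_DOMAIN_NAME, DEFAULT_REALM
#######################################
write_smb_conf() {
  local conf=/etc/samba/smb.conf
  backup_file "$conf"
  cat >"$conf" <<EOF
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
workgroup = $NETBIOS_DOMAIN_NAME
passdb backend = tdbsam
map to guest = Bad User
include = /etc/samba/dhcp.conf
usershare allow guests = No
idmap gid = 10000-20000
idmap uid = 10000-20000
realm = $DEFAULT_REALM
security = ADS
template homedir = /home/%D/%U
template shell = /bin/bash
usershare max shares = 100
encrypt passwords = yes
kerberos method = secrets and keytab
winbind nested groups = yes
winbind offline logon = yes
winbind refresh tickets = yes
winbind use default domain = yes
dns proxy = no
domain master = no
local master = no
preferred master = no
load printers = no
show add printer wizard = no
printcap name = /dev/null
disable spoolss = yes
client use spnego = yes
client ntlmv2 auth = yes
EOF
}

#######################################
# Add winbind to the passwd/group NSS sources (once, whatever sources are
# already listed -- the original only matched lines ending in "compat")
# and restrict hosts lookup to files and dns.
#######################################
configure_nsswitch() {
  sed -i \
    -e '/^passwd:/{/winbind/!s/$/ winbind/;}' \
    -e '/^group:/{/winbind/!s/$/ winbind/;}' \
    -e '/^hosts:/ s/:.*$/: files dns/' \
    /etc/nsswitch.conf
}

#######################################
# Enable the pam_mkhomedir profile so AD users get a home directory on
# first login.  pam-auth-update only (re)applies a profile it has not
# already "seen", hence the removal from /var/lib/pam/seen.
#######################################
configure_pam() {
  sed -i '/^Default:/ s/:.*$/: yes/' /usr/share/pam-configs/mkhomedir
  if [[ -f /var/lib/pam/seen ]]; then
    sed -i '/^mkhomedir/D' /var/lib/pam/seen
  fi
  pam-auth-update --package
}

#######################################
# Fix /etc/pam.d/sddm to allow copy /etc/skel/ on first logon
# https://wiki.autosys.tk/doku.php?id=linux_faq:kde_not_copying_etc_skel_on_user_first_login
# Skipped when sddm is not installed.
#######################################
fix_sddm() {
  local pamfile=/etc/pam.d/sddm
  if [[ ! -f "$pamfile" ]]; then
    warn "$pamfile not found; skipping pam_kwallet workaround"
    return 0
  fi
  sed -i '/pam_kwallet/ s/^/#/' "$pamfile"
}

main() {
  require_root
  disable_ipv6
  setup_nameservers
  install_packages
  enable_services
  setup_sudo
  setup_ntp
  write_krb5_conf
  write_smb_conf
  configure_nsswitch
  configure_pam
  fix_sddm
}

main "$@"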