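├── .github
│   └── workflows
│       ├── Shellcheck.yaml
│       └── review.yml
├── ADconnection.sh
├── CONTRIBUTING.md
├── MacOS.sh
├── README.md
└── readfile

/.github/workflows/Shellcheck.yaml:
--------------------------------------------------------------------------------
name: ADconnection.sh Test Pipeline

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

# Least privilege for the job token: nothing below needs more than a read-only
# checkout, so do not rely on the repository's default token permissions.
permissions:
  contents: read

jobs:
  test-adconnection:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        # A moving major tag is resolved at run time; pinning to a full commit
        # SHA would make the checked-out action reproducible.
        uses: actions/checkout@v3

      - name: Install shellcheck
        run: sudo apt-get update && sudo apt-get install -y shellcheck

      - name: Shellcheck lint ADconnection.sh
        run: shellcheck ./ADconnection.sh

      - name: Bash syntax check ADconnection.sh
        run: bash -n ./ADconnection.sh

      - name: Run ADconnection.sh --help
        run: bash ./ADconnection.sh --help

--------------------------------------------------------------------------------
/.github/workflows/review.yml:
--------------------------------------------------------------------------------
name: PR summary by AI

on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened

permissions:
  contents: read
  pull-requests: write
  issues: write

jobs:
  pr_summary:
    name: PR Summary
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@v3

      - name: Read README.md
        id: read_readme
        # `::set-output` is deprecated and only captures a single line, so a
        # multi-line README was silently cut down to its first line. The
        # heredoc form in $GITHUB_OUTPUT carries the whole file.
        run: |
          {
            echo 'README<<__README_EOF__'
            cat README.md
            echo '__README_EOF__'
          } >> "$GITHUB_OUTPUT"

      - name: Set Up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.9'

      - name: Install Python Dependencies
        run: |
          python -m pip install --upgrade pip
          pip install requests

      - name: PR Summary
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          # G_TOKEN is a stored personal token. The permissions block above
          # already gives the job's own short-lived GITHUB_TOKEN write access
          # to pull requests and issues, which avoids keeping a long-lived
          # user token in the repository secrets.
          GITHUB_TOKEN: ${{ secrets.G_TOKEN }}
          # README_CONTENT is read from the pull request's checkout, so any
          # contributor controls the text that (presumably) is fed to the
          # model below; treat the model's output as untrusted data, never
          # as instructions for what the token should do.
          README_CONTENT: ${{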
steps.read_readme.outputs.README }} 44 | run: | 45 | python - < /dev/null 2>&1 48 | then 49 | echo "SSHsecurity Files seems already to be modified, skipping..." 50 | else 51 | echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth 52 | sudo touch /etc/ssh/login.group.allowed 53 | localadmin=$( sudo grep LOCALADMIN readfile | awk '{print $3}' ) 54 | if [ "$localadmin" = "null" ] 55 | then 56 | localadmin=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 ) 57 | else 58 | sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed 59 | sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed 60 | sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed 61 | #sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed 62 | cat /etc/passwd | grep home | while read locaussh 63 | do echo $locaussh | grep home | grep bash | cut -d ':' -f1 | sudo tee -a sudo tee -a /etc/ssh/login.group.allowed 64 | done 65 | echo "enabled SSH-allow" 66 | fi 67 | fi 68 | else 69 | if [ "$sshsec" = "no" ] 70 | then 71 | echo "Skipping SSHSecurity config" 72 | else 73 | read -r -p "${RED_TEXT}Do you wish to enable SSH login.group.allowed${END}${NUMBER}(y/n)?${END}" yn 74 | case $yn in 75 | [Yy]* ) sudo echo "Checking if there is any previous configuration" 76 | if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1 77 | then 78 | echo " SSHsecurityFiles seems already to be modified, skipping..." 79 | else 80 | echo "NOTICE! /etc/ssh/login.group.allowed will be created. 
make sure your local user is in it you you could be banned from login" 81 | echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth 82 | sudo touch /etc/ssh/login.group.allowed 83 | sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed 84 | sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed 85 | sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed 86 | #sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed 87 | cat /etc/passwd | grep home | while read locaussh 88 | do echo $locaussh | grep home | grep bash | cut -d ':' -f1 | sudo tee -a sudo tee -a /etc/ssh/login.group.allowed 89 | done 90 | echo "enabled SSH-allow" 91 | echo "" 92 | echo "" 93 | fi 94 | ;; 95 | [Nn]* ) echo "Skipped ssh config" 96 | states1="12";; 97 | esac 98 | fi 99 | fi 100 | echo "" 101 | echo "-------------------------------------------------------------------------------------------" 102 | echo "" 103 | givesudo=$( sudo grep SUDOERS readfile | awk '{print $3}' ) 104 | if [ "$givesudo" = "yes" ] 105 | then 106 | if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1 107 | then 108 | echo "" 109 | echo "sudoers.d/sudoers file seems already to be modified, skipping..." 
110 | echo "" 111 | else 112 | disssu=$( sudo grep DISSPROMT readfile | awk '{print $3}' ) 113 | if [ "$disssu" = "yes" ] 114 | then 115 | sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers 116 | sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers 117 | sudo echo "%DOMAIN\ admins ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/domain_admins 118 | #sudo realm permit --groups "$myhost""sudoers" 119 | else 120 | if [ "$disssu" = "no" ] 121 | then 122 | sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers 123 | sudo echo "%$myhost""sudoers ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers 124 | sudo echo "%DOMAIN\ admins ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/domain_admins 125 | #sudo realm permit --groups "$myhost""sudoers" 126 | else 127 | echo "error in readfile config, setting to default" 128 | sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers 129 | fi 130 | fi 131 | fi 132 | else 133 | if [ "$givesudo" = "no" ] 134 | then 135 | echo "Not giving a sudo" 136 | sudo echo "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed 137 | echo "Skipping" 138 | states="12" 139 | else 140 | read -r -p "${RED_TEXT}Do you wish to give users on this machine sudo rights?${END}${NUMBER}(y/n)?${END}" yn 141 | case $yn in 142 | [Yy]* ) sudo echo "Checking if there is any previous configuration" 143 | if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1 144 | then 145 | echo "" 146 | echo "The Sudoers file seems already to be modified, skipping..." 
147 | echo "" 148 | else 149 | read -r -p "${RED_TEXT}Do you wish to DISABLE password prompt for users in terminal?${END}${NUMBER}(y/n)?${END}" yn 150 | case $yn in 151 | [Yy]* ) 152 | sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers 153 | sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers 154 | sudo echo "%DOMAIN\ admins ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/domain_admins 155 | #sudo realm permit --groups "$myhost""sudoers" 156 | ;; 157 | 158 | [Nn]* ) 159 | sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers 160 | sudo echo "%$myhost""sudoers ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers 161 | sudo echo "%DOMAIN\ admins ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/domain_admins 162 | #sudo realm permit --groups "$myhost""sudoers" 163 | ;; 164 | * ) echo "Please answer yes or no.";; 165 | esac 166 | fi 167 | ;; 168 | [Nn]* ) 169 | sudo echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers 170 | echo "Disabled sudo rights for users on this machine" 171 | echo "" 172 | echo "" 173 | states="12";; 174 | * ) echo "Please answer yes or no." 
175 | ;; 176 | esac 177 | fi 178 | fi 179 | homedir=$( grep homedir /etc/pam.d/common-session | grep 0077 | cut -d '=' -f3 | head -1 ) 180 | if [ "$homedir" = "0077" ] 181 | then 182 | echo "pam_mkhomedir.so configured" 183 | sleep 1 184 | else 185 | echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077" | sudo tee -a /etc/pam.d/common-session 186 | fi 187 | Arm=$( sudo hostnamectl | grep Architecture | awk '{print $2}' ) 188 | if [ "$Arm" = "arm" ] 189 | then 190 | sudo sh -c "echo 'greeter-show-manual-login=true' | sudo tee -a /usr/share/lightdm/lightdm.conf.d/50-ubuntu-mate.conf" 191 | sudo sh -c "echo 'allow-guest=false' | sudo tee -a /usr/share/lightdm/lightdm.conf.d/50-ubuntu-mate.conf" 192 | else 193 | logintrue=$( grep -i -m1 "login" /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf ) 194 | if [ -f /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf ] 195 | then 196 | if [ "$logintrue" = "greeter-show-manual-login=true" ] 197 | then 198 | echo "50-ubuntu.conf is already configured.. 
skipping" 199 | else 200 | sudo sh -c "echo 'greeter-show-manual-login=true' | sudo tee -a /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf" 201 | sudo sh -c "echo 'allow-guest=false' | sudo tee -a /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf" 202 | fi 203 | else 204 | echo "No lightdm to configure" 205 | fi 206 | fi 207 | clear 208 | sed -i -e 's/fallback_homedir = \/home\/%u@%d/#fallback_homedir = \/home\/%u@%d/g' /etc/sssd/sssd.conf 209 | sed -i -e 's/use_fully_qualified_names = True/use_fully_qualified_names = False/g' /etc/sssd/sssd.conf 210 | sed -i -e 's/access_provider = ad/access_provider = simple/g' /etc/sssd/sssd.conf 211 | sed -i -e 's/sudoers: files sss/sudoers: files/g' /etc/nsswitch.conf 212 | echo "override_homedir = /home/%u" | sudo tee -a /etc/sssd/sssd.conf 213 | sudo sudo grep -i override /etc/sssd/sssd.conf 214 | #sudo echo "[nss] 215 | #filter_groups = root 216 | #filter_users = root 217 | #reconnection_retries = 3 218 | #entry_cache_nowait_percentage = 75" | sudo tee -a /etc/sssd/sssd.conf 219 | sudo sed -i '/krb5_realm =/a entry_cache_group_timeout = 5400' /etc/sssd/sssd.conf 220 | sudo sed -i '/krb5_realm =/a entry_cache_user_timeout = 5400' /etc/sssd/sssd.conf 221 | 222 | ####################################################################################### 223 | sudo echo "#entry_cache_user_timeout = 5400 224 | #entry_cache_group_timeout = 5400 225 | #cache_credentials = TRUE 226 | ### Added to help with group mapping 227 | ###ldap_use_tokengroups = False 228 | #ldap_schema = rfc2307bis 229 | #ldap_schema = rfc2307 230 | #ldap_schema = IPA 231 | #ldap_schema = AD 232 | #ldap_search_base = DC=$NetBios,DC=$coms 233 | #ldap_group_member = uniquemember 234 | #ad_enable_gc = False 235 | entry_cache_timeout = 600 236 | entry_cache_nowait_percentage = 75 " | sudo tee -a /etc/sssd/sssd.alternatives 237 | 238 | ############################## load from readfile to sssd ########################################## 239 | if [ -f readfile ] 240 | 
then 241 | sudo service sssd restart 242 | sleep 1 243 | clear 244 | usesasl=$( sudo grep USESASL readfile | awk '{print $3}' ) 245 | if [ "$usesasl" = "no" ] 246 | then 247 | echo "Skipping SASL" 248 | else 249 | if [ "$usesasl" = "yes" ] 250 | then 251 | sasl=$( sudo grep LDAPS readfile | awk '{print $3}' ) 252 | if [ "$sasl" = "null" ] 253 | then 254 | echo "You need to specify domaincontroller in readfile" 255 | exit 256 | else 257 | echo "$sasl" 258 | cacer=$( sudo grep CACERT readfile | awk '{print $3}' ) 259 | if ! ls "$cacer" 260 | then echo "No root CA found, check your path to file" 261 | else 262 | echo "Applied config from readfile" 263 | sed -i "/krb5_realm = /a ldap_uri = $sasl" /etc/sssd/sssd.conf 264 | sed -i "/krb5_realm = /a ldap_tls_cacert = $cacer" /etc/sssd/sssd.conf 265 | echo "Applied config from readfile" 266 | fi 267 | fi 268 | else 269 | echo "For SASL put you company root-ca.cer in /usr/share/ca-certificates/root/ folder" 270 | read -r -p "Do you wish to use SASL (LDAPS) (y/n)?" yn 271 | case $yn in 272 | [Yy]* ) 273 | if [ -f "/usr/share/ca-certificates/root/*.cer" ] 274 | then 275 | cacert=$( ls /usr/share/ca-certificates/root/ | grep .cer | head -1 ) 276 | echo "Type in address of your Domaincontroller: ex: dc01.com" 277 | read -r yourDC 278 | clear 279 | sasl=$( echo "ldaps://"$yourDC":636" ) 280 | echo "DC sssd configuration will be $sasl" 281 | echo "Found certificate $cacer" 282 | read -r -p "Is this information correct (y/n)?" 
yn 283 | case $yn in 284 | [Yy]* ) 285 | tlsca=$( sudo grep ldap_tls_cacert /etc/sssd/sssd.conf | awk '{print $1}' ) 286 | if [ "$tlsca" = "ldap_tls_cacert" ] 287 | then 288 | echo "ldap_tls_cacert already in file" 289 | exit 1 290 | else 291 | sed -i "/krb5_realm = /a ldap_uri = $sasl" /etc/sssd/sssd.conf 292 | sed -i "/krb5_realm = /a ldap_tls_cacert = $cacer" /etc/sssd/sssd.conf 293 | #sed -i -e 's/id_provider = ad/id_provider = ldap/g' /etc/sssd/sssd.conf # failing line: giving no on configured: and user is unable to update password. 294 | sudo service sssd restart 295 | fi;; 296 | [Nn]* )echo "";; 297 | * ) echo "Please answer yes or no.";; 298 | esac 299 | else 300 | echo "No certificate found" 301 | fi;; 302 | [Nn]* )echo "";; 303 | * ) echo "Please answer yes or no.";; 304 | esac 305 | fi 306 | fi 307 | else 308 | echo "Skipped ldaps" 309 | fi 310 | 311 | ############################## altSecurityIdentities ############################################### 312 | #sudo echo " 313 | #ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities 314 | #ldap_user_ssh_public_key = altSecurityIdentities" | sudo tee -a /etc/sssd/sssd.conf 315 | 316 | ################################# Check ####################################### 317 | if ! sudo service sssd restart 318 | then 319 | echo "sssd config.. ${RED_TEXT}FAIL${END}" 320 | else 321 | echo "sssd config.. ${INTRO_TEXT}OK${END}" 322 | fi 323 | if ! realm discover < /dev/null > /dev/null 2>&1 324 | then 325 | echo "Realm not installed" 326 | else 327 | therealm=$(realm discover "$DOMAIN" | grep -i configured: | cut -d ':' -f2 | sed -e 's/^[[:space:]]*//') 328 | if [ "$therealm" = "no" ] 329 | then 330 | echo "Realm configured?.. ${NUMBER}NO${END}" 331 | else 332 | echo "Realm configured?.. ${INTRO_TEXT}YES${END}" 333 | fi 334 | fi 335 | if [ $states = 12 ] 336 | then 337 | echo "Sudoers not configured... 
skipping" 338 | else 339 | if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1 340 | then 341 | echo "Checking sudoers file.. ${INTRO_TEXT}OK${END}" 342 | else 343 | echo "Checking sudoers file.. ${RED_TEXT}FAIL${END}" 344 | fi 345 | grouPs=$(grep -i "$myhost" /etc/sudoers.d/sudoers | cut -d '%' -f2 | awk '{print $1}' | head -1) 346 | if [ "$grouPs" = "$myhost""sudoers" ] 347 | then 348 | echo "Checking sudoers groups.. ${INTRO_TEXT}OK${END}" 349 | else 350 | echo "Checking sudoers groups.. ${RED_TEXT}FAIL${END}" 351 | fi 352 | homedir=$( grep homedir /etc/pam.d/common-session | grep 0077 | cut -d '=' -f3 | head -1 ) 353 | if [ "$homedir" = "0077" ] < /dev/null > /dev/null 2>&1 354 | then 355 | echo "Checking PAM session configuration.. ${INTRO_TEXT}OK${END}" 356 | else 357 | echo "Checking PAM session configuration.. ${RED_TEXT}FAIL${END}" 358 | fi 359 | if [ $states1 = 12 ] 360 | then 361 | echo "Disabled SSH login.group.allowed" 362 | else 363 | cauth=$( grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | awk '{print $1}' | head -1 ) 364 | if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1 365 | then 366 | echo "Checking PAM auth configuration.. ${INTRO_TEXT}OK${END}" 367 | else 368 | echo "Checking PAM auth configuration.. ${RED_TEXT}FAIL${END}" 369 | fi 370 | fi 371 | #realm discover $DOMAIN 372 | if ! 
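realm discover
then
echo "realm not found"
else
if [ "$therealm" = "no" ]
then
echo "${RED_TEXT}Join has Failed${END}"
else
lastverify=$( realm discover "$DOMAIN" | grep -m 1 "$DOMAIN" )
echo ""
echo "${INTRO_TEXT}joined to $lastverify${END}"
echo ""
notify-send ADconnection "Joined $lastverify "
fi
fi
echo "${INTRO_TEXT}Please reboot your machine and wait 3 min for Active Directory to sync before login${INTRO_TEXT}"
exit
fi
echo "${INTRO_TEXT}Please reboot your machine and wait 3 min for Active Directory to sync before login${INTRO_TEXT}"
exit
}

####################### final auth yum ##################################################################
#this section will do the last part, configure sssd, sam files and sudoers# same as final auth
#Fixes to CentOS 2019/12#

# Helpers for fi_auth_yum. They deliberately do not touch the globals the
# check section at the end of fi_auth_yum reads (states, states1, grouPs,
# therealm, cauth, localadmin).

# Print the third whitespace-separated field of every line of ./readfile that
# contains $1 -- the same `sudo grep KEY readfile | awk '{print $3}'` pipeline
# the inline code used. Prints nothing when the key or the file is missing.
_fi_auth_yum_readfile_value(){
    sudo grep "$1" readfile | awk '{print $3}'
}

# Append the pam_listfile allow-list entries to /etc/ssh/login.group.allowed.
#   $1: NetBIOS domain name   $2: short hostname   $3: local admin entry/entries
# Writes "<NetBIOS>\<host>sudoers", "<NetBIOS>\domain^admins" and "root"; an
# empty $3 is skipped instead of appending a blank line.
# NOTE(review): the PAM rule uses item=group, so these must be group names; the
# local-user fallback written here relies on each user having a same-named
# group -- confirm on the target systems.
_fi_auth_yum_ssh_allow_entries(){
    printf '%s\n' "$1\\$2""sudoers" "$1\\domain^admins" "root" | sudo tee -a /etc/ssh/login.group.allowed
    if [ -n "$3" ]
    then
        printf '%s\n' "$3" | sudo tee -a /etc/ssh/login.group.allowed
    fi
}

# Set the mode sudoers.d drop-ins are expected to have and validate the file
# with visudo. A drop-in with a syntax error can make sudo refuse to run on the
# host, so the failure is reported explicitly rather than buried in tee output.
#   $1: path of the drop-in file
_fi_auth_yum_sudoers_check(){
    sudo chmod 0440 "$1"
    if ! sudo visudo -cf "$1"
    then
        echo "WARNING: $1 failed visudo validation, fix it before logging out"
    fi
}

# Write the sudo rules for the local administrator, the "<host>sudoers" AD group
# and the domain admins group, then validate both drop-in files.
#   $1: NOPASSWD drops the password prompt, anything else keeps it
#   $2: short hostname
# NOTE(review): the second file references the group literally as
# "%DOMAIN\ admins"; with use_fully_qualified_names = False sssd reports the AD
# group under its plain name, so confirm this spelling matches a group that
# `getent group` actually returns, otherwise the rule never applies.
_fi_auth_yum_sudoers_rules(){
    local spec="ALL=(ALL:ALL) ALL"
    if [ "$1" = "NOPASSWD" ]
    then
        spec="ALL=(ALL) NOPASSWD:ALL"
    fi
    printf '%s\n' "administrator $spec" "%$2""sudoers $spec" | sudo tee -a /etc/sudoers.d/sudoers
    printf '%s\n' "%DOMAIN\\ admins $spec" | sudo tee -a /etc/sudoers.d/domain_admins
    #sudo realm permit --groups "$myhost""sudoers"
    _fi_auth_yum_sudoers_check /etc/sudoers.d/sudoers
    _fi_auth_yum_sudoers_check /etc/sudoers.d/domain_admins
}

# Insert the LDAPS settings into sssd.conf after the krb5_realm line.
#   $1: ldap_uri value   $2: path to the CA certificate file
# sssd.conf is root-owned, so the edits run under sudo (the old inline sed
# calls did not and failed when the script runs as an ordinary user). The
# values are placed in the sed text verbatim; a backslash or newline in them
# would be interpreted by sed.
_fi_auth_yum_sssd_ldaps(){
    sudo sed -i "/krb5_realm = /a ldap_uri = $1" /etc/sssd/sssd.conf
    sudo sed -i "/krb5_realm = /a ldap_tls_cacert = $2" /etc/sssd/sssd.conf
}

# Final configuration for yum-based systems after the realm join: SSH allow
# list (pam_listfile), sudoers drop-ins, pam_mkhomedir, lightdm, sssd tuning,
# optional LDAPS, then a self-check of what was written. Reads settings from
# ./readfile (SSHSECURE, LOCALADMIN, SUDOERS, DISSPROMT, USESASL, LDAPS,
# CACERT) and prompts for anything that is not set. Uses the globals DOMAIN
# and NetBios set by the join step; sets states/states1/grouPs/therealm/cauth
# for the checks. Always ends the script with `exit`.
fi_auth_yum(){
    # Where the pam_listfile rule goes; the check at the end reads the same
    # file so the OK/FAIL line reflects what was actually written.
    # NOTE(review): this is the file the Ubuntu path uses; the old check here
    # looked in /etc/pam.d/sshd instead. Confirm the PAM service files on the
    # yum-based targets include this one, otherwise the allow-list is written
    # but never enforced.
    local pam_auth_file=/etc/pam.d/common-auth
    local pam_listfile_rule="auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed"
    export HOSTNAME
    myhost=$( hostname | cut -d '.' -f1 )
    echo "############################"
    echo "Configuratig files.."
    echo "Verifying the setup"
    sudo systemctl enable sssd
    sudo systemctl start sssd
    states="null"
    states1="null"
    grouPs="null"
    therealm="null"
    cauth="null"
    clear
    # local accounts with a home directory and a bash shell (kept as a global
    # for the rest of the script; not used in this function)
    admins=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 )

    ##### SSH allow-list via pam_listfile #####
    sshsec=$( _fi_auth_yum_readfile_value SSHSECURE )
    case $sshsec in
    yes)
        if [ -f /etc/ssh/login.group.allowed ]
        then
            echo "SSHsecurity Files seems already to be modified, skipping..."
        else
            echo "$pam_listfile_rule" | sudo tee -a "$pam_auth_file"
            sudo touch /etc/ssh/login.group.allowed
            localadmin=$( _fi_auth_yum_readfile_value LOCALADMIN )
            if [ "$localadmin" = "null" ]
            then
                # no LOCALADMIN in readfile: fall back to the local shell users
                localadmin=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 )
            fi
            # Written in both cases. The old code only wrote the entries when
            # LOCALADMIN was set, leaving an empty allow-list behind a
            # sense=allow/onerr=fail rule, i.e. no login at all through it.
            _fi_auth_yum_ssh_allow_entries "$NetBios" "$myhost" "$localadmin"
            echo "enabled SSH-allow"
        fi
        ;;
    no)
        echo "Skipping SSHSecurity config"
        ;;
    *)
        read -r -p "Do you wish to enable SSH login.group.allowed(y/n)?" yn
        case $yn in
        [Yy]* )
            echo "Checking if there is any previous configuration"
            if [ -f /etc/ssh/login.group.allowed ]
            then
                echo " SSHsecurityFiles seems already to be modified, skipping..."
            else
                echo "NOTICE! /etc/ssh/login.group.allowed will be created. make sure yor local user is in it you you could be banned from login"
                echo "$pam_listfile_rule" | sudo tee -a "$pam_auth_file"
                sudo touch /etc/ssh/login.group.allowed
                # localadmin is only set by the readfile path above; when it is
                # empty here, no local entry is written (see the NOTICE).
                _fi_auth_yum_ssh_allow_entries "$NetBios" "$myhost" "$localadmin"
                echo "enabled SSH-allow"
                echo ""
                echo ""
            fi
            ;;
        [Nn]* )
            echo "Skipped ssh config"
            states1="12";;
        esac
        ;;
    esac
    echo ""
    echo "-------------------------------------------------------------------------------------------"
    echo ""

    ##### sudoers drop-ins #####
    givesudo=$( _fi_auth_yum_readfile_value SUDOERS )
    case $givesudo in
    yes)
        if [ -f /etc/sudoers.d/sudoers ]
        then
            echo ""
            echo "sudoers.d/sudoers file seems already to be modified, skipping..."
            echo ""
        else
            disssu=$( _fi_auth_yum_readfile_value DISSPROMT )
            case $disssu in
            yes) _fi_auth_yum_sudoers_rules NOPASSWD "$myhost" ;;
            no)  _fi_auth_yum_sudoers_rules PASSWD "$myhost" ;;
            *)
                # unrecognised DISSPROMT value: local administrator only, with password
                echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
                _fi_auth_yum_sudoers_check /etc/sudoers.d/sudoers
                ;;
            esac
        fi
        ;;
    no)
        echo "Not giving a sudo"
        # the old code appended $localadmin even when it was empty, which
        # created the allow-list file with a blank line
        if [ -n "$localadmin" ]
        then
            printf '%s\n' "$localadmin" | sudo tee -a /etc/ssh/login.group.allowed
        fi
        echo "Skipping"
        states="12"
        ;;
    *)
        read -r -p "Do you wish to give users on this machine sudo rights?(y/n)?" yn
        case $yn in
        [Yy]* )
            echo "Checking if there is any previous configuration"
            if [ -f /etc/sudoers.d/sudoers ]
            then
                echo ""
                echo "The Sudoers file seems already to be modified, skipping..."
                echo ""
            else
                read -r -p "Do you wish to DISABLE password prompt for users in terminal?(y/n)?" yn
                case $yn in
                [Yy]* ) _fi_auth_yum_sudoers_rules NOPASSWD "$myhost" ;;
                [Nn]* ) _fi_auth_yum_sudoers_rules PASSWD "$myhost" ;;
                * ) echo "Please answer yes or no.";;
                esac
            fi
            ;;
        [Nn]* )
            echo "administrator ALL=(ALL:ALL) ALL" | sudo tee -a /etc/sudoers.d/sudoers
            _fi_auth_yum_sudoers_check /etc/sudoers.d/sudoers
            echo "Disabled sudo rights for users on this machine"
            echo ""
            echo ""
            states="12"
            ;;
        * ) echo "Please answer yes or no." ;;
        esac
        ;;
    esac

    ##### pam_mkhomedir: create home directories on first login, umask 0077 #####
    # NOTE(review): same file-name caveat as pam_auth_file above.
    homedir=$( grep homedir /etc/pam.d/common-session 2>/dev/null | grep 0077 | cut -d '=' -f3 | head -1 )
    if [ "$homedir" = "0077" ]
    then
        echo "pam_mkhomedir.so configured"
        sleep 1
    else
        echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077" | sudo tee -a /etc/pam.d/common-session
    fi

    ##### lightdm: manual login field on, guest session off #####
    logintrue=""
    if [ -f /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf ]
    then
        logintrue=$( grep -i -m1 "login" /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf )
        if [ "$logintrue" = "greeter-show-manual-login=true" ]
        then
            echo "50-ubuntu.conf is already configured.. skipping"
        else
            echo 'greeter-show-manual-login=true' | sudo tee -a /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf
            echo 'allow-guest=false' | sudo tee -a /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf
        fi
    else
        echo "No lightdm to configure"
    fi

    ##### sssd.conf / nsswitch tuning #####
    coms=$( echo "$DOMAIN" | cut -d '.' -f2 )
    clear
    sudo sed -i -e 's/fallback_homedir = \/home\/%u@%d/#fallback_homedir = \/home\/%u@%d/g' /etc/sssd/sssd.conf
    sudo sed -i -e 's/use_fully_qualified_names = True/use_fully_qualified_names = False/g' /etc/sssd/sssd.conf
    # NOTE(review): `simple` with no simple_allow_users/simple_allow_groups
    # admits every domain account; the account checks the `ad` access provider
    # performs are no longer applied, so login restriction then rests on the
    # pam_listfile rule above (SSH only).
    sudo sed -i -e 's/access_provider = ad/access_provider = simple/g' /etc/sssd/sssd.conf
    sudo sed -i -e 's/sudoers: files sss/sudoers: files/g' /etc/nsswitch.conf
    echo "override_homedir = /home/%u" | sudo tee -a /etc/sssd/sssd.conf
    sudo grep -i override /etc/sssd/sssd.conf
    #sudo echo "[nss]
    #filter_groups = root
    #filter_users = root
    #reconnection_retries = 3
    #entry_cache_nowait_percentage = 75" | sudo tee -a /etc/sssd/sssd.conf
    sudo sed -i '/krb5_realm =/a entry_cache_group_timeout = 5400' /etc/sssd/sssd.conf
    sudo sed -i '/krb5_realm =/a entry_cache_user_timeout = 5400' /etc/sssd/sssd.conf
    # reference settings, written to a side file that sssd does not read
    echo "#entry_cache_user_timeout = 5400
#entry_cache_group_timeout = 5400
#cache_credentials = TRUE
### Added to help with group mapping
###ldap_use_tokengroups = False
#ldap_schema = rfc2307bis
#ldap_schema = rfc2307
#ldap_schema = IPA
#ldap_schema = AD
#ldap_search_base = DC=$NetBios,DC=$coms
#ldap_group_member = uniquemember
#ad_enable_gc = False
entry_cache_timeout = 600
entry_cache_nowait_percentage = 75 " | sudo tee -a /etc/sssd/sssd.alternatives
    sudo service sssd restart
    clear

    ##### optional LDAPS (SASL) #####
    usesasl=$( _fi_auth_yum_readfile_value USESASL )
    case $usesasl in
    no)
        echo "Skipping SASL"
        ;;
    yes)
        sasl=$( _fi_auth_yum_readfile_value LDAPS )
        if [ "$sasl" = "null" ]
        then
            echo "You need to specify domaincontroller in readfile"
            exit 1
        fi
        echo "$sasl"
        cacer=$( _fi_auth_yum_readfile_value CACERT )
        # -f instead of `ls "$cacer"`: ls also succeeds on a directory, and on
        # an empty value it listed the current directory and "found" the CA
        if [ -f "$cacer" ]
        then
            echo "Applied config from readfile"
            _fi_auth_yum_sssd_ldaps "$sasl" "$cacer"
            echo "Applied config from readfile"
        else
            echo "No root CA found, check your path to file"
        fi
        ;;
    *)
        echo "For SASL put you company root-ca.cer in /usr/share/ca-certificates/root/ folder"
        read -r -p "Do you wish to use SASL (LDAPS) (y/n)?" yn
        case $yn in
        [Yy]* )
            # The glob has to be unquoted to expand; the old quoted test never
            # matched, so this branch always reported "No certificate found".
            # The first match is kept as a full path (the old code stored only
            # the file name, and then referenced an unset variable).
            set -- /usr/share/ca-certificates/root/*.cer
            if [ -f "$1" ]
            then
                cacer="$1"
                echo "Type in address of your Domaincontroller: ex: dc01.com"
                read -r yourDC
                clear
                sasl="ldaps://${yourDC}:636"
                echo "DC sssd configuration will be $sasl"
                echo "Found certificate $cacer"
                read -r -p "Is this information correct (y/n)?" yn
                case $yn in
                [Yy]* )
                    tlsca=$( sudo grep ldap_tls_cacert /etc/sssd/sssd.conf | awk '{print $1}' )
                    if [ "$tlsca" = "ldap_tls_cacert" ]
                    then
                        echo "ldap_tls_cacert already in file"
                        exit 1
                    else
                        _fi_auth_yum_sssd_ldaps "$sasl" "$cacer"
                        #sed -i -e 's/id_provider = ad/id_provider = ldap/g' /etc/sssd/sssd.conf # failing line: giving no on configured: and user is unable to update password.
                        sudo service sssd restart
                    fi;;
                [Nn]* ) echo "";;
                * ) echo "Please answer yes or no.";;
                esac
            else
                echo "No certificate found"
            fi;;
        [Nn]* ) echo "";;
        * ) echo "Please answer yes or no.";;
        esac
        ;;
    esac

    ####################### Check #########################
    if ! sudo service sssd restart
    then
        echo "SSSD failed relading, please see journalctl -xe"
    fi
    if ! realm discover
    then
        echo "no realm found"
    else
        therealm=$(realm discover "$DOMAIN" | grep -i configured: | cut -d ':' -f2 | sed -e 's/^[[:space:]]*//')
        if [ "$therealm" = "no" ]
        then
            echo "Realm configured?.. NO"
        else
            echo "Realm configured?.. YES"
        fi
    fi
    if [ "$states" = "12" ]
    then
        echo "Sudoers not configured... skipping"
    else
        if [ -f /etc/sudoers.d/sudoers ]
        then
            echo "Checking sudoers file.. OK"
        else
            echo "Checking sudoers file.. FAIL"
        fi
        # the drop-in is mode 0440 now, so read it under sudo
        grouPs=$(sudo grep -i "$myhost" /etc/sudoers.d/sudoers | cut -d '%' -f2 | awk '{print $1}' | head -1)
        if [ "$grouPs" = "$myhost""sudoers" ]
        then
            echo "Checking sudoers user groups.. OK"
        else
            echo "Checking sudoers user groups.. FAIL"
        fi
        homedir=$( grep homedir /etc/pam.d/common-session 2>/dev/null | grep 0077 | cut -d '=' -f3 | head -1 )
        if [ "$homedir" = "0077" ]
        then
            echo "Checking PAM configuration.. OK"
        else
            echo "Checking PAM configuration.. FAIL"
        fi
        if [ "$states1" = "12" ]
        then
            echo "Disabled SSH login.group.allowed"
        else
            # same file the rule was written to; "$cauth" is quoted so an empty
            # value no longer breaks the test
            cauth=$( grep required "$pam_auth_file" 2>/dev/null | grep onerr | grep allow | cut -d '=' -f4 | awk '{print $1}' | head -1 )
            if [ "$cauth" = "allow" ]
            then
                echo "Checking PAM auth configuration.. OK"
            else
                echo "Checking PAM auth configuration.. FAIL"
            fi
        fi
        #realm discover $DOMAIN
        if ! realm discover
        then
            echo "realm not found"
        else
            if [ "$therealm" = "no" ]
            then
                echo "Join has Failed"
            else
                lastverify=$( realm discover "$DOMAIN" | grep -m 1 "$DOMAIN" )
                echo ""
                echo "joined to $lastverify"
                echo ""
                notify-send ADconnection "Joined $lastverify"
            fi
        fi
    fi
    # both branches above ended the script the same way
    echo "Please reboot your machine and wait 3 min for Active Directory to sync before login"
    exit
}


####################### Setup for Ubuntu 14,16 and 17 clients #######################################
#Runs ADjoin in debug mode. meaning it opens terminals following logs
linuxclientdebug(){
desktop=$(sudo apt list --installed | grep -i desktop | grep -i ubuntu | cut -d '-' -f1 | grep -i desktop | head -1 | awk '{print$1}')
gnome-terminal --geometry=130x20 -e "bash -c \"journalctl -fxe; exec bash\""
gnome-terminal --geometry=130x20 -e "bash -c \"journalctl -fxe | grep -i -e closed -e Successfully -e 'Preauthentication failed' -e 'authenticate' -e 'Failed to join the domain'; exec bash\""
linuxclient
}

################################## Join for linux clients ##########################################
linuxclient(){
TheOS=$( hostnamectl | grep -i Operating | awk '{print $3}' ) < /dev/null > /dev/null 2>&1
MintOS=$( hostnamectl | grep -i Operating | awk '{print $4}' ) < /dev/null > /dev/null 2>&1
rasp=$( lsb_release -a | grep -i Distributor | awk '{print $3}' ) < /dev/null > /dev/null 2>&1
kalilinux=$( lsb_release -a | grep -i Distributor | awk '{print $3}' ) < /dev/null > /dev/null 2>&1
elementary=$( hostnamectl | grep -i Operating | awk '{print $3}' ) <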
/dev/null > /dev/null 2>&1 748 | SUSE=$( hostnamectl | grep -i Operating | awk '{print $3}' ) < /dev/null > /dev/null 2>&1 749 | clear 750 | #### OS detection #### 751 | if [ "$TheOS" = "Zorin" ] < /dev/null > /dev/null 2>&1 752 | then 753 | Zorin_os 754 | else 755 | if [ "$TheOS" = "Fedora" ] < /dev/null > /dev/null 2>&1 756 | then 757 | echo "Fedora detected" 758 | Fedora_fn 759 | else 760 | if [ "$TheOS" = "CentOS" ] < /dev/null > /dev/null 2>&1 761 | then 762 | echo "Cent OS detected" 763 | CentOS 764 | else 765 | if [ "$TheOS" = "Debian" ] < /dev/null > /dev/null 2>&1 766 | then 767 | echo "Debian detected" 768 | debianclient 769 | else 770 | if [ "$TheOS" = "SUSE" ] < /dev/null > /dev/null 2>&1 771 | then 772 | echo "SUSE detected" 773 | SUSEclient 774 | else 775 | if [ "$TheOS" = "Ubuntu" ] < /dev/null > /dev/null 2>&1 776 | then 777 | echo "Ubuntu detected" 778 | echo "" 779 | echo "Checking if it is a Desktop or server" 780 | desktop=$( sudo apt list --installed | grep -i desktop | grep -i ubuntu | cut -d '-' -f1 | grep -i desktop | head -1 | awk '{print$1}' ) < /dev/null > /dev/null 2>&1 781 | if [ "$desktop" = "desktop" ] < /dev/null > /dev/null 2>&1 782 | then 783 | echo "Ubuntu Desktop detected" 784 | UbuntU 785 | else 786 | echo " this seems to be a server, swithching to server mode" 787 | ubuntuserver14 788 | fi 789 | else 790 | if [ "$rasp" = "Raspbian" ] < /dev/null > /dev/null 2>&1 791 | then 792 | echo "${INTRO_TEXT}Detecting Raspberry Pi${END}" 793 | raspberry 794 | else 795 | if [ "$kalilinux" = "Kali" ] < /dev/null > /dev/null 2>&1 796 | then 797 | echo "${INTRO_TEXT}Detecting Kali linux${END}" 798 | kalijoin 799 | else 800 | if [ "$elementary" = "elementary" ] 801 | then 802 | echo "${INTRO_TEXT}Detected Elementary${END}" 803 | sleep 1 804 | elemntary_fn 805 | else 806 | if [ "$MintOS" = Mint ] 807 | then 808 | echo "Detecting Linux Mint" 809 | LinuxMint 810 | else 811 | echo "No compatible System found" 812 | exit 813 | fi 814 | fi 815 | fi 
# (closing `fi`s and `}` of the OS-detection dispatcher whose head is in the previous chunk)
                    fi
                  fi
                fi
              fi
            fi
          fi
        fi
}

################################ Ubuntu 14-25 ###########################################
# UbuntU: join an Ubuntu desktop to Active Directory with realmd/sssd.
# Branches on the lsb_release major version (14, 16, 17-25). Reads OUSPECIFIED, DOMAIN,
# ADADMIN and ENCRYPTEDPASSWD from ./readfile (the literal value "null" means "not set")
# and falls back to interactive prompts. Sets the globals myhost, DOMAIN, NetBios, ADMIN,
# var and enc, then hands over to fi_auth (not defined in this chunk).
# Throughout: `sudo echo ... | sudo tee -a FILE` -- sudo on echo changes nothing, the
# `sudo tee` is what writes as root.
UbuntU(){
  export HOSTNAME
  myhost=$( hostname | cut -d '.' -f1 )
  clear
  sudo apt install adcli -y
  sudo echo "${NUMBER}Installing packages do no abort!.......${END}"

  # NOTE(review): `!` negates only the first pipeline, so this condition reads
  # "(install failed) && (apt-get -f succeeded)"; if both commands fail the error
  # branch below is skipped and the script carries on without the packages.
  if ! sudo apt-get -qq install realmd adcli sssd ntp krb5-user curl -y && sudo apt-get -qq install -f -y
  then
    echo "${RED_TEXT}Failed installing packages, please resolve dpkg and try again ${END}"
    exit 1
  fi
  clear
  # NOTE(review): when realmd is missing only a message is printed; execution continues
  # to `realm join` below instead of stopping.
  if ! sudo dpkg -l | grep realmd
  then
    clear
    sudo echo "${RED_TEXT}Installing packages failed.. please check connection ,dpkg and apt-get update then try again.${END}"
  else
    clear
    sudo echo "${INTRO_TEXT}packages installed${END}"
  fi
  # NOTE(review): pointtoou is computed here but never used; the `realm join` calls pass
  # "$OUSPECIFIED", which this function does not assign (it expands empty unless a caller
  # set it). `$(echo="" )` evaluates to an empty string.
  pointtoou=$( sudo grep OUSPECIFIED readfile | awk '{print $3}' )
  if [ "$pointtoou" = "null" ]
  then
    pointtoou=$(echo="" )
  fi
  echo "hostname is $myhost"
  echo "Looking for Realms.. please wait"
  REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
  if [ "$REALM" = "null" ]
  then
    # No domain in readfile: take the first realm-name from `realm discover` and
    # use a ping as the reachability check before offering it.
    DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
    if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1
    then
      clear
      echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
      echo "Please enter the domain you wish to join:"
      read -r DOMAIN
    else
      clear
      echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}"
      read -r -p "Do you wish to use it (y/n)?" yn
      case $yn in
        [Yy]* ) echo "";;

        [Nn]* ) echo "Please enter the domain you wish to join:"
                read -r DOMAIN;;
        * ) echo 'Please answer yes or no.';;
      esac
    fi
  else
    # NOTE(review): the DOMAIN value just read from readfile is discarded here --
    # REALM is overwritten with the `realm discover` output before it is used.
    REALM=$( realm discover | grep domain | awk '{print $2}' )
    echo "Using Domain: $REALM"
    DOMAIN=$(echo "$REALM")
  fi
  NetBios=$(echo "$DOMAIN" | cut -d '.' -f1)
  clear
  var=$(lsb_release -a | grep -i release | awk '{print $2}' | cut -d '.' -f1)
  if [ "$var" -eq "14" ]
  then
    echo "Installing additional dependencies"
    sudo apt-get -qq install -y realmd sssd curl sssd-tools samba-common krb5-user
    sudo apt-get -qq install -f -y
    clear
    echo "${INTRO_TEXT}Detecting Ubuntu $var${END}"
    sudo echo "${INTRO_TEXT}Realm=$DOMAIN${END}"
    echo "${INTRO_TEXT}Joining Ubuntu $var${END}"
    echo ""
    if [ -f readfile ]
    then
      admin=$( sudo grep ADADMIN readfile | awk '{print $3}' )
      if [ "$admin" = "null" ]
      then
        echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}"
        echo "${INTRO_TEXT}Please type Admin user:${END}"
        read -r ADMIN
      else
        ADMIN=$( echo $admin )
        echo "Admin is $ADMIN"
      fi
    else
      echo "${INTRO_TEXT}Please type Admin user:${END}"
      read -r ADMIN
    fi
    encrypt=$( sudo grep ENCRYPTEDPASSWD readfile | awk '{print $3}' )
    if [ "$encrypt" = "null" ] || [ "$encrypt" = "no" ]
    then
      # Interactive join: realm prompts for the admin password itself.
      # NOTE(review): a bare `exit` after an echo returns status 0, so a failed join
      # is reported as success to whatever invoked the script (same in every branch below).
      if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" "$OUSPECIFIED" --install=/
      then
        echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
        exit
      fi
    else
      if [ "$encrypt" = "yes" ]
      then
        if [ -f private_key.pem ] && [ -f public_key.pem ]
        then
          # Decrypt the stored admin password and feed it to realm on stdin.
          # NOTE(review): private_key.pem is read from the current directory beside
          # encrypted.dat, so anyone who can read this directory can recover the password;
          # the decrypted value also stays in `enc` after a successful join, and `$enc` is
          # unquoted, so a password containing spaces or glob characters is altered by
          # word splitting before it reaches realm.
          enc=$(sudo openssl pkeyutl -decrypt -inkey private_key.pem -in encrypted.dat )
          if ! echo $enc | sudo realm join -v -U "$ADMIN" "$DOMAIN" "$OUSPECIFIED" --install=/
          then
            echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
            # NOTE(review): `$(null)` runs a non-existent command (prints "command not
            # found") and assigns its empty output; the apparent intent is to clear the secret.
            enc=$(null)
            exit
          fi
        else
          echo "No files found, please try again"
          enc=$(null)
          exit
        fi
      else
        echo "No readfile"
        if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" "$OUSPECIFIED" --install=/
        then
          echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
          exit
        fi
      fi
    fi
  else
    if [ "$var" -eq "16" ]
    then
      echo "${INTRO_TEXT}Detected Ubuntu $var${END}"
      clear
      sudo echo "${INTRO_TEXT}Realm=$DOMAIN${END}"
      echo "${INTRO_TEXT}Joining Ubuntu $var${END}"
      echo ""
      if [ -f readfile ]
      then
        admin=$( sudo grep ADADMIN readfile | awk '{print $3}' )
        if [ "$admin" = "null" ]
        then
          echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}"
          echo "${INTRO_TEXT}Please type Admin user:${END}"
          read -r ADMIN
        else
          ADMIN=$( echo $admin )
        fi
      else
        echo "${INTRO_TEXT}Please type Admin user:${END}"
        read -r ADMIN
      fi
      encrypt=$( sudo grep ENCRYPTEDPASSWD readfile | awk '{print $3}' )
      if [ "$encrypt" = "null" ] || [ "$encrypt" = "no" ]
      then
        # NOTE(review): missing space in `"$OUSPECIFIED"--install=/` -- the OU value and
        # the --install flag become one argument; this only works while OUSPECIFIED is
        # empty. Same defect on the two encrypted/plain joins further down in this branch
        # and in the 17-25 branch.
        if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" "$OUSPECIFIED"--install=/
        then
          echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
          exit
        fi
      else
        if [ "$encrypt" = "yes" ]
        then
          if [ -f private_key.pem ] && [ -f public_key.pem ]
          then
            enc=$(sudo openssl pkeyutl -decrypt -inkey private_key.pem -in encrypted.dat )
            if ! echo $enc | sudo realm join -v -U "$ADMIN" "$DOMAIN" "$OUSPECIFIED"--install=/
            then
              echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
              enc=$(null)
              exit
            fi
          else
            echo "No files found, please try again"
            enc=$(null)
            exit
          fi
        else
          if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" "$OUSPECIFIED" --install=/
          then
            echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
            exit
          fi
          # NOTE(review): this `exit` ends the script before fi_auth runs in this branch.
          exit
        fi
      fi
    else
      if [ "$var" -eq "17" ] || [ "$var" -eq "18" ] || [ "$var" -eq "19" ] || [ "$var" -eq "20" ] || [ "$var" -eq "21" ] || [ "$var" -eq "22" ] || [ "$var" -eq "24" ] || [ "$var" -eq "25" ]
      then
        echo "${INTRO_TEXT}Detected Ubuntu $var${END}"
        sleep 1
        clear
        if [ "$var" -eq "19" ] || [ "$var" -eq "20" ] || [ "$var" -eq "21" ] || [ "$var" -eq "22" ] || [ "$var" -eq "24" ] || [ "$var" -eq "25" ]
        then
          # Only the presence of the (third-party) aroth PPA list file is checked; the
          # add-apt-repository call itself is commented out on this path.
          if [ -f /etc/apt/sources.list.d/aroth-ubuntu-ppa-eoan.list ]
          then
            sudo apt-get update
            #sudo apt-get --only-upgrade install adcli
            #sudo apt install adcli -y
          else
            echo""
            #sudo add-apt-repository ppa:aroth/ppa
            sudo apt-get update
            #sudo apt-get --only-upgrade install adcli
            sudo apt install adcli -y
            echo ""
          fi
        fi
        clear
        sudo echo "${INTRO_TEXT}Realm=$DOMAIN${END}"
        echo "${INTRO_TEXT}Joining Ubuntu $var${END}"
        echo ""
        if [ -f readfile ]
        then
          admin=$( sudo grep ADADMIN readfile | awk '{print $3}' )
          if [ "$admin" = "null" ]
          then
            echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}"
            echo "${INTRO_TEXT}Please type Admin user:${END}"
            read -r ADMIN
          else
            ADMIN=$( echo $admin )
          fi
        else
          echo "${INTRO_TEXT}Please type Admin user:${END}"
# (continues the Ubuntu 17-25 branch of UbuntU from the previous chunk)
          read -r ADMIN
        fi
        encrypt=$( sudo grep ENCRYPTEDPASSWD readfile | awk '{print $3}' )
        if [ "$encrypt" = "null" ] || [ "$encrypt" = "no" ]
        then
          # NOTE(review): `"$OUSPECIFIED"--install=/` lacks a space, so the OU value and
          # the flag become a single argument (works only while OUSPECIFIED is empty);
          # same on the two joins below.
          if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" "$OUSPECIFIED"--install=/
          then
            echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
            exit
          fi
        else
          if [ "$encrypt" = "yes" ]
          then
            if [ -f private_key.pem ] && [ -f public_key.pem ]
            then
              # Decrypted admin password is piped to realm; `$enc` is unquoted (word
              # splitting) and is only blanked on the failure path. `$(null)` runs a
              # non-existent command and assigns its empty output.
              enc=$(sudo openssl pkeyutl -decrypt -inkey private_key.pem -in encrypted.dat )
              if ! echo $enc | sudo realm join -v -U "$ADMIN" "$DOMAIN" "$OUSPECIFIED"--install=/
              then
                echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
                enc=$(null)
                exit
              fi
            else
              echo "No files found, please try again"
              enc=$(null)
              exit
            fi
          else
            if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" "$OUSPECIFIED"--install=/
            then
              echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
              exit
            fi
            exit
          fi
        fi
      else
        clear
        sudo echo "${RED_TEXT}I am having issues to detect your Ubuntu version${END}"
        exit
      fi
    fi
  fi
  fi_auth
}

################################ Zorin ###########################################
# Zorin_os: same flow as UbuntU for Zorin OS (no OU argument is passed to realm here).
# Reads DOMAIN, ADADMIN and ENCRYPTEDPASSWD from ./readfile ("null" = not set), branches on
# the lsb_release major version and ends in fi_auth (not defined in this chunk).
# NOTE(review): the first two branches test `-eq 14` and `-eq 16` before the Zorin
# 14/15/16/17 branch, so a Zorin 14 or 16 host takes the "Ubuntu"-labelled path and the
# Zorin branch only ever runs for 15 and 17.
Zorin_os(){
  export HOSTNAME
  myhost=$( hostname | cut -d '.' -f1 )
  clear
  sudo apt install adcli -y
  sudo echo "${NUMBER}Installing packages do no abort!.......${END}"
  # NOTE(review): `!` binds to the first pipeline only -- the error branch runs only when
  # the install fails AND `apt-get -f` succeeds; a double failure is not caught.
  if ! sudo apt-get -qq install realmd adcli sssd ntp krb5-user curl -y && sudo apt-get -qq install -f -y
  then
    echo "${RED_TEXT}Failed installing packages, please resolve dpkg and try again ${END}"
    exit 1
  fi
  clear
  # Missing realmd only prints a message; the join below still runs.
  if ! sudo dpkg -l | grep realmd
  then
    clear
    sudo echo "${RED_TEXT}Installing packages failed.. please check connection ,dpkg and apt-get update then try again.${END}"
  else
    clear
    sudo echo "${INTRO_TEXT}packages installed${END}"
  fi
  echo "hostname is $myhost"
  echo "Looking for Realms.. please wait"
  REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
  if [ "$REALM" = "null" ]
  then
    DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
    if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1
    then
      clear
      echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
      echo "Please enter the domain you wish to join:"
      read -r DOMAIN
    else
      clear
      echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}"
      read -r -p "Do you wish to use it (y/n)?" yn
      case $yn in
        [Yy]* ) echo "";;

        [Nn]* ) echo "Please enter the domain you wish to join:"
                read -r DOMAIN;;
        * ) echo 'Please answer yes or no.';;
      esac
    fi
  else
    # NOTE(review): the readfile DOMAIN value is overwritten by `realm discover` output
    # before use.
    REALM=$( realm discover | grep domain | awk '{print $2}' )
    echo "Using Domain: $REALM"
    DOMAIN=$(echo "$REALM")
  fi
  NetBios=$(echo "$DOMAIN" | cut -d '.' -f1)
  clear
  var=$(lsb_release -a | grep -i release | awk '{print $2}' | cut -d '.' -f1)
  if [ "$var" -eq "14" ]
  then
    echo "Installing additional dependencies"
    sudo apt-get -qq install -y realmd sssd curl sssd-tools samba-common krb5-user
    sudo apt-get -qq install -f -y
    clear
    echo "${INTRO_TEXT}Detecting Ubuntu $var${END}"
    sudo echo "${INTRO_TEXT}Realm=$DOMAIN${END}"
    echo "${INTRO_TEXT}Joining Ubuntu $var${END}"
    echo ""
    if [ -f readfile ]
    then
      admin=$( sudo grep ADADMIN readfile | awk '{print $3}' )
      if [ "$admin" = "null" ]
      then
        echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}"
        echo "${INTRO_TEXT}Please type Admin user:${END}"
        read -r ADMIN
      else
        ADMIN=$( echo $admin )
        echo "Admin is $ADMIN"
      fi
    else
      echo "${INTRO_TEXT}Please type Admin user:${END}"
      read -r ADMIN
    fi
    encrypt=$( sudo grep ENCRYPTEDPASSWD readfile | awk '{print $3}' )
    if [ "$encrypt" = "null" ] || [ "$encrypt" = "no" ]
    then
      # Bare `exit` after an echo returns 0, so a failed join looks like success to callers.
      if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" --install=/
      then
        echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
        exit
      fi
    else
      if [ "$encrypt" = "yes" ]
      then
        if [ -f private_key.pem ] && [ -f public_key.pem ]
        then
          # private_key.pem sits next to encrypted.dat in the working directory, so the
          # encryption only protects the ciphertext file on its own; decrypted value is
          # kept in `enc` after a successful join and is unquoted on the echo.
          enc=$(sudo openssl pkeyutl -decrypt -inkey private_key.pem -in encrypted.dat )
          if ! echo $enc | sudo realm join -v -U "$ADMIN" "$DOMAIN" --install=/
          then
            echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
            enc=$(null)
            exit
          fi
        else
          echo "No files found, please try again"
          enc=$(null)
          exit
        fi
      else
        echo "No readfile"
        if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" --install=/
        then
          echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
          exit
        fi
      fi
    fi
  else
    if [ "$var" -eq "16" ]
    then
      echo "${INTRO_TEXT}Detected Ubuntu $var${END}"
      clear
      sudo echo "${INTRO_TEXT}Realm=$DOMAIN${END}"
      echo "${INTRO_TEXT}Joining Ubuntu $var${END}"
      echo ""
      if [ -f readfile ]
      then
        admin=$( sudo grep ADADMIN readfile | awk '{print $3}' )
        if [ "$admin" = "null" ]
        then
          echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}"
          echo "${INTRO_TEXT}Please type Admin user:${END}"
          read -r ADMIN
        else
          ADMIN=$( echo $admin )
        fi
      else
        echo "${INTRO_TEXT}Please type Admin user:${END}"
        read -r ADMIN
      fi
      encrypt=$( sudo grep ENCRYPTEDPASSWD readfile | awk '{print $3}' )
      if [ "$encrypt" = "null" ] || [ "$encrypt" = "no" ]
      then
        if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" --install=/
        then
          echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
          exit
        fi
      else
        if [ "$encrypt" = "yes" ]
        then
          if [ -f private_key.pem ] && [ -f public_key.pem ]
          then
            enc=$(sudo openssl pkeyutl -decrypt -inkey private_key.pem -in encrypted.dat )
            if ! echo $enc | sudo realm join -v -U "$ADMIN" "$DOMAIN" --install=/
            then
              echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
              enc=$(null)
              exit
            fi
          else
            echo "No files found, please try again"
            enc=$(null)
            exit
          fi
        else
          if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" --install=/
          then
            echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
            exit
          fi
          # This `exit` ends the script before fi_auth runs on this path.
          exit
        fi
      fi
    else
      if [ "$var" -eq "14" ] || [ "$var" -eq "15" ] || [ "$var" -eq "16" ] || [ "$var" -eq "17" ]
      then
        echo "${INTRO_TEXT}Detected Zorin ${END}"
        sleep 1
        clear
        if [ "$var" -eq "15" ] || [ "$var" -eq "16" ]
        then
          if [ -f /etc/apt/sources.list.d/aroth-ubuntu-ppa-eoan.list ]
          then
            sudo apt-get update
            #sudo apt-get --only-upgrade install adcli
            sudo apt install adcli -y
          else
            echo""
            echo ""
            echo "To avoid encryption error with adcli please accept PPA below for an adcli update"
            echo ""
            # NOTE(review): this adds a third-party PPA to the apt sources and then installs
            # adcli from it; whoever runs the script is trusting that PPA's signing key and
            # packages from here on (supply-chain consideration worth documenting in README).
            sudo add-apt-repository ppa:aroth/ppa
            sudo apt-get update
            #sudo apt-get --only-upgrade install adcli
            sudo apt install adcli -y
            echo ""
          fi
        fi
        clear
        sudo echo "${INTRO_TEXT}Realm=$DOMAIN${END}"
        echo "${INTRO_TEXT}Joining Ubuntu $var${END}"
        echo ""
        if [ -f readfile ]
        then
          admin=$( sudo grep ADADMIN readfile | awk '{print $3}' )
          if [ "$admin" = "null" ]
          then
            echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}"
            echo "${INTRO_TEXT}Please type Admin user:${END}"
            read -r ADMIN
          else
            ADMIN=$( echo $admin )
          fi
        else
          echo "${INTRO_TEXT}Please type Admin user:${END}"
          read -r ADMIN
        fi
        encrypt=$( sudo grep ENCRYPTEDPASSWD readfile | awk '{print $3}' )
        if [ "$encrypt" = "null" ] || [ "$encrypt" = "no" ]
        then
          if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" --install=/
          then
            echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
            exit
          fi
        else
          if [ "$encrypt" = "yes" ]
          then
            if [ -f private_key.pem ] && [ -f public_key.pem ]
            then
              enc=$(sudo openssl pkeyutl -decrypt -inkey private_key.pem -in encrypted.dat )
              if ! echo $enc | sudo realm join -v -U "$ADMIN" "$DOMAIN" --install=/
              then
                echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
                enc=$(null)
                exit
              fi
            else
              echo "No files found, please try again"
              enc=$(null)
              exit
            fi
          else
            if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" --install=/
            then
              echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
              exit
            fi
            exit
          fi
        fi
      else
        clear
        sudo echo "${RED_TEXT}I am having issues to detect your Zorin version${END}"
        exit
      fi
    fi
  fi
  fi_auth
}

####################### Setup for Ubuntu server ubuntu 14-20 #######################################
# ubuntuserver14: join an Ubuntu server to AD and then do the post-join hardening inline
# (the desktop paths delegate that to fi_auth). Steps: packages, domain lookup, realm join,
# optional PAM pam_listfile SSH allow-list, optional sudoers drop-in, pam_mkhomedir, lightdm
# tweaks, a verification pass, and sssd.conf / nsswitch edits. Always ends with `exit`.
# NOTE(review): NetBios is not assigned in this function (the desktop functions derive it
# from DOMAIN); unless a caller set it, the "$NetBios\\$myhost" entries written below start
# with an empty NetBIOS name.
ubuntuserver14(){
  export HOSTNAME
  myhost=$( hostname | cut -d '.' -f1 )
  clear
  sudo echo "${RED_TEXT}Installing packages do no abort!.......${END}"
  sudo apt install adcli -y
  sudo apt-get -qq install realmd adcli sssd -y
  sudo apt-get -qq install ntp -y
  sudo apt-get -qq install -y sssd-tools samba-common krb5-user curl
  sudo apt-get -qq install -f -y
  clear
  # Unlike the desktop paths, a missing realmd aborts here.
  if ! sudo dpkg -l | grep realmd
  then
    clear
    sudo echo "${RED_TEXT}Installing packages failed.. please check connection and dpkg and try again.${END}"
    exit
  else
    clear
    sudo echo "${INTRO_TEXT}packages installed${END}"
  fi
  sleep 1
  REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
  if [ "$REALM" = "null" ]
  then
    DOMAIN=$(realm discover| grep -i realm.name | awk '{print $2}')
    if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1
    then
      clear
      echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
      echo "Please enter the domain you wish to join:"
      read -r DOMAIN
    else
      clear
      echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}"
      read -r -p "Do you wish to use it (y/n)?" yn
      case $yn in
        [Yy]* ) echo "";;

        [Nn]* ) echo "Please enter the domain you wish to join:"
                read -r DOMAIN;;
        * ) echo 'Please answer yes or no.';;
      esac
    fi
  else
    # Here (unlike UbuntU/Zorin_os) the readfile DOMAIN value is actually used.
    echo "Using Domain: $REALM"
    DOMAIN=$(echo "$REALM")
  fi
  sudo echo "${INTRO_TEXT}Realm= $DOMAIN${END}"
  sudo echo "${NORMAL}${NORMAL}"
  admin=$( sudo grep ADADMIN readfile | awk '{print $3}' )
  if [ "$admin" = "null" ]
  then
    echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}"
    echo "${INTRO_TEXT}Please type Admin user:${END}"
    read -r DomainADMIN
  else
    DomainADMIN=$( echo $admin )
  fi
  encrypt=$( sudo grep ENCRYPTEDPASSWD readfile | awk '{print $3}' )
  if [ "$encrypt" = "null" ] || [ "$encrypt" = "no" ]
  then
    if ! sudo realm join --verbose --user="$DomainADMIN" "$DOMAIN" --install=/
    then
      echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
      exit
    fi
  else
    if [ "$encrypt" = "yes" ]
    then
      if [ -f private_key.pem ] && [ -f public_key.pem ]
      then
        # Decrypted admin password piped to realm; see the notes on the same pattern in
        # UbuntU (key beside ciphertext, unquoted $enc, secret cleared only on failure).
        enc=$(sudo openssl pkeyutl -decrypt -inkey private_key.pem -in encrypted.dat )
        if ! echo $enc | sudo realm join -v -U "$DomainADMIN" "$DOMAIN" --install=/
        then
          echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
          enc=$(null) < /dev/null > /dev/null 2>&1
          exit
        fi
      else
        echo "No files found, please try again"
        enc=$(null)
        exit
      fi
    else
      if ! sudo realm join --verbose --user="$DomainADMIN" "$DOMAIN" --install=/
      then
        echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
        exit
      fi
      exit
    fi
  fi
  # Mysrvgroup is used verbatim in login.group.allowed and, with a literal "sudoers"
  # suffix, in the sudoers drop-in below.
  echo "${NUMBER}Please type group name in AD for admins${END}"
  read -r Mysrvgroup
  sudo echo "############################"
  sudo echo "Configuratig files.."
  sudo echo "Verifying the setup"
  sudo systemctl enable sssd
  sudo systemctl start sssd
  # states / states1 are set by the prompts below but not read anywhere in this function.
  states="null"
  states1="null"
  grouPs="null"
  therealm="null"
  cauth="null"
  clear
  read -r -p "${RED_TEXT}Do you wish to enable SSH login.group.allowed${END}${NUMBER}(y/n)?${END}" yn
  case $yn in
    [Yy]* ) sudo echo "Checking if there is any previous configuration"
            if [ -f /etc/ssh/login.group.allowed ] < /dev/null > /dev/null 2>&1
            then
              echo "Files seems already to be modified, skipping..."
            else
              # pam_listfile with onerr=fail and sense=allow: any account whose group is
              # not in login.group.allowed is refused, so the local admin must be listed
              # (the NOTICE below warns about exactly this lock-out).
              echo "NOTICE! /etc/ssh/login.group.allowed will be created. make sure yor local user is in it you you could be banned from login"
              echo "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/ssh/login.group.allowed" | sudo tee -a /etc/pam.d/common-auth
              sudo touch /etc/ssh/login.group.allowed
              # All /etc/passwd entries with "home" and "bash" in them -- may be several names.
              admins=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 )
              echo ""
              echo ""
              read -r -p "Is your current administrator = $admins ? (y/n)?" yn
              case $yn in
                [Yy]* ) sudo echo "$admins" | sudo tee -a /etc/ssh/login.group.allowed;;
                [Nn]* ) echo "please type name of current administrator"
                        # NOTE(review): `-p` takes "MYADMIN" as the prompt string, so the
                        # input goes to $REPLY; $MYADMIN stays empty and an empty line is
                        # appended to login.group.allowed on the next line.
                        read -r -p MYADMIN
                        sudo echo "$MYADMIN" | sudo tee -a /etc/ssh/login.group.allowed;;
                * ) echo "Please answer yes or no.";;
              esac
              sudo echo "$Mysrvgroup" | sudo tee -a /etc/ssh/login.group.allowed
              sudo echo "$NetBios\\$myhost""sudoers""" | sudo tee -a /etc/ssh/login.group.allowed
              sudo echo "$NetBios\\domain^admins" | sudo tee -a /etc/ssh/login.group.allowed
              sudo echo "root" | sudo tee -a /etc/ssh/login.group.allowed
              echo "enabled SSH-allow"
            fi;;
    [Nn]* ) echo "Disabled SSH login.group.allowed"
            states1="12";;
    * ) echo "Please answer yes or no.";;
  esac
  echo ""
  echo "-------------------------------------------------------------------------------------------"
  echo ""
  read -r -p "${RED_TEXT}Do you wish to give users on this machine sudo rights?${END}${NUMBER}(y/n)?${END}" yn
  case $yn in
    [Yy]* ) sudo echo "Checking if there is any previous configuration"
            if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1
            then
              echo ""
              echo "Sudoers file seems already to be modified, skipping..."
# (continues the sudoers prompt of ubuntuserver14 from the previous chunk)
              echo ""
            else
              # NOTE(review): every rule below is NOPASSWD:ALL. The `%domain\ users` line
              # grants passwordless root to every domain account that can log in, not just
              # admins -- worth confirming that is intended. The drop-ins are written with
              # tee and never validated (visudo -c), so a malformed line breaks sudo for
              # everyone. The typed group name gets a literal "sudoers" suffix here.
              sudo echo "administrator ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
              sudo echo "%$Mysrvgroup""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
              sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
              sudo echo "%domain\ users ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers
              sudo echo "%DOMAIN\ admins ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/domain_admins
              #sudo realm permit --groups "$myhost""sudoers"
            fi;;
    [Nn]* ) echo "Disabled sudo rights for users on this machine"
            echo ""
            echo ""
            states="12";;
    * ) echo 'Please answer yes or no.';;
  esac
  # Create home directories on first login with umask 0077 (private homes).
  echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077" | sudo tee -a /etc/pam.d/common-session
  # lightdm greeter settings; the inner `sudo tee` already runs inside `sudo sh -c`.
  sudo sh -c "echo 'greeter-show-manual-login=true' | sudo tee -a /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf"
  sudo sh -c "echo 'allow-guest=false' | sudo tee -a /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf"
  # ---- verification pass: each check only prints OK/FAIL, nothing is corrected ----
  if ! realm discover
  then
    echo "Realm not found"
  else
    therealm=$( realm discover | grep -i realm-name | awk '{print $2}')
    # NOTE(review): therealm holds a realm name, so the literal comparison with "no"
    # presumably never matches and the NO branch looks unreachable -- confirm intent.
    if [ "$therealm" = "no" ]
    then
      echo Realm configured?.. "${NUMBER}NO${END}"
    else
      echo Realm configured?.. "${INTRO_TEXT}YES${END}"
    fi
  fi
  if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1
  then
    echo Checking sudoers file.. "${INTRO_TEXT}OK${END}"
  else
    echo checking sudoers file.. "${RED_TEXT}FAIL not configured${END}"
  fi
  grouPs=$(grep -i "$myhost" /etc/sudoers.d/sudoers | cut -d '%' -f2 | awk '{print $1}' | head -1)
  if [ "$grouPs" = "$myhost""sudoers" ]
  then
    echo "Checking sudoers users.. ${INTRO_TEXT}OK${END}"
  else
    echo "Checking sudoers users.. ${RED_TEXT}FAIL${END}"
  fi
  homedir=$( grep homedir /etc/pam.d/common-session | grep 0077 | cut -d '=' -f3 | head -1 )
  if [ "$homedir" = "0077" ] < /dev/null > /dev/null 2>&1
  then
    echo "Checking PAM configuration.. ${INTRO_TEXT}OK${END}"
  else
    echo "Checking PAM configuration.. ${RED_TEXT}FAIL${END}"
  fi
  cauth=$( grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | cut -d 'f' -f1 | head -1 )
  # NOTE(review): $cauth is unquoted; when the grep finds nothing the test becomes
  # `[ = "allow" ]`, which is a test error rather than a clean false.
  if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1
  then
    echo "Checking PAM auth configuration..${INTRO_TEXT}OK${END}"
  else
    echo "Checking PAM auth configuration..${RED_TEXT}SSH security not configured${END}"
  fi
  # NOTE(review): these four `sed -i` edits run without sudo, unlike the `sudo tee` right
  # after them, so they only take effect when the whole script already runs as root.
  # Switching access_provider to "simple" with no simple_allow_users/groups line added
  # here means sssd allows every domain user; the login restriction then rests entirely
  # on the pam_listfile allow-list configured above (if the user opted in).
  sed -i -e 's/fallback_homedir = \/home\/%u@%d/#fallback_homedir = \/home\/%u@%d/g' /etc/sssd/sssd.conf
  sed -i -e 's/use_fully_qualified_names = True/use_fully_qualified_names = False/g' /etc/sssd/sssd.conf
  sed -i -e 's/access_provider = ad/access_provider = simple/g' /etc/sssd/sssd.conf
  sed -i -e 's/sudoers: files sss/sudoers: files/g' /etc/nsswitch.conf
  echo "override_homedir = /home/%u" | sudo tee -a /etc/sssd/sssd.conf
  sudo grep -i override /etc/sssd/sssd.conf
  #sudo echo "[nss]
  #filter_groups = root
  #filter_users = root
  #reconnection_retries = 3
  #entry_cache_timeout = 600
  #entry_cache_user_timeout = 5400
  #entry_cache_group_timeout = 5400
  #cache_credentials = TRUE
  #entry_cache_nowait_percentage = 75" | sudo tee -a /etc/sssd/sssd.conf
  sudo service sssd restart
  realm discover "$DOMAIN"
  echo "${INTRO_TEXT}Please reboot your machine and wait 3 min for Active Directory to sync before login${END}"
  exit
}

####################################### Kali ############################################
# kalijoin: join a Kali host to AD. Installs realmd/sssd/adcli, resolves the domain, reads
# ADADMIN from ./readfile (or prompts), runs an interactive `realm join` (no encrypted
# password path here) and ends in fi_auth (not defined in this chunk).
kalijoin(){
  export HOSTNAME
  myhost=$( hostname | cut -d '.' -f1 )
  # NOTE(review): `export whoami` exports a shell variable named whoami (unset here), not
  # the command; whoamis and admins are assigned but never read in this function.
  export whoami
  whoamis=$( whoami )
  admins=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 )
  sudo echo "${RED_TEXT}Installing packages do no abort!.......${END}"
  sudo apt install adcli -y
  sudo apt-get -qq update
  sudo apt-get -qq install libsss-sudo -y
  sudo apt-get -qq install adcli -y
  sudo apt-get -qq install realmd adcli krb5-user sssd -y
  sudo apt-get -qq install ntp curl -y
  sudo apt-get -qq install policykit-1 -y
  sudo mkdir -p /var/lib/samba/private
  sudo apt-get -qq install -f -y
  clear
  if ! sudo dpkg -l | grep realmd
  then
    clear
    sudo echo "${RED_TEXT}Installing packages failed.. please check connection ,dpkg and apt-get update then try again.${END}"
    exit
  else
    clear
    sudo echo "${INTRO_TEXT}packages installed${END}"
  fi
  echo "hostname is $myhost"
  REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
  if [ "$REALM" = "null" ]
  then
    DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
    if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1
    then
      clear
      echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
      echo "Please enter the domain you wish to join:"
      read -r DOMAIN
    else
      clear
      echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}"
      read -r -p "Do you wish to use it (y/n)?" yn
      case $yn in
        [Yy]* ) echo "";;

        [Nn]* ) echo "Please enter the domain you wish to join:"
                read -r DOMAIN;;
        * ) echo 'Please answer yes or no.';;
      esac
    fi
  else
    # NOTE(review): the readfile DOMAIN value ($REALM) is ignored; DOMAIN comes from
    # `realm discover` either way (the line that would use $REALM is commented out).
    DOMAIN=$( realm discover | grep -i realm.name | awk '{print $2}' )
    echo "Using Domain: $DOMAIN"
    #DOMAIN=$(echo "$REALM")
  fi
  NetBios=$(echo "$DOMAIN" | cut -d '.' -f1)
  echo ""
  if [ -f readfile ]
  then
    admin=$( sudo grep ADADMIN readfile | awk '{print $3}' )
    if [ "$admin" = "null" ]
    then
      echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}"
      echo "${INTRO_TEXT}Please type Admin user:${END}"
      read -r ADMIN
    else
      ADMIN=$( echo $admin )
    fi
  else
    echo "${INTRO_TEXT}Please type Admin user:${END}"
    read -r ADMIN
  fi
  clear
  sudo echo "${INTRO_TEXT}Realm= $DOMAIN${END}"
  sudo echo "${NORMAL}${NORMAL}"
  # Bare `exit` after an echo returns 0, so a failed join is not visible to callers.
  if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" --install=/
  then
    echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
    exit
  fi
  fi_auth
}

####################################### SUSE ##########################################
# SUSEclient: same flow as kalijoin for SUSE, using zypper. Interactive `realm join` only;
# ends in fi_auth (not defined in this chunk).
SUSEclient(){
  export HOSTNAME
  myhost=$( hostname | cut -d '.' -f1 )
  clear
  sudo echo "${RED_TEXT}Installing packages do no abort!.......${END}"
  sudo zypper -n install realmd adcli sssd curl krb5-client
  sudo zypper -n in sssd-ad
  clear
  echo "hostname is $myhost"
  sleep 1
  REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
  if [ "$REALM" = "null" ]
  then
    DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
    if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1
    then
      clear
      echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
      echo "Please enter the domain you wish to join:"
      read -r DOMAIN
    else
      clear
      echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}"
      read -r -p "Do you wish to use it (y/n)?" yn
      case $yn in
        [Yy]* ) echo "";;

        [Nn]* ) echo "Please enter the domain you wish to join:"
                read -r DOMAIN;;
        * ) echo 'Please answer yes or no.';;
      esac
    fi
  else
    # readfile DOMAIN value is ignored here as well; see kalijoin.
    DOMAIN=$( realm discover | grep -i realm.name | awk '{print $2}' )
    echo "Using Domain: $DOMAIN"
    #DOMAIN=$(echo "$REALM")
  fi
  NetBios=$(echo "$DOMAIN" | cut -d '.' -f1)
  echo ""
  if [ -f readfile ]
  then
    admin=$( sudo grep ADADMIN readfile | awk '{print $3}' )
    if [ "$admin" = "null" ]
    then
      echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}"
      echo "${INTRO_TEXT}Please type Admin user:${END}"
      read -r ADMIN
    else
      ADMIN=$( echo $admin )
    fi
  else
    echo "${INTRO_TEXT}Please type Admin user:${END}"
    read -r ADMIN
  fi
  clear
  sudo echo "${INTRO_TEXT}Realm= $DOMAIN${END}"
  sudo echo "${NORMAL}${NORMAL}"
  # NOTE(review): `tee` without -a truncates any existing /etc/sssd/sssd.conf to an empty
  # line before the join -- no backup is taken of a pre-existing configuration.
  sudo echo "" | sudo tee /etc/sssd/sssd.conf
  if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" --install=/
  then
    echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
    exit
  fi
  fi_auth
}

####################################### Debian ##########################################
# debianclient: join a Debian host to AD; same flow as kalijoin after a sudo bootstrap.
# Ends in fi_auth (not defined in this chunk).
debianclient(){
  export HOSTNAME
  myhost=$( hostname | cut -d '.' -f1 )
  # NOTE(review): `dkpg` is a typo for dpkg, so this command is "not found", the `if !`
  # branch is always taken, and `apt get install` (also malformed, and without sudo) fails
  # too. The else branch therefore never runs -- and even if it did, the pipe to tee sits
  # inside the quotes, so the echo only prints the text and writes nothing to
  # /etc/sudoers.d/admin. As written, no sudo rule is granted here.
  if ! dkpg -l | grep sudo
  then
    apt get install sudo -y
  else
    echo ""
    export whoami
    whoamis=$( whoami )
    echo "$whoamis"
    admins=$( grep home /etc/passwd | grep bash | cut -d ':' -f1 )
    echo "$admins ALL=(ALL:ALL) ALL | tee -a /etc/sudoers.d/admin"
  fi
  clear
  sudo echo "${RED_TEXT}Installing packages do no abort!.......${END}"
  sudo apt install adcli -y
  sudo apt-get -qq update
  sudo apt-get -qq install libsss-sudo -y
  sudo apt-get -qq install realmd adcli krb5-user sssd curl -y
  sudo apt-get -qq install ntp -y
  sudo apt-get -qq install policykit-1 -y
  sudo mkdir -p /var/lib/samba/private
  sudo apt-get -qq install realmd adcli sssd -y
  sudo apt-get -qq install ntp -y
  # No -y on this one: apt may stop to ask for confirmation.
  sudo apt-get -qq install -f
  clear
  if ! sudo dpkg -l | grep realmd
  then
    clear
    sudo echo "${RED_TEXT}Installing packages failed.. please check connection ,dpkg and apt-get update then try again.${END}"
    exit
  else
    clear
    sudo echo "${INTRO_TEXT}packages installed${END}"
  fi
  echo "hostname is $myhost"
  sleep 1
  REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' )
  if [ "$REALM" = "null" ]
  then
    DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}')
    if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1
    then
      clear
      echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}"
      echo "Please enter the domain you wish to join:"
      read -r DOMAIN
    else
      clear
      echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}"
      read -r -p "Do you wish to use it (y/n)?" yn
      case $yn in
        [Yy]* ) echo "";;

        [Nn]* ) echo "Please enter the domain you wish to join:"
                read -r DOMAIN;;
        * ) echo 'Please answer yes or no.';;
      esac
    fi
  else
    # readfile DOMAIN value is ignored here as well; see kalijoin.
    DOMAIN=$( realm discover | grep -i realm.name | awk '{print $2}' )
    echo "Using Domain: $DOMAIN"
    #DOMAIN=$(echo "$REALM")
  fi
  NetBios=$(echo "$DOMAIN" | cut -d '.' -f1)
  echo ""
  if [ -f readfile ]
  then
    admin=$( sudo grep ADADMIN readfile | awk '{print $3}' )
    if [ "$admin" = "null" ]
    then
      echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}"
      echo "${INTRO_TEXT}Please type Admin user:${END}"
      read -r ADMIN
    else
      ADMIN=$( echo $admin )
    fi
  else
    echo "${INTRO_TEXT}Please type Admin user:${END}"
    read -r ADMIN
  fi
  clear
  sudo echo "${INTRO_TEXT}Realm= $DOMAIN${END}"
  sudo echo "${NORMAL}${NORMAL}"
  if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" --install=/
  then
    echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}"
    exit
  fi
  fi_auth
}

####################################### Cent OS #########################################
# CentOS: RPM-based join (yum, no sudo). This definition continues in the next chunk.
CentOS(){
  export HOSTNAME
  myhost=$( hostname | cut -d '.' -f1 )
  yum -y install realmd sssd oddjob oddjob-mkhomedir adcli krb5-user samba-common-tools samba-common heimdal-clients msktutil
  # NOTE(review): `adcli=0.8.2-1` is apt-style version syntax; yum expects name-version
  # (e.g. adcli-0.8.2-1), so this presumably fails to match a package -- confirm.
  yum -y install adcli=0.8.2-1 -y
  yum -y install ipa-client
  echo "Looking for domains..."
  DOMAIN=$(realm discover | grep -i realm-name | awk '{print $2}')
  if [ -n "$DOMAIN" ]
  then
    if ! ping -c 1 "$DOMAIN"
    then
      clear
      echo "I searched for an available domain and found $DOMAIN but it is not responding to ping, please type your domain manually below... 
" 1828 | echo "Please enter the domain you wish to join:" 1829 | read -r DOMAIN 1830 | if [ -f readfile ] 1831 | then 1832 | admin=$( sudo grep ADADMIN readfile | awk '{print $3}' ) 1833 | if [ "$admin" = "null" ] 1834 | then 1835 | echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}" 1836 | echo "${INTRO_TEXT}Please type Admin user:${END}" 1837 | read -r ADMIN 1838 | else 1839 | ADMIN=$( echo $admin ) 1840 | fi 1841 | else 1842 | echo "${INTRO_TEXT}Please type Admin user:${END}" 1843 | read -r ADMIN 1844 | fi 1845 | else 1846 | clear 1847 | echo "I searched for an available domain and found >>> $DOMAIN <<<" 1848 | read -r -p "Do you wish to use it (y/n)?" yn 1849 | case $yn in 1850 | [Yy]* ) echo "Please log in with domain admin to $DOMAIN to connect" 1851 | sudo echo "Please enter AD admin user:" 1852 | read -r ADMIN 1853 | ;; 1854 | [Nn]* ) echo "Please enter the domain you wish to join:" 1855 | read -r DOMAIN 1856 | if [ -f readfile ] 1857 | then 1858 | admin=$( sudo grep ADADMIN readfile | awk '{print $3}' ) 1859 | if [ "$admin" = "null" ] 1860 | then 1861 | echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}" 1862 | echo "${INTRO_TEXT}Please type Admin user:${END}" 1863 | read -r ADMIN 1864 | else 1865 | ADMIN=$( echo $admin ) 1866 | fi 1867 | else 1868 | echo "${INTRO_TEXT}Please type Admin user:${END}" 1869 | read -r ADMIN 1870 | fi 1871 | ;; 1872 | * ) echo 'Please answer yes or no.';; 1873 | esac 1874 | fi 1875 | else 1876 | clear 1877 | echo "I searched for an available domain and found nothing, please type your domain manually below... 
" 1878 | echo "Please enter the domain you wish to join:" 1879 | read -r DOMAIN 1880 | if [ -f readfile ] 1881 | then 1882 | admin=$( sudo grep ADADMIN readfile | awk '{print $3}' ) 1883 | if [ "$admin" = "null" ] 1884 | then 1885 | echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}" 1886 | echo "${INTRO_TEXT}Please type Admin user:${END}" 1887 | read -r ADMIN 1888 | else 1889 | ADMIN=$( echo $admin ) 1890 | fi 1891 | else 1892 | echo "${INTRO_TEXT}Please type Admin user:${END}" 1893 | read -r ADMIN 1894 | fi 1895 | fi 1896 | sudo echo "Realm= $DOMAIN" 1897 | sudo echo "" 1898 | if ! sudo realm join -v -U "$ADMIN" "$DOMAIN" --install=/ 1899 | then 1900 | echo "AD join failed.please check your errors with journalctl -xe" 1901 | exit 1902 | fi 1903 | echo "session required pam_unix.so" | sudo tee -a /etc/pam.d/common-session 1904 | fi_auth_yum 1905 | exit 1906 | } 1907 | 1908 | ############################### Raspberry Pi ################################### 1909 | raspberry(){ 1910 | export HOSTNAME 1911 | myhost=$( hostname | cut -d '.' -f1 ) 1912 | sudo aptitude install ntp adcli sssd krb5-user 1913 | sudo mkdir -p /var/lib/samba/private 1914 | sudo aptitude install libsss-sudo 1915 | sudo systemctl enable sssd 1916 | clear 1917 | DOMAIN=$( realm discover | grep -i realm-name | awk '{print $2}') 1918 | echo "" 1919 | admin=$( sudo grep ADADMIN readfile | awk '{print $3}' ) 1920 | if [ "$admin" = "null" ] 1921 | then 1922 | echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}" 1923 | echo "${INTRO_TEXT}Please type Admin user:${END}" 1924 | read -r ADMIN 1925 | else 1926 | ADMIN=$( echo $admin ) 1927 | fi 1928 | if ! 
sudo realm join -v -U "$ADMIN" "$DOMAIN" --install=/ 1929 | then 1930 | echo "AD join failed.please check your errors with journalctl -xe" 1931 | exit 1932 | fi 1933 | sudo systemctl start sssd 1934 | echo "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077" | sudo tee -a /etc/pam.d/common-session 1935 | sudo echo "pi ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers 1936 | sudo echo "%$myhost""sudoers ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/sudoers 1937 | sed -i -e 's/fallback_homedir = \/home\/%u@%d/#fallback_homedir = \/home\/%u@%d/g' /etc/sssd/sssd.conf 1938 | sed -i -e 's/use_fully_qualified_names = True/use_fully_qualified_names = False/g' /etc/sssd/sssd.conf 1939 | sed -i -e 's/access_provider = ad/access_provider = simple/g' /etc/sssd/sssd.conf 1940 | sed -i -e 's/sudoers: files sss/sudoers: files/g' /etc/nsswitch.conf 1941 | echo "override_homedir = /home/%u" | sudo tee -a /etc/sssd/sssd.conf 1942 | sudo grep -i override /etc/sssd/sssd.conf 1943 | sudo echo "[nss] 1944 | filter_groups = root 1945 | filter_users = root 1946 | reconnection_retries = 3 1947 | entry_cache_timeout = 600 1948 | #entry_cache_user_timeout = 5400 1949 | #entry_cache_group_timeout = 5400 1950 | #cache_credentials = TRUE 1951 | entry_cache_nowait_percentage = 75" | sudo tee -a /etc/sssd/sssd.conf 1952 | sudo service sssd restart 1953 | exit 1954 | } 1955 | 1956 | ############################### Fedora ######################################### 1957 | Fedora_fn(){ 1958 | export HOSTNAME 1959 | myhost=$( hostname | cut -d '.' -f1 ) 1960 | yum -y install realmd sssd oddjob oddjob-mkhomedir adcli krb5-user samba-common-tools samba-common 1961 | DOMAIN=$(realm discover | grep -i realm-name | awk '{print $2}') 1962 | if ! ping -c 1 "$DOMAIN" 1963 | then 1964 | clear 1965 | echo "I searched for an available domain and found nothing, please type your domain manually below... 
" 1966 | echo "Please enter the domain you wish to join:" 1967 | read -r DOMAIN 1968 | if [ -f readfile ] 1969 | then 1970 | admin=$( sudo grep ADADMIN readfile | awk '{print $3}' ) 1971 | if [ "$admin" = "null" ] 1972 | then 1973 | echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}" 1974 | echo "${INTRO_TEXT}Please type Admin user:${END}" 1975 | read -r ADMIN 1976 | else 1977 | ADMIN=$( echo $admin ) 1978 | fi 1979 | else 1980 | echo "${INTRO_TEXT}Please type Admin user:${END}" 1981 | read -r ADMIN 1982 | fi 1983 | else 1984 | clear 1985 | echo "I searched for an available domain and found >>> $DOMAIN <<<" 1986 | read -r -p "Do you wish to use it (y/n)?" yn 1987 | case $yn in 1988 | [Yy]* ) echo "Please log in with domain admin to $DOMAIN to connect";; 1989 | 1990 | [Nn]* ) echo "Please enter the domain you wish to join:" 1991 | read -r DOMAIN;; 1992 | * ) echo 'Please answer yes or no.';; 1993 | esac 1994 | fi 1995 | clear 1996 | if [ -f readfile ] 1997 | then 1998 | admin=$( sudo grep ADADMIN readfile | awk '{print $3}' ) 1999 | if [ "$admin" = "null" ] 2000 | then 2001 | echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}" 2002 | echo "${INTRO_TEXT}Please type Admin user:${END}" 2003 | read -r ADMIN 2004 | else 2005 | ADMIN=$( echo $admin ) 2006 | fi 2007 | else 2008 | echo "${INTRO_TEXT}Please type Admin user:${END}" 2009 | read -r ADMIN 2010 | fi 2011 | sudo echo "Realm= $DOMAIN" 2012 | sudo echo "" 2013 | if ! sudo realm join -v -U "$ADMIN" "$DOMAIN" --install=/ 2014 | then 2015 | echo "AD join failed.please check your errors with journalctl -xe" 2016 | exit 2017 | fi 2018 | fi_auth_yum 2019 | exit 2020 | } 2021 | 2022 | ############################# Elemntary ##################################### 2023 | elemntary_fn(){ 2024 | export HOSTNAME 2025 | myhost=$( hostname | cut -d '.' 
-f1 ) 2026 | sudo apt-get -qq install -y realmd curl sssd sssd-tools samba-common krb5-user 2027 | sudo apt-get -qq install -f -y 2028 | echo "hostname is $myhost" 2029 | echo "Looking for Realms.. please wait" 2030 | REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' ) 2031 | if [ "$REALM" = "null" ] 2032 | then 2033 | DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}') 2034 | if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1 2035 | then 2036 | clear 2037 | echo "I searched for an available domain and found nothing, please type your domain manually below..." 2038 | echo "Please enter the domain you wish to join:" 2039 | read -r DOMAIN 2040 | else 2041 | clear 2042 | echo "I searched for an available domain and found>>> $DOMAIN <<<" 2043 | read -r -p "Do you wish to use it (y/n)?" yn 2044 | case $yn in 2045 | [Yy]* ) echo "";; 2046 | 2047 | [Nn]* ) echo "Please enter the domain you wish to join:" 2048 | read -r DOMAIN;; 2049 | * ) echo 'Please answer yes or no.';; 2050 | esac 2051 | fi 2052 | else 2053 | DOMAIN=$( realm discover | grep -i realm.name | awk '{print $2}' ) 2054 | echo "Using Domain: $DOMAIN" 2055 | #DOMAIN=$(echo "$REALM") 2056 | fi 2057 | clear 2058 | if [ -f readfile ] 2059 | then 2060 | admin=$( sudo grep ADADMIN readfile | awk '{print $3}' ) 2061 | if [ "$admin" = "null" ] 2062 | then 2063 | echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}" 2064 | echo "${INTRO_TEXT}Please type Admin user:${END}" 2065 | read -r ADMIN 2066 | else 2067 | ADMIN=$( echo $admin ) 2068 | fi 2069 | else 2070 | echo "${INTRO_TEXT}Please type Admin user:${END}" 2071 | read -r ADMIN 2072 | fi 2073 | NetBios=$(echo "$DOMAIN" | cut -d '.' -f1) 2074 | clear 2075 | if ! 
sudo realm join --verbose --user="$ADMIN" "$DOMAIN" 2076 | then 2077 | echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}" 2078 | exit 2079 | fi 2080 | allowguest=$( sudo grep manual /usr/share/lightdm/lightdm.conf.d/50-disable-guest.conf | grep true | cut -d '=' -f2 | head -1 ) 2081 | if [ "$allowguest" = "true" ] 2082 | then 2083 | echo "Lightdm is already configured.. skipping.." 2084 | else 2085 | sudo echo "greeter-show-manual-login=true" | sudo tee -a /usr/share/lightdm/lightdm.conf.d/40-io.elementary.greeter.conf 2086 | fi 2087 | fi_auth 2088 | exit 2089 | } 2090 | 2091 | ############################# Linux Mint ##################################### 2092 | LinuxMint(){ 2093 | export HOSTNAME 2094 | myhost=$( hostname | cut -d '.' -f1 ) 2095 | sudo apt-get -qq install -y realmd curl sssd sssd-tools samba-common krb5-user 2096 | sudo apt-get -qq install -f -y 2097 | sudo apt install adcli -y 2098 | echo "hostname is $myhost" 2099 | echo "Looking for Realms.. please wait" 2100 | REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' ) 2101 | if [ "$REALM" = "null" ] 2102 | then 2103 | DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}') 2104 | if ! ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1 2105 | then 2106 | clear 2107 | echo "I searched for an available domain and found nothing, please type your domain manually below..." 2108 | echo "Please enter the domain you wish to join:" 2109 | read -r DOMAIN 2110 | else 2111 | clear 2112 | echo "I searched for an available domain and found>>> $DOMAIN <<<" 2113 | read -r -p "Do you wish to use it (y/n)?" 
yn 2114 | case $yn in 2115 | [Yy]* ) echo "";; 2116 | 2117 | [Nn]* ) echo "Please enter the domain you wish to join:" 2118 | read -r DOMAIN;; 2119 | * ) echo 'Please answer yes or no.';; 2120 | esac 2121 | fi 2122 | else 2123 | DOMAIN=$( realm discover | grep -i realm.name | awk '{print $2}' ) 2124 | echo "Using Domain: $DOMAIN" 2125 | #DOMAIN=$(echo "$REALM") 2126 | fi 2127 | clear 2128 | if [ -f readfile ] 2129 | then 2130 | admin=$( sudo grep ADADMIN readfile | awk '{print $3}' ) 2131 | if [ "$admin" = "null" ] 2132 | then 2133 | echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}" 2134 | echo "${INTRO_TEXT}Please type Admin user:${END}" 2135 | read -r ADMIN 2136 | else 2137 | ADMIN=$( echo $admin ) 2138 | fi 2139 | else 2140 | echo "${INTRO_TEXT}Please type Admin user:${END}" 2141 | read -r ADMIN 2142 | fi 2143 | NetBios=$(echo "$DOMAIN" | cut -d '.' -f1) 2144 | clear 2145 | if ! sudo realm join --verbose --user="$ADMIN" "$DOMAIN" 2146 | then 2147 | echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}" 2148 | exit 2149 | fi 2150 | allowguest=$( sudo grep manual /usr/share/lightdm/lightdm.conf.d/50-disable-guest.conf | grep true | cut -d '=' -f2 | head -1 ) 2151 | if [ "$allowguest" = "true" ] 2152 | then 2153 | echo "Lightdm is already configured.. skipping.." 
2154 | else 2155 | sudo echo "greeter-show-manual-login=true" | sudo tee -a /usr/share/lightdm/lightdm.conf.d/50-disable-guest.conf 2156 | fi 2157 | fi_auth 2158 | exit 2159 | } 2160 | 2161 | ############################### Update to Realmd from likewise ################## 2162 | Realmdupdate(){ 2163 | clear 2164 | echo "" 2165 | echo "this section has been deprecated, If you are still using likewise please see code" 2166 | echo "leave likewise with sudo domainjoin-cli leave" 2167 | exit 2168 | } 2169 | 2170 | ############################### Fail check #################################### 2171 | failcheck(){ 2172 | clear 2173 | export HOSTNAME 2174 | myhost=$( hostname | cut -d '.' -f1 ) 2175 | if ! hostname | cut -d '.' -f1 < /dev/null > /dev/null 2>&1 2176 | then 2177 | echo "Sorry I am having issues finding your domain.. please type it" 2178 | read -r DOMAIN 2179 | else 2180 | echo "" 2181 | fi 2182 | echo "" 2183 | echo "-------------------------------------------------------------------------------------" 2184 | echo "" 2185 | if ! realm discover < /dev/null > /dev/null 2>&1 2186 | then 2187 | echo "Realm not found" 2188 | else 2189 | echo "" 2190 | therealm=$( realm discover | grep -i configured | awk '{print $2}') 2191 | if [ "$therealm" = "no" ] 2192 | then 2193 | echo Realm configured?.. "${RED_TEXT}NO${END}" 2194 | else 2195 | echo Realm configured?.. "${INTRO_TEXT}YES${END}" 2196 | fi 2197 | if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1 2198 | then 2199 | echo Checking sudoers file.. "${INTRO_TEXT}OK${END}" 2200 | grouPs=$(grep -i "$myhost" /etc/sudoers.d/sudoers | cut -d '%' -f2 | awk '{print $1}' | head -1 | sed -e 's/sudoers//g' ) 2201 | if [ "$grouPs" = "$myhost" ] 2202 | then 2203 | echo Checking sudoers users.. "${INTRO_TEXT}OK${END}" 2204 | else 2205 | echo Checking sudoers users.. "${RED_TEXT}FAIL${END}" 2206 | fi 2207 | else 2208 | echo Checking sudoers file.. 
"${RED_TEXT}FAIL${END}" 2209 | fi 2210 | homedir=$( grep homedir /etc/pam.d/common-session | grep 0077 | cut -d '=' -f3 | head -1 ) 2211 | if [ "$homedir" -eq "0077" ] < /dev/null > /dev/null 2>&1 2212 | then 2213 | echo Checking PAM configuration.. "${INTRO_TEXT}OK${END}" 2214 | else 2215 | echo Checking PAM configuration.. "${RED_TEXT}FAIL${END}" 2216 | fi 2217 | cauth=$( grep required /etc/pam.d/common-auth | grep onerr | grep allow | cut -d '=' -f4 | cut -d 'f' -f1 | head -1 ) 2218 | if [ $cauth = "allow" ] < /dev/null > /dev/null 2>&1 2219 | then 2220 | echo Checking PAM auth configuration.. "${INTRO_TEXT}OK${END}" 2221 | else 2222 | echo Checking PAM auth configuration.. "${RED_TEXT}SSH security not configured${END}" 2223 | fi 2224 | fi 2225 | echo "" 2226 | echo "-------------------------------------------------------------------------------------" 2227 | exit 2228 | } 2229 | 2230 | ############################### Fail check Yum #################################### 2231 | ###Fixes 2019/12### 2232 | failcheck_yum(){ 2233 | clear 2234 | export HOSTNAME 2235 | myhost=$( hostname | cut -d '.' -f1 ) 2236 | therealm=$( realm discover | grep -i realm-name | awk '{print $2}') 2237 | if ! hostname | cut -d '.' -f1 < /dev/null > /dev/null 2>&1 2238 | then 2239 | echo "Sorry I am having issues finding your domain.. please type it" 2240 | read -r DOMAIN 2241 | else 2242 | echo "" 2243 | fi 2244 | echo "-------------------------------------------------------------------------------------" 2245 | echo "" 2246 | if ! realm discover "$therealm" 2247 | then 2248 | echo "realm not found" 2249 | else 2250 | echo "" 2251 | therealm=$( realm discover | grep -i realm-name | awk '{print $2}') 2252 | if [ "$therealm" = "no" ] 2253 | then 2254 | echo "Realm configured?.. NO" 2255 | else 2256 | echo "Realm configured?.. YES" 2257 | fi 2258 | if [ -f /etc/sudoers.d/admins ] < /dev/null > /dev/null 2>&1 2259 | then 2260 | echo "Checking sudoers file.. 
OK" 2261 | grouPs=$(grep -i "$myhost" /etc/sudoers.d/admins | cut -d '%' -f2 | cut -d '=' -f1 | sed -e 's/\//g') 2262 | if [ "$grouPs" = "$myhost""sudoers" ] 2263 | then 2264 | echo "Checking sudoers users.. OK" 2265 | else 2266 | echo "Checking sudoers users.. FAIL" 2267 | fi 2268 | else 2269 | if [ -f /etc/sudoers.d/sudoers ] < /dev/null > /dev/null 2>&1 2270 | then 2271 | echo "Checking sudoers file.. OK" 2272 | grouPs1=$(grep -i "$myhost" /etc/sudoers.d/sudoers | cut -d '%' -f2 | awk '{print $1}' | head -1 | head -1) 2273 | if [ "$grouPs1" = "$myhost""sudoers" ] 2274 | then 2275 | echo "Checking sudoers user groups.. OK" 2276 | else 2277 | echo "Checking sudoers user groups.. FAIL" 2278 | fi 2279 | else 2280 | echo "Checking sudoers file.. FAIL not configured" 2281 | fi 2282 | fi 2283 | homedir=$( grep homedir /etc/pam.d/common-session | grep 0077 | cut -d '=' -f3 | head -1 ) 2284 | if [ "$homedir" = "0077" ] < /dev/null > /dev/null 2>&1 2285 | then 2286 | echo "Checking PAM configuration.. OK" 2287 | else 2288 | echo "Checking PAM configuration.. FAIL" 2289 | fi 2290 | if [ -f /etc/ssh/login.group.allowed ] 2291 | then 2292 | echo "Checking login.group.allowed configuration.. OK" 2293 | else 2294 | echo "Checking login.group.allowed.. SSH security not configured" 2295 | fi 2296 | fi 2297 | echo "" 2298 | echo "-------------------------------------------------------------------------------------" 2299 | exit 2300 | } 2301 | 2302 | #################################### ldapsearch ##################################################### 2303 | ldaplook(){ 2304 | export HOSTNAME 2305 | myhost=$( hostname | cut -d '.' 
-f1 ) 2306 | ldaptools=$( sudo dpkg -l | grep -i ldap-utils | cut -d 's' -f1 | cut -d 'l' -f2 ) 2307 | echo "${NUMBER}Remember!you must be logged in with AD admin on the client/server to use this funktion${END}" 2308 | echo "${NUMBER}Remember!please edit in ldap.conf the lines BASE and URI in /etc/ldap/ldap.conf ${END}" 2309 | echo "${NUMBER}your BASE will be the area you will search in${END}" 2310 | sleep 3 2311 | if [ "$ldaptools" = dap-uti ] 2312 | then 2313 | clear 2314 | echo "ldap tool installed.. trying to find this host" 2315 | sudo ldapsearch -x cn="$myhost" 2316 | echo "Please type what you are looking for" 2317 | read -r own 2318 | sudo ldapsearch -x | grep -i "$own" 2319 | exit 2320 | else 2321 | clear 2322 | if ! sudo apt-get install ldap-utils curl -y 2323 | then 2324 | echo "install failed" 2325 | exit 2326 | else 2327 | echo "${NUMBER}please edit in ldap.conf the lines BASE and URI ${END}" 2328 | sleep 3 2329 | sudo nano /etc/ldap/ldap.conf 2330 | sudo ldapsearch -x | grep -i "$myhost" 2331 | exit 2332 | fi 2333 | fi 2334 | } 2335 | 2336 | #################################### ldapsearchyum ##################################################### 2337 | ldaplookyum(){ 2338 | export HOSTNAME 2339 | myhost=$( hostname | cut -d '.' -f1 ) 2340 | ldaptools=$( sudo dpkg -l | grep -i ldap-utils | cut -d 's' -f1 | cut -d 'l' -f2 ) 2341 | echo "${NUMBER}Remember!you must be logged in with AD admin on the client/server to use this funktion${END}" 2342 | echo "${NUMBER}Remember!please edit in ldap.conf the lines BASE and URI in /etc/ldap/ldap.conf ${END}" 2343 | echo "${NUMBER}your BASE will be the area you will search in${END}" 2344 | sleep 3 2345 | if [ "$ldaptools" = dap-uti ] 2346 | then 2347 | clear 2348 | echo "ldap tool installed.. trying to find this host" 2349 | sudo ldapsearch -x cn="$myhost" 2350 | echo "Please type what you are looking for" 2351 | read -r own 2352 | sudo ldapsearch -x | grep -i "$own" 2353 | exit 2354 | else 2355 | clear 2356 | if ! 
sudo yum install ldap-utils -y 2357 | then 2358 | echo "install failed" 2359 | exit 2360 | else 2361 | echo "${NUMBER}please edit in ldap.conf the lines BASE and URI ${END}" 2362 | sleep 3 2363 | sudo nano /etc/ldap/ldap.conf 2364 | sudo ldapsearch -x | grep -i "$myhost" 2365 | exit 2366 | fi 2367 | fi 2368 | } 2369 | ############################### Reauth ########################################## 2370 | Reauthenticate(){ 2371 | export HOSTNAME 2372 | myhost=$( hostname | cut -d '.' -f1 ) 2373 | sudo apt-get -qq install -y realmd curl sssd sssd-tools samba-common krb5-user 2374 | clear 2375 | SSSD=$( sudo cat /etc/sssd/sssd.conf | grep domain | awk '{print $3}' | head -1 ) < /dev/null > /dev/null 2>&1 2376 | DOMAINlower=$( echo "$DOMAIN" | tr '[:upper:]' '[:lower:]' ) < /dev/null > /dev/null 2>&1 2377 | if [ -f /etc/sssd/sssd.conf ] 2378 | then 2379 | read -r -p "Do you really want to leave the domain: $SSSD (y/n)?" yn 2380 | case $yn in 2381 | [Yy]* ) echo "Listing domain" 2382 | sudo realm discover "$SSSD" | grep realm | head -1 2383 | if ! 
sudo realm leave "$SSSD" --remove 2384 | then 2385 | echo "failed Nothing to leave" 2386 | exit 0 2387 | else 2388 | LEFT=$(sudo realm discover | grep configured | awk '{print $2}') 2389 | if [ "$LEFT" = "no" ] 2390 | then 2391 | echo "" 2392 | sudo echo "" | sudo tee /etc/sssd/sssd.conf 2393 | echo "has left $SSSD" 2394 | linuxclient 2395 | echo "" 2396 | notify-send ADconnection "Left $SSSD " 2397 | else 2398 | echo "something went wrong, try to leave manually" 2399 | echo "" 2400 | echo "Please type domain you wish to leave" 2401 | read -r DOMAIN 2402 | sudo realm leave "$DOMAIN" --remove 2403 | left=$(sudo realm discover | grep configured | awk '{print $2}') 2404 | if [ "$left" = "no" ] 2405 | then 2406 | echo "" 2407 | sudo echo "" | sudo tee /etc/sssd/sssd.conf 2408 | echo "$DOMAIN has been left" 2409 | echo "" 2410 | notify-send ADconnection "Left $SSSD " 2411 | linuxclient 2412 | else 2413 | echo "something went wrong" 2414 | fi 2415 | fi 2416 | fi 2417 | ;; 2418 | [Nn]* ) echo "Not leaving $SSSD" 2419 | exit 2420 | ;; 2421 | * ) echo 'Please answer yes or no.';; 2422 | esac 2423 | exit 2424 | fi 2425 | exit 2426 | } 2427 | 2428 | ######################### Leave Realm ################################ 2429 | leaves(){ 2430 | export HOSTNAME 2431 | myhost=$( hostname | cut -d '.' -f1 ) 2432 | clear 2433 | SSSD=$( sudo cat /etc/sssd/sssd.conf | grep domain | awk '{print $3}' | head -1 ) < /dev/null > /dev/null 2>&1 2434 | DOMAINlower=$( echo "$DOMAIN" | tr '[:upper:]' '[:lower:]' ) < /dev/null > /dev/null 2>&1 2435 | if [ -f /etc/sssd/sssd.conf ] 2436 | then 2437 | read -r -p "Do you really want to leave the domain: $SSSD (y/n)?" yn 2438 | case $yn in 2439 | [Yy]* ) echo "Listing domain" 2440 | sudo realm discover "$SSSD" | grep realm | head -1 2441 | if ! 
sudo realm leave "$SSSD" --remove 2442 | then 2443 | echo "failed Nothing to leave" 2444 | exit 0 2445 | else 2446 | LEFT=$(sudo realm discover | grep configured | awk '{print $2}') 2447 | if [ "$LEFT" = "no" ] 2448 | then 2449 | echo "" 2450 | sudo echo "" | sudo tee /etc/sssd/sssd.conf 2451 | echo "has left $SSSD" 2452 | echo "" 2453 | notify-send ADconnection "Left $SSSD " 2454 | else 2455 | echo "something went wrong, try to leave manually" 2456 | echo "" 2457 | echo "Please type domain you wish to leave" 2458 | read -r DOMAIN 2459 | sudo realm leave "$DOMAIN" --remove 2460 | left=$(sudo realm discover | grep configured | awk '{print $2}') 2461 | if [ "$left" = "no" ] 2462 | then 2463 | echo "" 2464 | sudo echo "" | sudo tee /etc/sssd/sssd.conf 2465 | echo "$DOMAIN has been left" 2466 | echo "" 2467 | notify-send ADconnection "Left $DOMAIN " 2468 | else 2469 | echo "something went wrong" 2470 | fi 2471 | fi 2472 | fi 2473 | ;; 2474 | [Nn]* ) echo "Not leaving $SSSD" 2475 | exit 2476 | ;; 2477 | * ) echo 'Please answer yes or no.';; 2478 | esac 2479 | exit 2480 | fi 2481 | exit 2482 | } 2483 | ################################## encrypt pwd ############################### 2484 | encrypt(){ 2485 | echo "This will create 3 files: public key, private key, and encrypted file." 2486 | echo "Make sure to store the private key file securely." 2487 | sudo openssl genrsa -out private_key.pem 2048 2488 | sudo openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout 2489 | 2490 | echo "Please type the password to encrypt:" 2491 | stty -echo 2492 | read pass 2493 | stty echo 2494 | if [ -z "$pass" ]; then 2495 | echo "Password is empty" 2496 | exit 1 2497 | else 2498 | echo -n "$pass" | sudo openssl pkeyutl -encrypt -inkey public_key.pem -pubin -out encrypted.dat 2499 | pass="" 2500 | echo "Encryption complete. 
Files created:" 2501 | ls 2502 | fi 2503 | exit 2504 | } 2505 | 2506 | ################################## info ################################## 2507 | readmes(){ 2508 | clear 2509 | echo "Usage: sh ADconnection.sh [--help] " 2510 | echo " [-d (ubuntu debug mode)]" 2511 | echo " [-j admin domain (Simple direct join) ADconnection -j ADadmin domain" 2512 | echo " [-l (script output to log file)]" 2513 | echo " [-s (Discover domain)]" 2514 | echo " [-o (assign OU for computer object (-o OU=Clients,OU=Computers))" 2515 | echo " [-u (sh ADconnection -u (autodetect) or -u user (looks up if computer can get user from AD))" 2516 | echo "" 2517 | echo "" 2518 | echo "${INTRO_TEXT} Active directory connection tool, written by Pierre Gode https://github.com/PierreGode ${END}" 2519 | echo "${INTRO_TEXT} Examples ${END}" 2520 | echo "${INTRO_TEXT} Domain to join:${RED_TEXT}Example:${RED_TEXT}${NUMBER}mydomain.intra${NUMBER}${END}" 2521 | echo "${INTRO_TEXT} ${END}" 2522 | echo "${INTRO_TEXT} Domain’s NetBios name:${RED_TEXT}Example:${RED_TEXT}${NUMBER}mydomain${NUMBER}${END}" 2523 | echo "${INTRO_TEXT} ${END}" 2524 | echo "${INTRO_TEXT} Domain username:${RED_TEXT}Example:${RED_TEXT}${NUMBER}ADadmin${NUMBER}${END}" 2525 | echo "${INTRO_TEXT} ${END}" 2526 | echo "${INTRO_TEXT} AD Group to put users in:${RED_TEXT}Example:${RED_TEXT}${NUMBER}Sudoers.global${NUMBER}${END}" 2527 | echo "${RED_TEXT} group should be created in AD with the group name being the HOSTNAMEsudores ${END}" 2528 | echo "${INTRO_TEXT} ${END}" 2529 | echo "${INTRO_TEXT} Script will use hostname and add sudoer to it to sudoers ${RED_TEXT}Example:${RED_TEXT}${NUMBER} myhostsudoer${NUMBER}${END}" 2530 | echo "${INTRO_TEXT} It is important that the computerobject ${RED_TEXT}Ex:${RED_TEXT} myhost gets created in AD pre or post running the script ( the join will create an computer object by it self ${END}" 2531 | echo "${INTRO_TEXT} and that the group ${RED_TEXT}Ex:${RED_TEXT} myhostsuoers exists, sudoers must be 
added or edit this script to remove sudoers from name${END}" 2532 | echo "${INTRO_TEXT} Script will also add domain admin group to suoers ${END}" 2533 | echo "${NUMBER} Remember to Check Hostname and add it to AD${END}" 2534 | echo "${INTRO_TEXT} Reauthenticate is a fix for Ubuntu 14 likewise issues when client looses user (who am I?)${END}" 2535 | echo "${INTRO_TEXT} ${END}" 2536 | echo "${INTRO_TEXT} Ubuntu 16 and 14 has the setting not to show domain name in name or home folder due it can give${END}" 2537 | echo "${INTRO_TEXT} coding issues when building.. to change this configure /et/sssd/sssd.conf ${END}" 2538 | echo "" 2539 | exit 2540 | } 2541 | 2542 | ############################### Menu ############################### 2543 | MENU_FN(){ 2544 | clear 2545 | echo "${INTRO_TEXT} Active directory connection tool ${END}" 2546 | echo "${INTRO_TEXT} Created by Pierre gode ${END}" 2547 | echo "${INTRO_TEXT} This script will edit several critical files.. ${END}" 2548 | echo "${INTRO_TEXT} DO NOT attempt this without expert knowledge ${END}" 2549 | echo "${NORMAL} ${END}" 2550 | echo "${MENU}*${NUMBER} 1)${MENU} Join to AD on Linux (Ubuntu/Rasbian/Kali/Fedora/Debian/Elementary OS/) ${END}" 2551 | echo "${MENU}*${NUMBER} 2)${MENU} Check for errors ${END}" 2552 | echo "${MENU}*${NUMBER} 3)${MENU} Search with ldap ${END}" 2553 | echo "${MENU}*${NUMBER} 4)${MENU} Reauthenticate ${END}" 2554 | echo "${MENU}*${NUMBER} 5)${MENU} Leave Domain ${END}" 2555 | echo "${NORMAL} ${END}" 2556 | echo "${ENTER_LINE}Please enter a menu option and enter or ${RED_TEXT}ctrl + c to exit. 
${END}" 2557 | read -r opt 2558 | while [ "$opt" != '' ] 2559 | do 2560 | if [ "$opt" = "" ]; then 2561 | exit; 2562 | else 2563 | case $opt in 2564 | 1) clear; 2565 | echo "Installing on Linux Client/Server"; 2566 | linuxclient 2567 | ;; 2568 | 2569 | 2) clear; 2570 | echo "Check for errors" 2571 | failcheck 2572 | ;; 2573 | 3) clear; 2574 | echo "Check in Ldap" 2575 | ldaplookyum 2576 | ;; 2577 | 4) clear; 2578 | echo "Rejoin to AD" 2579 | Reauthenticate 2580 | ;; 2581 | 5) clear; 2582 | echo "Leave domain" 2583 | leaves 2584 | ;; 2585 | x)exit; 2586 | ;; 2587 | '\n')exit; 2588 | ;; 2589 | *)clear; 2590 | opt "Pick an option from the menu"; 2591 | MENU_FN; 2592 | ;; 2593 | esac 2594 | fi 2595 | done 2596 | } 2597 | 2598 | ############################### Menu YUM ############################### 2599 | YUM_MENU(){ 2600 | clear 2601 | echo " Active directory connection tool " 2602 | echo " Created by Pierre gode " 2603 | echo " This script will edit several critical files.. " 2604 | echo " DO NOT attempt this without expert knowledge " 2605 | echo "" 2606 | echo "1) Join to AD on Linux" 2607 | echo "2) Check for errors" 2608 | echo "3) Search with ldap" 2609 | echo "4) Reauthenticate" 2610 | echo "5) Leave Domain" 2611 | echo "" 2612 | echo "Please enter a menu option and enter or enter to exit." 
2613 | read -r opt 2614 | while [ "$opt" != '' ] 2615 | do 2616 | if [ "$opt" = "" ]; then 2617 | exit; 2618 | else 2619 | case $opt in 2620 | 1) clear; 2621 | echo "Installing on Linux Client/Server"; 2622 | linuxclient 2623 | ;; 2624 | 2) clear; 2625 | echo "Check for errors" 2626 | failcheck_yum 2627 | ;; 2628 | 3) clear; 2629 | echo "Check in Ldap" 2630 | ;; 2631 | 4) clear; 2632 | echo "Rejoin to AD" 2633 | Reauthenticate 2634 | ;; 2635 | 5) clear; 2636 | echo "Leave domain" 2637 | leaves 2638 | ;; 2639 | x)exit; 2640 | ;; 2641 | '\n')exit; 2642 | ;; 2643 | *)clear; 2644 | opt "Pick an option from the menu"; 2645 | MENU_FN; 2646 | ;; 2647 | esac 2648 | fi 2649 | done 2650 | } 2651 | 2652 | ################# Precheck for YUM based OS ################# 2653 | PRECHECK_FN(){ 2654 | ## curl your private key in this line 2655 | ## Precheck sends yum based OS to an own menu ## 2656 | TheOS=$( hostnamectl | grep -i Operating | awk '{print $3}' ) < /dev/null > /dev/null 2>&1 2657 | if [ "$TheOS" = "Fedora" ] 2658 | then 2659 | YUM_MENU 2660 | else 2661 | if [ "$TheOS" = "CentOS" ] 2662 | then 2663 | YUM_MENU 2664 | else 2665 | MENU_FN 2666 | fi 2667 | fi 2668 | } 2669 | ############################## Flags ############################### 2670 | clear 2671 | #Versi0n=$( echo "7" ) 2672 | #update=$( curl -s https://github.com/PierreGode/Linux-Active-Directory-join-script/blob/master/ADconnection.sh | grep -i Versi0n | awk '{print $10}' ) 2673 | #if [ "$update" -gt "$Version" ] 2674 | #then 2675 | #echo "Updating ADconnection" 2676 | #git pull 2677 | #else 2678 | #echo "ADconnection is up to date" 2679 | #fi 2680 | while test $# -gt 0; do 2681 | case "$1" in 2682 | -help|--help) 2683 | readmes 2684 | ;; 2685 | -d|--d) 2686 | if test $# -gt 0; then 2687 | linuxclientdebug 2688 | else 2689 | echo "" 2690 | exit 1 2691 | fi 2692 | ;; 2693 | -p|--p) 2694 | if test $# -gt 0; then 2695 | encrypt 2696 | else 2697 | echo "" 2698 | exit 1 2699 | fi 2700 | ;; 2701 | -l|--l) 2702 | 
if test $? -gt 0; then 2703 | DATE=$(date +%H:%M) 2704 | echo "$DATE" 2705 | MENU_FN 2>&1 | sudo tee adconnection.log 2706 | else 2707 | echo "" 2708 | exit 1 2709 | fi 2710 | ;; 2711 | -f|--f) 2712 | if test $? -gt 0; then 2713 | answerfile 2714 | else 2715 | echo "" 2716 | exit 1 2717 | fi 2718 | ;; 2719 | -j|--j) 2720 | if test $# -gt 0; then 2721 | if ! sudo realm join -v -U "$2" "$3" --install=/ 2722 | then 2723 | echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}" 2724 | exit 2725 | fi 2726 | exit 2727 | else 2728 | echo "" 2729 | exit 1 2730 | fi 2731 | ;; 2732 | -s|--s) 2733 | if test $# -gt 0; then 2734 | if ! realm discover < /dev/null > /dev/null 2>&1 2735 | then 2736 | clear 2737 | echo "" 2738 | echo "realmd is not installed" 2739 | echo "" 2740 | exit 2741 | else 2742 | sudo realm discover 2743 | exit 2744 | fi 2745 | else 2746 | echo "" 2747 | exit 1 2748 | fi 2749 | ;; 2750 | -u|--u) 2751 | if test $# -gt 0; then 2752 | clear 2753 | export HOSTNAME 2754 | myhost=$( hostname | cut -d '.' -f1 ) 2755 | DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}' | tr "[:upper:]" "[:lower:]") 2756 | if [ -z "$2" ] 2757 | then 2758 | if [ -d /home/"$DOMAIN" ] 2759 | then 2760 | ls /home/"$DOMAIN"/ | while read -r user 2761 | do 2762 | id "$user" 2763 | echo "___________________________________________________________________________" 2764 | echo "" 2765 | done 2766 | else 2767 | echo "no user found on this system. 
try typing the user:" 2768 | read -r user 2769 | id "$user" | grep "$myhost" 2770 | fi 2771 | else 2772 | id "$2" 2773 | fi 2774 | exit 2775 | fi 2776 | ;; 2777 | -o|--o) 2778 | if test $# -gt 0; then 2779 | desktop=$( sudo apt list --installed | grep -i desktop | grep -i ubuntu | cut -d '-' -f1 | grep -i desktop ) 2780 | rasp=$( lsb_release -a | grep -i Distributor | awk '{print $3}' ) 2781 | kalilinux=$( lsb_release -a | grep -i Distributor | awk '{print $3}' ) 2782 | if [ "$desktop" = "desktop" ] 2783 | then 2784 | if [ "$rasp" = "Raspbian" ] 2785 | then 2786 | echo "${INTRO_TEXT}Detecting Raspberry Pi${END}" 2787 | raspberry 2788 | else 2789 | if [ "$kalilinux" = "Kali" ] 2790 | then 2791 | echo "${INTRO_TEXT}Detecting Kali linux${END}" 2792 | kalijoin 2793 | else 2794 | echo "" 2795 | fi 2796 | fi 2797 | else 2798 | echo "This seems to be a server, Switching to server mode" 2799 | ubuntuserver14 2800 | fi 2801 | export HOSTNAME 2802 | myhost=$( hostname | cut -d '.' -f1 ) 2803 | clear 2804 | sudo echo "${RED_TEXT}Installing packages do no abort!.......${END}" 2805 | sudo apt-get -qq install realmd curl adcli sssd -y 2806 | sudo apt-get -qq install ntp -y 2807 | sudo apt install adcli -y 2808 | sudo apt-get install -f -y 2809 | clear 2810 | if ! sudo dpkg -l | grep realmd 2811 | then 2812 | clear 2813 | sudo echo "${RED_TEXT}Installing packages failed.. please check connection ,dpkg and apt-get update then try again.${END}" 2814 | exit 2815 | else 2816 | clear 2817 | sudo echo "${INTRO_TEXT}Packages installed${END}" 2818 | fi 2819 | echo "hostname is $myhost" 2820 | echo "Looking for Realms.. please wait" 2821 | REALM=$( sudo grep DOMAIN readfile | awk '{print $3}' ) 2822 | if [ "$REALM" = "null" ] 2823 | then 2824 | DOMAIN=$(realm discover | grep -i realm.name | awk '{print $2}') 2825 | if ! 
ping -c 2 "$DOMAIN" < /dev/null > /dev/null 2>&1 2826 | then 2827 | clear 2828 | echo "${NUMBER}I searched for an available domain and found nothing, please type your domain manually below... ${END}" 2829 | echo "Please enter the domain you wish to join:" 2830 | read -r DOMAIN 2831 | else 2832 | clear 2833 | echo "${NUMBER}I searched for an available domain and found ${MENU}>>> $DOMAIN <<<${END}${END}" 2834 | read -r -p "Do you wish to use it (y/n)?" yn 2835 | case $yn in 2836 | [Yy]* ) echo "";; 2837 | 2838 | [Nn]* ) echo "Please enter the domain you wish to join:" 2839 | read -r DOMAIN;; 2840 | * ) echo 'Please answer yes or no.';; 2841 | esac 2842 | fi 2843 | else 2844 | DOMAIN=$( realm discover | grep -i realm.name | awk '{print $2}' ) 2845 | echo "Using Domain: $DOMAIN" 2846 | #DOMAIN=$(echo "$REALM") 2847 | fi 2848 | NetBios=$(echo "$DOMAIN" | cut -d '.' -f1) 2849 | clear 2850 | var=$(lsb_release -a | grep -i release | awk '{print $2}' | cut -d '.' -f1) 2851 | if [ "$var" -eq "14" ] 2852 | then 2853 | echo "Installing additional dependencies" 2854 | sudo apt-get -qq install -y realmd curl sssd sssd-tools samba-common krb5-user 2855 | sudo apt install adcli -y 2856 | sudo apt-get install -f -y 2857 | clear 2858 | echo "${INTRO_TEXT}Detecting Ubuntu $var${END}" 2859 | sudo echo "${INTRO_TEXT}Realm=$DOMAIN${END}" 2860 | echo "${INTRO_TEXT}Joining Ubuntu $var${END}" 2861 | echo "" 2862 | echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}" 2863 | echo "${INTRO_TEXT}Please type Admin user:${END}" 2864 | read -r ADMIN 2865 | if ! 
realm join -v --user="$ADMIN" --computer-ou="$2" "$DOMAIN" --install=/ 2866 | then 2867 | echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}" 2868 | exit 2869 | fi 2870 | else 2871 | if [ "$var" -eq "16" ] 2872 | then 2873 | echo "${INTRO_TEXT}Detected Ubuntu $var${END}" 2874 | clear 2875 | sudo echo "${INTRO_TEXT}Realm=$DOMAIN${END}" 2876 | echo "${INTRO_TEXT}Joining Ubuntu $var${END}" 2877 | echo "" 2878 | echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}" 2879 | echo "${INTRO_TEXT}Please type Admin user:${END}" 2880 | read -r ADMIN 2881 | if ! realm join -v --user="$ADMIN" --computer-ou="$2" "$DOMAIN" 2882 | then 2883 | echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}" 2884 | exit 2885 | fi 2886 | else 2887 | if [ "$var" -eq "17" ] || [ "$var" -eq "18" ] || [ "$var" -eq "19" ] 2888 | then 2889 | echo "${INTRO_TEXT}Detected Ubuntu $var${END}" 2890 | sleep 1 2891 | clear 2892 | if [ "$var" -eq "19" ] 2893 | then 2894 | if [ -f /etc/apt/sources.list.d/aroth-ubuntu-ppa-eoan.list ] 2895 | then 2896 | sudo apt-get update 2897 | sudo apt install adcli -y --allow-downgrades 2898 | else 2899 | echo"" 2900 | echo "Fixing krb5.keytab: Bad encryption type for ubuntu 19.10" 2901 | echo "" 2902 | echo "To avoid encryption error with adcli please accept PPA below for an adcli update" 2903 | echo "" 2904 | sudo add-apt-repository ppa:aroth/ppa 2905 | sudo apt-get update 2906 | echo "" 2907 | fi 2908 | fi 2909 | clear 2910 | sudo echo "${INTRO_TEXT}Realm=$DOMAIN${END}" 2911 | echo "${INTRO_TEXT}Joining Ubuntu $var${END}" 2912 | echo "" 2913 | echo "${INTRO_TEXT}Please log in with domain admin to $DOMAIN to connect${END}" 2914 | echo "${INTRO_TEXT}Please type Admin user:${END}" 2915 | read -r ADMIN 2916 | if ! 
realm join -v --user="$ADMIN" --computer-ou="$2" "$DOMAIN" --install=/ 2917 | then 2918 | echo "${RED_TEXT}AD join failed.please check your errors with journalctl -xe${END}" 2919 | exit 2920 | fi 2921 | else 2922 | clear 2923 | sudo echo "${RED_TEXT}I am having issues to detect your Ubuntu version${END}" 2924 | exit 2925 | fi 2926 | fi 2927 | fi 2928 | fi_auth 2929 | else 2930 | echo "" 2931 | exit 1 2932 | fi 2933 | ;; 2934 | *) 2935 | break 2936 | ;; 2937 | esac 2938 | done 2939 | # This script is written by Pierre Gode https://github.com/PierreGode # 2940 | PRECHECK_FN 2941 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | Contributing 2 | ============ 3 | 4 | Contributions are welcome! 5 | 6 | **Please carefully read this page to make the code review process go as smoothly as possible and to maximize the likelihood of your contribution being merged.** 7 | 8 | ## Bug Reports 9 | 10 | For bug reports or requests [submit an issue](https://github.com/PierreGode/Linux-Active-Directory-join-script/issues). 11 | 12 | ## Pull Requests 13 | 14 | The preferred way to contribute is to fork the 15 | [main repository](https://github.com/PierreGode/Linux-Active-Directory-join-script) on GitHub. 16 | 17 | 1. Fork the [main repository](https://github.com/PierreGode/Linux-Active-Directory-join-script). Click on the 'Fork' button near the top of the page. This creates a copy of the code under your account on the GitHub server. 18 | 19 | 2. Clone this copy to your local disk: 20 | 21 | $ git clone git@github.com:YourLogin/Linux-Active-Directory-join-script 22 | $ cd Linux-Active-Directory-join-script 23 | 24 | 3. Create a branch to hold your changes and start making changes. Don't work in the `master` branch! 25 | 26 | $ git checkout -b my-feature 27 | 28 | 4. Work on this copy on your computer using Git to do the version control. 
When you're done editing, run the following to record your changes in Git: 29 | 30 | $ git add modified_files 31 | $ git commit 32 | 33 | 5. Push your changes to GitHub with: 34 | 35 | $ git push -u origin my-feature 36 | 37 | 6. Finally, go to the web page of your fork of the `Linux-Active-Directory-join-script` repo and click 'Pull Request' to send your changes for review. 38 | 39 | ### GitHub Pull Requests Docs 40 | 41 | If you are not familiar with pull requests, review the [pull request docs](https://help.github.com/articles/using-pull-requests/). 42 | 43 | ## Translations 44 | 45 | We'd like for the guide to be available in many languages. 46 | 47 | * This original version and content of the guide is maintained in English. 48 | -------------------------------------------------------------------------------- /MacOS.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Set variables 4 | DOMAIN="test.com" # Active Directory domain name 5 | ADMIN="admin" # AD admin username 6 | PASS="password" # AD admin password (not encrypted, use with caution) 7 | ADGROUP="whatevergroup" # AD group to add computer to (e.g. 
MacAdmins) 8 | ADCOMPUTER="MACagent01" # Name of the computer object in Active Directory 9 | OU="OU=Computers Mac,DC=domain,DC=com" # OU where the computer object will be created 10 | 11 | # Prompt user for input 12 | read -p "Enter Active Directory domain name: " DOMAIN 13 | read -p "Enter AD admin username: " ADMIN 14 | read -s -p "Enter AD admin password: " PASS 15 | echo 16 | read -p "Enter AD group to add computer to: " ADGROUP 17 | read -p "Enter name of the computer object in Active Directory: " ADCOMPUTER 18 | read -p "Enter OU where the computer object will be created: " OU 19 | 20 | # Join computer to Active Directory 21 | sudo dsconfigad -add "$DOMAIN" \ 22 | -mobile enable \ 23 | -mobileconfirm disable \ 24 | -localhome enable \ 25 | -protocol smb \ 26 | -shell '/bin/bash' \ 27 | -username "$ADMIN" \ 28 | -password "$PASS" \ 29 | -groups "$ADGROUP" \ 30 | -computer "$ADCOMPUTER" \ 31 | -ou "$OU" 32 | if [ $? -ne 0 ]; then 33 | echo "Error joining computer to Active Directory" 34 | exit 1 35 | fi 36 | 37 | # Show Active Directory configuration 38 | sudo dsconfig -show 39 | if [ $? 
-ne 0 ]; then 40 | echo "Error displaying Active Directory configuration" 41 | exit 1 42 | fi 43 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Linux-Active-Directory-join-script By Pierre Gode 2017-2025 2 | 3 | [![GitHub stars](https://img.shields.io/github/stars/PierreGode/Linux-Active-Directory-join-script)](https://github.com/PierreGode/Linux-Active-Directory-join-script/stargazers) [![Commits per Month](https://img.shields.io/github/commit-activity/m/PierreGode/Linux-Active-Directory-join-script)](https://github.com/PierreGode/Linux-Active-Directory-join-script/commits/main) ![Tech Stack](https://img.shields.io/badge/stack-Bash%20%7C%20Python%20%7C%20Shell-brightgreen) [![Platform](https://img.shields.io/badge/platform-Linux-blue.svg)](https://shields.io/) ![GitHub Workflow Status](https://github.com/PierreGode/Linux-Active-Directory-join-script/actions/workflows/review.yml/badge.svg) ![Visitor Count](https://hits.seeyoufarm.com/api/count/incr/badge.svg?url=https://github.com/PierreGode/Linux-Active-Directory-join-script&title=Visitors) 4 | 5 | 6 | 7 | 8 | 9 | [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/J3J2EARPK) 10 |

11 | If you like this project please star it, that will also encourage me with updates. 12 |

13 | New: Added support for readfile for Ubuntu. 14 | 15 | 16 | Supported OS's:


- Ubuntu 14-25 + mate
- Debian 8-12
- CentOS
- Raspbian
- Fedora
- Linux Mint
- Kali
- Zorin
- Elementary OS

    27 | 28 | 29 | Added support to Perform a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind with request signing (integrity verification) on-SSL-encrypted) LDAP connection. see more in wiki. 30 | 31 | This is a script for Active Directory join with realmd. 32 | and is a result of a lot of small upgrades according as needs has emerged. 33 | 34 |

    Also see Wiki

    35 | 36 | ### But why a script? 37 | 38 |

    Joining a domain can be a simple process, but configuring everything to function properly can be quite challenging. This includes tasks such as:


    Fortunately, this script simplifies the process by allowing you to easily join a domain with just a few questions. Some key features of the script include:


    With this script, joining a domain and customizing your settings to meet your needs has never been easier!


    What is the setup then?

    56 | computer object = HOSTNAME . 57 | sudo group = HOSTNAMEsudoers = ADgroup 58 | 59 | Update: added flag options to minimize the menu and add logging: see sudo sh ADconnection.sh --help 60 | Usage: 61 | 62 | sh ADconnection.sh [--help] [-d (ubuntu debug mode)] 63 | [-j admin domain (simple direct join)] 64 | [-l (script output to log file)] 65 | [-s (discover domain)] 66 | 67 | 68 | Usage of the script: 69 | 70 | sudo sh ADconnection.sh or sudo ./ADconnection.sh 71 | for ./ADconnection.sh first do a 72 | 73 | sudo chmod +x ADconnection.sh 74 | 75 | 76 | # Complete steps 77 | 78 | #### 1. Config 79 | Remember to set a hostname on the client or server; the AD computer object will be named after the hostname of the machine, e.g. "linuxcomputer". 80 | 81 | #### 2. Permissions 82 | At this point you have 2 options. If you already have a group in AD, for example "ADMINS", containing the users with sudo rights, then you need to edit /etc/sudoers.d/sudoers 83 | and add %ADMINS ALL=(ALL:ALL) ALL if you want to give this group sudo rights. 84 | In this script there is a magic word added for groups in AD and it is sudoers; it always appends sudoers to the hostname, like linuxcomputersudoers 85 | administrator will always be added to sudoers as a failsafe for sysadmins. 86 | 87 | and also /etc/ssh/login.group.allowed if you have selected this option for security. 88 | 89 | Or, if you want to manage sudo users with a new group, create a group named LINUXCOMPUTERsudoers and use LINUXCOMPUTER as hostname. They are not related, but the computer object in AD will be created and named after the hostname, and naming the AD group similarly makes searching easier in the future; therefore the script by default will add "LINUXCOMPUTERsudoers" in sudoers.d/sudoers. In this step you don't need to edit files: the script will let you choose whether you want users to be sudoers or not, and if yes the script will autogenerate "LINUXCOMPUTERsudoers" in sudoers 90 | . 91 | #### 3.
Hostname 92 | Set the hostname on your computer to "linuxcomputer" (hostname and hosts files) and reboot. 93 | (In /etc/hosts it should look like 127.0.1.1 LINUXCOMPUTER01 LINUXCOMPUTER01.domain.com; also in resolv.conf you should have search domain.com.) 94 | 95 | #### 4. git clone 96 | git clone this script and run it. 97 | Execute the script with sudo sh ADconnection.sh. It will detect whether it is a client or a server; it will also detect if the client is running Ubuntu 14, 16, 17, 18, 19, 20, Mate, Debian, CentOS, Raspbian, Fedora, Linux Mint or Kali. 98 | The script will find your domain name if one exists and your network config is correct; if not, a prompt will let you type the domain name, e.g. "domain.com". 99 | If there are issues finding the domain, please double-check the DNS configuration on the domain controller. 100 | 101 | After that, authorise with an admin user. 102 | Make sure to read the questions carefully and also read the built-in help in the script. 103 | 104 | For security this script creates an SSH allow file so that users who are not in the correct AD group can't log in; 105 | this also "blocks" users from creating local accounts (they can create them if they are sudoers, but those accounts will never be able to log in). 106 | NOTICE! If your local user is not administrator you MUST edit the file (/etc/ssh/login.group.allowed) and add the current local user to it. 107 | If your current local user is not in the SSH-ALLOW file it will be LOCKED OUT of the computer! 108 | 109 | Update: added the ability to choose whether you want to disable SSH-allow. 110 | Note: if SSH-allow is disabled, users in other groups will be able to ssh to the client, but will not have sudo rights unless they are members of the group LINUXCOMPUTERsudoers. 111 | 112 | ### Update: 113 | also the ability to choose whether clients should have sudo rights or not. 114 | If you select no on this option there is no need for an AD group "LINUXCOMPUTERsudoers" in Active Directory; all domain users 115 | will have non-sudo access.
"notice this option can NOT be combined with the option YES on ssh-allow" 116 | 117 | ### Updates: 118 | added join to ubuntu clients with debug mode. 119 | debugmode will open 2 terminals and will post information while you run the script. 120 | (does not work over SSH) 121 | 122 | Comming updates: the option to paste a path for a correct OU were the machine will me setup. ( the defoult OU is CN=Computers,DC=domain,DC=com ) (still in progress) 123 | Comming updates: Option to rejoin ( leave realm and join realm and keep all configuration ) 124 | 125 | 126 | This will make the cleanest setup possible. no @ in names or in home folder 127 | home folder will be /home/domain.com/user 128 | User name will be only set as "user" without /myad/you or you@domain.com... just clean!. this is to prevent complications for developers when building code 129 | After reboot just login with you AD account "user" and password... again.. no @ or domain.com/user is needed, just "user" 130 | to test access and permissions of a user execute in terminal from administrator account: id user or id user | grep -i groupname (LINUXCOMPUTERsudoers) 131 | 132 | For best security. I restricted ssh to only domainadmins and local administrator, also clients will be allowed to login from assigned group ( "LINUXCOMPUTERsudoers" ) (with option YES on SSH-allow) (with option YES on sudo rights ) 133 | 134 | 135 | ### How do i update my password? 136 | ( changed password but Linux is still on old password ) 137 | This should read new info from AD when you are on "AD" network 138 | First time you login your "user" caches on the computer ( means that you can login beeing disconected to "office network" 139 | If you are having problems with the computer not fetching the new password. On office network.. open a terminal and execute sudo service sssd restart, this will reload information, logout and login with the new password. 140 | 141 | ### I have issues! 142 | 143 | 1. After reboot I cant login at all. 
(local or AD) 144 | "This is probably caused by a failed SSH-allow configuration; make sure to have the correct users in the configuration, or disable SSH-allow when running the script." 145 | 146 | 2. I rebooted the computer but I still can not log in with the AD user! 147 | "Did you wait 5 min for AD to sync? 148 | Check that the computer object is created in the AD. 149 | Log in with your local account and execute in a terminal: sudo service sssd restart, then try to see if you can see the user by executing id yourADusername. If you can see the user and all the groups the user is a member of in AD, then it works. If you have it set up with an AD group then you can execute: 150 | id yourADusername | grep -i LINUXCOMPUTERsudoers (the group name or hostname depending on your setup) 151 | 152 | 3. Damn, I got the wrong hostname and it is not created as a computer object in AD 153 | "Log in with the local admin and change your hostname in these files so it matches the group object in AD: /etc/sudoers.d/sudoers (if configured), /etc/ssh/login.group.allowed (if configured), /etc/hostname and /etc/hosts. 154 | Then run sudo realm leave domain.com, reboot and rejoin by running the script again; the script will not override files if they have been configured before. 155 | If the computer object already exists in AD but you wish to replace it, just delete the computer object and join/rejoin the computer/server with the same hostname as the computer object. 156 | Reboot and wait 5 min before logging in. 157 | 158 | If you have issues with slow replies from the domain controller: I have added lines to nsswitch and sssd to prevent hangs, slow logins and slow replies from sudo commands in a terminal. This was added 2017/11, so if you have an older "join" than 2017/11 you should do a rejoin. 159 | 160 | 4. I am a member of sudoers but programs require administrator to log in.. 161 | You are a sudo user if added to the sudoers file, but the account is a standard account.
To give full administration privileges, 162 | run in terminal: sudo usermod -a -G sudo user 163 | 164 | 165 |

    Encrypted Password?:

    166 | I have added the option for readfile and also a way to encrypt the AD admin password for those that don't want to use one-time passwords. 167 | sudo sh ADconnection.sh -p will prompt you for a password that will be encrypted. A public key, privat.key and an encrypted.dat file will be generated. Find a safe place to store your private key and only place it in the Linux-Active-Directory-join-script folder during the join. 168 | 169 |

    170 | Note. Make sure dns works so it can properly find ldap server 171 | If you are using multiple domain servers or have a backup domain server, see example below 172 | [sssd] 173 | services = nss, pam 174 | config_file_version = 2 175 | domains = ad.example.com 176 | 177 | [domain/ad.example.com] 178 | id_provider = ad 179 | auth_provider = ad 180 | access_provider = ad 181 | chpass_provider = ad 182 | ad_server = dc1.ad.example.com 183 | ad_backup_server = dc2.ad.example.com 184 | filter_users = root at ad.example.com 185 | filter_groups = root at ad.example.com 186 | ldap_id_mapping = false 187 | dyndns_update = true 188 | dyndns_update_ptr = false 189 | enumerate = true 190 | subdomain_enumerate = all 191 | cache_credentials = true 192 | 193 | How to change AD password in linux (ubuntu example): open settings, users click on password field, set new password. 194 | 195 | How to git? 196 | 197 | On linux client install git = sudo apt-get install git -y (or) sudo yum install git 198 | 199 | Clone this repo = sudo git clone https://github.com/PierreGode/Linux-Active-Directory-join-script.git 200 | 201 | To update repo to latest version = in the folder Linux-Active-Directory-join-script/ run: sudo git pull 202 | -------------------------------------------------------------------------------- /readfile: -------------------------------------------------------------------------------- 1 | # "null" is for manual setup and will result in promts. misconfuguration will result in skipping that config and giving promts. 
2 | ################ Config #################### 3 | DOMAIN = null # Insert domain name ex:domain.com leave null for autodiscover ( prompt ) 4 | OUSPECIFIED = null # Insert OU to join object to like: --computer-ou=OU=Clients,OU=Computers,DC=domain,DC=com 5 | ################ ldaps config #################### 6 | USESASL = null # yes or no to use SASL 7 | LDAPS = null # Address of domain controller 8 | CACERT = null # Full path and file to CAroot like: /usr/share/ca-certificates/root/myCA.cer 9 | ################ auth config #################### 10 | ADADMIN = null # Set the name of the domain admin or service user for authenticating the domain join 11 | LOCALADMIN = null # Name of the user for the local account # like :administrator #null sets administrator as default user 12 | SUDOERS = null # yes or no for adding group in sudoers #null for manual setup 13 | SSHSECURE = null # yes or no for blocking anyone but approved users #null for manual setup 14 | DISSPROMT = null # yes or no for disabling the sudo prompt in terminal 15 | ############### read encrypted passwd ############ 16 | ENCRYPTEDPASSWD = null #yes or no # Use sh ADconnection.sh -p to generate encrypted passwd and store the private key in a safe place. 17 | --------------------------------------------------------------------------------