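#!/bin/bash
#
# Join an Ubuntu/Debian host to an Active Directory domain with realmd/SSSD.
#
# Reads NEW_HOSTNAME, HOST, OU, DOMAIN and ADMIN_USER from ./config.sh (sourced
# from the current working directory), disables unattended upgrades, upgrades the
# system, joins the domain, enables home-directory creation on first login,
# restricts logins to two AD groups and grants them sudo.  Must be run by a user
# with sudo rights; `realm join` prompts for the AD admin password on the terminal.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# run dpkg-reconfigure unattended-upgrades and answer no unattended
echo "Running dpkg-reconfigure unattended-upgrades..."
echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean false" | sudo debconf-set-selections
sudo dpkg-reconfigure -f noninteractive unattended-upgrades

# mark linux-image-generic and linux-headers-generic as held back
# echo "Marking linux-image-generic and linux-headers-generic as held back..."
# sudo apt-mark hold linux-image-generic linux-headers-generic

# upgrade the system.  The package lists are refreshed first so the upgrade
# does not run against stale metadata.
echo "Upgrading the system..."
sudo DEBIAN_FRONTEND=noninteractive apt update
sudo DEBIAN_FRONTEND=noninteractive apt upgrade -y

# Install required packages for Active Directory
sudo DEBIAN_FRONTEND=noninteractive apt install -y realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit

# Load configuration file (relative to the current working directory, as before)
[[ -f config.sh ]] || die "config.sh not found in $(pwd)"
# shellcheck source=/dev/null
source config.sh
# Fail early with a clear message instead of joining with empty values
: "${ADMIN_USER:?ADMIN_USER must be set in config.sh}"
: "${NEW_HOSTNAME:?NEW_HOSTNAME must be set in config.sh}"
: "${HOST:?HOST must be set in config.sh}"
: "${OU:?OU must be set in config.sh}"
: "${DOMAIN:?DOMAIN must be set in config.sh}"

# Set the username and password
ADMINUSER=$ADMIN_USER
#ADMINPASS=$ADMIN_PASSWORD

# Set the hostname
sudo hostnamectl set-hostname "$NEW_HOSTNAME"

# Set /etc/hosts.  NOTE: this replaces the whole file (the first tee is not -a),
# so any pre-existing entries are dropped.
echo "127.0.0.1 localhost" | sudo tee /etc/hosts
echo "$(hostname -I | cut -d' ' -f1) $HOST $NEW_HOSTNAME" | sudo tee -a /etc/hosts

# Join the domain.  `sudo -S` reads sudo's own password from stdin; the AD
# password is requested interactively by realm itself.
sudo -S realm join --user="$ADMINUSER" --computer-ou="$OU" "$DOMAIN"
#work in progress - --computer-desc="$COMPUTER_DESC"

# Configure PAM to create home directories for domain users on first login.
# The profile is appended, so re-running this script adds a duplicate entry.
sudo bash -c "cat >> /usr/share/pam-configs/mkhomedir" << EOL
Name: Activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0077 skel=/etc/skel
EOL

# Enable the mkhomedir PAM module
sudo pam-auth-update --enable mkhomedir

# Set permissions for the home directories
sudo chmod 0700 /home/*

# Configure SSSD (sssd.conf is expected to have been written by `realm join`)
sudo sed -i 's/use_fully_qualified_names = True/use_fully_qualified_names = False/g' /etc/sssd/sssd.conf

# Deny login to all users
sudo realm deny --all

# Allow login to domain groups
sudo realm permit -g "Domain Admins"
sudo realm permit -g "AnsibleAdmins"

# Set up sudoers file.  The fragment is written to a temp file and validated
# with `visudo -c` before it is installed with the expected 0440 mode: a
# syntactically broken file in /etc/sudoers.d breaks sudo for every user.
sudoers_tmp=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$sudoers_tmp"' EXIT
{
  printf '%s\n' '%Domain\ Admins ALL=(ALL:ALL) ALL'
  # group name fixed to match the `realm permit -g "AnsibleAdmins"` line above
  printf '%s\n' '%AnsibleAdmins ALL=(ALL) ALL'
  # passwordless root for the automation account; keep that account's key
  # material protected accordingly
  printf '%s\n' 'ansible ALL=(ALL) NOPASSWD:ALL'
} > "$sudoers_tmp"
sudo visudo -cf "$sudoers_tmp" || die "generated sudoers fragment failed validation; not installing it"
sudo install -m 0440 -o root -g root -- "$sudoers_tmp" /etc/sudoers.d/LocalAdmins

# Remove packages that are not required
sudo apt autoremove -y

# Start Services
sudo systemctl restart sssd

# check the status of the services
sudo systemctl | grep -E 'sssd.service'

# Query user and print message (a failed lookup is reported by `id` but does
# not abort the script)
id chagood && echo "Successfully queried Active Directory for user chagood"

# Check if reboot is required
if [[ -f /var/run/reboot-required ]]; then
  printf '\033[31mA reboot is required.\033[0m\n'
else
  printf '\033[32mReboot not required.\033[0m\n'
fi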