# Atenção: altere as variáveis abaixo conforme seu ambiente antes de executar.
# Copie e cole em um terminal com acesso root (o script grava em /etc e reinicia serviços).
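## VARIABLES ##
# Edit these for your environment before pasting. The original listed every
# variable twice (copy/paste artefact); each is now assigned exactly once.
#
# Account used for the domain join. SECURITY: this does not have to be a
# Domain Admin -- prefer a dedicated account that is only delegated the right
# to join computers to the target OU, so the password kept here (and in shell
# history) cannot be used for anything else.
dc_user=administrator
# Join password. Supplying it through the DC_PASS environment variable keeps it
# out of this file; the literal fallback is kept only for backwards
# compatibility and must be replaced (it is also a placeholder, not a secret).
dc_pass="${DC_PASS:-password}"
dc_ip=172.16.73.250
dc_host=DC-AD-01
# Kerberos realm: upper case by convention.
dc_domain=DOMAIN.INTRA
# DNS domain in lower case; used for the [domain_realm] mapping in krb5.conf.
dc_domain_realm=domain.intra
# AD group whose members may log in over SSH (consumed by the ## SSH ## step).
# NOTE(review): nothing in this script grants that group sudo rights; a
# sudoers entry for it has to be added separately if that is the intent.
dc_grp_sudoers_ssh=grp-sudoers
# NetBIOS workgroup name (smb.conf "workgroup").
domain=DOMAIN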
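## INSTALL ##
# The header says this runs as root, so plain apt-get is used and the
# original's `sudo -E apt ...` wrapper (and its duplicate) is dropped.
# DEBIAN_FRONTEND is exported before any install so krb5-user does not stop
# to prompt for a realm that is written to /etc/krb5.conf further down.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y sudo ntp
# winbind and sssd are both installed, but only winbind is wired into
# NSS/PAM by this script and sssd never receives a configuration -- confirm
# whether sssd is wanted at all. packagekit is the backend realmd uses.
apt-get install -y -qq krb5-user winbind realmd samba libpam-krb5 libpam-winbind \
  libnss-winbind adcli sssd sssd-tools oddjob oddjob-mkhomedir packagekit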
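## HOST ##
# Short host name: strip any DNS suffix already present so that re-running
# this script, or starting from an already-qualified hostname, does not
# produce host.DOMAIN.INTRA.DOMAIN.INTRA. $HOSTNAME is bash's copy of the
# hostname at shell start-up; hostnamectl below does not refresh it.
short_host="${HOSTNAME%%.*}"
# Keep the first backup; the original's mv/cat pair would have replaced the
# backup with a generated file on a second run.
[[ -e /etc/hosts.bkp ]] || cp -p /etc/hosts /etc/hosts.bkp
# NOTE(review): the FQDN is bound to 127.0.0.1 as in the original; Debian's
# own convention is 127.0.1.1 for the host's name -- confirm which is wanted.
cat > /etc/hosts << EOL
127.0.0.1 $short_host.$dc_domain $short_host localhost
::1 localhost ip6-localhost ip6-loopback
$dc_ip $dc_host.$dc_domain
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
EOL
hostnamectl set-hostname "$short_host.$dc_domain"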
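## NTP ##
# NOTE(review): this targets the classic `ntp` daemon that the INSTALL step
# pulls in; newer Debian releases ship ntpsec/chrony instead -- confirm the
# unit name and config path on the target release.
# Keep the first backup: the original ran the mv twice, so the second mv
# overwrote the backup with the freshly generated file.
[[ -e /etc/ntp.conf.bkp ]] || cp -p /etc/ntp.conf /etc/ntp.conf.bkp
cat > /etc/ntp.conf << EOL
driftfile /var/lib/ntp/ntp.drift
leapfile /usr/share/zoneinfo/leap-seconds.list
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# Kerberos only tolerates a few minutes of skew against the KDC, so the DC is
# the preferred source; the public pool is a fallback.
server $dc_ip iburst prefer
# The DC is a time source, not an administrator of this daemon: deny runtime
# modification, traps and mode-6/7 queries, the same as "restrict source"
# below does for the pool servers (the original granted it unrestricted access).
restrict $dc_ip nomodify notrap noquery
pool pool.ntp.br iburst
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
EOL
systemctl restart ntp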
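## RESOLV ##
# The host must resolve the AD SRV records (_kerberos._tcp, _ldap._tcp) via
# the DC, so the DC is added as a nameserver. Only "search" is written:
# resolv.conf(5) treats "domain" and "search" as mutually exclusive with the
# last one winning, so the original's "domain" line never had any effect.
if [[ -L /etc/resolv.conf ]]; then
  printf 'WARNING: /etc/resolv.conf is a symlink (resolvconf/systemd-resolved?); edits here may be overwritten\n' >&2
fi
[[ -e /etc/resolv.conf.bkp ]] || cp -p /etc/resolv.conf /etc/resolv.conf.bkp
# grep guards keep re-runs from stacking duplicate lines (the original
# appended each line twice).
grep -qx "search $dc_domain" /etc/resolv.conf || printf 'search %s\n' "$dc_domain" >> /etc/resolv.conf
# NOTE(review): nameservers are tried in listed order; if an existing resolver
# precedes the DC and does not forward the AD zone, the DC should be listed
# first instead of appended -- confirm against the host's current file.
grep -qx "nameserver $dc_ip" /etc/resolv.conf || printf 'nameserver %s\n' "$dc_ip" >> /etc/resolv.conf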
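## INTERFACES ##
# ifupdown/resolvconf hook so the search domain survives interface restarts.
# Only meaningful when the interface is managed by /etc/network/interfaces;
# appended once (the original appended it twice) and skipped if the file is
# absent (netplan/NetworkManager hosts).
# NOTE(review): the line is appended at the end of the file, i.e. under the
# last iface stanza -- confirm that is the interface you mean.
if [[ -f /etc/network/interfaces ]]; then
  [[ -e /etc/network/interfaces.bkp ]] || cp -p /etc/network/interfaces /etc/network/interfaces.bkp
  grep -q "dns-search $dc_domain" /etc/network/interfaces || printf 'dns-search %s\n' "$dc_domain" >> /etc/network/interfaces
fi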
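## KRB5 ##
# Bug fix: the original's admin_server / kpasswd_server lines were written as
# "$dc-host.$dc-domain", i.e. the undefined variable $dc followed by the
# literals "-host" / "-domain", which expanded to "-host.-domain". Password
# changes (kpasswd) and kadmin would have pointed at a non-existent host.
# Both now use the same FQDN as the kdc.
# Keep the first backup (the original repeated the mv, clobbering it).
[[ -e /etc/krb5.conf.bkp ]] || cp -p /etc/krb5.conf /etc/krb5.conf.bkp
cat > /etc/krb5.conf << EOL
[libdefaults]
default_realm = $dc_domain
[realms]
$dc_domain = {
kdc = $dc_host.$dc_domain
default_domain = $dc_domain
admin_server = $dc_host.$dc_domain
kpasswd_server = $dc_host.$dc_domain
}
[domain_realm]
.$dc_domain_realm = $dc_domain
$dc_domain_realm = $dc_domain
EOL
# NOTE(review): a single hard-coded kdc means no failover if this DC is down;
# MIT krb5 can also discover KDCs from DNS SRV records (dns_lookup_kdc),
# which the RESOLV step makes possible -- consider relying on that.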
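## SAMBA ##
# Keep the first backup (the original repeated the mv, clobbering it).
[[ -e /etc/samba/smb.conf.bkp ]] || cp -p /etc/samba/smb.conf /etc/samba/smb.conf.bkp
cat > /etc/samba/smb.conf << EOL
[global]
security = ads
realm = $dc_domain
workgroup = $domain
# "idmap uid" / "idmap gid" are the legacy spelling and deprecated; the
# per-domain form below is what current Samba documents. Same 10000-15000
# range as the original. NOTE(review): that is only 5000 IDs, handed out by
# tdb on first sight of each SID -- size it for the domain or it will run dry.
idmap config * : backend = tdb
idmap config * : range = 10000-15000
# Enumeration lets getent passwd/group list the whole domain; costly on large
# domains, kept from the original.
winbind enum users = yes
winbind enum groups = yes
template homedir = /home/%U
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
# Strips the DOMAIN prefix so users log in as plain "alice" (this is why the
# unqualified group name works in the SSH step). NOTE(review): a domain
# account that shares a name with a local account then collides in NSS --
# confirm there are none.
winbind use default domain = yes
restrict anonymous = 2
winbind refresh tickets = yes
EOL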
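## NSSWITCH ##
# Single backup/regenerate: the original repeated the mv, so the second mv
# overwrote the backup with the generated file and the distro original was lost.
[[ -e /etc/nsswitch.conf.bkp ]] || cp -p /etc/nsswitch.conf /etc/nsswitch.conf.bkp
cat > /etc/nsswitch.conf << EOL
# Local files first, then domain accounts via winbind.
passwd: compat winbind
group: compat winbind
# NOTE(review): kept from the original; libnss_winbind is not known to serve
# the shadow database, so the winbind entry here is most likely a no-op.
shadow: compat winbind
gshadow: files
# "wins" requires libnss_wins, shipped in libnss-winbind (installed by this script).
hosts: files dns wins
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
# The sss entries assume a configured sssd; this script never writes
# /etc/sssd/sssd.conf, so they are inert until that is done.
netgroup: nis sss
automount: sss
EOL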
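## COMMON-SESSION ##
# Create the home directory on first login; umask=077 keeps it private to
# the user. The grep guard prevents a second pam_mkhomedir line on re-runs
# (the original appended the line twice).
# NOTE(review): oddjob-mkhomedir is installed as well -- one mechanism is enough.
[[ -e /etc/pam.d/common-session.bkp ]] || cp -p /etc/pam.d/common-session /etc/pam.d/common-session.bkp
grep -q 'pam_mkhomedir.so' /etc/pam.d/common-session || \
  printf 'session optional pam_mkhomedir.so skel=/etc/skel umask=077\n' >> /etc/pam.d/common-session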
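## COMMON-ACCOUNT ##
# Account-phase stack, kept byte-for-byte from the original; only the
# duplicated mv/cat pair is removed (the second mv overwrote the backup with
# the generated file, so the distro original was lost).
# Flow: pam_winbind success -> skip 2 (pam_unix, pam_deny) -> pam_permit;
#       pam_unix success    -> skip 1 (pam_deny)           -> pam_permit;
#       neither             -> pam_deny rejects.
# pam_localuser then short-circuits for local users; domain users continue
# to pam_sss.
# NOTE(review): on Debian this file is generated by pam-auth-update and will
# be overwritten the next time a PAM profile changes; `pam-auth-update` with
# the winbind profile is the durable way to get the same result.
# NOTE(review): pam_sss runs with default=bad for non-local users, but this
# script never configures sssd; if sssd is not running, the account phase for
# domain users may fail at that line -- confirm on a test host, or drop the
# pam_sss line if sssd is not in use.
[[ -e /etc/pam.d/common-account.bkp ]] || cp -p /etc/pam.d/common-account /etc/pam.d/common-account.bkp
cat > /etc/pam.d/common-account << EOL
account [success=2 new_authtok_reqd=done default=ignore] pam_winbind.so
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
EOL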
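## RESTART SAMBA E WINBIND ##
# Pre-join restart so ntp/smbd pick up the configs written above (the
# original restarted each service twice). sssd has no configuration at this
# point -- this script never writes /etc/sssd/sssd.conf -- so its restart is
# expected to fail; the failure is tolerated here rather than left to print
# an error. Remove it if sssd is not wanted.
systemctl restart ntp
systemctl restart smbd
systemctl restart sssd || true
# Read-only sanity check that the realm is resolvable and reachable before the
# join is attempted; prints what realmd discovered, changes nothing. Running
# as root already, so no sudo.
realm discover "$dc_domain"
sleep 5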
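## INGRESSAR AO DOMINIO ##
# Join once (the original ran the join twice, which re-creates the machine
# account / resets its password for no gain) and verify with testjoin, which
# exercises the stored machine credential against the DC.
# NOTE(review): the password is fed on stdin; whether `net` reads it from
# there or prompts on the controlling tty depends on the Samba build --
# confirm on a test host. The -U "user%pass" form works regardless but
# exposes the password in `ps`; a delegated join account (see dc_user)
# limits the damage either way.
# A failure does not abort the paste (exit would close the terminal), so the
# error is printed loudly -- do not continue past it.
if printf '%s' "$dc_pass" | net ads join -U "$dc_user"; then
  net ads testjoin
else
  printf 'ERROR: net ads join failed -- stop here and fix the cause before continuing\n' >&2
fi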
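## RESTART SERVICES ##
# Post-join restart so winbind loads the new machine credential; the original
# restarted sssd/smbd/ntp twice each. sssd is still unconfigured (see above),
# so its failure is tolerated.
systemctl restart winbind
systemctl restart smbd
systemctl restart ntp
systemctl restart sssd || true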
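## KINIT CHECK ##
# Manual verification: obtain a ticket for a domain user (enter that user's
# password when prompted). No output from kinit means success; klist shows
# the ticket.
# kinit user_domain
# klist
## SSH ##
# Restrict SSH logins to the listed groups. Bug fix: in the original the
# heredoc was followed by a stray duplicate "AllowGroups ..." / "EOL" pair
# that ran as shell commands (command not found) -- removed.
# NOTE(review): the first token "Domain" is a bare group literally named
# "Domain"; if "Domain Admins" was meant it must be written as one quoted
# token ("Domain Admins") -- confirm. $USER is the account running this
# paste (root under sudo) and is matched via its same-named primary group.
# The drop-in is only honoured if sshd_config includes the directory
# (OpenSSH >= 8.2 on Debian 11+); otherwise SSH stays open to everyone.
if ! grep -qE '^[[:space:]]*Include[[:space:]]+/etc/ssh/sshd_config\.d/' /etc/ssh/sshd_config; then
  printf 'WARNING: /etc/ssh/sshd_config has no Include for sshd_config.d; AllowGroups below will NOT apply\n' >&2
fi
mkdir -p /etc/ssh/sshd_config.d
cat > /etc/ssh/sshd_config.d/grp-sudoers.conf << EOL
AllowGroups Domain $dc_grp_sudoers_ssh sudo $USER
EOL
# Validate before restarting: a rejected config would lock out remote access.
if sshd -t; then
  systemctl restart sshd
else
  printf 'ERROR: sshd -t rejected the new configuration; sshd was NOT restarted\n' >&2
fi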