Sunday, May 5, 2013

Active Directory Integration CentOS6.3

While learning how to join a Linux machine to an Active Directory domain with single sign-on, I developed these scripts to automate the process. My environment is completely virtual, running on XenServer 6.2, and my domain controllers are Windows Server 2008R2. The scripts work for both CentOS server and desktop editions. This tutorial contains three scripts: one for initial setup, one for Active Directory integration, and a third that resets the system back to its original state should either of the first two fail.

The script assumes that you have set your hostname to a single label (e.g. mymachine), added DNS entries on your domain controller for the new machine, installed the Identity Management for UNIX role in AD, set up a static IP, and set PermitRootLogin yes in sshd_config. Also make sure that you have created a user in Active Directory and added it to the administrative groups that user should have, and create a group that will have admin privileges on the Linux machines.

Once you have your initial system set up, ssh into the machine as root and create the bin directory in /root.
I prefer to use mRemoteNG, which you can grab from , or you can use PuTTY or any other method that you like. In the /root/bin directory create two files, and .

If you are using these scripts to create a template, run only the setup script on the server before converting it to a template. After that, every new VM created from the template only needs the Active Directory integration script. I usually make a directory /root/bin and place the three scripts in it, since it is in root's path, and I change their permissions to 700.
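Before running the setup script it is worth checking the prerequisites above automatically. The following is an added example, not part of the original post: it validates the same variables the setup script uses (domain_division, domain_name, top_domain, workgrp, group), checks that the hostname is a single label, that the machine's future FQDN and the realm's _kerberos._tcp SRV record resolve, and that the clock is within the 300-second skew MIT Kerberos tolerates by default. The ntpdate -q output format it parses, and the use of the domain name itself as the time source (Active Directory publishes domain controller addresses as A records of the domain), are assumptions.

```shell
#!/bin/sh
# Added pre-flight check for the prerequisites listed above; not part of the original post.
# Assumes the setup script's variable names are set in the environment and that the
# domain controller answers DNS and NTP queries.

# Returns 0 if the hostname is a single DNS label (no dots), as the setup script expects.
is_short_hostname() {
    case "$1" in
        ''|*.*|*[!A-Za-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Kerberos realm (upper case) and DNS domain (lower case) built from the three parts,
# mirroring the tr calls in the setup script.
realm_from_parts() {
    printf '%s.%s.%s' "$1" "$2" "$3" | tr 'a-z' 'A-Z'
}
dns_domain_from_parts() {
    printf '%s.%s.%s' "$1" "$2" "$3" | tr 'A-Z' 'a-z'
}

# Verifies that every named variable is non-empty; reports each missing one on stderr.
required_vars_set() {
    local missing=0 name value
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing variable: $name" >&2
            missing=1
        fi
    done
    return $missing
}

# Pulls the whole-second offset out of an "ntpdate -q" line such as
# "server 10.1.2.3, stratum 3, offset 1.234, delay 0.02" (format assumed from ntpdate 4.2).
offset_from_ntpdate() {
    printf '%s\n' "$1" | sed -n 's/.*offset \(-\{0,1\}[0-9]*\)\.[0-9]*.*/\1/p' | head -n 1
}

# MIT Kerberos rejects tickets when client and KDC clocks differ by more than 300 seconds
# (the default clockskew), so a domain join fails with a clock that far out.
clock_skew_ok() {
    [ -n "$1" ] && [ "${1#-}" -le 300 ]
}

# Live checks against the current host and the domain controller.
preflight() {
    local rc=0 host dns_domain line offset
    required_vars_set domain_division domain_name top_domain workgrp group || rc=1
    host=$(hostname)
    is_short_hostname "$host" || { echo "hostname '$host' must be a single label" >&2; rc=1; }
    dns_domain=$(dns_domain_from_parts "$domain_division" "$domain_name" "$top_domain")
    # The DNS entry you add on the domain controller for the new machine.
    getent hosts "$host.$dns_domain" >/dev/null || { echo "no address for $host.$dns_domain" >&2; rc=1; }
    # dns_lookup_kdc = true in krb5.conf depends on this SRV record.
    host -t SRV "_kerberos._tcp.$dns_domain" >/dev/null 2>&1 || { echo "no _kerberos._tcp SRV record in $dns_domain" >&2; rc=1; }
    # The domain name itself resolves to the domain controllers, so it serves as the NTP source.
    line=$(ntpdate -q "$dns_domain" 2>/dev/null | grep offset | head -n 1)
    offset=$(offset_from_ntpdate "$line")
    clock_skew_ok "$offset" || { echo "clock offset '${offset:-unknown}' s from $dns_domain is too large for Kerberos" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "preflight OK: $host.$dns_domain in realm $(realm_from_parts "$domain_division" "$domain_name" "$top_domain")"
    return $rc
}

# Run the live checks only when asked, so the functions can be sourced or tested on their own.
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
    preflight
fi
```

Run it on the new machine with the variables exported and RUN_PREFLIGHT=1; every failed check is reported and the script exits non-zero, so it can gate the setup script in a wrapper.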

#!/bin/bash
## Server setup script for preparing a VMware template for Active Directory integration
## Author: Glenn Weber
## Email:
## Date: 05/04/2013

## This script is free to use and modify as needed; I cannot guarantee that this script will work
## with your setup. If the script should fail, simply run the accompanying reset script.
## You must also run the accompanying integration script to join the domain and Spacewalk.
## I have tested this script on both CentOS 6.3 and CentOS 6.4.
## Only run this script if you are setting up a new machine or if you are creating a template to use.
## If you are creating a template this portion will already be done and you can just run the other scripts.
domain_division=        # ie: corp
domain_name=            # ie: mycompany (the middle part of corp.mycompany.com)
top_domain=             # ie: com, net, org
workgrp=                # NETBIOS name of the domain
group=                  # ie: linuxadmins
adm_server=             # Only needed if you have an admin server that will be used for Nagios and Spacewalk

## Converts variables to uppercase
DOMAIN_DIVISION=$(echo "$domain_division" | tr '[a-z]' '[A-Z]')
DOMAIN_NAME=$(echo "$domain_name" | tr '[a-z]' '[A-Z]')
TOP_DOMAIN=$(echo "$top_domain"  | tr '[a-z]' '[A-Z]')
WORKGRP=$(echo "$workgrp" | tr '[a-z]' '[A-Z]')

## Turns off Firewall
service iptables save
service iptables stop
chkconfig iptables off

## Disables selinux
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux

## Comment this section out if this is the main Nagios server or you do not want to use Nagios
## Installs epel repository and installs nagios plugins
rpm -ivh
yum install nrpe nagios-plugins-all openssl -y

## Installs base software for Active directory Integration and a few other useful packages
yum install nano wget ntp krb5-libs krb5-workstation krb5-server samba samba-client samba-winbind sudo bc -y

## Starts ntpd service and sets services to start at boot
service ntpd start
chkconfig ntpd on

## Edits /etc/krb5.conf
cp /etc/krb5.conf /etc/krb5.conf.bkp
sed -i 's/false/true/g' /etc/krb5.conf
sed -i "s/$domain_division.$domain_name.$top_domain/g" /etc/krb5.conf
sed -i "s/$domain_division.$domain_name.$top_domain/g" /etc/krb5.conf
sed -i "s/$domain_division.$domain_name.$top_domain/g" /etc/krb5.conf

## Creates backup of /etc/pam.d directory and rewrites system-auth-ac
cp -R /etc/pam.d /etc/pam.d.bkp
cat > /etc/pam.d/system-auth-ac <<EOF
auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 500 quiet
auth        sufficient use_first_pass
auth        required

account     required broken_shadow
account     sufficient uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite try_first_pass retry=3
password    sufficient md5 shadow nullok try_first_pass
password    sufficient use_authtok
password    required

session     optional revoke
session     optional skel=/etc/skel/ umask=0077
session     required
session     [success=1 default=ignore] service in crond quiet
session     required
EOF

## Creates Backup copy of smb.conf
cp /etc/samba/smb.conf /etc/samba/smb.conf.bkp

## Runs authconfig and adds entries to /etc/samba/smb.conf winbind section
authconfig --krb5realm=$DOMAIN_DIVISION.$DOMAIN_NAME.$TOP_DOMAIN \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=$DOMAIN_DIVISION.$DOMAIN_NAME.$TOP_DOMAIN \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
--winbindtemplateshell="/bin/bash" --enablewinbindusedefaultdomain --enablewinbindoffline \
--smbworkgroup=$WORKGRP \
--winbindtemplatehomedir="/home/%U" --enablemkhomedir --disablemd5 --updateall

## Creates backup of /etc/sudoers file and appends group to sudoers file
cp /etc/sudoers /etc/sudoers.bkp
echo "## Allows members of the $group group to run all commands" >> /etc/sudoers
echo  "   %$group  ALL=(ALL) ALL " >> /etc/sudoers

## Adds Spacewalk Repos and clients
## Comment the below section if you do not have a Spacewalk server
rpm -Uvh
yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin osad -y

cd /usr/share/rhn
wget http://$adm_server.$domain_division.$domain_name.$top_domain/repo/RHN-ORG-TRUSTED-SSL-CERT

cd /tmp
wget http://$adm_server.$domain_division.$domain_name.$top_domain/repo/RPM-GPG-KEY-spacewalk-2012
rpm --import RPM-GPG-KEY-spacewalk-2012

cd /etc/sysconfig/rhn
mv osad.conf osad.conf.bkp
wget http://$adm_server.$domain_division.$domain_name.$top_domain/repo/osad.conf

yum clean all
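The setup script edits krb5.conf with sed and appends the sudo rule to /etc/sudoers with echo. As an added example, not part of the original post, the block below renders the equivalent krb5.conf from the realm name, and writes the "%group ALL=(ALL) ALL" rule as a drop-in under /etc/sudoers.d (CentOS 6's default sudoers already carries the #includedir /etc/sudoers.d line) that is checked with visudo -cf before it is installed, so a typo cannot break sudo for everyone. The realm (corp.example.com), group name (linuxadmins) and output paths are assumptions; the dns_lookup_realm and dns_lookup_kdc keys are the two settings that the setup script's sed 's/false/true/g' flips in the stock CentOS krb5.conf.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the two configuration fragments the
# setup script builds with sed and echo. Realm, group and output path are caller-supplied
# assumptions; run as root on a real host, or against a scratch directory to inspect the output.

# Prints a minimal krb5.conf for one Active Directory realm. The realm name is forced to upper
# case and the DNS domain to lower case (Kerberos is case-sensitive about both), and KDC
# discovery is left to the _kerberos._tcp SRV records, which is what dns_lookup_kdc = true means.
render_krb5_conf() {
    local realm dns_domain
    realm=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    dns_domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    cat <<EOF
[libdefaults]
 default_realm = $realm
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 $realm = {
 }

[domain_realm]
 .$dns_domain = $realm
 $dns_domain = $realm
EOF
}

# Writes "%group ALL=(ALL) ALL" to a sudoers drop-in. The group name is restricted to a
# conservative character set, the rule is staged in a temp file with mode 0440, syntax-checked
# with "visudo -cf" when visudo is available, and only then moved into place. Nothing is
# written to the destination on failure.
write_sudoers_dropin() {
    local group=$1 dest=$2 tmp
    case "$group" in
        ''|*[!A-Za-z0-9_-]*)
            echo "refusing group name '$group'" >&2
            return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    {
        echo "## Allows members of the $group group to run all commands"
        echo "%$group ALL=(ALL) ALL"
    } > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1 && ! visudo -cf "$tmp" >/dev/null 2>&1; then
        echo "sudoers syntax check failed, not installing $dest" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
}
```

On the target host the calls are render_krb5_conf corp.example.com > /etc/krb5.conf (after backing up the original as the setup script does) and write_sudoers_dropin linuxadmins /etc/sudoers.d/linuxadmins. Keeping the rule in its own file also means the reset script can simply delete that file instead of restoring a copy of /etc/sudoers.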

#!/bin/bash
## Server Active Directory integration script
## Author: Glenn Weber
## Email:
## Date: 05/04/2013

## Same values as in the setup script
domain_division=        # ie: corp
domain_name=            # ie: mycompany
top_domain=             # ie: com, net, org
sw_server=              # ie: spacewalk; hostname of the Spacewalk server (only needed for the Spacewalk section)

## Joins machine to domain (prompts for the domain Administrator password)
net ads join -Uadministrator

## Restarts services
service winbind restart
chkconfig winbind on
service smb restart
chkconfig smb on

## Creates backup of /etc/sysconfig/network and sets long domain name
cp /etc/sysconfig/network /etc/sysconfig/network.bkp
## copies short hostname to
cat >> /root/bin/ <<EOF
hostname $HOSTNAME
EOF
hostname $HOSTNAME.$domain_division.$domain_name.$top_domain
sed -i "s/HOSTNAME=$HOSTNAME/HOSTNAME=$HOSTNAME.$domain_division.$domain_name.$top_domain/g" /etc/sysconfig/network

service network restart
## Turns off Root ssh Login and restarts sshd service
sed -i "s/PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config
service sshd restart
wbinfo -u
sleep 5

## Registers machine with Spacewalk server
## Comment the below section if you do not have a Spacewalk server
rhnreg_ks --serverUrl=http://$sw_server.$domain_division.$domain_name.$top_domain/XMLRPC --activationkey=1-7eb473722e68584b94a75196c2c4330a && sleep 90

chkconfig osad on && service osad restart
rhn-actions-control --enable-all

#!/bin/bash
## Reset script: should be run only after the setup script has been run and only if the machine
## fails to join the domain
## Author: Glenn Weber
## Email:
## Date: 05/04/2013
## Resets all files back to original state if the setup and integration scripts are unsuccessful
cp /etc/krb5.conf.bkp /etc/krb5.conf
rm -f /etc/krb5.conf.bkp
cp /etc/samba/smb.conf.bkp /etc/samba/smb.conf
rm -f /etc/samba/smb.conf.bkp
## Copies the backup's contents over /etc/pam.d; "cp -R /etc/pam.d.bkp /etc/pam.d" would create
## /etc/pam.d/pam.d.bkp instead, because the destination directory already exists
cp -R /etc/pam.d.bkp/. /etc/pam.d/
rm -rf /etc/pam.d.bkp
cp /etc/sudoers.bkp /etc/sudoers
rm -f /etc/sudoers.bkp
cp /etc/sysconfig/network.bkp /etc/sysconfig/network
rm -f /etc/sysconfig/network.bkp
rm -f /etc/sysconfig/rhn/osad.conf
mv /etc/sysconfig/rhn/osad.conf.bkp /etc/sysconfig/rhn/osad.conf
rm -f /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
rm -f /etc/yum.repos.d/spacewalk-client-nightly.repo
rm -f /etc/yum.repos.d/spacewalk-client.repo
## The setup script does not back up resolv.conf, so only restore it if a backup exists
if [ -f /etc/resolv.conf.bkp ]; then
    cp /etc/resolv.conf.bkp /etc/resolv.conf
    rm -f /etc/resolv.conf.bkp
fi
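The reset script assumes every backup exists and copies each one back unconditionally, and restoring a directory needs care because the destination still exists. As an added example, not part of the original post, the helper below restores a path from its .bkp copy only when that copy is there, replaces a live directory outright instead of nesting a copy inside it, and takes a root prefix (an assumption added so it can be tried against a scratch tree rather than /). The path list is the one the reset script works through.

```shell
#!/bin/sh
# Added example, not part of the original post: restore files and directories from the .bkp
# copies the setup script makes, skipping any backup that does not exist. The root prefix is
# an assumption that lets the helper be exercised against a scratch directory instead of /.

# Restores $1 from "$1.bkp" and removes the backup. Returns 1 without touching $1 when there
# is no backup, so one missing copy does not stop the remaining restores.
restore_from_backup() {
    local target=$1 backup="$1.bkp"
    if [ -d "$backup" ]; then
        # Replace the live directory. "cp -R dir.bkp dir" would nest a copy as dir/dir.bkp
        # because dir still exists.
        rm -rf "$target" && mv "$backup" "$target"
    elif [ -f "$backup" ]; then
        cp -p "$backup" "$target" && rm -f "$backup"
    else
        echo "no backup for $target, leaving it as is" >&2
        return 1
    fi
}

# Restores every path given (relative to the root prefix $1) and prints how many were restored.
restore_all() {
    local root=$1 count=0 path
    shift
    for path in "$@"; do
        if restore_from_backup "$root$path"; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# The files the reset script puts back; with an empty root these are the real paths.
RESET_PATHS="/etc/krb5.conf /etc/samba/smb.conf /etc/pam.d /etc/sudoers /etc/sysconfig/network /etc/sysconfig/rhn/osad.conf /etc/resolv.conf"

# Run the real restore only when asked, so the functions can be tried against a scratch tree.
if [ "${RUN_RESET:-0}" = 1 ]; then
    echo "restored $(restore_all "" $RESET_PATHS) item(s)"
fi
```

Run with RUN_RESET=1 as root to restore the live system; the count it prints makes it obvious when a backup was missing, which in the original script would have surfaced only as an unexplained cp error.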

Please feel free to leave comments if you have questions or issues getting these scripts to work for you.