Sunday, May 5, 2013

Active Directory Integration CentOS6.3

While learning how to join a Linux machine to an Active Directory domain with single sign-on, I developed these scripts to automate the process. My environment is completely virtual, running on XenServer 6.2, and my domain controllers are Windows Server 2008 R2. The scripts work on both CentOS server and desktop editions. This tutorial contains three scripts: one for initial setup (setup.sh), one for Active Directory integration (adjoin.sh), and one (reset.sh) to return the system to its original state should adjoin.sh fail.

The adjoin.sh script assumes that you have set your hostname to a single label (e.g. mymachine), you have added DNS entries on your domain controller for the new machine, you have installed the Identity Management for UNIX role on AD, you have configured a static IP, and you have set PermitRootLogin yes in sshd_config. Also make sure that you have created a user in Active Directory and added it to the administrative groups that user should have. Also create a group that will have admin privileges on the Linux machines; this is the group named in the group= variable of setup.sh.

Once your initial system is set up, ssh into the machine as root and create the bin directory in /root.
I prefer to use mRemoteNG, which you can grab from http://www.mremoteng.org/, but PuTTY or any other method you like works too. In the /root/bin directory create two files, netjoin.sh and reset.sh.

If you are using these scripts to create a template, only run setup.sh on the server before converting it to a template. You only have to run setup.sh once on the template; after that, every new VM created from it only needs to run adjoin.sh. I usually make a directory /root/bin and place the three scripts in it, since it is in root's path, and I change their permissions to 700.

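As an added preflight check (example code written for this post, not one of the author's scripts), the following verifies the assumptions adjoin.sh makes before anything on the machine is changed: the hostname is a single label, /etc/krb5.conf carries the uppercased realm that setup.sh writes, and the clock is within the 5-minute Kerberos tolerance of the DC. The domain values and the ntpdate -q output format it parses are assumptions; the realm check can be pointed at any krb5.conf.

```bash
#!/bin/bash
# preflight.sh: added example, not part of the original post. Read-only checks
# for the assumptions adjoin.sh makes: a single-label hostname, a krb5.conf
# whose default_realm is the uppercased domain, and a clock close enough to
# the DC for Kerberos. Run as "preflight.sh --live" on the prepared machine.
domain_division=corp        # same three parts as in setup.sh (constructed values)
domain_name=example
top_domain=com

# 0 if the hostname is one label (adjoin.sh appends the domain suffix itself)
is_short_hostname() {
    case "$1" in ''|*.*) return 1 ;; *) return 0 ;; esac
}

# Builds the realm the way setup.sh does: the three parts, uppercased
realm_from_parts() {
    echo "$1.$2.$3" | tr '[a-z]' '[A-Z]'
}

# 0 if default_realm in the [libdefaults] section of file $1 equals realm $2
krb5_realm_matches() {
    awk -v want="$2" '
        /^\[/ { insect = ($0 == "[libdefaults]"); next }
        insect && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[ \t]*default_realm[ \t]*=[ \t]*/, ""); sub(/[ \t]*$/, "")
            found = ($0 == want)
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# 0 if the absolute clock offset ($1, seconds) is within the 300 s Kerberos limit
clock_skew_ok() {
    awk -v off="$1" 'BEGIN { if (off < 0) off = -off; if (off <= 300) exit 0; exit 1 }'
}

report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; return 1; fi; }
# Live run against this machine; the offset parse assumes ntpdate -q output
# of the form "server ..., stratum N, offset S, delay D" (first line used).
run_checks() {
    realm=$(realm_from_parts "$domain_division" "$domain_name" "$top_domain")
    dc="$domain_division.$domain_name.$top_domain"
    offset=$(ntpdate -q "$dc" 2>/dev/null | awk '/^server/ { sub(",", "", $6); print $6; exit }')
    rc=0
    report is_short_hostname "$(hostname)" || rc=1
    report krb5_realm_matches /etc/krb5.conf "$realm" || rc=1
    report clock_skew_ok "${offset:-999}" || rc=1   # no answer from the DC counts as a failure
    return $rc
}
if [ "${1:-}" = "--live" ]; then run_checks; fi
```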
#!/bin/bash
## setup.sh
## Server setup script for preparing VMWare template for Active Directory integration
## Author: Glenn Weber
## Email: engineering@bngsupport.com
## Date: 05/04/2013

## This script is free to use and modify as needed I cannot guarantee that this script will work
## with your setup. If the script should fail simply run the accompanying reset.sh script
## You must also run the accompanying adjoin.sh to join to domain and spacewalk
## I have tested this script on both centOS 6.3 and centOS 6.4
## Only run this script if you are setting up a new machine or if you are creating a template to use
## If you are creating a template this portion will be done and you can just run the other scripts
domain_division=        # ie: corp
domain_name=
top_domain=             # ie: com, net, org
workgrp=                # NETBIOS name of the domain
group=                  # ie: linuxadmins
adm_server=             # Only needed if you have an admin server that will be used for nagios


## Converts variables to uppercase
DOMAIN_DIVISION=$(echo "$domain_division" | tr '[a-z]' '[A-Z]')
DOMAIN_NAME=$(echo "$domain_name" | tr '[a-z]' '[A-Z]')
TOP_DOMAIN=$(echo "$top_domain"  | tr '[a-z]' '[A-Z]')
WORKGRP=$(echo "$workgrp" | tr '[a-z]' '[A-Z]')

## Turns off Firewall
service iptables save
service iptables stop
chkconfig iptables off

## Disables selinux
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux

##Comment this section out if this is the main nagios server or you do not want to use nagios
## Installs epel repository and installs nagios plugins
rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install nrpe nagios-plugins-all openssl -y

## Installs base software for Active directory Integration and a few other useful packages
yum install nano wget ntp krb5-libs krb5-workstation krb5-server samba samba-client samba-winbind sudo bc -y



## Starts ntpd service and sets services to start at boot
service ntpd start
chkconfig ntpd on

## Edits /etc/krb5.conf
cp /etc/krb5.conf /etc/krb5.conf.bkp
sed -i "s/EXAMPLE.COM/$DOMAIN_DIVISION.$DOMAIN_NAME.$TOP_DOMAIN/g" /etc/krb5.conf
sed -i 's/false/true/g' /etc/krb5.conf
sed -i "s/kerberos.example.com/$domain_division.$domain_name.$top_domain/g" /etc/krb5.conf
sed -i "s/example.com/$domain_division.$domain_name.$top_domain/g" /etc/krb5.conf
sed -i "s/.example.com/.$domain_division.$domain_name.$top_domain/g" /etc/krb5.conf

## Creates backup of /etc/pam.d directory and rewrites system-auth-ac
cp -R /etc/pam.d /etc/pam.d.bkp
cat > /etc/pam.d/system-auth-ac <<EOF
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     optional      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF

## Creates Backup copy of smb.conf
cp /etc/samba/smb.conf /etc/samba/smb.conf.bkp

## Runs authconfig and adds entries to /etc/samba/smb.conf winbind section
authconfig --krb5realm=$DOMAIN_DIVISION.$DOMAIN_NAME.$TOP_DOMAIN \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm=$DOMAIN_DIVISION.$DOMAIN_NAME.$TOP_DOMAIN \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
--winbindtemplateshell="/bin/bash" --enablewinbindusedefaultdomain --enablewinbindoffline \
--smbworkgroup=$WORKGRP \
--winbindtemplatehomedir="/home/%U" --enablemkhomedir --disablemd5 --updateall

## Creates backup of /etc/sudoers file and appends group to sudoers file
## (the lines are appended directly rather than through visudo, so check the
## result with "visudo -c" before logging out of the root session)
cp /etc/sudoers /etc/sudoers.bkp
echo "## Allows members of the $group group to run all commands" >> /etc/sudoers
echo "%$group  ALL=(ALL) ALL" >> /etc/sudoers

## Adds Spacewalk Repos and clients
## Comment the below section if you do not have a Spacewalk server
rpm -Uvh http://yum.spacewalkproject.org/2.0-client/RHEL/6/x86_64/spacewalk-client-repo-2.0-3.el6.noarch.rpm
yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin osad -y

cd /usr/share/rhn
wget http://$adm_server.$domain_division.$domain_name.$top_domain/repo/RHN-ORG-TRUSTED-SSL-CERT

cd /tmp
wget http://$adm_server.$domain_division.$domain_name.$top_domain/repo/RPM-GPG-KEY-spacewalk-2012
rpm --import RPM-GPG-KEY-spacewalk-2012

cd /etc/sysconfig/rhn
mv osad.conf osad.conf.bkp
wget http://$adm_server.$domain_division.$domain_name.$top_domain/repo/osad.conf


yum clean all

#!/bin/bash
## Server Active Directory integration script
## adjoin.sh
## Author: Glenn Weber
## Email: engineering@bngsupport.com
## Date: 05/04/2013
domain_division=
domain_name=      
top_domain=                    
sw_server=                

## Joins machine to domain
net ads join -Uadministrator

## Restarts services
service winbind restart
chkconfig winbind on
service smb restart
chkconfig smb on

## Creates backup of /etc/sysconfig/network and sets the fully qualified hostname
cp /etc/sysconfig/network /etc/sysconfig/network.bkp
## Records the short hostname in reset.sh so it can be restored on failure
cat >> /root/bin/reset.sh <<EOF
hostname $HOSTNAME
EOF
hostname $HOSTNAME.$domain_division.$domain_name.$top_domain
sed -i "s/HOSTNAME=$HOSTNAME/HOSTNAME=$HOSTNAME.$domain_division.$domain_name.$top_domain/g" /etc/sysconfig/network

service network restart
## Turns off Root ssh Login and restarts sshd service
sed -i "s/PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config
service sshd restart
wbinfo -u
sleep 5

## Registers machine with Spacewalk server
## Comment the below section if you do not have a Spacewalk server
rhnreg_ks --serverUrl=http://$sw_server.$domain_division.$domain_name.$top_domain/XMLRPC --activationkey=1-7eb473722e68584b94a75196c2c4330a && sleep 90

chkconfig osad on && service osad restart
rhn-actions-control --enable-all
#!/bin/bash
## reset.sh
## Reset script should be run only after adjoin.sh has been run and only if the machine
## fails to join the domain
## Author: Glenn Weber
## Email: engineering@bngsupport.com
## Date: 05/04/2013
## Resets all files back to original state if setup.sh and netjoin.sh scripts are unsuccessful
cp /etc/krb5.conf.bkp /etc/krb5.conf
rm -f /etc/krb5.conf.bkp
cp /etc/samba/smb.conf.bkp /etc/samba/smb.conf
rm -f /etc/samba/smb.conf.bkp
## Copies the backup's contents back in place (/etc/pam.d still exists, so a plain
## "cp -R /etc/pam.d.bkp /etc/pam.d" would nest the backup inside it instead)
cp -R /etc/pam.d.bkp/. /etc/pam.d/
rm -rf /etc/pam.d.bkp
cp /etc/sudoers.bkp /etc/sudoers
rm -f /etc/sudoers.bkp
cp /etc/sysconfig/network.bkp /etc/sysconfig/network
rm -f /etc/sysconfig/network.bkp
rm -f /etc/sysconfig/rhn/osad.conf
mv /etc/sysconfig/rhn/osad.conf.bkp /etc/sysconfig/rhn/osad.conf
rm -f /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
rm -f /etc/yum.repos.d/spacewalk-client-nightly.repo
rm -f /etc/yum.repos.d/spacewalk-client.repo
## setup.sh does not create this backup, so only restore it if one exists
[ -f /etc/resolv.conf.bkp ] && cp /etc/resolv.conf.bkp /etc/resolv.conf
rm -f /etc/resolv.conf.bkp

Please feel free to leave comments if you have questions or issues getting these scripts to work for you.