The adjoin.sh script assumes that you have set your hostname to a single short name (e.g. mymachine), added DNS entries for the new machine on your domain controller, installed the Identity Management for UNIX role in AD, configured a static IP, and set PermitRootLogin yes in sshd_config (adjoin.sh turns it back to no once the join has completed). Also make sure that you have set up a user in Active Directory and added it to the administrative groups that user should belong to. Also create a group that will have admin privileges on the Linux machines.
Once your initial system setup is done, ssh into the machine as root and create the bin directory in /root.
I prefer to use mRemoteNG, which you can grab from http://www.mremoteng.org/, or you can use PuTTY or any other method that you like. In the /root/bin directory create two files, netjoin.sh and reset.sh.
If you are using these scripts to create a template, only run setup.sh on the server before converting it to a template. You will only have to run setup.sh on the template; after that, all new VMs created from it will only need to run adjoin.sh. I usually make a directory /root/bin and place the three scripts in that directory, since it is in root's path. I also change the permissions to 700.
If you are using these scripts to create a template only run setup.sh on the server before converting to template. You will only have to run setup.sh on the template after that all new VM's created will only need to run adjoin.sh. I usually make a directory /root/bin and then place the three scripts in that directory since it is in roots path. Also I change the permissions to 700.
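#!/bin/bash
## setup.sh
## Server setup script for preparing VMWare template for Active Directory integration
## Author: Glenn Weber
## Email: engineering@bngsupport.com
## Date: 05/04/2013
## This script is free to use and modify as needed I cannot guarantee that this script will work
## with your setup. If the script should fail simply run the accompanying reset.sh script
## You must also run the accompanying adjoin.sh to join to domain and spacewalk
## I have tested this script on both centOS 6.3 and centOS 6.4
## Only run this script if you are setting up a new machine or if you are creating a template to use
## If you are creating a template this portion will be done and you can just run the other scripts
##
## Run as root. Fill in the variables below before running.
domain_division= #ie: corp
domain_name=
top_domain= #ie: com, net, org
workgrp= # NETBIOS NAME of Domain
group= # ie: linuxadmins
adm_server= # This is only needed if you have an admin server that will be used for nagios
## Refuse to run with empty domain settings: the sed edits of /etc/krb5.conf below would
## otherwise replace EXAMPLE.COM with ".." and leave Kerberos unusable.
: "${domain_division:?set domain_division (ie: corp) at the top of setup.sh}"
: "${domain_name:?set domain_name at the top of setup.sh}"
: "${top_domain:?set top_domain (ie: com, net, org) at the top of setup.sh}"
: "${workgrp:?set workgrp (NETBIOS name of the domain) at the top of setup.sh}"
: "${group:?set group (ie: linuxadmins) at the top of setup.sh}"
## Converts variables to uppercase (the Kerberos realm is conventionally upper-case)
DOMAIN_DIVISION=$(printf '%s' "$domain_division" | tr '[:lower:]' '[:upper:]')
DOMAIN_NAME=$(printf '%s' "$domain_name" | tr '[:lower:]' '[:upper:]')
TOP_DOMAIN=$(printf '%s' "$top_domain" | tr '[:lower:]' '[:upper:]')
WORKGRP=$(printf '%s' "$workgrp" | tr '[:lower:]' '[:upper:]')
## Assembled once so every later edit uses the same spelling
dns_domain="$domain_division.$domain_name.$top_domain"
krb_realm="$DOMAIN_DIVISION.$DOMAIN_NAME.$TOP_DOMAIN"
## Turns off Firewall
## NOTE: this leaves the host with no packet filter of its own; keep it only if the
## network in front of the host provides one.
service iptables save
service iptables stop
chkconfig iptables off
## Disables selinux (setenforce is immediate, the config edit applies after reboot)
setenforce 0
sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
## On CentOS 6 /etc/sysconfig/selinux is a symlink to /etc/selinux/config; "sed -i" on a
## symlink replaces it with a plain copy, so only edit it when it is a regular file.
if [[ -f /etc/sysconfig/selinux && ! -L /etc/sysconfig/selinux ]]; then
  sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/sysconfig/selinux
fi
##Comment this section out if this is the main nagios server or you do not want to use nagios
## Installs epel repository and installs nagios plugins
## The epel-release package is fetched over plain http and cannot be signature-checked
## before the EPEL key it carries is installed; stage it from a local mirror if that matters.
rpm -q epel-release >/dev/null 2>&1 \
  || rpm -ivh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
yum install nrpe nagios-plugins-all openssl -y
## Installs base software for Active directory Integration and a few other useful packages
yum install nano wget ntp krb5-libs krb5-workstation krb5-server samba samba-client samba-winbind sudo bc -y
## Starts ntpd service and sets services to start at boot (Kerberos needs clocks in sync)
service ntpd start
chkconfig ntpd on
## Edits /etc/krb5.conf
cp /etc/krb5.conf /etc/krb5.conf.bkp
sed -i "s/EXAMPLE.COM/$krb_realm/g" /etc/krb5.conf
## Flips every "false" in the stock file to "true" (in the stock CentOS 6 file these are the
## dns_lookup_* settings, so KDCs are located through the domain's DNS records)
sed -i 's/false/true/g' /etc/krb5.conf
## The host entries are pointed at the domain name itself, which AD DNS resolves to the DCs
sed -i "s/kerberos.example.com/$dns_domain/g" /etc/krb5.conf
sed -i "s/example.com/$dns_domain/g" /etc/krb5.conf
sed -i "s/.example.com/.$dns_domain/g" /etc/krb5.conf
## Creates backup of /etc/pam.d directory and rewrites system-auth-ac
## NOTE(review): authconfig --updateall further down regenerates system-auth-ac, so this
## hand-written stack may be overwritten; check the file after the run.
## (Each PAM rule must be on one line; the use_authtok / use_uid options belong to the
## preceding rule.)
cp -R /etc/pam.d /etc/pam.d.bkp
cat > /etc/pam.d/system-auth-ac <<'EOF'
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
EOF
## Creates Backup copy of smb.conf
cp /etc/samba/smb.conf /etc/samba/smb.conf.bkp
## Runs authconfig and adds entries to /etc/samba/smb.conf winbind section
authconfig --krb5realm="$krb_realm" \
--enablewinbind --enablewinbindauth --smbsecurity=ads --smbrealm="$krb_realm" \
--smbidmapuid="16777216-33554431" --smbidmapgid="16777216-33554431" --winbindseparator="+" \
--winbindtemplateshell="/bin/bash" --enablewinbindusedefaultdomain --enablewinbindoffline \
--smbworkgroup="$WORKGRP" \
--winbindtemplatehomedir="/home/%U" --enablemkhomedir --disablemd5 --updateall
## Creates backup of /etc/sudoers file and appends group to sudoers file
cp /etc/sudoers /etc/sudoers.bkp
{
  printf '## Allows members of the %s group to run all commands\n' "$group"
  printf ' %%%s ALL=(ALL) ALL \n' "$group"
} >> /etc/sudoers
## A syntax error in /etc/sudoers disables sudo for everyone, so validate the result and
## fall back to the backup if it does not parse
if ! visudo -cf /etc/sudoers >/dev/null; then
  printf 'setup.sh: /etc/sudoers failed validation, restoring backup\n' >&2
  cp /etc/sudoers.bkp /etc/sudoers
  exit 1
fi
## Adds Spacewalk Repos and clients
## Skipped automatically when adm_server is empty (no Spacewalk/admin server)
if [[ -z "$adm_server" ]]; then
  printf 'setup.sh: adm_server is empty, skipping Spacewalk client setup\n' >&2
  exit 0
fi
repo_base="http://$adm_server.$dns_domain/repo"
rpm -Uvh http://yum.spacewalkproject.org/2.0-client/RHEL/6/x86_64/spacewalk-client-repo-2.0-3.el6.noarch.rpm
yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin osad -y
## The CA certificate and GPG key below become trust anchors for every later package
## download. They are fetched over plain http, so the admin server must be one you control,
## and each fetch must succeed before anything is installed or imported.
tmpdir=$(mktemp -d) || exit 1
trap 'rm -rf -- "$tmpdir"' EXIT
wget -O "$tmpdir/RHN-ORG-TRUSTED-SSL-CERT" "$repo_base/RHN-ORG-TRUSTED-SSL-CERT" \
  || { printf 'setup.sh: could not fetch RHN-ORG-TRUSTED-SSL-CERT\n' >&2; exit 1; }
cp -- "$tmpdir/RHN-ORG-TRUSTED-SSL-CERT" /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
wget -O "$tmpdir/RPM-GPG-KEY-spacewalk-2012" "$repo_base/RPM-GPG-KEY-spacewalk-2012" \
  || { printf 'setup.sh: could not fetch RPM-GPG-KEY-spacewalk-2012\n' >&2; exit 1; }
rpm --import "$tmpdir/RPM-GPG-KEY-spacewalk-2012"
## osad.conf from the admin server replaces the stock one; the original is kept for reset.sh
wget -O "$tmpdir/osad.conf" "$repo_base/osad.conf" \
  || { printf 'setup.sh: could not fetch osad.conf\n' >&2; exit 1; }
mv /etc/sysconfig/rhn/osad.conf /etc/sysconfig/rhn/osad.conf.bkp
cp -- "$tmpdir/osad.conf" /etc/sysconfig/rhn/osad.conf
yum clean all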
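#!/bin/bash
## Server Active Directory integration script
## adjoin.sh
## Author: Glenn Weber
## Email: engineering@bngsupport.com
## Date: 05/04/2013
## Run as root after setup.sh, with the machine's short hostname already set (ie: mymachine).
## The script stops at the first failed step so that root ssh login is only disabled once the
## domain join has actually succeeded; run reset.sh to undo a failed attempt.
domain_division=
domain_name=
top_domain=
sw_server=
ad_join_user=administrator # AD account allowed to join computers; its password is prompted for
activation_key=1-7eb473722e68584b94a75196c2c4330a # Spacewalk activation key
## Refuse to run with empty domain settings; the hostname and network edits below depend on them
: "${domain_division:?set domain_division at the top of adjoin.sh}"
: "${domain_name:?set domain_name at the top of adjoin.sh}"
: "${top_domain:?set top_domain at the top of adjoin.sh}"
dns_domain="$domain_division.$domain_name.$top_domain"
short_host=$HOSTNAME
fqdn="$short_host.$dns_domain"
## Joins machine to domain; stop here on failure so nothing below is changed
if ! net ads join -U "$ad_join_user"; then
  printf 'adjoin.sh: domain join failed, leaving host configuration unchanged (see reset.sh)\n' >&2
  exit 1
fi
## Restarts services
service winbind restart
chkconfig winbind on
service smb restart
chkconfig smb on
## Creates backup of /etc/sysconfig/network and sets long domain name
cp /etc/sysconfig/network /etc/sysconfig/network.bkp
## copies short hostname to reset.sh so a reset restores the pre-join name
cat >> /root/bin/reset.sh <<EOF
hostname $short_host
EOF
hostname "$fqdn"
sed -i "s/^HOSTNAME=$short_host\$/HOSTNAME=$fqdn/" /etc/sysconfig/network
service network restart
## Turns off Root ssh Login and restarts sshd service; the pre-join config is kept for reset.sh.
## Confirm that a domain account (listed by wbinfo -u below) can log in before closing this session.
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bkp
sed -i "s/^PermitRootLogin yes/PermitRootLogin no/" /etc/ssh/sshd_config
service sshd restart
wbinfo -u
sleep 5
## Registers machine with Spacewalk server
## Skipped automatically when sw_server is empty (no Spacewalk server)
if [[ -z "$sw_server" ]]; then
  printf 'adjoin.sh: sw_server is empty, skipping Spacewalk registration\n' >&2
  exit 0
fi
## osad and rhn-actions-control only make sense once the registration has gone through
if rhnreg_ks --serverUrl="http://$sw_server.$dns_domain/XMLRPC" --activationkey="$activation_key"; then
  sleep 90
  chkconfig osad on && service osad restart
  rhn-actions-control --enable-all
else
  printf 'adjoin.sh: Spacewalk registration failed, osad not enabled\n' >&2
  exit 1
fi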
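#!/bin/bash
## reset.sh
## Reset script should be run only after adjoin.sh has been run and only if the machine
## fails to join the domain
## Author: Glenn Weber
## Email: engineering@bngsupport.com
## Date: 05/04/2013
## Resets all files back to original state if setup.sh and adjoin.sh scripts are unsuccessful.
## Every restore is guarded on its backup existing, so the script can be run after a partial
## setup.sh/adjoin.sh without clobbering files that were never backed up.

## restore_file BACKUP TARGET: copy BACKUP back over TARGET and drop BACKUP, when BACKUP exists
restore_file() {
  local backup=$1
  local target=$2
  [[ -f "$backup" ]] || return 0
  cp -- "$backup" "$target" && rm -f -- "$backup"
}

restore_file /etc/krb5.conf.bkp /etc/krb5.conf
restore_file /etc/samba/smb.conf.bkp /etc/samba/smb.conf
## /etc/pam.d still exists, so a plain "cp -R /etc/pam.d.bkp /etc/pam.d" would create
## /etc/pam.d/pam.d.bkp instead of restoring; copy the backup's contents over the directory
if [[ -d /etc/pam.d.bkp ]]; then
  cp -R /etc/pam.d.bkp/. /etc/pam.d/
  rm -rf /etc/pam.d.bkp
fi
restore_file /etc/sudoers.bkp /etc/sudoers
restore_file /etc/sysconfig/network.bkp /etc/sysconfig/network
if [[ -f /etc/sysconfig/rhn/osad.conf.bkp ]]; then
  rm -f /etc/sysconfig/rhn/osad.conf
  mv /etc/sysconfig/rhn/osad.conf.bkp /etc/sysconfig/rhn/osad.conf
fi
rm -f /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
rm -f /etc/yum.repos.d/spacewalk-client-nightly.repo
rm -f /etc/yum.repos.d/spacewalk-client.repo
## Neither setup.sh nor adjoin.sh as shipped creates resolv.conf.bkp; restored only if present
restore_file /etc/resolv.conf.bkp /etc/resolv.conf
## Re-enables root ssh login when adjoin.sh saved the pre-join sshd_config; without that
## backup the "PermitRootLogin no" edit stays in place, so check it by hand before logging out
if [[ -f /etc/ssh/sshd_config.bkp ]]; then
  restore_file /etc/ssh/sshd_config.bkp /etc/ssh/sshd_config
  service sshd restart
fi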
Please feel free to leave comments if you have questions or issues getting these scripts to work for you.