diff options
author | Sam Chudnick <sam@chudnick.com> | 2022-04-15 21:08:34 -0400 |
---|---|---|
committer | Sam Chudnick <sam@chudnick.com> | 2022-04-15 21:08:34 -0400 |
commit | 85c561f9a32f8f2b9ddf34e7d60ef4b7bf0d3680 (patch) | |
tree | 637c319270201555d66f9bf1cbcc63d893405e69 /ipaconf |
inital commit - various scripts
Diffstat (limited to 'ipaconf')
-rwxr-xr-x | ipaconf | 107 |
1 files changed, 107 insertions, 0 deletions
@@ -0,0 +1,107 @@ | |||
1 | #!/bin/sh | ||
2 | # | ||
3 | # configures a FreeIPA client system by: | ||
4 | # enrolling in a FreeIPA domain (includes ldap,kerberos,ntp | ||
5 | # setting up FreeIPA server as an nss target | ||
6 | # configuring as a kerberized NFSv4 client or server | ||
7 | # configuring for FreeIPA-managed automount | ||
8 | |||
9 | help() { | ||
10 | echo "usage: ipaconf --dns-server dns_server --ipa-domain ipa.domain"\ | ||
11 | "--ntp-server ntp_server [--nfs-server]" | ||
12 | echo "\n-d, --dns-server:\tIP of DNS server containing IPA records" | ||
13 | echo "-f, --nfs-server:\tConfigure client as an NFS server in the IPA domain" | ||
14 | echo "-i, --ipa-domain:\tIPA domain base (e.g. example.com)" | ||
15 | echo "-n, --ntp-server:\tIP or hostname of NTP server for the IPA domain" | ||
16 | exit 1 | ||
17 | } | ||
18 | |||
19 | [ $(id -u) -ne 0 ] && echo "error: must be run as root" && exit 1 | ||
20 | |||
21 | opts=$(getopt -o "d:,f:,h,i:,n:" -l "dns-server:,nfs-server,help,ipa-domain:,ntp-server:" -- "$@") | ||
22 | eval set -- "$opts" | ||
23 | dnssrv= | ||
24 | nfssrv=0 | ||
25 | ipadomain= | ||
26 | ntpsrv= | ||
27 | while true | ||
28 | do | ||
29 | case "$1" in | ||
30 | '-d' | '--dns-server') dnssrv="$2" shift 2; continue ;; | ||
31 | '-f' | '--nfs-server') nfssrv=1 shift; continue ;; | ||
32 | '-i' | '--ipa-domain') ipadomain="$2" shift 2; continue ;; | ||
33 | '-n' | '--ntp-server') ntpsrv="$2" shift 2; continue ;; | ||
34 | '-h' | '--help') help ;; | ||
35 | '--') shift; break ;; | ||
36 | esac | ||
37 | done | ||
38 | [ -z "$dnssrv" ] && help | ||
39 | [ -z "$ipadomain" ] && help | ||
40 | [ -z "$ntpsrv" ] && help | ||
41 | |||
42 | |||
43 | # FreeIPA client currently only in backports for Debian 11 | ||
44 | grep -q bullseye-backports /etc/apt/sources.list || echo "deb https://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list | ||
45 | |||
46 | # Install required packages | ||
47 | apt update | ||
48 | apt install freeipa-client nfs-common autofs autofs-ldap -y | ||
49 | [ $nfssrv -eq 1 ] && apt install nfs-kernel-server -y | ||
50 | |||
51 | # Change DNS | ||
52 | echo "domain $ipadomain\nsearch $ipadomain\nnameserver $dnssrv" > /etc/resolv.conf | ||
53 | |||
54 | # Move chrony conf so IPA installer can configure its own | ||
55 | mv /etc/chrony/chrony.conf /etc/chrony/chrony.conf.ipabk | ||
56 | |||
57 | # Configure and enroll client | ||
58 | ipa-client-install --mkhomedir --ntp-server=$ntpsrv | ||
59 | |||
60 | # Configure SSSD | ||
61 | # Do not specify services if using systemd as they will be socket activated | ||
62 | $(pgrep -x systemd >/dev/null) && sed -i "/^services =/d" /etc/sssd/sssd.conf | ||
63 | # Enable enumeration of domain if NFS server - for assigning permissions to shares | ||
64 | [ $nfssrv -eq 1 ] && sed -i "s/\[domain\/$ipadomain\]/[domain\/$ipadomain]\nenumerate = True/" /etc/sssd/sssd.conf | ||
65 | systemctl restart sssd | ||
66 | |||
67 | # Configure automount | ||
68 | dc1="$(echo $ipadomain | cut -d '.' -f 1)" | ||
69 | dc2="$(echo $ipadomain | cut -d '.' -f 2)" | ||
70 | echo "[ autofs ] | ||
71 | master_map_name = /etc/auto.master | ||
72 | timeout = 300 | ||
73 | browse_mode = no | ||
74 | ldap_uri = "ldap:///dc=$dc1,dc=$dc2" | ||
75 | map_object_class = automountMap | ||
76 | entry_object_class = automount | ||
77 | map_attribute = automountMapName | ||
78 | entry_attribute = automountKey | ||
79 | value_attribute= automountInformation | ||
80 | auth_conf_file = /etc/autofs_ldap_auth.conf | ||
81 | [ amd ] | ||
82 | dismount_interval = 300" > /etc/autofs.conf | ||
83 | |||
84 | echo "<?xml version="1.0" ?> | ||
85 | <autofs_ldap_sasl_conf | ||
86 | usetls="no" | ||
87 | tlsrequired="no" | ||
88 | authrequired="yes" | ||
89 | authtype="GSSAPI" | ||
90 | clientprinc="host/$(hostname)@$(echo $ipadomain | tr [:lower:] [:upper:])" | ||
91 | />" > /etc/autofs_ldap_auth.conf | ||
92 | chmod 600 /etc/autofs_ldap_auth.conf | ||
93 | |||
94 | # Restart autofs to apply existing automount configuration | ||
95 | systemctl restart autofs | ||
96 | |||
97 | # Configure NFS | ||
98 | sed -i "s/NEED_IDMAPD.*$/NEED_IDMAPD=yes" | ||
99 | sed -i "s/NEED_GSSD.*$/NEED_GSSD=yes" | ||
100 | [ $nfssrv -eq 1 ] && sed -i "s/NEED_SVCGSSD.*$/NEEDSVCGSSD=\"yes\"/" /etc/default/nfs-kernel-server | ||
101 | systemctl restart nfs-kernel-server | ||
102 | |||
103 | # Manaul steps for NFS server | ||
104 | ipasrv=$(grep "server =" /etc/ipa/default.conf | cut -d '=' -f 2 | tr -d ' ') | ||
105 | [ $nfssrv -eq 1 ] && echo -e "\n\nNEXT\n\nUse kinit to obtain a kerberos ticket (e.g. kinit admin) and run the following commands\nipa service-add nfs/$(hostname)\nipa-getkeytab -s $ipasrv -p nfs/$(hostname) -k /etc/krb5.keytab from this machine" | ||
106 | |||
107 | |||