summaryrefslogtreecommitdiff
path: root/ipaconf
diff options
context:
space:
mode:
authorSam Chudnick <sam@chudnick.com>2022-04-15 21:08:34 -0400
committerSam Chudnick <sam@chudnick.com>2022-04-15 21:08:34 -0400
commit85c561f9a32f8f2b9ddf34e7d60ef4b7bf0d3680 (patch)
tree637c319270201555d66f9bf1cbcc63d893405e69 /ipaconf
inital commit - various scripts
Diffstat (limited to 'ipaconf')
-rwxr-xr-xipaconf107
1 files changed, 107 insertions, 0 deletions
diff --git a/ipaconf b/ipaconf
new file mode 100755
index 0000000..7d653d2
--- /dev/null
+++ b/ipaconf
@@ -0,0 +1,107 @@
1#!/bin/sh
2#
3# configures a FreeIPA client system by:
4# enrolling in a FreeIPA domain (includes ldap,kerberos,ntp
5# setting up FreeIPA server as an nss target
6# configuring as a kerberized NFSv4 client or server
7# configuring for FreeIPA-managed automount
8
9help() {
10 echo "usage: ipaconf --dns-server dns_server --ipa-domain ipa.domain"\
11 "--ntp-server ntp_server [--nfs-server]"
12 echo "\n-d, --dns-server:\tIP of DNS server containing IPA records"
13 echo "-f, --nfs-server:\tConfigure client as an NFS server in the IPA domain"
14 echo "-i, --ipa-domain:\tIPA domain base (e.g. example.com)"
15 echo "-n, --ntp-server:\tIP or hostname of NTP server for the IPA domain"
16 exit 1
17}
18
19[ $(id -u) -ne 0 ] && echo "error: must be run as root" && exit 1
20
21opts=$(getopt -o "d:,f:,h,i:,n:" -l "dns-server:,nfs-server,help,ipa-domain:,ntp-server:" -- "$@")
22eval set -- "$opts"
23dnssrv=
24nfssrv=0
25ipadomain=
26ntpsrv=
27while true
28do
29 case "$1" in
30 '-d' | '--dns-server') dnssrv="$2" shift 2; continue ;;
31 '-f' | '--nfs-server') nfssrv=1 shift; continue ;;
32 '-i' | '--ipa-domain') ipadomain="$2" shift 2; continue ;;
33 '-n' | '--ntp-server') ntpsrv="$2" shift 2; continue ;;
34 '-h' | '--help') help ;;
35 '--') shift; break ;;
36 esac
37done
38[ -z "$dnssrv" ] && help
39[ -z "$ipadomain" ] && help
40[ -z "$ntpsrv" ] && help
41
42
43# FreeIPA client currently only in backports for Debian 11
44grep -q bullseye-backports /etc/apt/sources.list || echo "deb https://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list
45
46# Install required packages
47apt update
48apt install freeipa-client nfs-common autofs autofs-ldap -y
49[ $nfssrv -eq 1 ] && apt install nfs-kernel-server -y
50
51# Change DNS
52echo "domain $ipadomain\nsearch $ipadomain\nnameserver $dnssrv" > /etc/resolv.conf
53
54# Move chrony conf so IPA installer can configure its own
55mv /etc/chrony/chrony.conf /etc/chrony/chrony.conf.ipabk
56
57# Configure and enroll client
58ipa-client-install --mkhomedir --ntp-server=$ntpsrv
59
60# Configure SSSD
61# Do not specify services if using systemd as they will be socket activated
62$(pgrep -x systemd >/dev/null) && sed -i "/^services =/d" /etc/sssd/sssd.conf
63# Enable enumeration of domain if NFS server - for assigning permissions to shares
64[ $nfssrv -eq 1 ] && sed -i "s/\[domain\/$ipadomain\]/[domain\/$ipadomain]\nenumerate = True/" /etc/sssd/sssd.conf
65systemctl restart sssd
66
67# Configure automount
68dc1="$(echo $ipadomain | cut -d '.' -f 1)"
69dc2="$(echo $ipadomain | cut -d '.' -f 2)"
70echo "[ autofs ]
71master_map_name = /etc/auto.master
72timeout = 300
73browse_mode = no
74ldap_uri = "ldap:///dc=$dc1,dc=$dc2"
75map_object_class = automountMap
76entry_object_class = automount
77map_attribute = automountMapName
78entry_attribute = automountKey
79value_attribute= automountInformation
80auth_conf_file = /etc/autofs_ldap_auth.conf
81[ amd ]
82dismount_interval = 300" > /etc/autofs.conf
83
84echo "<?xml version="1.0" ?>
85<autofs_ldap_sasl_conf
86 usetls="no"
87 tlsrequired="no"
88 authrequired="yes"
89 authtype="GSSAPI"
90 clientprinc="host/$(hostname)@$(echo $ipadomain | tr [:lower:] [:upper:])"
91/>" > /etc/autofs_ldap_auth.conf
92chmod 600 /etc/autofs_ldap_auth.conf
93
94# Restart autofs to apply existing automount configuration
95systemctl restart autofs
96
97# Configure NFS
98sed -i "s/NEED_IDMAPD.*$/NEED_IDMAPD=yes"
99sed -i "s/NEED_GSSD.*$/NEED_GSSD=yes"
100[ $nfssrv -eq 1 ] && sed -i "s/NEED_SVCGSSD.*$/NEEDSVCGSSD=\"yes\"/" /etc/default/nfs-kernel-server
101systemctl restart nfs-kernel-server
102
103# Manaul steps for NFS server
104ipasrv=$(grep "server =" /etc/ipa/default.conf | cut -d '=' -f 2 | tr -d ' ')
105[ $nfssrv -eq 1 ] && echo -e "\n\nNEXT\n\nUse kinit to obtain a kerberos ticket (e.g. kinit admin) and run the following commands\nipa service-add nfs/$(hostname)\nipa-getkeytab -s $ipasrv -p nfs/$(hostname) -k /etc/krb5.keytab from this machine"
106
107