1 files changed, 107 insertions, 0 deletions
diff --git a/ipaconf b/ipaconf
new file mode 100755
index 0000000..7d653d2
--- /dev/null
+++ b/ipaconf
@@ -0,0 +1,107 @@
+#!/bin/sh
+#
+# configures a FreeIPA client system by:
+# enrolling in a FreeIPA domain (includes ldap,kerberos,ntp
+# setting up FreeIPA server as an nss target
+# configuring as a kerberized NFSv4 client or server
+# configuring for FreeIPA-managed automount
+help() {
+        echo "usage: ipaconf --dns-server dns_server --ipa-domain ipa.domain"\
+                        "--ntp-server ntp_server [--nfs-server]"
+        echo "\n-d, --dns-server:\tIP of DNS server containing IPA records"
+        echo "-f, --nfs-server:\tConfigure client as an NFS server in the IPA domain"
+        echo "-i, --ipa-domain:\tIPA domain base (e.g. example.com)"
+        echo "-n, --ntp-server:\tIP or hostname of NTP server for the IPA domain"
+        exit 1
+}
+[ $(id -u) -ne 0 ] && echo "error: must be run as root" && exit 1
+opts=$(getopt -o "d:,f:,h,i:,n:" -l "dns-server:,nfs-server,help,ipa-domain:,ntp-server:" -- "$@")
+eval set -- "$opts"
+dnssrv=
+nfssrv=0
+ipadomain=
+ntpsrv=
+while true
+do
+                case "$1" in
+                                '-d' | '--dns-server') dnssrv="$2" shift 2; continue ;;
+                                '-f' | '--nfs-server') nfssrv=1 shift; continue ;;
+                                '-i' | '--ipa-domain') ipadomain="$2" shift 2; continue ;;
+                                '-n' | '--ntp-server') ntpsrv="$2" shift 2; continue ;;
+                                '-h' | '--help') help ;;
+                                '--') shift; break ;;
+                esac
+done
+[ -z "$dnssrv" ] && help
+[ -z "$ipadomain" ] && help
+[ -z "$ntpsrv" ] && help
+# FreeIPA client currently only in backports for Debian 11
+grep -q bullseye-backports /etc/apt/sources.list || echo "deb https://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list
+# Install required packages
+apt update
+apt install freeipa-client nfs-common autofs autofs-ldap -y
+[ $nfssrv -eq 1 ] && apt install nfs-kernel-server -y
+# Change DNS
+echo "domain $ipadomain\nsearch $ipadomain\nnameserver $dnssrv" > /etc/resolv.conf
+# Move chrony conf so IPA installer can configure its own
+mv /etc/chrony/chrony.conf /etc/chrony/chrony.conf.ipabk
+# Configure and enroll client
+ipa-client-install --mkhomedir --ntp-server=$ntpsrv
+# Configure SSSD
+# Do not specify services if using systemd as they will be socket activated
+$(pgrep -x systemd >/dev/null) && sed -i "/^services =/d" /etc/sssd/sssd.conf
+# Enable enumeration of domain if NFS server - for assigning permissions to shares
+[ $nfssrv -eq 1 ] && sed -i "s/\[domain\/$ipadomain\]/[domain\/$ipadomain]\nenumerate = True/" /etc/sssd/sssd.conf
+systemctl restart sssd
+# Configure automount
+dc1="$(echo $ipadomain | cut -d '.' -f 1)"
+dc2="$(echo $ipadomain | cut -d '.' -f 2)"
+echo "[ autofs ]
+master_map_name = /etc/auto.master
+timeout = 300
+browse_mode = no
+ldap_uri = "ldap:///dc=$dc1,dc=$dc2"
+map_object_class = automountMap
+entry_object_class = automount
+map_attribute = automountMapName
+entry_attribute = automountKey
+value_attribute= automountInformation
+auth_conf_file = /etc/autofs_ldap_auth.conf
+[ amd ]
+dismount_interval = 300" > /etc/autofs.conf
+echo "<?xml version="1.0" ?>
+<autofs_ldap_sasl_conf
+        usetls="no"
+        tlsrequired="no"
+        authrequired="yes"
+        authtype="GSSAPI"
+        clientprinc="host/$(hostname)@$(echo $ipadomain | tr [:lower:] [:upper:])"
+/>" > /etc/autofs_ldap_auth.conf
+chmod 600 /etc/autofs_ldap_auth.conf
+# Restart autofs to apply existing automount configuration
+systemctl restart autofs
+# Configure NFS
+sed -i "s/NEED_IDMAPD.*$/NEED_IDMAPD=yes"
+sed -i "s/NEED_GSSD.*$/NEED_GSSD=yes"
+[ $nfssrv -eq 1 ] && sed -i "s/NEED_SVCGSSD.*$/NEEDSVCGSSD=\"yes\"/" /etc/default/nfs-kernel-server
+systemctl restart nfs-kernel-server
+# Manaul steps for NFS server
+ipasrv=$(grep "server =" /etc/ipa/default.conf | cut -d '=' -f 2 | tr -d ' ')
+[ $nfssrv -eq 1 ] && echo -e "\n\nNEXT\n\nUse kinit to obtain a kerberos ticket (e.g. kinit admin) and run the following commands\nipa service-add nfs/$(hostname)\nipa-getkeytab -s $ipasrv -p nfs/$(hostname) -k /etc/krb5.keytab from this machine"

diff --git a/ipaconf b/ipaconf new file mode 100755 index 0000000..7d653d2 --- /dev/null +++ b/ipaconf
@@ -0,0 +1,107 @@
	1	#!/bin/sh
	2	#
	3	# configures a FreeIPA client system by:
	4	# enrolling in a FreeIPA domain (includes ldap,kerberos,ntp
	5	# setting up FreeIPA server as an nss target
	6	# configuring as a kerberized NFSv4 client or server
	7	# configuring for FreeIPA-managed automount
	8
	9	help() {
	10	echo "usage: ipaconf --dns-server dns_server --ipa-domain ipa.domain"\
	11	"--ntp-server ntp_server [--nfs-server]"
	12	echo "\n-d, --dns-server:\tIP of DNS server containing IPA records"
	13	echo "-f, --nfs-server:\tConfigure client as an NFS server in the IPA domain"
	14	echo "-i, --ipa-domain:\tIPA domain base (e.g. example.com)"
	15	echo "-n, --ntp-server:\tIP or hostname of NTP server for the IPA domain"
	16	exit 1
	17	}
	18
	19	[ $(id -u) -ne 0 ] && echo "error: must be run as root" && exit 1
	20
	21	opts=$(getopt -o "d:,f:,h,i:,n:" -l "dns-server:,nfs-server,help,ipa-domain:,ntp-server:" -- "$@")
	22	eval set -- "$opts"
	23	dnssrv=
	24	nfssrv=0
	25	ipadomain=
	26	ntpsrv=
	27	while true
	28	do
	29	case "$1" in
	30	'-d' \| '--dns-server') dnssrv="$2" shift 2; continue ;;
	31	'-f' \| '--nfs-server') nfssrv=1 shift; continue ;;
	32	'-i' \| '--ipa-domain') ipadomain="$2" shift 2; continue ;;
	33	'-n' \| '--ntp-server') ntpsrv="$2" shift 2; continue ;;
	34	'-h' \| '--help') help ;;
	35	'--') shift; break ;;
	36	esac
	37	done
	38	[ -z "$dnssrv" ] && help
	39	[ -z "$ipadomain" ] && help
	40	[ -z "$ntpsrv" ] && help
	41
	42
	43	# FreeIPA client currently only in backports for Debian 11
	44	grep -q bullseye-backports /etc/apt/sources.list \|\| echo "deb https://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list
	45
	46	# Install required packages
	47	apt update
	48	apt install freeipa-client nfs-common autofs autofs-ldap -y
	49	[ $nfssrv -eq 1 ] && apt install nfs-kernel-server -y
	50
	51	# Change DNS
	52	echo "domain $ipadomain\nsearch $ipadomain\nnameserver $dnssrv" > /etc/resolv.conf
	53
	54	# Move chrony conf so IPA installer can configure its own
	55	mv /etc/chrony/chrony.conf /etc/chrony/chrony.conf.ipabk
	56
	57	# Configure and enroll client
	58	ipa-client-install --mkhomedir --ntp-server=$ntpsrv
	59
	60	# Configure SSSD
	61	# Do not specify services if using systemd as they will be socket activated
	62	$(pgrep -x systemd >/dev/null) && sed -i "/^services =/d" /etc/sssd/sssd.conf
	63	# Enable enumeration of domain if NFS server - for assigning permissions to shares
	64	[ $nfssrv -eq 1 ] && sed -i "s/\[domain\/$ipadomain\]/[domain\/$ipadomain]\nenumerate = True/" /etc/sssd/sssd.conf
	65	systemctl restart sssd
	66
	67	# Configure automount
	68	dc1="$(echo $ipadomain \| cut -d '.' -f 1)"
	69	dc2="$(echo $ipadomain \| cut -d '.' -f 2)"
	70	echo "[ autofs ]
	71	master_map_name = /etc/auto.master
	72	timeout = 300
	73	browse_mode = no
	74	ldap_uri = "ldap:///dc=$dc1,dc=$dc2"
	75	map_object_class = automountMap
	76	entry_object_class = automount
	77	map_attribute = automountMapName
	78	entry_attribute = automountKey
	79	value_attribute= automountInformation
	80	auth_conf_file = /etc/autofs_ldap_auth.conf
	81	[ amd ]
	82	dismount_interval = 300" > /etc/autofs.conf
	83
	84	echo "<?xml version="1.0" ?>
	85	<autofs_ldap_sasl_conf
	86	usetls="no"
	87	tlsrequired="no"
	88	authrequired="yes"
	89	authtype="GSSAPI"
	90	clientprinc="host/$(hostname)@$(echo $ipadomain \| tr [:lower:] [:upper:])"
	91	/>" > /etc/autofs_ldap_auth.conf
	92	chmod 600 /etc/autofs_ldap_auth.conf
	93
	94	# Restart autofs to apply existing automount configuration
	95	systemctl restart autofs
	96
	97	# Configure NFS
	98	sed -i "s/NEED_IDMAPD.*$/NEED_IDMAPD=yes"
	99	sed -i "s/NEED_GSSD.*$/NEED_GSSD=yes"
	100	[ $nfssrv -eq 1 ] && sed -i "s/NEED_SVCGSSD.*$/NEEDSVCGSSD=\"yes\"/" /etc/default/nfs-kernel-server
	101	systemctl restart nfs-kernel-server
	102
	103	# Manaul steps for NFS server
	104	ipasrv=$(grep "server =" /etc/ipa/default.conf \| cut -d '=' -f 2 \| tr -d ' ')
	105	[ $nfssrv -eq 1 ] && echo -e "\n\nNEXT\n\nUse kinit to obtain a kerberos ticket (e.g. kinit admin) and run the following commands\nipa service-add nfs/$(hostname)\nipa-getkeytab -s $ipasrv -p nfs/$(hostname) -k /etc/krb5.keytab from this machine"
	106
	107