From 85c561f9a32f8f2b9ddf34e7d60ef4b7bf0d3680 Mon Sep 17 00:00:00 2001
From: Sam Chudnick
Date: Fri, 15 Apr 2022 21:08:34 -0400
Subject: inital commit - various scripts
---
 ipaconf | 107 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 107 insertions(+)
 create mode 100755 ipaconf
(limited to 'ipaconf')
diff --git a/ipaconf b/ipaconf
new file mode 100755
index 0000000..7d653d2
--- /dev/null
+++ b/ipaconf
@@ -0,0 +1,107 @@
+#!/bin/sh
+#
+# configures a FreeIPA client system by:
+# enrolling in a FreeIPA domain (includes ldap,kerberos,ntp
+# setting up FreeIPA server as an nss target
+# configuring as a kerberized NFSv4 client or server
+# configuring for FreeIPA-managed automount
+
+help() {
+ echo "usage: ipaconf --dns-server dns_server --ipa-domain ipa.domain"\
+ "--ntp-server ntp_server [--nfs-server]"
+ echo "\n-d, --dns-server:\tIP of DNS server containing IPA records"
+ echo "-f, --nfs-server:\tConfigure client as an NFS server in the IPA domain"
+ echo "-i, --ipa-domain:\tIPA domain base (e.g. example.com)"
+ echo "-n, --ntp-server:\tIP or hostname of NTP server for the IPA domain"
+ exit 1
+}
+
+[ $(id -u) -ne 0 ] && echo "error: must be run as root" && exit 1
+
+opts=$(getopt -o "d:,f:,h,i:,n:" -l "dns-server:,nfs-server,help,ipa-domain:,ntp-server:" -- "$@")
+eval set -- "$opts"
+dnssrv=
+nfssrv=0
+ipadomain=
+ntpsrv=
+while true
+do
+ case "$1" in
+ '-d' | '--dns-server') dnssrv="$2" shift 2; continue ;;
+ '-f' | '--nfs-server') nfssrv=1 shift; continue ;;
+ '-i' | '--ipa-domain') ipadomain="$2" shift 2; continue ;;
+ '-n' | '--ntp-server') ntpsrv="$2" shift 2; continue ;;
+ '-h' | '--help') help ;;
+ '--') shift; break ;;
+ esac
+done
+[ -z "$dnssrv" ] && help
+[ -z "$ipadomain" ] && help
+[ -z "$ntpsrv" ] && help
+
+
+# FreeIPA client currently only in backports for Debian 11
+grep -q bullseye-backports /etc/apt/sources.list || echo "deb https://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list
+
+# Install required packages
+apt update
+apt install freeipa-client nfs-common autofs autofs-ldap -y
+[ $nfssrv -eq 1 ] && apt install nfs-kernel-server -y
+
+# Change DNS
+echo "domain $ipadomain\nsearch $ipadomain\nnameserver $dnssrv" > /etc/resolv.conf
+
+# Move chrony conf so IPA installer can configure its own
+mv /etc/chrony/chrony.conf /etc/chrony/chrony.conf.ipabk
+
+# Configure and enroll client
+ipa-client-install --mkhomedir --ntp-server=$ntpsrv
+
+# Configure SSSD
+# Do not specify services if using systemd as they will be socket activated
+$(pgrep -x systemd >/dev/null) && sed -i "/^services =/d" /etc/sssd/sssd.conf
+# Enable enumeration of domain if NFS server - for assigning permissions to shares
+[ $nfssrv -eq 1 ] && sed -i "s/\[domain\/$ipadomain\]/[domain\/$ipadomain]\nenumerate = True/" /etc/sssd/sssd.conf
+systemctl restart sssd
+
+# Configure automount
+dc1="$(echo $ipadomain | cut -d '.' -f 1)"
+dc2="$(echo $ipadomain | cut -d '.' -f 2)"
+echo "[ autofs ]
+master_map_name = /etc/auto.master
+timeout = 300
+browse_mode = no
+ldap_uri = "ldap:///dc=$dc1,dc=$dc2"
+map_object_class = automountMap
+entry_object_class = automount
+map_attribute = automountMapName
+entry_attribute = automountKey
+value_attribute= automountInformation
+auth_conf_file = /etc/autofs_ldap_auth.conf
+[ amd ]
+dismount_interval = 300" > /etc/autofs.conf
+
+echo "
+" > /etc/autofs_ldap_auth.conf
+chmod 600 /etc/autofs_ldap_auth.conf
+
+# Restart autofs to apply existing automount configuration
+systemctl restart autofs
+
+# Configure NFS
+sed -i "s/NEED_IDMAPD.*$/NEED_IDMAPD=yes"
+sed -i "s/NEED_GSSD.*$/NEED_GSSD=yes"
+[ $nfssrv -eq 1 ] && sed -i "s/NEED_SVCGSSD.*$/NEEDSVCGSSD=\"yes\"/" /etc/default/nfs-kernel-server
+systemctl restart nfs-kernel-server
+
+# Manaul steps for NFS server
+ipasrv=$(grep "server =" /etc/ipa/default.conf | cut -d '=' -f 2 | tr -d ' ')
+[ $nfssrv -eq 1 ] && echo -e "\n\nNEXT\n\nUse kinit to obtain a kerberos ticket (e.g. kinit admin) and run the following commands\nipa service-add nfs/$(hostname)\nipa-getkeytab -s $ipasrv -p nfs/$(hostname) -k /etc/krb5.keytab from this machine"
+
+
-- cgit v1.2.3
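Review bot: The two NFS lines `sed -i "s/NEED_IDMAPD.*$/NEED_IDMAPD=yes"` and the matching `NEED_GSSD` one are malformed — the substitution has no closing `/` and no file operand follows, so sed reads stdin and exits on an unterminated s command, and the third line writes `NEEDSVCGSSD` without the underscore; they should be `sed -i 's/^NEED_IDMAPD=.*$/NEED_IDMAPD=yes/' /etc/default/nfs-common`, `sed -i 's/^NEED_GSSD=.*$/NEED_GSSD=yes/' /etc/default/nfs-common` (presumably that is the intended file; confirm for this release) and `NEED_SVCGSSD=\"yes\"/` in the server line. The systemd check `$(pgrep -x systemd >/dev/null) && sed …` is always true, because substituting a command that prints nothing yields an empty command with status 0; drop the `$( )` wrapper so pgrep's own status is tested. In the option loop the arms read `dnssrv="$2" shift 2` with the `;` missing after the assignment, which only works because `shift` is a special builtin under dash, and the short spec `d:,f:,h,i:,n:` both accepts `,` as an option letter and gives `-f` a required argument while its arm shifts once. With no `set -e` and no status check on `ipa-client-install`, the sssd, autofs and NFS edits run against an unenrolled host when enrollment fails, so `ipa-client-install --mkhomedir --ntp-server="$ntpsrv" || exit 1` would stop that. `/etc/autofs_ldap_auth.conf` is created under the default umask before its `chmod 600`, leaving a window where it is world-readable; a `umask 077` before the write closes it.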