1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
#!/bin/sh
#
# configures a FreeIPA client system by:
# enrolling in a FreeIPA domain (includes ldap,kerberos,ntp
# setting up FreeIPA server as an nss target
# configuring as a kerberized NFSv4 client or server
# configuring for FreeIPA-managed automount
help() {
echo "usage: ipaconf --dns-server dns_server --ipa-domain ipa.domain"\
"--ntp-server ntp_server [--nfs-server]"
echo "\n-d, --dns-server:\tIP of DNS server containing IPA records"
echo "-f, --nfs-server:\tConfigure client as an NFS server in the IPA domain"
echo "-i, --ipa-domain:\tIPA domain base (e.g. example.com)"
echo "-n, --ntp-server:\tIP or hostname of NTP server for the IPA domain"
exit 1
}
[ $(id -u) -ne 0 ] && echo "error: must be run as root" && exit 1
opts=$(getopt -o "d:,f:,h,i:,n:" -l "dns-server:,nfs-server,help,ipa-domain:,ntp-server:" -- "$@")
eval set -- "$opts"
dnssrv=
nfssrv=0
ipadomain=
ntpsrv=
while true
do
case "$1" in
'-d' | '--dns-server') dnssrv="$2" shift 2; continue ;;
'-f' | '--nfs-server') nfssrv=1 shift; continue ;;
'-i' | '--ipa-domain') ipadomain="$2" shift 2; continue ;;
'-n' | '--ntp-server') ntpsrv="$2" shift 2; continue ;;
'-h' | '--help') help ;;
'--') shift; break ;;
esac
done
[ -z "$dnssrv" ] && help
[ -z "$ipadomain" ] && help
[ -z "$ntpsrv" ] && help
# FreeIPA client currently only in backports for Debian 11
grep -q bullseye-backports /etc/apt/sources.list || echo "deb https://deb.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list
# Install required packages
apt update
apt install freeipa-client nfs-common autofs autofs-ldap -y
[ $nfssrv -eq 1 ] && apt install nfs-kernel-server -y
# Change DNS
echo "domain $ipadomain\nsearch $ipadomain\nnameserver $dnssrv" > /etc/resolv.conf
# Move chrony conf so IPA installer can configure its own
mv /etc/chrony/chrony.conf /etc/chrony/chrony.conf.ipabk
# Configure and enroll client
ipa-client-install --mkhomedir --ntp-server=$ntpsrv
# Configure SSSD
# Do not specify services if using systemd as they will be socket activated
$(pgrep -x systemd >/dev/null) && sed -i "/^services =/d" /etc/sssd/sssd.conf
# Enable enumeration of domain if NFS server - for assigning permissions to shares
[ $nfssrv -eq 1 ] && sed -i "s/\[domain\/$ipadomain\]/[domain\/$ipadomain]\nenumerate = True/" /etc/sssd/sssd.conf
systemctl restart sssd
# Configure automount
dc1="$(echo $ipadomain | cut -d '.' -f 1)"
dc2="$(echo $ipadomain | cut -d '.' -f 2)"
echo "[ autofs ]
master_map_name = /etc/auto.master
timeout = 300
browse_mode = no
ldap_uri = "ldap:///dc=$dc1,dc=$dc2"
map_object_class = automountMap
entry_object_class = automount
map_attribute = automountMapName
entry_attribute = automountKey
value_attribute= automountInformation
auth_conf_file = /etc/autofs_ldap_auth.conf
[ amd ]
dismount_interval = 300" > /etc/autofs.conf
echo "<?xml version="1.0" ?>
<autofs_ldap_sasl_conf
usetls="no"
tlsrequired="no"
authrequired="yes"
authtype="GSSAPI"
clientprinc="host/$(hostname)@$(echo $ipadomain | tr [:lower:] [:upper:])"
/>" > /etc/autofs_ldap_auth.conf
chmod 600 /etc/autofs_ldap_auth.conf
# Restart autofs to apply existing automount configuration
systemctl restart autofs
# Configure NFS
sed -i "s/NEED_IDMAPD.*$/NEED_IDMAPD=yes"
sed -i "s/NEED_GSSD.*$/NEED_GSSD=yes"
[ $nfssrv -eq 1 ] && sed -i "s/NEED_SVCGSSD.*$/NEEDSVCGSSD=\"yes\"/" /etc/default/nfs-kernel-server
systemctl restart nfs-kernel-server
# Manaul steps for NFS server
ipasrv=$(grep "server =" /etc/ipa/default.conf | cut -d '=' -f 2 | tr -d ' ')
[ $nfssrv -eq 1 ] && echo -e "\n\nNEXT\n\nUse kinit to obtain a kerberos ticket (e.g. kinit admin) and run the following commands\nipa service-add nfs/$(hostname)\nipa-getkeytab -s $ipasrv -p nfs/$(hostname) -k /etc/krb5.keytab from this machine"
|
