Home Explore Help
Sign In
yunoadmin
/
tora_join-domain-linux
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: d7dd0c68c0
Branches Tags
tora_join-domai...
/
join_unix_ad_local.sh

join_unix_ad_local.sh 6.7 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240 
  1. #!/usr/bin/env bash
    2. 

  2. set -euo pipefail
    3. 

  3. 

  4. # =========================
    5. 

  5. # Konfiguration (ANPASSEN!)
    6. 

  6. # =========================
    7. 

  7. DOMAIN="DOMAIN.local"
    8. 

  8. REALM="DOMAIN.LOCAL"           # i.d.R. DOMAIN in GROSS
    9. 

  9. AD_DNS_IP="192.168.178.3"       # Synology AD/DNS IP
    10. 

  10. DC_HOST="nas.DOMAIN.local"     # optional für Tests
    11. 

  11. ADMIN_USER="Administrator@DOMAIN.LOCAL"
    12. 

  12. # Optional: Test-User (nur für getent/id Test nach Join)
    13. 

  13. TEST_USER="TESTUSER"
    14. 

  14. 

  15. # Optional: Computer OU (leer lassen wenn nicht benötigt)
    16. 

  16. COMPUTER_OU=""
    17. 

  17. 

  18. # Verhalten
    19. 

  19. FORCE_NO_MDNS=true             # hosts: files dns  (empfohlen bei .local)
    20. 

  20. DISABLE_AVAHI=true             # avahi-daemon stoppen/deaktivieren
    21. 

  21. SET_KRB5_RDNS_FALSE=true       # rdns = false setzen (sehr empfehlenswert)
    22. 

  22. 

  23. # =========================
    24. 

  24. # Helper
    25. 

  25. # =========================
    26. 

  26. require_root() {
    27. 

  27.   if [[ "${EUID}" -ne 0 ]]; then
    28. 

  28.     echo "Bitte als root ausführen: sudo $0"
    29. 

  29.     exit 1
    30. 

  30.   fi
    31. 

  31. }
    32. 

  32. 

  33. backup_file() {
    34. 

  34.   local f="$1"
    35. 

  35.   if [[ -f "$f" ]]; then
    36. 

  36.     cp -a "$f" "${f}.bak.$(date +%Y%m%d%H%M%S)"
    37. 

  37.   fi
    38. 

  38. }
    39. 

  39. 

  40. have_cmd() { command -v "$1" >/dev/null 2>&1; }
    41. 

  41. 

  42. fail() {
    43. 

  43.   echo "FEHLER: $*" >&2
    44. 

  44.   exit 1
    45. 

  45. }
    46. 

  46. 

  47. info() { echo "==> $*"; }
    48. 

  48. 

  49. # =========================
    50. 

  50. # Install packages (Debian/Ubuntu)
    51. 

  51. # =========================
    52. 

  52. install_packages() {
    53. 

  53.   info "Installiere benötigte Pakete..."
    54. 

  54.   export DEBIAN_FRONTEND=noninteractive
    55. 

  55.   apt-get update -y
    56. 

  56.   apt-get install -y \
    57. 

  57.     realmd sssd sssd-tools libnss-sss libpam-sss adcli \
    58. 

  58.     krb5-user packagekit samba-common-bin oddjob oddjob-mkhomedir \
    59. 

  59.     dnsutils network-manager
    60. 

  60. }
    61. 

  61. 

  62. # =========================
    63. 

  63. # Disable Avahi/mDNS
    64. 

  64. # =========================
    65. 

  65. disable_mdns() {
    66. 

  66.   if [[ "${DISABLE_AVAHI}" == "true" ]] && systemctl list-unit-files | grep -q '^avahi-daemon\.service'; then
    67. 

  67.     info "Stoppe/Deaktiviere avahi-daemon (mDNS/.local)..."
    68. 

  68.     systemctl stop avahi-daemon || true
    69. 

  69.     systemctl disable avahi-daemon || true
    70. 

  70.   fi
    71. 

  71. 

  72.   if [[ "${FORCE_NO_MDNS}" == "true" ]]; then
    73. 

  73.     info "Erzwinge hosts: files dns (mdns raus) in /etc/nsswitch.conf..."
    74. 

  74.     backup_file /etc/nsswitch.conf
    75. 

  75.     if grep -q '^hosts:' /etc/nsswitch.conf; then
    76. 

  76.       # setze hosts-Zeile hart auf "files dns"
    77. 

  77.       sed -i -E 's/^hosts:.*/hosts: files dns/' /etc/nsswitch.conf
    78. 

  78.     else
    79. 

  79.       echo 'hosts: files dns' >> /etc/nsswitch.conf
    80. 

  80.     fi
    81. 

  81.   else
    82. 

  82.     info "Setze nur dns vor mdns in /etc/nsswitch.conf..."
    83. 

  83.     backup_file /etc/nsswitch.conf
    84. 

  84.     # Best-effort: files dns mdns4_minimal
    85. 

  85.     if grep -q '^hosts:' /etc/nsswitch.conf; then
    86. 

  86.       sed -i -E 's/^hosts:.*/hosts: files dns mdns4_minimal/' /etc/nsswitch.conf
    87. 

  87.     else
    88. 

  88.       echo 'hosts: files dns mdns4_minimal' >> /etc/nsswitch.conf
    89. 

  89.     fi
    90. 

  90.   fi
    91. 

  91. }
    92. 

  92. 

  93. # =========================
    94. 

  94. # Set DNS persistently
    95. 

  95. # =========================
    96. 

  96. set_dns_persistent() {
    97. 

  97.   info "Setze DNS persistent auf ${AD_DNS_IP}..."
    98. 

  98. 

  99.   # 1) NetworkManager: DNS fest in Verbindung setzen
    100. 

  100.   if systemctl is-active --quiet NetworkManager && have_cmd nmcli; then
    101. 

  101.     info "NetworkManager aktiv -> setze DNS via nmcli (persistent)"
    102. 

  102.     # aktive Verbindung ermitteln
    103. 

  103.     local con
    104. 

  104.     con="$(nmcli -t -f NAME,DEVICE con show --active | head -n1 | cut -d: -f1 || true)"
    105. 

  105.     if [[ -n "${con}" ]]; then
    106. 

  106.       nmcli con mod "${con}" ipv4.ignore-auto-dns yes
    107. 

  107.       nmcli con mod "${con}" ipv4.dns "${AD_DNS_IP}"
    108. 

  108.       nmcli con mod "${con}" ipv4.dns-search "${DOMAIN}"
    109. 

  109.       nmcli con up "${con}" >/dev/null
    110. 

  110.       return 0
    111. 

  111.     fi
    112. 

  112.   fi
    113. 

  113. 

  114.   # 2) systemd-resolved: DNS auf Interface setzen (nicht immer persistent, aber oft)
    115. 

  115.   if systemctl is-active --quiet systemd-resolved && have_cmd resolvectl; then
    116. 

  116.     info "systemd-resolved aktiv -> setze DNS via resolvectl"
    117. 

  117.     local iface
    118. 

  118.     iface="$(ip -o route show default | awk '{print $5}' | head -n1)"
    119. 

  119.     [[ -n "${iface}" ]] || fail "Konnte Default-Interface nicht ermitteln."
    120. 

  120.     resolvectl dns "${iface}" "${AD_DNS_IP}"
    121. 

  121.     resolvectl domain "${iface}" "~${DOMAIN}"
    122. 

  122.     return 0
    123. 

  123.   fi
    124. 

  124. 

  125.   # 3) Fallback: /etc/resolv.conf (kann überschrieben werden, aber besser als nichts)
    126. 

  126.   info "Fallback -> schreibe /etc/resolv.conf (kann überschrieben werden)"
    127. 

  127.   backup_file /etc/resolv.conf
    128. 

  128.   cat >/etc/resolv.conf <<EOF
    129. 

  129. search ${DOMAIN}
    130. 

  130. nameserver ${AD_DNS_IP}
    131. 

  131. EOF
    132. 

  132. }
    133. 

  133. 

  134. # =========================
    135. 

  135. # Kerberos: rdns=false
    136. 

  136. # =========================
    137. 

  137. set_krb5_options() {
    138. 

  138.   if [[ "${SET_KRB5_RDNS_FALSE}" != "true" ]]; then
    139. 

  139.     return 0
    140. 

  140.   fi
    141. 

  141. 

  142.   info "Setze Kerberos rdns=false in /etc/krb5.conf..."
    143. 

  143.   backup_file /etc/krb5.conf
    144. 

  144. 

  145.   # Wenn libdefaults existiert, rdns setzen/ersetzen, sonst block hinzufügen
    146. 

  146.   if grep -q '^\s*\[libdefaults\]' /etc/krb5.conf; then
    147. 

  147.     if grep -q '^\s*rdns\s*=' /etc/krb5.conf; then
    148. 

  148.       sed -i -E 's/^\s*rdns\s*=.*/ rdns = false/' /etc/krb5.conf
    149. 

  149.     else
    150. 

  150.       # rdns nach libdefaults einfügen
    151. 

  151.       awk '
    152. 

  152.         BEGIN{done=0}
    153. 

  153.         /^\s*\[libdefaults\]\s*$/{
    154. 

  154.           print
    155. 

  155.           if(!done){print " rdns = false"; done=1}
    156. 

  156.           next
    157. 

  157.         }
    158. 

  158.         {print}
    159. 

  159.       ' /etc/krb5.conf > /tmp/krb5.conf.new && mv /tmp/krb5.conf.new /etc/krb5.conf
    160. 

  160.     fi
    161. 

  161.   else
    162. 

  162.     cat >>/etc/krb5.conf <<EOF
    163. 

  163. 

  164. [libdefaults]
    165. 

  165.  rdns = false
    166. 

  166. EOF
    167. 

  167.   fi
    168. 

  168. }
    169. 

  169. 

  170. # =========================
    171. 

  171. # Preflight checks
    172. 

  172. # =========================
    173. 

  173. preflight() {
    174. 

  174.   info "Prüfe Zeit (Kerberos ist zeitkritisch)..."
    175. 

  175.   timedatectl status | sed -n '1,12p' || true
    176. 

  176. 

  177.   info "Prüfe DNS-Auflösung (_ldap SRV)..."
    178. 

  178.   dig +short _ldap._tcp."${DOMAIN}" SRV | head -n5 || true
    179. 

  179. 

  180.   info "Prüfe DC Hostname (optional)..."
    181. 

  181.   dig +short "${DC_HOST}" A || true
    182. 

  182. 

  183.   info "Realm discovery..."
    184. 

  184.   realm discover "${DOMAIN}" || true
    185. 

  185. 

  186.   info "Kerberos Test (kinit) mit ${ADMIN_USER}..."
    187. 

  187.   # kinit braucht Passwort -> interaktiv
    188. 

  188.   # Wichtig: kinit muss funktionieren, sonst Join sinnlos
    189. 

  189.   if ! kinit "${ADMIN_USER}"; then
    190. 

  190.     fail "kinit fehlgeschlagen. Prüfe DNS/Zeit/Realm. (Ticket kommt nicht.)"
    191. 

  191.   fi
    192. 

  192. 

  193.   info "klist (Ticket vorhanden?)"
    194. 

  194.   klist || true
    195. 

  195. }
    196. 

  196. 

  197. # =========================
    198. 

  198. # Join domain
    199. 

  199. # =========================
    200. 

  200. join_domain() {
    201. 

  201.   info "Domain-Join: ${DOMAIN} (Realm: ${REALM})..."
    202. 

  202.   # leave nur best-effort
    203. 

  203.   realm leave "${DOMAIN}" >/dev/null 2>&1 || true
    204. 

  204. 

  205.   if [[ -n "${COMPUTER_OU}" ]]; then
    206. 

  206.     realm join "${DOMAIN}" -U "${ADMIN_USER}" --computer-ou="${COMPUTER_OU}" --verbose
    207. 

  207.   else
    208. 

  208.     realm join "${DOMAIN}" -U "${ADMIN_USER}" --verbose
    209. 

  209.   fi
    210. 

  210. 

  211.   info "Aktiviere mkhomedir..."
    212. 

  212.   pam-auth-update --enable mkhomedir || true
    213. 

  213. 

  214.   info "Starte SSSD neu..."
    215. 

  215.   systemctl restart sssd || true
    216. 

  216. 

  217.   info "realm list:"
    218. 

  218.   realm list || true
    219. 

  219. 

  220.   info "Test Benutzerauflösung:"
    221. 

  221.   if [[ -n "${TEST_USER}" ]]; then
    222. 

  222.     getent passwd "${TEST_USER}@${DOMAIN}" || true
    223. 

  223.     id "${TEST_USER}@${DOMAIN}" || true
    224. 

  224.   fi
    225. 

  225. }
    226. 

  226. 

  227. # =========================
    228. 

  228. # Main
    229. 

  229. # =========================
    230. 

  230. require_root
    231. 

  231. install_packages
    232. 

  232. disable_mdns
    233. 

  233. set_dns_persistent
    234. 

  234. set_krb5_options
    235. 

  235. preflight
    236. 

  236. join_domain
    237. 

  237. 

  238. info "FERTIG ✅"
    239. 

  239. echo "Login-Format: user@${DOMAIN}"
    240. 

  240. echo "Tipp: Teste Login: su - ${TEST_USER}@${DOMAIN}"
    241.