ActiveDirectoryFeisty

Nasty Hacky Active Directory Integration on Feisty

#run this script as ROOT, you must be root or it will not work
#put your variables in here then run the whole thing
# it will ask you for a Kerberos realm; use the same value you entered for AD_DOMAIN
# then it will ask whether to use the defaults from DNS; choose yes
# after the kerberos config the script stops for some reason; copy & paste everything after dpkg-reconfigure krb5-config to continue
# then it will restart needed services and you can ssh in as domain users to test

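# site settings -- edit these before running
export DOMAIN_ADMIN=rcadmin
# deliberately NOT exported: an exported variable is inherited by every child
# process this script starts (apt-get, perl, dpkg-reconfigure, ...), so the
# password would sit in all of their environments. Only the net ads join step
# uses it, and it runs in this shell, so a plain assignment is enough.
DOMAIN_PASS=YOURPASS
export MACHINE_FQDN=cai17.music.uga.edu
# sub-OU in which the machine account is created (see the join step)
export MACHINE_OU=Music
# Kerberos realm / AD DNS domain; enter the same value at the krb5-config prompt
export AD_DOMAIN=LABS.AD.UGA.EDU
# NetBIOS name of the domain, used as the samba workgroup
export AD_SHORTNAME=LABS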


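#enable universe for kerberos packages
# NOTE(review): these patterns uncomment the *edgy* universe lines although the
# page is for Feisty; on a sources.list that names feisty they match nothing,
# universe stays disabled and the krb5-user install below presumably fails.
# Check the release name in /etc/apt/sources.list first.
perl -pi -e 's!# deb http://us.archive.ubuntu.com/ubuntu/ edgy universe!deb http://us.archive.ubuntu.com/ubuntu/ edgy universe!g' /etc/apt/sources.list
perl -pi -e 's!# deb http://security.ubuntu.com/ubuntu edgy-security universe!deb http://security.ubuntu.com/ubuntu edgy-security universe!g' /etc/apt/sources.list
apt-get update
#edit our host file: add the FQDN after the short hostname on its line
HOSTNAME=$(hostname)
export HOSTNAME
if [ -n "$HOSTNAME" ]; then
  # \Q..\E quotes regex metacharacters in the hostname (a '.' would otherwise
  # match any character), \b stops the short name matching inside a longer
  # name, and the unless-guard skips lines that already carry the FQDN so a
  # second run does not add it twice.  An empty hostname is refused because an
  # empty pattern would fire at every word boundary in the file.
  perl -pi -e 's!\b\Q$ENV{HOSTNAME}\E\b!$ENV{HOSTNAME}\t$ENV{MACHINE_FQDN}!g unless /\Q$ENV{MACHINE_FQDN}\E/' /etc/hosts
else
  printf 'hostname is empty; not editing /etc/hosts\n' >&2
fi
#install samba and winbind
apt-get install samba winbind krb5-user -y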
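#configure samba: swap the stock workgroup line for an ADS member configuration
perl -pi -e 's!   workgroup = DEBIAN_FANS!
   security = ads
   workgroup = $ENV{AD_SHORTNAME}
   realm = $ENV{AD_DOMAIN}
   idmap uid = 500-10000000
   idmap gid = 500-10000000
   winbind separator = +
   winbind enum users = no
   winbind enum groups = no
   winbind use default domain = yes
   template homedir = /home/%U
   template shell = /bin/bash
   client use spnego = yes
   domain master = no
!g' /etc/samba/smb.conf
#comment out "encrypt passwords = no" so samba's default for it takes over
perl -pi -e 's/   encrypt passwords = no/;   encrypt passwords = no/g' /etc/samba/smb.conf
# both substitutions are silent no-ops when the stock lines are absent (other
# release, file already edited by hand), so check the result before joining
if ! grep -q '^ *security = ads' /etc/samba/smb.conf; then
  printf 'warning: smb.conf was not updated (workgroup line not found); edit it by hand\n' >&2
fi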
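#tell nsswitch to use winbind too
# whole-word matches only: a bare /dns/ would also rewrite any mdns entries
# (e.g. mdns4_minimal) on the hosts line; the unless-guards make a second run a
# no-op instead of appending "winbind"/"wins" again
perl -pi -e 's/\bcompat\b/compat winbind/g unless /\bwinbind\b/' /etc/nsswitch.conf
perl -pi -e 's/\bdns\b/dns wins/g unless /\bwins\b/' /etc/nsswitch.conf
#setup pam: try winbind first (sufficient), keep the local unix check after it.
# -0777 slurps the whole file so the unless-guard sees the module anywhere in
# it, not just on the matched line; without it a re-run would insert the
# winbind/mkhomedir lines a second time.
perl -0777 -pi -e 's/account\trequired\tpam_unix.so/account\tsufficient\tpam_winbind.so\naccount\trequired\tpam_unix.so/g unless /pam_winbind/' /etc/pam.d/common-account
# NOTE(review): a stock common-auth presumably has "auth\trequired\tpam_unix.so",
# not "sufficient"; if so this pattern matches nothing and domain logins stay
# refused -- confirm the file after running.
perl -0777 -pi -e 's/auth\tsufficient\tpam_unix.so/auth\tsufficient\tpam_winbind.so\nauth\trequired\tpam_unix.so/g unless /pam_winbind/' /etc/pam.d/common-auth
# raise the max=8 limit in common-password to 50
perl -pi -e 's/max=8/max=50/g' /etc/pam.d/common-password
# create the home directory on first login of a domain user
perl -0777 -pi -e 's!session\trequired\tpam_unix.so!session\trequired\tpam_unix.so\nsession\trequired\tpam_mkhomedir.so umask=0022 skel=/etc/skel!g unless /pam_mkhomedir/' /etc/pam.d/common-session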
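# configure kerberos (interactive: answer the realm prompt with AD_DOMAIN and
# accept the DNS defaults).
# NOTE(review): if the page is pasted into a terminal instead of run as a file,
# the debconf dialog presumably swallows the pasted lines that follow it, which
# would be why "the script stops" here -- run it as a file to avoid that.
dpkg-reconfigure krb5-config
# synchronize system clock so that times match; Kerberos refuses tickets when
# the clock skew against the KDC is more than a few minutes
ntpdate "$AD_DOMAIN" || printf 'warning: ntpdate %s failed; fix the clock before joining\n' "$AD_DOMAIN" >&2
# do the join. createcomputer= is only passed when MACHINE_OU is set (you have
# a sub-OU to join); an empty DOMAIN_PASS makes net prompt for the password on
# the terminal. A password given in DOMAIN_PASS goes on the command line, where
# the process list and the shell history can expose it.
join_args=()
if [ -n "$MACHINE_OU" ]; then
  join_args+=("createcomputer=$MACHINE_OU")
fi
if [ -n "$DOMAIN_PASS" ]; then
  join_args+=("-U$DOMAIN_ADMIN%$DOMAIN_PASS")
else
  join_args+=("-U$DOMAIN_ADMIN")
fi
net ads join "${join_args[@]}" || printf 'warning: net ads join failed; domain logins will not work until it succeeds\n' >&2
# restart things so the new smb.conf is read and winbind picks up the join
/etc/init.d/samba stop
/etc/init.d/winbind stop
/etc/init.d/samba start
/etc/init.d/winbind start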

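#WIP notes on netatalk
apt-get install netatalk -y
# the original's single quotes left "$MACHINE_FQDN" unexpanded in afpd.conf;
# printf '%s' expands it, and the realm follows AD_DOMAIN instead of being
# repeated by hand. Each line is appended only if it is not already present,
# so a re-run does not stack duplicates.
afpd_line="- -transall -uamlist uams_dhx.so,uams_gss.so -k5service afpserver -k5keytab /etc/krb5.keytab -k5realm $AD_DOMAIN -fqdn $MACHINE_FQDN:548"
if ! grep -qF -- "$afpd_line" /etc/netatalk/afpd.conf 2>/dev/null; then
  printf '%s\n' "$afpd_line" >> /etc/netatalk/afpd.conf
fi
if ! grep -qx -- 'eth0' /etc/netatalk/atalkd.conf 2>/dev/null; then
  printf '%s\n' 'eth0' >> /etc/netatalk/atalkd.conf
fi
# the init script is "netatalk" (the original had a typo, "anettalk")
/etc/init.d/netatalk restart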
