Migration Script from Winbind to SSSD

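#!/bin/bash
#
# Migrate a host from Winbind to SSSD for Active Directory authentication.
#
# Order matters: winbind is disabled, krb5.conf and smb.conf are written, the
# clock is stepped (Kerberos rejects tickets once the skew passes ~5 minutes),
# the machine is joined with `net ads join`, and only then are SSSD, PAM and
# sudo configured. The PAM stack is written AFTER authconfig runs, because
# `authconfig --updateall` regenerates system-auth-ac and password-auth-ac and
# would otherwise discard the hand-written files (the original script wrote
# them first and then let authconfig overwrite them).
#
# Settings come from the environment; defaults are the values the script
# originally hard-coded.
#   AD_REALM         Kerberos realm, upper case            EXAMPLE.COM
#   AD_DOMAIN        DNS domain, lower case                AD_REALM lowercased
#   AD_WORKGROUP     NetBIOS domain name                   EXAMPLE
#   AD_SERVER        a domain controller FQDN              ad.example.com
#   NTP_SERVERS      space-separated servers for ntp.conf  time01.example.com time02.example.com
#   NTP_STEP_SERVER  host ntpdate steps the clock from     first of NTP_SERVERS
#                    (the original used a bare IP, 172.25.176.37, here)
#   JOIN_USER        account allowed to join computers     Administrator
#   JOIN_PASSWORD    password for JOIN_USER                prompted if unset;
#                    never put in argv, so it does not show up in `ps`
#
# Requires root and a SysV-init system (service/chkconfig/authconfig, as on
# RHEL/CentOS 6). Every config file that is replaced is first copied to
# <file>.pre-sssd.<timestamp>.
set -euo pipefail

AD_REALM=${AD_REALM:-EXAMPLE.COM}
AD_DOMAIN=${AD_DOMAIN:-$(printf '%s' "$AD_REALM" | tr '[:upper:]' '[:lower:]')}
AD_WORKGROUP=${AD_WORKGROUP:-EXAMPLE}
AD_SERVER=${AD_SERVER:-ad.example.com}
NTP_SERVERS=${NTP_SERVERS:-"time01.example.com time02.example.com"}
NTP_STEP_SERVER=${NTP_STEP_SERVER:-${NTP_SERVERS%% *}}
JOIN_USER=${JOIN_USER:-Administrator}
JOIN_PASSWORD=${JOIN_PASSWORD:-}
STAMP=$(date +%Y%m%d%H%M%S)
readonly AD_REALM AD_DOMAIN AD_WORKGROUP AD_SERVER NTP_SERVERS NTP_STEP_SERVER JOIN_USER STAMP

die()  { printf 'ERROR: %s\n' "$*" >&2; exit 1; }
step() { printf '\n==> %s\n' "$*"; }

#######################################
# Keep a timestamped copy of a config file before this script overwrites it.
# Arguments: $1 - path; silently does nothing when the file does not exist.
#######################################
backup() {
  local f=$1
  [[ -e "$f" ]] && cp -a -- "$f" "$f.pre-sssd.$STAMP"
  return 0
}

#######################################
# Turn winbind off in authconfig and stop/disable the service.
#######################################
disable_winbind() {
  step "Disable winbind"
  authconfig --disablewinbindauth --disablewinbind --disablekrb5 --updateall
  # Best-effort: winbind may already be stopped or not installed at all.
  service winbind stop || true
  chkconfig winbind off || true
}

#######################################
# Write /etc/krb5.conf for the AD realm (used by net ads join and SSSD).
#######################################
setup_kerberos() {
  step "Setup Kerberos"
  backup /etc/krb5.conf
  cat > /etc/krb5.conf <<EOF
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = $AD_REALM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 $AD_REALM = {
  kdc = $AD_SERVER
  admin_server = $AD_SERVER
 }

[domain_realm]
 $AD_DOMAIN = $AD_REALM
 .$AD_DOMAIN = $AD_REALM
EOF
}

#######################################
# Write a minimal member-server smb.conf; it is only needed so that
# `net ads join` can create the machine account and keytab.
#######################################
setup_samba() {
  step "Samba setup"
  backup /etc/samba/smb.conf
  cat > /etc/samba/smb.conf <<EOF
[global]
        workgroup = $AD_WORKGROUP
        # Must match krb5.conf's default_realm; Kerberos realms are upper case.
        realm = $AD_REALM
        security = ads
        server role = member server
        passdb backend = tdbsam
        # Machine account password lives in secrets.tdb and the system keytab.
        kerberos method = secrets and keytab
        client signing = yes
        client use spnego = yes
        server string = Samba Server Version %v
        # one log per client machine, rotated at 50 KB
        log file = /var/log/samba/log.%m
        max log size = 50
EOF
}

#######################################
# Install ntp, write ntp.conf from NTP_SERVERS and step the clock once now.
#######################################
sync_time() {
  step "Setup ntpd"
  # The daemon ships in the "ntp" package (there is no "ntpd" package, so the
  # original `yum install ntpd` failed); ntpdate is packaged separately.
  yum install -y ntp ntpdate

  local server_lines="" s
  # shellcheck disable=SC2086  # NTP_SERVERS is intentionally space-separated
  for s in $NTP_SERVERS; do
    server_lines+="server $s"$'\n'
  done

  backup /etc/ntp.conf
  cat > /etc/ntp.conf <<EOF
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Internal time sources (NTP_SERVERS).
$server_lines
#broadcast 192.168.1.255 autokey        # broadcast server
#broadcastclient                        # broadcast client
#broadcast 224.0.1.1 autokey            # multicast server
#multicastclient 224.0.1.1              # multicast client
#manycastserver 239.255.254.254         # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
EOF

  # Step the clock before the join: with more than ~5 minutes of skew the KDC
  # refuses the request and the join fails with an unhelpful error. ntpdate
  # needs port 123, so ntpd must not be running while it works.
  service ntpd stop || true
  printf 'clock before step: %s\n' "$(date)"
  ntpdate -s "$NTP_STEP_SERVER" || die "could not step the clock from $NTP_STEP_SERVER"
  printf 'clock after step:  %s\n' "$(date)"
  service ntpd start
  chkconfig ntpd on
}

#######################################
# Join the machine to AD. Prompts for the password when JOIN_PASSWORD is
# unset and passes it via the environment, never on the command line.
#######################################
join_domain() {
  step "Join the domain"
  if [[ -z "$JOIN_PASSWORD" ]]; then
    read -rs -p "Password for $JOIN_USER@$AD_REALM: " JOIN_PASSWORD
    printf '\n'
  fi
  [[ -n "$JOIN_PASSWORD" ]] || die "no join password given"
  # Samba's common credential parsing reads the password from the PASSWD
  # environment variable (documented in smbclient(1); `net` uses the same
  # parser). The original `-U Administrator%Password` put a domain admin
  # password in the script and in argv, where `ps` and shell history see it.
  PASSWD=$JOIN_PASSWORD net ads join "$AD_DOMAIN" -U "$JOIN_USER"
  unset JOIN_PASSWORD
}

#######################################
# Install SSSD plus the mkhomedir helper and switch authconfig over to SSSD.
#######################################
install_sssd() {
  step "Install SSSD packages"
  # oddjob-mkhomedir provides oddjobd and pam_oddjob_mkhomedir, which both the
  # PAM stack below and --enablemkhomedir depend on.
  yum install -y sssd oddjob-mkhomedir
  authconfig --enablesssd --enablesssdauth --enablemkhomedir --updateall
}

#######################################
# Write the PAM stacks. Must run after install_sssd: authconfig --updateall
# regenerates both files and would discard anything written earlier.
#######################################
write_pam() {
  step "PAM setup"
  backup /etc/pam.d/system-auth-ac
  cat > /etc/pam.d/system-auth-ac <<'EOF'
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): "nullok" on pam_unix lets local accounts with an empty
# password log in; remove it unless such accounts are intentional here.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
EOF
  backup /etc/pam.d/password-auth-ac
  cp /etc/pam.d/system-auth-ac /etc/pam.d/password-auth-ac
  chmod 644 /etc/pam.d/system-auth-ac /etc/pam.d/password-auth-ac
}

#######################################
# Write sssd.conf, lock its permissions, prepare the per-domain home root
# and start the services.
#######################################
configure_sssd() {
  step "SSSD configuration"
  backup /etc/sssd/sssd.conf
  # Domain options (id_provider, ad_server, ldap_id_mapping, ...) belong only
  # in the [domain/...] section. The original repeated them under [ssh] and
  # [sudo], which sssd's configuration parser does not accept (and also listed
  # ldap_id_mapping twice); those services need no options of their own, so
  # enabling them via "services =" is enough. override_homedir/default_shell
  # are NSS options, so they go in [nss] rather than [sssd].
  cat > /etc/sssd/sssd.conf <<EOF
[sssd]
config_file_version = 2
debug_level = 0
domains = $AD_DOMAIN
services = nss, pam, ssh, sudo

[nss]
override_homedir = /home/%d/%u
default_shell = /bin/bash

[domain/$AD_DOMAIN]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
# Permits offline logins from cached credentials:
#cache_credentials = true
# Use when DNS SRV service discovery is not working:
ad_server = $AD_SERVER
# Derive POSIX UIDs/GIDs from the objectSID (no RFC2307 attributes needed):
ldap_id_mapping = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
EOF
  # sssd refuses to start unless its config is root-owned and not group/world
  # readable.
  chown root:root /etc/sssd/sssd.conf
  chmod 600 /etc/sssd/sssd.conf

  # Parent directory for the per-user homes created by pam_oddjob_mkhomedir.
  # Others only need traverse (x) to reach their own home; listing everyone's
  # directory names is not required.
  mkdir -p "/home/$AD_DOMAIN"
  chmod 0711 "/home/$AD_DOMAIN"

  chkconfig oddjobd on
  chkconfig sssd on
  service oddjobd start || true
  service sssd start
}

#######################################
# Grant "Domain Admins" full sudo via a validated drop-in file.
#######################################
setup_sudo() {
  step "Setup sudoers"
  # A drop-in checked with visudo replaces the original `echo >> /etc/sudoers`:
  # appending is not idempotent (every run adds another rule) and a typo in
  # /etc/sudoers locks every administrator out of sudo.
  grep -Eq '^[#@]includedir[[:space:]]+/etc/sudoers.d' /etc/sudoers \
    || die "/etc/sudoers has no includedir for /etc/sudoers.d"
  local f=/etc/sudoers.d/domain-admins
  # sudo skips files whose names contain a '.', so the .tmp file is never live.
  printf '%%domain\\ admins    ALL=(ALL)   ALL\n' > "$f.tmp"
  chmod 0440 "$f.tmp"
  visudo -cqf "$f.tmp" || { rm -f -- "$f.tmp"; die "generated $f does not parse"; }
  mv -f -- "$f.tmp" "$f"
}

#######################################
# Re-step the clock on every boot before ntpd starts, via rc.local.
#######################################
persist_time_step() {
  step "Make sure the clock is stepped after every reboot"
  # NOTE(review): RHEL/CentOS 6 also ship an `ntpdate` init service driven by
  # /etc/ntp/step-tickers; that is the cleaner mechanism if it is available.
  local rc=/etc/rc.d/rc.local
  local marker="# winbind-to-sssd: step clock before ntpd"
  if [[ ! -e "$rc" ]]; then
    printf '#!/bin/bash\ntouch /var/lock/subsys/local\n' > "$rc"
  fi
  # Append once (marker-guarded) instead of replacing rc.local, so other
  # boot-time commands an administrator put there survive.
  if ! grep -qF -- "$marker" "$rc"; then
    cat >> "$rc" <<EOF
$marker
service ntpd stop
ntpdate -s $NTP_STEP_SERVER
service ntpd start
EOF
  fi
  chmod 755 "$rc"
}

main() {
  [[ $EUID -eq 0 ]] || die "this script must run as root"
  disable_winbind
  setup_kerberos
  setup_samba
  sync_time
  join_domain
  install_sssd
  write_pam
  configure_sssd
  setup_sudo
  persist_time_step
}

main "$@"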


