quatauta · December 5, 2019 09:11
diff --git a/realm-join.sh b/realm-join.sh
 #!/bin/bash
 #
 # /usr/local/bin/realm-join - Join CentOS to Active Directoy with realmd and sssd
 #
 # Options are provided to command "realm join", see 'man realm'
 #
 # - Install required packages on CentOS (realmd, sssd, crudini, redhat-lsb-core)
 # - Discover Active Directory domain/realm
 # - Configure realmd
 # - Join discovered domain/realm
 #
 # References
 # - https://outsideit.net/realmd-sssd-ad-authentication/
 # - https://derflounder.wordpress.com/2012/12/14/adding-ad-domain-groups-to-etcsudoers/

 REALMD_CONF="/etc/realmd.conf"
 PERMIT_GROUP="domain admins"
 FALLBACK_REALM="$(domainname -d)"

 _install_dependencies() {
    local DEPS=""

    [ -x "$(which realm)"       ] || DEPS="${DEPS} realmd sssd krb5-workstation"
    [ -x "$(which crudini)"     ] || DEPS="${DEPS} crudini"
    [ -x "$(which lsb_release)" ] || DEPS="${DEPS} redhat-lsb-core"

    if [ -n "${DEPS}" ] ; then
        yum install ${DEPS}
    fi
 }

 _discover_realm() {
    local FALLBACK="$1"
    local REALM="$(realm discover -n || realm discover -n "${FALLBACK_REALM}")"

    echo "Discovered realm '${REALM}'" 1>&2
    echo "${REALM}"
 }

 _join_realm() {
    local REALM="$1"
    shift

    if [ -n "${REALM}" ] ; then
        echo "Configuring realmd ..." 1>&2
        crudini --set "${REALMD_CONF}" active-directory os-name "$(lsb_release -si)"
        crudini --set "${REALMD_CONF}" active-directory os-version "$(lsb_release -sr)"
        crudini --set "${REALMD_CONF}" "${REALM}" fully-qualified-names no

        echo "Trying to join realm ${REALM} ... (specificy user account for join with '-U USERNAME')" 1>&2
        realm join "${REALM}" "${@}"
    fi
 }

 _permit() {
    local REALM="$1"
    local GROUP="$2"
    local SUDOERS="/etc/sudoers.d/${GROUP// /-}@${REALM//./_}"

    echo "Permitting login and sudo to members of group '${GROUP}@${REALM}' ... (see 'man realm' to permitt login)" 1>&2
    realm permit -R "${REALM}" -g "${GROUP}"
    echo "%${GROUP// /\\ }@${REALM}" "ALL=(ALL) ALL" >  "${SUDOERS}"
    echo "%${GROUP// /\\ }"          "ALL=(ALL) ALL" >> "${SUDOERS}"
    chmod 440 "${SUDOERS}"
 }

 _install_dependencies
 REALM="$(_discover_realm "${FALLBACK_REALM}")"
 _join_realm "${REALM}" "${@}"
 _permit "${REALM}" "${PERMIT_GROUP}"
 realm list
	#!/bin/bash
	#
	# /usr/local/bin/realm-join - Join CentOS to Active Directoy with realmd and sssd
	#
	# Options are provided to command "realm join", see 'man realm'
	#
	# - Install required packages on CentOS (realmd, sssd, crudini, redhat-lsb-core)
	# - Discover Active Directory domain/realm
	# - Configure realmd
	# - Join discovered domain/realm
	#
	# References
	# - https://outsideit.net/realmd-sssd-ad-authentication/
	# - https://derflounder.wordpress.com/2012/12/14/adding-ad-domain-groups-to-etcsudoers/

	REALMD_CONF="/etc/realmd.conf"
	PERMIT_GROUP="domain admins"
	FALLBACK_REALM="$(domainname -d)"

	_install_dependencies() {
	local DEPS=""

	[ -x "$(which realm)" ] \|\| DEPS="${DEPS} realmd sssd krb5-workstation"
	[ -x "$(which crudini)" ] \|\| DEPS="${DEPS} crudini"
	[ -x "$(which lsb_release)" ] \|\| DEPS="${DEPS} redhat-lsb-core"

	if [ -n "${DEPS}" ] ; then
	yum install ${DEPS}
	fi
	}

	_discover_realm() {
	local FALLBACK="$1"
	local REALM="$(realm discover -n \|\| realm discover -n "${FALLBACK_REALM}")"

	echo "Discovered realm '${REALM}'" 1>&2
	echo "${REALM}"
	}

	_join_realm() {
	local REALM="$1"
	shift

	if [ -n "${REALM}" ] ; then
	echo "Configuring realmd ..." 1>&2
	crudini --set "${REALMD_CONF}" active-directory os-name "$(lsb_release -si)"
	crudini --set "${REALMD_CONF}" active-directory os-version "$(lsb_release -sr)"
	crudini --set "${REALMD_CONF}" "${REALM}" fully-qualified-names no

	echo "Trying to join realm ${REALM} ... (specificy user account for join with '-U USERNAME')" 1>&2
	realm join "${REALM}" "${@}"
	fi
	}

	_permit() {
	local REALM="$1"
	local GROUP="$2"
	local SUDOERS="/etc/sudoers.d/${GROUP// /-}@${REALM//./_}"

	echo "Permitting login and sudo to members of group '${GROUP}@${REALM}' ... (see 'man realm' to permitt login)" 1>&2
	realm permit -R "${REALM}" -g "${GROUP}"
	echo "%${GROUP// /\\ }@${REALM}" "ALL=(ALL) ALL" > "${SUDOERS}"
	echo "%${GROUP// /\\ }" "ALL=(ALL) ALL" >> "${SUDOERS}"
	chmod 440 "${SUDOERS}"
	}

	_install_dependencies
	REALM="$(_discover_realm "${FALLBACK_REALM}")"
	_join_realm "${REALM}" "${@}"
	_permit "${REALM}" "${PERMIT_GROUP}"
	realm list