This script will assist in searching for, joining or leaving a Microsoft Active Directory (AD) domain.
While it is written and tested specifically for Red Hat, it should also work unchanged on Fedora or CentOS.
On a different distro such as Ubuntu it will need modifications, at the very least changing ‘yum install’ to ‘apt-get install’ (and the rpm package checks), but it has not been tested on anything other than Red Hat.
The code below assumes:
- The shell script is named ‘RedHat_JoinDomain.sh’
- The computer is connected to a network that has an AD domain controller on it
- The user (dkittell in the examples below) is at least a domain admin on the AD domain, or at minimum an account that has been delegated the right to join computers to the domain
- The AD has a user group ‘linuxsudo’ whose members are granted sudo rights
# To search for AD
bash RedHat_JoinDomain.sh search
# To Join AD
bash RedHat_JoinDomain.sh join dkittell test.com
# To Leave AD
bash RedHat_JoinDomain.sh leave dkittell test.com
#!/bin/bash
# RedHat_JoinDomain.sh
#
# Reference Sites:
# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/realmd-domain.html
#
# Created by David Kittell on 9/8/16.
#
clear
usage() {
    echo -e "Usage:\n  RedHat_JoinDomain.sh search\n  RedHat_JoinDomain.sh join <AD username> <AD domain>\n  RedHat_JoinDomain.sh leave <AD username> <AD domain>"
}
if [ -z "${1+x}" ]; then
    echo "AD Option is unset"
    usage
    exit 1
fi
case "$1" in
    "join")
        echo "AD Option is set to '$1'"
        adOption="join"
        ;;
    "leave")
        echo "AD Option is set to '$1'"
        adOption="leave"
        ;;
    "search")
        echo "AD Option is set to '$1'"
        # Pull just the realm-name values out of the discovery output, then show the full verbose lookup
        echo "Realm Name(s): $(realm discover --server-software=active-directory | grep realm-name | awk '{split($0,a,":"); print a[2]}' | tr -d '[[:space:]]')"
        echo "Realm Verbose Lookup"
        realm discover -v
        echo ""
        exit 0
        ;;
    *)
        echo "AD Option '$1' is not recognised"
        usage
        exit 1
        ;;
esac
if [ -z "${2+x}" ]; then
    echo -e "AD Username is unset\nExample: RedHat_JoinDomain.sh join dkittell test.com\nExample: RedHat_JoinDomain.sh leave dkittell test.com"
    exit 1
fi
echo "AD Username is set to '$2'"
adUsername="$2"
if [ -z "${3+x}" ]; then
    echo -e "AD Domain is unset\nExample: RedHat_JoinDomain.sh join dkittell test.com\nExample: RedHat_JoinDomain.sh leave dkittell test.com"
    exit 1
fi
echo "AD Domain is set to '$3'"
adDomain="$3"
# AD group that is granted sudo; it must exist in the domain before joining
adSudoGroup="linuxsudo"
sudoersFile="/etc/sudoers.d/ad-${adSudoGroup}"
sshdConfig="/etc/ssh/sshd_config"

if [ "$adOption" == "join" ]; then
    # Join defined AD Domain
    echo "Attempting to Join Domain $adDomain"
    # Install needed items if not already installed - Start
    # rpm -q exits non-zero when the package is absent, so yum runs only in that case
    for pkg in realmd oddjob oddjob-mkhomedir sssd adcli; do
        rpm -q "$pkg" >/dev/null 2>&1 || sudo yum -y install "$pkg"
    done
    # Install needed items if not already installed - Stop
    # Join AD Domain (prompts for the AD user's password); do not touch sshd or sudoers if it fails
    sudo realm join -v -U "$adUsername" "$adDomain" || { echo "realm join failed"; exit 1; }
    # Permit AD Users to connect. --all lets every domain user log in; to limit logins to
    # the sudo group only, use instead: sudo realm permit -g "${adSudoGroup}@${adDomain}"
    sudo realm permit -v --realm "$adDomain" --all
    # Permit AD Users to use SSH - start
    sudo cp "$sshdConfig" "${sshdConfig}.original"
    sudo grep -E 'Kerberos|GSSAPI' "$sshdConfig"
    # These patterns match the stock commented-out lines of the RHEL 7 sshd_config
    sudo sed -i "s|#KerberosAuthentication no|KerberosAuthentication yes|" "$sshdConfig"
    sudo sed -i "s|#KerberosOrLocalPasswd yes|KerberosOrLocalPasswd yes|" "$sshdConfig"
    sudo sed -i "s|#KerberosTicketCleanup yes|KerberosTicketCleanup yes|" "$sshdConfig"
    sudo sed -i "s|#KerberosGetAFSToken no|KerberosGetAFSToken no|" "$sshdConfig"
    sudo sed -i "s|#KerberosUseKuserok yes|KerberosUseKuserok yes|" "$sshdConfig"
    sudo sed -i "s|GSSAPICleanupCredentials no|GSSAPICleanupCredentials yes|" "$sshdConfig"
    # Never restart sshd with a config it rejects: that locks out every remote login
    sudo sshd -t || { echo "sshd_config failed validation, restoring backup"; sudo cp "${sshdConfig}.original" "$sshdConfig"; exit 1; }
    # Permit AD Users to use SSH - stop
    # Sudoers List - Start
    # Make sure there is a linuxsudo group in AD first. A drop-in under /etc/sudoers.d is used
    # instead of appending to /etc/sudoers: a bad line appended there breaks sudo for everyone.
    echo "%${adSudoGroup}@${adDomain} ALL=(ALL) ALL" | sudo tee "$sudoersFile" >/dev/null
    sudo chmod 0440 "$sudoersFile"
    sudo visudo -cf "$sudoersFile" || { echo "sudoers drop-in rejected by visudo, removing it"; sudo rm -f "$sudoersFile"; exit 1; }
    sudo cat "$sudoersFile"
    # Sudoers List - Stop
else
    # Leave defined AD Domain
    echo "Attempting to Leave Domain $adDomain"
    # Leave AD Domain (removes the computer account; prompts for the AD user's password)
    sudo realm leave -v -U "$adUsername" "$adDomain" || { echo "realm leave failed"; exit 1; }
    # Disable AD Users to use SSH - Start
    sudo sed -i "s|KerberosAuthentication yes|#KerberosAuthentication no|" "$sshdConfig"
    sudo sed -i "s|KerberosOrLocalPasswd yes|#KerberosOrLocalPasswd yes|" "$sshdConfig"
    sudo sed -i "s|KerberosTicketCleanup yes|#KerberosTicketCleanup yes|" "$sshdConfig"
    sudo sed -i "s|KerberosGetAFSToken no|#KerberosGetAFSToken no|" "$sshdConfig"
    sudo sed -i "s|KerberosUseKuserok yes|#KerberosUseKuserok yes|" "$sshdConfig"
    sudo sed -i "s|GSSAPICleanupCredentials yes|#GSSAPICleanupCredentials no|" "$sshdConfig"
    sudo sshd -t || { echo "sshd_config failed validation, not restarting sshd"; exit 1; }
    # Disable AD Users to use SSH - Stop
    # Sudoers List - Start
    sudo rm -f "$sudoersFile"
    # Sudoers List - Stop
fi
sudo systemctl restart sshd
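The join step edits two sensitive files, sshd_config and the sudoers configuration, with fixed sed patterns that only match the stock comment text. The helpers below are an added example, not part of the original RedHat_JoinDomain.sh: they set an sshd keyword whatever its current value, can be re-run safely, and write the AD sudo group as a 0440 drop-in file. All paths are parameters and the sample sshd_config lines at the bottom are constructed, so the block runs offline without root; the function and file names (set_sshd_option, ad-linuxsudo) are this example's own choices.

```shell
#!/bin/bash
# Added example, not part of the original RedHat_JoinDomain.sh. Helpers for the two
# config edits the join step makes. Every path is a parameter, so this runs offline
# against copies of the files; nothing here touches /etc or calls sudo.

# set_sshd_option FILE KEY VALUE
# Make "KEY VALUE" the setting in FILE: an existing "KEY ..." or "#KEY ..." line is
# rewritten in place, otherwise the line is appended. Unlike a sed on the stock
# comment text this works whatever the current value is and can be re-run safely.
# Limitations: every matching line (also inside a Match block) is rewritten, and
# VALUE must not contain sed's special characters (& and |), which yes/no never do.
set_sshd_option() {
    local file="$1" key="$2" value="$3"
    local re="^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$"
    if grep -Eq "$re" "$file"; then
        sed -E "s|${re}|${key} ${value}|" "$file" > "${file}.tmp" && mv "${file}.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY
# Print the value sshd would use: the first uncommented occurrence (sshd keywords
# are case-insensitive). Prints nothing when the keyword is not set at all.
get_sshd_option() {
    local file="$1" key="$2"
    awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$file"
}

# write_sudoers_dropin DIR GROUP DOMAIN
# Grant the AD group sudo through a drop-in file instead of appending to /etc/sudoers:
# a typo in a drop-in cannot break the main sudoers file, and sudo ignores the file
# unless its mode is 0440. Prints the path written; check it with "visudo -cf <path>".
write_sudoers_dropin() {
    local dir="$1" group="$2" domain="$3"
    local file="${dir}/ad-${group}"   # no '.' in the name: sudoers.d skips such files
    printf '%%%s@%s ALL=(ALL) ALL\n' "$group" "$domain" > "$file"
    chmod 0440 "$file"
    printf '%s\n' "$file"
}

# remove_sudoers_dropin DIR GROUP
# The leave-side counterpart: removing the file withdraws the grant.
remove_sudoers_dropin() {
    rm -f "${1}/ad-${2}"
}

# Demo on a constructed copy of the stock RHEL 7 comment lines (sample input, not a real host)
demo=$(mktemp -d)
printf '# Kerberos options\n#KerberosAuthentication no\n#KerberosUseKuserok yes\nGSSAPICleanupCredentials no\n' > "$demo/sshd_config"
set_sshd_option "$demo/sshd_config" KerberosAuthentication yes
set_sshd_option "$demo/sshd_config" GSSAPICleanupCredentials yes
set_sshd_option "$demo/sshd_config" KerberosOrLocalPasswd yes
cat "$demo/sshd_config"
cat "$(write_sudoers_dropin "$demo" linuxsudo test.com)"
rm -rf "$demo"
```

On the real host the join script would call these as `set_sshd_option /etc/ssh/sshd_config KerberosAuthentication yes` under sudo and `write_sudoers_dropin /etc/sudoers.d linuxsudo "$adDomain"`, and still run `sshd -t` and `visudo -cf` before restarting sshd.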
All information on this site is shared with the intention to help. Before any source code or program is run on a production (non-development) system it is suggested you test it and fully understand what it is doing, not just what it appears to be doing. I accept no responsibility for any damage you may do with this code.