[debian-edu-commits] r80561 - in branches/wheezy/debian-edu-config: debian share/debian-edu-config/tools

pere at alioth.debian.org pere at alioth.debian.org
Fri Jun 14 02:27:42 UTC 2013


Author: pere
Date: 2013-06-13 10:26:40 +0000 (Thu, 13 Jun 2013)
New Revision: 80561

Added:
   branches/wheezy/debian-edu-config/share/debian-edu-config/tools/setup-ad-client
Modified:
   branches/wheezy/debian-edu-config/debian/changelog
   branches/wheezy/debian-edu-config/share/debian-edu-config/tools/sssd-generate-config
Log:
New script setup-ad-client to set up a roaming workstation as an
Active Directory client and adjust sssd-generate-config to allow
this to work.

Modified: branches/wheezy/debian-edu-config/debian/changelog
===================================================================
--- branches/wheezy/debian-edu-config/debian/changelog	2013-06-13 10:25:02 UTC (rev 80560)
+++ branches/wheezy/debian-edu-config/debian/changelog	2013-06-13 10:26:40 UTC (rev 80561)
@@ -9,6 +9,9 @@
     the TLS certificate, now that it is working as it should.
   * Make sssd-generate-config more robust, to not fail when hostname
     do not understand the -d argument.
+  * New script setup-ad-client to set up a roaming workstation as a
+    Active Directory client and adjust sssd-generate-config to allow
+    this to work.
 
  -- Petter Reinholdtsen <pere at debian.org>  Thu, 13 Jun 2013 10:57:58 +0200
 

Added: branches/wheezy/debian-edu-config/share/debian-edu-config/tools/setup-ad-client
===================================================================
--- branches/wheezy/debian-edu-config/share/debian-edu-config/tools/setup-ad-client	                        (rev 0)
+++ branches/wheezy/debian-edu-config/share/debian-edu-config/tools/setup-ad-client	2013-06-13 10:26:40 UTC (rev 80561)
@@ -0,0 +1,80 @@
+#!/bin/sh
+# Based on
+# <URL: https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server >
+
+set -e
+
+# See if we can find an Active Directory LDAP server.
+lookup_ad_server() {
+    dnsdomain="$1"
+    adserver=$(host -N 2 -t SRV _ldap._tcp.$dnsdomain | grep -v NXDOMAIN | awk '{print $NF}' | head -1)
+    if [ "$adserver" ] ; then
+	echo $adserver | sed 's/\.$//'
+    fi
+}
+
+lookup_ad_realm() {
+    ldapuri="$1"
+    realm=$(ldapsearch -LLL -x -H $ldapuri. -b '' -s base ldapServiceName | grep ldapServiceName: | cut -d@ -f2)
+}
+
+bindir=$(dirname $0)
+
+# Set up roaming profile and AD connection for PAM and NSS (using sssd)
+$bindir/setup-roaming
+
+dnsdomain=$1
+adserver=$(lookup_ad_server $dnsdomain)
+ldapuri=ldap://$adserver
+realm=$(lookup_ad_realm)
+
+cat > /etc/krb5.conf <<EOF
+[logging]
+ default = FILE:/var/log/krb5libs.log
+
+[libdefaults]
+ default_realm = $realm
+ dns_lookup_realm = true
+ dns_lookup_kdc = true
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ rdns = false
+ forwardable = yes
+
+# You may also want either of:
+# allow_weak_crypto = true
+# default_tkt_enctypes = arcfour-hmac
+
+[realms]
+# Define only if DNS lookups are not working
+# $realm = {
+#  kdc = server.ad.example.com
+#  admin_server = server.ad.example.com
+# }
+
+[domain_realm]
+# Define only if DNS lookups are not working
+# .ad.example.com = $realm
+# ad.example.com = $realm
+EOF
+
+cat > /etc/samba/smb.conf <<EOF
+[global]
+   workgroup = UNKNOWN
+   client signing = yes
+   client use spnego = yes
+   kerberos method = secrets and keytab
+   log file = /var/log/samba/%m.log
+   password server = $adserver
+   realm = $realm
+   security = ads
+EOF
+
+adminaduser=Administrator
+echo
+echo "Log in as domain administrator to register machine in Active Directory"
+echo
+net ads join -U $adminaduser
+
+service sssd restart
+
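Review bot: `realm=$(lookup_ad_realm)` captures nothing: lookup_ad_realm is invoked without the `$ldapuri` argument, so its `ldapsearch -H $ldapuri.` runs against a bare `.`, and the function assigns `realm` inside the command-substitution subshell instead of printing it, so `default_realm` in /etc/krb5.conf and `realm` in smb.conf are written out empty. Neither that nor an empty `$adserver` stops the script, because the failing commands sit inside pipelines that `set -e` does not inspect, so both files are overwritten with unusable values before `net ads join` is attempted. The rewrite below makes the function print its result, passes the URI, requires the dnsdomain argument and exits before touching /etc when no server or realm was found. The server name and realm come from unauthenticated DNS SRV and anonymous LDAP answers, so a wrong answer lands in the Kerberos and Samba configuration and only the interactive `net ads join` would reveal it; a comment saying so near the lookups would help the next maintainer.
```sh
lookup_ad_realm() {
    ldapuri="$1"
    realm=$(ldapsearch -LLL -x -H "$ldapuri." -b '' -s base ldapServiceName | grep ldapServiceName: | cut -d@ -f2)
    echo "$realm"
}

# … unchanged: bindir, setup-roaming …

dnsdomain="${1:?usage: $0 dnsdomain}"
adserver=$(lookup_ad_server "$dnsdomain")
if [ -z "$adserver" ] ; then
    echo "error: no Active Directory LDAP server found for $dnsdomain" >&2
    exit 1
fi
ldapuri="ldap://$adserver"
realm=$(lookup_ad_realm "$ldapuri")
if [ -z "$realm" ] ; then
    echo "error: unable to determine Kerberos realm from $ldapuri" >&2
    exit 1
fi

# … unchanged: krb5.conf and smb.conf generation, net ads join, sssd restart …
```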


Property changes on: branches/wheezy/debian-edu-config/share/debian-edu-config/tools/setup-ad-client
___________________________________________________________________
Added: svn:executable
   + *

Modified: branches/wheezy/debian-edu-config/share/debian-edu-config/tools/sssd-generate-config
===================================================================
--- branches/wheezy/debian-edu-config/share/debian-edu-config/tools/sssd-generate-config	2013-06-13 10:25:02 UTC (rev 80560)
+++ branches/wheezy/debian-edu-config/share/debian-edu-config/tools/sssd-generate-config	2013-06-13 10:26:40 UTC (rev 80561)
@@ -66,6 +66,17 @@
     echo $realm
 }
 
+ldap_is_active_directory() {
+    ldapuri="$1"
+    # OpenLDAP do not have defaultNamingContext in the root LDAP
+    # object, while Active Directory do.
+    if ldapsearch -LLL -H "$ldapuri" -x -b '' -s base 2>/dev/null | \
+	grep -q defaultNamingContext ; then
+	true
+    else
+	false
+    fi
+}
 
 generate_config() {
     if [ "$1" ] ; then
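Review bot: The `if … then true else false fi` wrapper in ldap_is_active_directory only re-expresses the exit status of the pipeline it tests, so the function body can be the pipeline itself: `ldapsearch -LLL -H "$ldapuri" -x -b '' -s base 2>/dev/null | grep -q defaultNamingContext`. With `2>/dev/null` a connection failure or a server that rejects anonymous binds is indistinguishable from "not Active Directory", and the caller then silently generates the non-AD configuration; a comment stating that this fallback is intended, such as `# Any failure to query the root DSE is treated as "not AD"`, would make that explicit. generate_config starts at the last line of this hunk and continues outside it.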
@@ -117,9 +128,17 @@
     chpass="ldap";
 fi
 
-cat <<EOF
+if ldap_is_active_directory $ldapuri ; then
+    cat <<EOF
 
 [domain/$domain]
+ldap_id_mapping = True
+ldap_schema = ad
+EOF
+else
+    cat <<EOF
+
+[domain/$domain]
 ; Using enumerate = true leads to high load and slow response
 enumerate = false
 cache_credentials = true
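Review bot: The Active Directory branch introduced at `if ldap_is_active_directory $ldapuri ; then` emits a `[domain/$domain]` section holding only `ldap_id_mapping = True` and `ldap_schema = ad`, while the non-AD branch goes on to emit enumerate, cache_credentials and, judging from the context in the next hunk, the TLS and krb5 settings; unless the provider and ldap_uri settings for the AD case are supplied elsewhere, the AD section looks incomplete, so a comment stating where they come from would help. `$ldapuri` should also be quoted: `if ldap_is_active_directory "$ldapuri" ; then`. The `$kerberosserver` block re-indented in the following hunk is now reached only on the non-AD path, which is presumably intended since the AD server provides Kerberos itself; a one-line comment saying so would make the restructuring self-explanatory. generate_config begins before this hunk and ends in the next one.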
@@ -134,14 +153,15 @@
 ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
 EOF
 
-if [ "$kerberosserver" ] ; then
-    cat <<EOF
+    if [ "$kerberosserver" ] ; then
+	cat <<EOF
 
 krb5_server = $kerberosserver
 krb5_realm = $kerberosrealm
 krb5_changepw_principle = kadmin/changepw
 krb5_auth_timeout = 15
 EOF
+    fi
 fi
 }
 generate_config "$@"



