Univention Bugzilla – Attachment 8320 Details for
Bug 40662
Test the support for trusted domains as AD DC with Samba 4.7.11
setup_forest_trust.sh
setup_forest_trust.sh (text/x-sh), 11.81 KB, created by
Arvid Requate
on 2016-12-21 16:44:04 CET
Description:
setup_forest_trust.sh
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2016-12-21 16:44:04 CET
Size:
11.81 KB
patch
obsolete
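#!/bin/bash
#
# setup_forest_trust.sh - create a forest trust between this UCS Samba/AD DC and
# a remote AD domain, then run a few post-setup checks.
#
# Usage:
#   setup_forest_trust.sh <IP-of-AD-DC> [AD-DNS-Domain] [AD-Administrator] [AD-Password] [samba-tool options]
#
# Conventions used by the helper functions below:
#   - inputs are positional parameters
#   - return 2 on a missing/invalid argument, 1 on a failed lookup or check,
#     0 on success
#   - diagnostics go to stderr, results go to stdout

#######################################
# Check that a string looks like a DNS host or domain name (labels of letters,
# digits and hyphens, joined by dots, optional trailing dot). Values learned
# from the remote DC or typed by the user pass through this before they are
# written into BIND configuration or UCR.
# Arguments: $1 - candidate name
# Returns:   0 if acceptable, 1 otherwise
#######################################
is_dns_name() {
	local re='^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*\.?$'
	[[ "$1" =~ $re ]]
}

#######################################
# Check that a string consists only of characters that can occur in an IPv4
# or IPv6 literal (hex digits, dots, colons). Coarse, but enough to keep
# anything that is not an address out of a BIND "forwarders" statement.
# Arguments: $1 - candidate address
# Returns:   0 if acceptable, 1 otherwise
#######################################
is_ip_literal() {
	local re='^[0-9A-Fa-f.:]+$'
	[[ "$1" =~ $re ]]
}

#######################################
# Print the configured Samba trusts as tab separated lines:
#   <type> <transitive> <direction> <name>
# Lines of "samba-tool domain trust list" that do not match the expected
# format are dropped.
# Outputs:   one line per trust on stdout
#######################################
list_trusts() {
	samba-tool domain trust list \
		| sed -rn 's/Type\[([^]]+)\] +Transitive\[([^]]+)\] +Direction\[([^]]+)\] +Name\[([^]]+)\]/\1\t\2\t\3\t\4/p'
}

#######################################
# Read the clock of a remote host with rdate and compare it to the local clock.
# Arguments: $1 - host to query
# Outputs:   signed difference (remote - local) in seconds on stdout
# Returns:   0 on success, 1 if the remote time could not be read or parsed
#######################################
time_diff_to_host() {
	local remote_host="$1"
	local remote_date
	local remote_time_epoch
	local local_time_epoch

	remote_date=$(rdate -np "$remote_host") || remote_date=""
	# An empty string must not reach 'date --date=', which would quietly
	# evaluate it as "today, midnight" and produce a bogus offset.
	if [ -z "$remote_date" ]; then
		echo "ERROR: Could not read the system time of $remote_host via rdate" >&2
		return 1
	fi
	remote_time_epoch=$(date --date="$remote_date" +%s) || return 1
	local_time_epoch=$(date +%s)
	echo $(( remote_time_epoch - local_time_epoch ))
}

#######################################
# Adjust the local clock to the remote host if the clocks differ by 5 minutes
# or more (the Kerberos clock skew limit). If the remote clock is the one that
# is behind, nothing is changed and an error is reported instead.
# Arguments: $1 - host to synchronize with
# Returns:   0 if the clocks are close enough or were synchronized,
#            1 if the remote clock could not be read or is behind,
#            2 if no host was given
#######################################
sync_kerberos_time() {
	local remote_host
	local time_diff
	local abs_time_diff

	remote_host="$1"; shift
	if [ -z "$remote_host" ]; then
		return 2
	fi
	time_diff=$(time_diff_to_host "$remote_host") || return 1
	abs_time_diff=$(( time_diff < 0 ? -time_diff : time_diff ))
	if [ "$abs_time_diff" -ge 300 ]; then
		if (( time_diff < 0 )); then
			echo "ERROR: System time of $remote_host is behind. Please fix this manually." >&2
			return 1
		fi
		rdate -n "$remote_host"
	fi
}

#######################################
# Report whether the local clock is within 5 minutes of the remote host's
# clock; nothing is changed.
# Arguments: $1 - host to compare with
# Returns:   0 if within limits, 1 if not (or unreadable), 2 if no host given
#######################################
check_kerberos_time() {
	local remote_host
	local time_diff
	local abs_time_diff

	remote_host="$1"; shift
	if [ -z "$remote_host" ]; then
		return 2
	fi
	time_diff=$(time_diff_to_host "$remote_host") || return 1
	abs_time_diff=$(( time_diff < 0 ? -time_diff : time_diff ))
	if [ "$abs_time_diff" -ge 300 ]; then
		echo "ERROR: Time differnce to DC $remote_host is larger than 5 Minutes" >&2
		return 1
	fi
	return 0
}

#######################################
# Resolve a host name via dig.
# Arguments: $1 - host name
# Outputs:   the raw "dig +short" output on stdout (may span several lines
#            when the name has several records or is a CNAME)
# Returns:   0 on success, 1 if nothing was resolved, 2 on a missing or
#            option-like argument
#######################################
do_dns_lookup() {
	local host_name
	local dig_output

	host_name="$1"; shift
	# A name starting with '-' would be parsed by dig as an option.
	if [ -z "$host_name" ] || [ "${host_name#-}" != "$host_name" ]; then
		return 2
	fi

	dig_output=$(dig "$host_name" +short)
	if [ -z "$dig_output" ]; then
		echo "ERROR: DNS lookup for $host_name failed" >&2
		return 1
	fi
	echo "$dig_output"
}

#######################################
# Add a BIND forward zone for the remote AD DNS domain and restart bind9.
# The zone statement is only appended if the file does not already contain a
# zone of that name, so re-running the setup does not produce a duplicate
# zone that would stop BIND from loading its configuration.
# Arguments: $1 - remote DNS domain name
#            $2 - IP address of the remote DNS server
# Returns:   status of the bind9 restart, 2 on missing or malformed arguments
#######################################
setup_dns_proxy() {
	local remote_dns_domain_name
	local remote_dns_server_ip
	local conf=/etc/bind/local.conf.samba4

	remote_dns_domain_name="$1"; shift
	remote_dns_server_ip="$1"; shift
	if [ -z "$remote_dns_domain_name" ]; then
		return 2
	elif [ -z "$remote_dns_server_ip" ]; then
		return 2
	fi
	# Both values end up verbatim in named's configuration; refuse anything
	# that could terminate the quoted zone name or the forwarders list.
	if ! is_dns_name "$remote_dns_domain_name"; then
		echo "ERROR: $remote_dns_domain_name is not a valid DNS domain name" >&2
		return 2
	fi
	if ! is_ip_literal "$remote_dns_server_ip"; then
		echo "ERROR: $remote_dns_server_ip is not a valid IP address" >&2
		return 2
	fi

	if ! grep -qF -- "zone \"$remote_dns_domain_name\"" "$conf" 2>/dev/null; then
		cat >> "$conf" <<%EOR

zone "$remote_dns_domain_name" {
type forward;
forwarders { $remote_dns_server_ip; };
};
%EOR
	fi
	service bind9 restart
}

#######################################
# Find the name of a DC for an AD domain, via dsGetDCName first and winbind
# as a fallback.
# Arguments: $1 - AD DNS domain name
# Outputs:   DC name on stdout (empty if none was found)
# Returns:   0 if dsGetDCName found it, 1 if only winbind or nobody did,
#            2 if no domain was given
#######################################
dc_name_for_ad_domain() {
	local remote_domain_name
	local dsgetdcname_output
	local dc_name

	remote_domain_name="$1"; shift
	if [ -z "$remote_domain_name" ]; then
		return 2
	fi

	dsgetdcname_output=$(net lookup dsgetdcname "$remote_domain_name")
	dc_name=$(sed -nr "s/ +dc_unc +: '([^']+)'/\1/p" <<<"$dsgetdcname_output")
	if [ -z "$dc_name" ]; then
		echo "ERROR: dsGetDCName for domain $remote_domain_name did not find DC name" >&2
		dc_name=$(wbinfo --getdcname="$remote_domain_name")
		if [ -n "$dc_name" ]; then
			echo "INFO: wbinfo found dcname for $remote_domain_name : $dc_name" >&2
			echo "$dc_name"
			return 1  ## None the less, if DNS doesn't work, report error
		fi
		# Neither source knows a DC: do not pretend success with an empty name.
		return 1
	fi
	echo "$dc_name"
}

#######################################
# Find the IP address of a DC, via DNS first and Samba lookups as fallback.
# Arguments: $1 - DC host name
#            $2 - (optional) AD DNS domain name, used for the dsGetDCName
#                 fallback; without it that fallback is skipped
# Outputs:   IP address on stdout
# Returns:   0 if DNS resolved it, 1 if only a fallback (or nothing) did,
#            2 if no DC name was given
#######################################
dc_ip_for_dc_name() {
	local dc_name
	local remote_domain_name
	local dsgetdcname_output
	local dc_ip

	dc_name="$1"; shift
	if [ -z "$dc_name" ]; then
		return 2
	fi
	remote_domain_name="$1"

	dc_ip=$(do_dns_lookup "$dc_name")
	if [ -n "$dc_ip" ]; then
		echo "$dc_ip"
		return 0
	fi

	if [ -n "$remote_domain_name" ]; then
		dsgetdcname_output=$(net lookup dsgetdcname "$remote_domain_name")
		dc_ip=$(sed -nr "s/ +dc_address +: '\\\\\\\\([^']+)'/\1/p" <<<"$dsgetdcname_output")
	fi
	if [ -n "$dc_ip" ]; then
		echo "INFO: dsGetDCName found IP for $dc_name" >&2
		echo "$dc_ip"
		return 1  ## None the less, report error
	fi

	dc_ip=$(net lookup "$dc_name")
	if [ -n "$dc_ip" ]; then
		echo "INFO: net lookup found IP address for $dc_name" >&2
		echo "$dc_ip"
		return 1  ## None the less, report error
	fi
	return 1
}

#######################################
# Ask a DC for its NetBIOS domain name by opening an IPC$ session with
# smbclient and reading the "Domain=[...]" banner. With credentials this also
# serves as a credential check: a failed logon yields no banner and hence an
# empty result.
# Arguments: $1 - DC host name or IP
#            $2 - (optional) user name for the session
#            $3 - (optional) password; an anonymous session is used unless
#                 both user and password are given
# Outputs:   NetBIOS domain name on stdout (empty on failure)
# Returns:   2 if no DC was given, 0 otherwise
#######################################
netbios_domain_for_host() {
	local dc_name
	local dc_admin
	local dc_pwd
	local smb_output
	local netbios_domain

	dc_name="$1"; shift
	if [ -z "$dc_name" ]; then
		return 2
	fi

	dc_admin="$1"; shift
	dc_pwd="$1"; shift
	if [ -n "$dc_admin" ] && [ -n "$dc_pwd" ]; then
		# smbclient takes the password from the PASSWD environment variable;
		# unlike "-U user%password" this keeps it out of the process list.
		smb_output=$(PASSWD="$dc_pwd" smbclient -U "$dc_admin" "//$dc_name/IPC$" -c quit 2>&1)
	else
		smb_output=$(smbclient -N "//$dc_name/IPC$" -c quit 2>&1)
	fi

	netbios_domain=$(sed -nr 's/Domain=\[([^]]+)\] .*/\1/p' <<<"$smb_output")
	echo "$netbios_domain"
}

#######################################
# Check whether the remote AD already holds a trustedDomain object for this
# UCS domain (e.g. left over from an earlier, incompletely removed trust).
# Arguments: $1 - DC host name
#            $2 - admin principal used for the LDAP bind (user@domain)
#            $3 - password for that principal
# Returns:   0 if such an object exists, 1 if not (or the search failed),
#            2 on missing arguments
#######################################
ucs_trust_account_exists_on_ad_side() {
	local dc_name
	local dc_admin_principal
	local dc_pwd
	local pwfile
	local ad_base_dn
	local ucs_domain_name
	local ldif=""
	local trustedDomain_dn

	dc_name="$1"; shift
	if [ -z "$dc_name" ]; then
		return 2
	fi

	dc_admin_principal="$1"; shift
	if [ -z "$dc_admin_principal" ]; then
		return 2
	fi

	dc_pwd="$1"; shift
	if [ -z "$dc_pwd" ]; then
		return 2
	fi

	# Hand the password to ldapsearch via a private temporary file (-y)
	# rather than "-w" on the command line, where it would be readable in
	# the process list. No trailing newline: -y uses the file content as is.
	pwfile=$(umask 077 && mktemp) || return 1
	printf '%s' "$dc_pwd" > "$pwfile"

	# NOTE: this is a simple bind over plain ldap://; the credentials travel
	# unencrypted unless the DC enforces signing/TLS.
	ad_base_dn=$(ldapsearch -xLL -H "ldap://$dc_name" -b "" -s base -D"$dc_admin_principal" -y "$pwfile" defaultNamingContext | sed -n 's/^defaultNamingContext: //p')
	if [ -n "$ad_base_dn" ]; then
		ucs_domain_name=$(ucr get domainname)
		# ucs_domain_name comes from local UCR configuration and is not
		# filter-escaped; a DNS domain name contains no LDAP filter metacharacters.
		ldif=$(ldapsearch -xLL -H "ldap://$dc_name" -b "$ad_base_dn" -D"$dc_admin_principal" -y "$pwfile" "(&(objectClass=trustedDomain)(trustPartner=$ucs_domain_name))" dn)
	fi
	rm -f -- "$pwfile"

	trustedDomain_dn=$(sed -n 's/^dn: //p' <<<"$ldif")
	if [ -z "$trustedDomain_dn" ]; then
		return 1
	fi
	return 0
}

#######################################
# Report whether a trust with the given AD domain is already configured on
# this DC, and how it could be removed.
# Arguments: $1 - AD DNS domain name
#            $2 - NetBIOS name of that domain (used in the removal hint)
# Returns:   0 if a trust exists, 1 if not, 2 on missing arguments
#######################################
forest_trust_exists() {
	local dc_domain
	local netbios_domain
	local trust_type transitive trust_direction trust_dom
	local direction

	dc_domain="$1"; shift
	if [ -z "$dc_domain" ]; then
		return 2
	fi

	netbios_domain="$1"; shift
	if [ -z "$netbios_domain" ]; then
		return 2
	fi

	while IFS=$'\t' read -r trust_type transitive trust_direction trust_dom; do
		if [ "$dc_domain" != "$trust_dom" ]; then
			continue
		fi
		direction="${trust_direction,,}"
		direction="${direction/both/bidirectional}"
		case "$transitive" in
			Yes)
				transitive="transitive"
				;;
			No)
				transitive="non-transitive"
				;;
		esac
		echo "INFO: There already is a $transitive $direction ${trust_type,,} trust with $trust_dom" 1>&2
		echo "INFO: Can be deleted with samba-tool domain trust delete $dc_domain -U$netbios_domain\\\\Administrator"
		return 0
	done < <(list_trusts)
	return 1
}

#######################################
# If the remote AD still holds a trustedDomain object for this UCS domain,
# offer to delete it (interactive prompt).
# Arguments: $1 - DC host name
#            $2 - AD DNS domain name
#            $3 - NetBIOS name of the AD domain
#            $4 - AD admin user name
#            $5 - AD admin password
# Returns:   0 if there was nothing to remove or removal succeeded,
#            1 if the user declined or removal failed, 2 on missing arguments
#######################################
cleanup_orphaned_trust_account_on_ad_side() {
	local dc_name
	local dc_domain
	local netbios_domain
	local dc_admin
	local dc_pwd
	local ucs_domain_name

	dc_name="$1"; shift
	if [ -z "$dc_name" ]; then
		return 2
	fi

	dc_domain="$1"; shift
	if [ -z "$dc_domain" ]; then
		return 2
	fi

	netbios_domain="$1"; shift
	if [ -z "$netbios_domain" ]; then
		return 2
	fi

	dc_admin="$1"; shift
	if [ -z "$dc_admin" ]; then
		return 2
	fi

	dc_pwd="$1"; shift
	if [ -z "$dc_pwd" ]; then
		return 2
	fi

	if ! ucs_trust_account_exists_on_ad_side "$dc_name" "$dc_admin@$dc_domain" "$dc_pwd"; then
		return 0
	fi

	echo "INFO: There is a TDO in AD LDAP of $dc_domain" 1>&2
	read -r -p "Remove? [yN] "
	if [ "${REPLY^^}" != "Y" ]; then
		return 1
	fi

	ucs_domain_name=$(ucr get domainname)
	# samba-tool offers no stdin/file alternative for --local-dc-password,
	# so the password is visible in the process list while this runs.
	if ! samba-tool domain trust delete "$ucs_domain_name" --local-dc-ipaddress="$dc_name" --delete-location=local --local-dc-username="$netbios_domain\\$dc_admin" --local-dc-password="$dc_pwd"; then
		echo "removal failed"
		return 1
	fi
	read -r -s -p "Removal succeeded. Hit return to continue."
	return 0
}

#######################################
# Run connectivity, clock and trust-validation checks for the trust with the
# given AD domain. Diagnostics are printed; the function itself carries no
# pass/fail status beyond argument validation.
# Arguments: $1 - AD DNS domain name to check
# Returns:   2 if no domain was given, otherwise the status of the last check
#######################################
check_forest_trust() {
	local dc_domain_to_check
	local trust_type transitive trust_direction trust_dom
	local direction
	local dsgetdcname_output
	local dc_name
	local dc_ip

	dc_domain_to_check="$1"; shift
	if [ -z "$dc_domain_to_check" ]; then
		return 2
	fi

	while IFS=$'\t' read -r trust_type transitive trust_direction trust_dom; do
		if [ "$dc_domain_to_check" != "$trust_dom" ]; then
			continue
		fi
		direction="${trust_direction,,}"
		direction="${direction/both/bidirectional}"
		case "$transitive" in
			Yes)
				transitive="transitive"
				;;
			No)
				transitive="non-transitive"
				;;
		esac
		echo "INFO: Checking $transitive $direction ${trust_type,,} trust with $trust_dom"
		dsgetdcname_output=$(net lookup dsgetdcname "$trust_dom")
		# NOTE(review): dc_unc is used verbatim; if it carries a leading
		# "\\" prefix like dc_address does, the DNS lookup below sees it too.
		dc_name=$(sed -nr "s/ +dc_unc +: '([^']+)'/\1/p" <<<"$dsgetdcname_output")
		if [ -z "$dc_name" ]; then
			echo "ERROR: dsGetDCName for domain $trust_dom did not find DC name" >&2
			dc_name=$(wbinfo --getdcname="$trust_dom")
			if [ -n "$dc_name" ]; then
				echo "INFO: wbinfo found dcname for $trust_dom : $dc_name" >&2
			else
				continue
			fi
		fi

		dc_ip=$(do_dns_lookup "$dc_name")
		if [ -z "$dc_ip" ]; then
			dc_ip=$(sed -nr "s/ +dc_address +: '\\\\\\\\([^']+)'/\1/p" <<<"$dsgetdcname_output")
			if [ -n "$dc_ip" ]; then
				echo "INFO: dsGetDCName found IP for $dc_name" >&2
			else
				dc_ip=$(net lookup "$dc_name")
				if [ -n "$dc_ip" ]; then
					echo "INFO: net lookup found IP address for $dc_name" >&2
				fi
			fi
			if [ -z "$dc_ip" ]; then
				continue
			fi
		fi

		wbinfo --ping-dc --domain="$trust_dom"
		wbinfo --check-secret --domain="$trust_dom"

		if [ "$trust_type" = 'Forest' ]; then
			check_kerberos_time "$dc_ip"
		fi

		case "$trust_direction" in
			BOTH|OUTGOING)
				# Only the exit status matters; the tool's own output is dropped.
				if samba-tool domain trust validate --validate-location=local "$trust_dom" >/dev/null; then
					echo "INFO: local domain trust validation succeeded for $trust_dom" >&2
				else
					echo "ERROR: local domain trust validation did not succeed" >&2
				fi
				;;
			*)
				;;
		esac
	done < <(list_trusts)
}

#######################################
# Main workflow: discover the remote DC, collect credentials, make sure name
# resolution, clock and RPC work, remove stale trust objects, create the
# forest trust and run the post-setup checks.
# Arguments: $1 - IP address of the remote AD DC (required)
#            $2 - AD DNS domain name (optional, else read from the DC's rootDSE
#                 or prompted for)
#            $3 - AD administrator name (optional, else prompted for)
#            $4 - AD administrator password (optional, else prompted for)
#            remaining non-option arguments are not consumed; anything starting
#            with '-' is passed on to "samba-tool domain trust create"
# Returns:   0 on success, 1 on any failed step, 2 if no IP was given
#######################################
setup_forest_trust() {
	local dc_name
	local dc_ip
	local dc_domain
	local dc_admin
	local dc_pwd
	local netbios_domain

	dc_ip="$1"; shift
	if [ -z "$dc_ip" ]; then
		return 2
	fi
	echo "Checking $dc_ip ..."

	# Anonymous rootDSE read; the DC tells us its own FQDN.
	dc_name=$(ldapsearch -xLLL -H "ldap://$dc_ip/" -b '' -s base dnsHostName | sed -n 's/dnsHostName: //p')
	if [ -z "$dc_name" ]; then
		return 1
	fi
	# The name is later written to BIND/UCR configuration, so it must be a
	# plain DNS name even though it was supplied by the remote side.
	if ! is_dns_name "$dc_name"; then
		echo "ERROR: DC $dc_ip reported an invalid host name: $dc_name" >&2
		return 1
	fi

	# Positional argument 2 is the domain unless it looks like an option.
	if [ -n "$1" ] && [ "${1#-}" = "$1" ]; then
		dc_domain="$1"; shift
	else
		# ldapServiceName is "<dns domain>:<service>@<realm>".
		dc_domain=$(ldapsearch -xLLL -H "ldap://$dc_ip/" -b '' -s base ldapServiceName | sed -n 's/ldapServiceName: //p' | sed -n 's/:.*//p')
	fi
	if [ -z "$dc_domain" ]; then
		echo "ERROR: Domain lookup via LDAP failed, please specify the remote AD domain name" >&2
		read -r -p "AD domain name: " dc_domain
	fi
	if [ -z "$dc_domain" ]; then
		echo "ERROR: AD domain required." >&2
		return 1
	fi
	if ! is_dns_name "$dc_domain"; then
		echo "ERROR: $dc_domain is not a valid DNS domain name" >&2
		return 1
	fi

	if [ -n "$1" ] && [ "${1#-}" = "$1" ]; then
		dc_admin="$1"; shift
	fi

	if [ -n "$1" ] && [ "${1#-}" = "$1" ]; then
		dc_pwd="$1"; shift
	else
		dc_admin=""  ## just ask
	fi

	netbios_domain=$(netbios_domain_for_host "$dc_ip")
	if [ -z "$netbios_domain" ]; then
		echo "ERROR: Netbios name lookup failed for $dc_domain" >&2
		return 1
	fi

	forest_trust_exists "$dc_domain" "$netbios_domain" && return 1

	if [ -z "$dc_admin" ]; then
		read -r -p "$dc_domain Domain Admin account name: " dc_admin
	fi
	if [ -z "$dc_admin" ]; then
		echo "ERROR: Administrator name required" >&2
		return 1
	fi

	if [ -z "$dc_pwd" ]; then
		read -r -s -p "$dc_domain Domain Admin password: " dc_pwd && echo
	fi
	if [ -z "$dc_pwd" ]; then
		echo "ERROR: Administrator password required" >&2
		return 1
	fi

	if ! host "$dc_name" > /dev/null; then
		echo "Setting up DNS-Forwarding for $dc_domain to $dc_ip"
		setup_dns_proxy "$dc_domain" "$dc_ip"
		sleep 3
		ucr set "hosts/static/$dc_ip=$dc_name"  # to be safe
	fi

	dc_ip=$(do_dns_lookup "$dc_name") || return 1
	if [ -z "$dc_ip" ]; then
		return 1
	fi

	echo "Synchronizing system clock with $dc_ip"
	sync_kerberos_time "$dc_ip"

	echo "Checking RPC and NETBIOS name resolution for $dc_name ..."
	if ! net lookup dsgetdcname "$dc_domain" >/dev/null; then
		echo "ERROR: dsGetDCName failed for $dc_domain" >&2
		return 1
	fi

	# Authenticated session: doubles as the credential check.
	netbios_domain=$(netbios_domain_for_host "$dc_name" "$netbios_domain\\$dc_admin" "$dc_pwd")
	if [ -z "$netbios_domain" ]; then
		echo "ERROR: Credential check failed." >&2
		return 1
	fi

	echo "Checking for existing orphaned trust domain objects for this domain in $dc_name LDAP ..."
	cleanup_orphaned_trust_account_on_ad_side "$dc_name" "$dc_domain" "$netbios_domain" "$dc_admin" "$dc_pwd" || return 1

	echo "Setting up trust"
	service samba stop
	service samba start
	sleep 3

	# The password is part of the -U argument and therefore visible in the
	# process list for the duration of this command.
	samba-tool domain trust create "$dc_domain" \
		-k no -U"$netbios_domain\\$dc_admin%$dc_pwd" \
		--type=forest "$@" || return 1

	echo -e "\n\nSetup completed, check:\n"
	check_forest_trust "$dc_domain"

	echo ""
	samba-tool domain trust list
}

case "$1" in
	''|-h*|--help*)
		# "[AD-DNS-Domain]" must be inside the quotes: unquoted it is a glob
		# pattern and would be replaced by any matching file name in the cwd.
		echo "usage: $0 <IP-of-AD-DC> [AD-DNS-Domain]"
		echo "extended usage example: $0 <IP-of-AD-DC> <AD-DNS-Domain> <AD-Administrator> <AD-Password> --not-transitive"
		exit 2
		;;
esac
setup_forest_trust "$@" || exit 1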