diff options
Diffstat (limited to 'templates/configure_active_directory.erb')
-rw-r--r-- | templates/configure_active_directory.erb | 142 |
1 files changed, 142 insertions, 0 deletions
diff --git a/templates/configure_active_directory.erb b/templates/configure_active_directory.erb new file mode 100644 index 0000000..35ba86f --- /dev/null +++ b/templates/configure_active_directory.erb @@ -0,0 +1,142 @@ +#!/bin/bash + +# This script can cause a host to join or leave +# the Windows Active Directory domain + +# variables +# +# specify a timeout for domain operations +seconds=300 +# +# post_join_delay seems to be necessary after joing domain +post_join_delay=30 +# + +PROG=$(basename $0) + +function usage () { + cat >&2 <<- EOF + Usage: $PROG -[hjl] + -h help + -j join the domain + -l leave the domain + Return code indicates success (0) or failure. + EOF +} + +# kinit and klist path depend on krb5 release +export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/kerberos/bin + +NET=$(which net) +if ! [ -x "$NET" ]; then + echo "ERROR: net command is missing or not executable." >&2 + exit 1 +fi + +EXPECT=$(which expect) +if ! [ -x "$EXPECT" ]; then + echo "ERROR: cannot run expect" >&2 + exit 1 +fi + +if [ $# -eq 0 ]; then + usage + exit 2 +fi + +while getopts "hjlq" option +do + case $option in + h ) usage; exit 0;; + j ) action="join";; + l ) action="leave";; + * ) usage; exit 2;; + esac +done + +password="<%= scope.lookupvar('samba::server::ads::winbind_pass') -%>" + +# short hostname from facter +my_hostname="<%= hostname -%>" + +# what account do we use for net ads commands? +winbind_acct="<%= scope.lookupvar('samba::server::ads::winbind_acct') -%>" + +# which realm will we be joining? +my_realm="<%= scope.lookupvar('samba::server::ads::realm') -%>" + +# where should we create computer accounts? +target_ou="<%= scope.lookupvar('samba::server::ads::target_ou') -%>" + +echo "Please do not kill me; I may be slow" >&2 + +#TODO, need write time check check_kdc_time +#if ! /bin/check_kdc_time; then +# echo "ERROR: time offset too large to manipulate domain" >&2 +# exit 1 +#else +# echo "INFO: time offset seems ok" >&2 +#fi + +if [ "$action" = "leave" ]; then + logger -st $PROG "Leaving AD domain" + $NET ads $action -U ${winbind_acct}%${password} | grep Deleted && success=true || success=false + kdestroy + rm -f /etc/krb5.keytab + if [ $success = "true" ]; then + logger -st $PROG "Left AD domain" + else + logger -st $PROG "Failed to leave AD domain" + fi +fi + +ad_settle() { + ( + echo -n "Waiting $post_join_delay seconds" + for x in $(seq 1 $post_join_delay); do + echo -n "." + sleep 1 + done + echo + ) >&2 +} + +# ldapmodify _does_ use the env var for sasl bind +export KRB5CCNAME=$(umask 0077; mktemp -q winbind_cache.XXXXXXXX) + +if [ "$action" = "join" ]; then + logger -st $PROG "Joining AD domain" >&2 + $NET ads $action -U ${winbind_acct}%${password} createcomputer="${target_ou}"\ + | grep Joined && success=true || success=false + +if [ $success = "false" ]; then + echo ERROR: failed to join domain >&2 + exit 2 +fi + +max_attempts=5 +for attempt in $(seq 1 $max_attempts); do + echo "$attempt of $max_attempts:" + ad_settle + echo "Getting TGT for ${winbind_acct}@${my_realm}" >&2 + $EXPECT -c "spawn -noecho kinit -c $KRB5CCNAME ${winbind_acct}@${my_realm}; + expect :; + send ${password}\n; + expect eof" + klist -c $KRB5CCNAME &> /dev/null && break +done + +if [ $(wbinfo -u|wc -l) != 0 ]; then + success=true +else + echo "ERROR: return user list from AD is empty" >&2 + success=false +fi + +# get rid of cred cache +kdestroy -c $KRB5CCNAME &> /dev/null +rm -f $KRB5CCNAME &> /dev/null || : + +fi + +[ "$success" = "true" ] && exit 0 || exit 1 |