@barukasu
Last active April 20, 2022 20:26
univention centos login authentication
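#!/bin/bash
#
# This script will allow your linux desktop to join a Univention Server domain
# This will allow you connect to an LDAP,Kerberos,Samba server
# This was tested on Centos7.5 logging into Univention Server, but might work for other servers too
#
# https://www.univention.com/
#
# this script was made following this website post
# https://help.univention.com/t/member-server-kerberos-user-authentication/4516/4
#
# Must be run as root: it installs packages and writes files under /etc.
# It needs ssh access as root to the domain controller (password prompted twice).
#
# User Edit Section
#
# Set IP of Domain-Controller (also used as the Kerberos KDC address below)
MASTER_IP=10.10.53.10 # LDAP Server IP
ldap_master=mydomain.com # my DNS to the ldap
ldap_base="dc=mydomain,dc=com"
hostname=$(hostname) # set the hostname you want to register with Univention
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# the rest of this script should just work by itself.
# for an explanation of what this script is doing, go to https://docs.software-univention.de/domain-4.1.html#ext-dom-ubuntu

# Stop at the first failed command or unset variable, so a failed ssh/wget step
# cannot leave a half-written sssd.conf behind.  pipefail is deliberately NOT
# set: the password generator below ends in `head -c`, which terminates `tr`
# with SIGPIPE and would be reported as a pipeline failure.
set -eu

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "this script must be run as root"

# Step 0
# install all necessary packages (-y: no interactive prompt, same as step 2)
yum install -y sssd sssd-tools sssd-ldap openldap-clients authconfig
echo " Variables set: going to step 1"
# step 1
# integration into the LDAP directory and SSL certificate authority
echo " Attempting to connect to the LDAP server to obtain certificate"
echo " Please enter the password for the root user to the LDAP Server (for copying certs)"
echo " ssh root@${MASTER_IP} [enter password]"
mkdir -p /etc/univention
ssh -n "root@${MASTER_IP}" 'ucr shell | grep -v ^hostname=' >/etc/univention/ucr_master
echo "master_ip=${MASTER_IP}" >>/etc/univention/ucr_master
chmod 660 /etc/univention/ucr_master
# The file sourced here is shell code produced by the domain controller; it
# supplies $kerberos_realm used in sssd.conf below.  Only run this against a
# DC you already trust (it becomes your authentication authority anyway).
# shellcheck disable=SC1091
. /etc/univention/ucr_master
# add the ldap dns and ip into /etc/hosts (skip if already present, so the
# script can be re-run without duplicating the entry)
grep -qF -- "${MASTER_IP} ${ldap_master}" /etc/hosts ||
  echo "${MASTER_IP} ${ldap_master}" >>/etc/hosts
echo " step1: complete"
echo ""
echo " step2: starting"
# step 2
# Create account on the server to Gain read access
# NOTE(review): the CA certificate is fetched over plain HTTP, so nothing
# authenticates it.  Compare its fingerprint with the copy on the DC
# (e.g. `openssl x509 -noout -fingerprint -in CAcert.pem` on both sides)
# before relying on it for TLS.
mkdir -p /etc/openldap/cacerts
wget -O /etc/openldap/cacerts/CAcert.pem \
  "http://${ldap_master}/ucs-root-ca.crt"
# Create an account and save the password
yum install -y sssd redhat-lsb-core authconfig-gtk
password="$(tr -dc A-Za-z0-9_ </dev/urandom | head -c20)"
echo " ssh root@${ldap_master} [enter password]"
# NOTE(review): the machine password travels in the remote command line and
# is therefore visible in `ps` on the DC while udm runs.
ssh -n "root@${ldap_master}" udm computers/linux create \
  --position "cn=computers,${ldap_base}" \
  --set name="${hostname}" --set password="${password}" \
  --set operatingSystem="$(lsb_release -is)" \
  --set operatingSystemVersion="$(lsb_release -rs)"
# Create the secret with a restrictive mode from the start instead of
# creating it world-readable and chmod'ing afterwards.
(
  umask 077
  printf '%s' "$password" >/etc/ldap.secret
)
chmod 0400 /etc/ldap.secret
echo "step2: complete"
echo ""
echo "step3: starting"
# Step 3
# Create ldap.conf locally
cat >/etc/openldap/ldap.conf <<__EOF__
TLS_CACERT /etc/openldap/cacerts/CAcert.pem
URI ldap://$ldap_master:7389
BASE $ldap_base
__EOF__
echo "step3:complete"
echo ""
echo "step4: starting"
# sssd
# $kerberos_realm comes from the sourced ucr_master file; with `set -u` the
# script aborts here rather than writing an empty domain name.
# krb5_kdcip uses MASTER_IP (the domain controller), not a hard-coded address.
# NOTE(review): `ldap_tls_reqcert = never` disables verification of the LDAP
# server certificate even though the CA is configured; switch it to `demand`
# once the CA fingerprint has been confirmed.
# Written under umask 077 so the embedded bind password is never readable by
# other users, not even briefly before the chmod.
(
  umask 077
  cat >/etc/sssd/sssd.conf <<___EOF___
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam, sudo
domains = $kerberos_realm
[nss]
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/$kerberos_realm]
auth_provider = krb5
krb5_kdcip = ${MASTER_IP}
krb5_realm = ${ldap_master}
krb5_server = ldap.${ldap_master}
krb5_kpasswd = ldap.${ldap_master}
id_provider = ldap
ldap_uri = ldap://ldap.${ldap_master}:7389
ldap_search_base = ${ldap_base}
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/openldap/cacerts/CAcert.pem
cache_credentials = true
enumerate = true
ldap_default_bind_dn = cn=${hostname},cn=computers,${ldap_base}
ldap_default_authtok_type = password
ldap_default_authtok = ${password}
___EOF___
)
chmod 600 /etc/sssd/sssd.conf
echo "step4: complete"
systemctl start sssd
# LAST STEP !!
# this will launch the authconfig gui with stuff filled in already. Please verify the settings and click apply to actually join
# the workstation to the Univention server
# launch authconfig gui
authconfig-gtk
# once the gui loads, click apply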
@Atlas780

Atlas780 commented Oct 4, 2019

I have a question about line 102: krb5_kdcip = 10.51.96.10

What is this IP exactly? Does it have to be exchanged?

@Rostand76

Yes, you can change it!
It is the IP of the Univention server.
Change it to the IP of your own Univention server.
