linux_wiki:freeipa_client_enroll


linux_wiki:freeipa_client_enroll [2018/06/02 23:19]
billdozor [FreeIPA Client Enroll]
linux_wiki:freeipa_client_enroll [2019/05/25 23:50]
-====== FreeIPA Client Enroll ====== 
- 
-**General Information** 
- 
-Enrolling a new client with FreeIPA servers.  
- 
-**Checklist** 
-  * Distro(s): Enterprise Linux 6/7 
-  * Other: [[http://www.unixmen.com/configure-freeipa-server-centos-7/|FreeIPA Server Installed]] 
- 
----- 
- 
-====== The Script ====== 
- 
-<code bash ipa-enroll-client.sh> 
-#!/bin/bash 
-# Name: ipa-enroll-client.sh 
-# Description: Sets up a system with sssd and configures to point to IPA servers 
-# Last Updated: 12/28/2016 
-# Recent Changes:-Copied from ldap migrate script for a base. Minor formatting. 
-################################################################################### 
- 
-##### Customize These Variables ##### 
- 
-# Domain Name 
-domain_name="example.com" 
- 
-# IPA Servers 
-ipa_server1="ipaserver01.${domain_name}" 
-ipa_server2="ipaserver02.${domain_name}" 
- 
-# User with permissions to enroll/admin hosts into realm 
-# For security purposes, this account should not be able to login to any systems 
-enroll_user="enrolladmin" 
- 
-# Password of Enroll User 
-enroll_pw="enroll-secret-here" 
- 
-##### End of Customize Variables ##### 
- 
-#### Functions Here: Main Starts After #### 
-function check_os_type 
-{ 
-  if [ -f /etc/system-release-cpe ];then 
-    distro=$(awk -F: '{printf "%s", $3}' /etc/system-release-cpe) 
-    major_version=$(awk -F: '{printf "%d", $5}' /etc/system-release-cpe) 
-  elif [ -f /etc/redhat-release ];then 
-    distro=$(awk '{printf "%s", $1}' /etc/redhat-release) 
-    major_version=$(awk -F. '{print $1}' /etc/redhat-release | awk '{printf "%d", $3}') 
-  fi 
-} 
- 
-function show_usage 
-{ 
-  echo -e "\n==== IPA: Enroll a Client with the IPA Domain ====" 
-  echo -e "\nDescripton: Sets up a system with sssd and configures to point to IPA servers." 
-  echo -e "\n--Usage--" 
-  echo -e "-h                    => Display usage." 
-  echo -e "-i                    => Interactive Mode (Unattended is default)." 
-  echo -e "\n--Other Requirements--" 
-  echo -e "-> FreeIPA admin access for interactive mode." 
-  echo -e 
-} 
- 
-#### End of Functions #### 
- 
-#======================= 
-# Get Script Arguments 
-#======================= 
-# Reset POSIX variable in case it has been used previously in this shell 
-OPTIND=1 
- 
-#Default Settings 
-interactive="no" 
- 
-while getopts "hi" opt; do 
-  case "${opt}" in 
-    h) # -h (help) argument 
-      show_usage 
-      exit 0 
-    ;; 
-    i) # -i (interactive) argument 
-      interactive="yes" 
-    ;; 
-    *) # invalid argument 
-      show_usage 
-      exit 0 
-    ;; 
-  esac 
-done 
- 
-#================== 
-# Main Starts Here 
-#================== 
- 
-# Pre-checks 
-check_os_type 
- 
-#============================================================== 
-# Confirm running the script 
-#============================================================== 
-echo -e "==============================================" 
-echo -e "####======== IPA: Enroll Client  =========####" 
-echo -e "==============================================" 
-echo 
-echo -e "Warning: This script will disable nscd/nslcd, install sssd, and set LDAP authentication to IPA servers." 
-echo -e "Detected Distro: ${distro} ${major_version}" 
-if [[ ${interactive} == "no" ]]; then 
-  echo -e "Mode: Unattended" 
-else 
-  echo -e "Mode: Interactive" 
-fi 
-echo -e "\n=>Continue?[y/n]:\c" 
-read run_script 
- 
-if [[ ${run_script} != "y" ]]; then 
-  echo -e "\n>>Will not run the IPA Enroll Client script. Exiting..." 
-  exit 1 
-fi 
- 
-echo -e "\n>>Installing the ipa-client..." 
-yum -y install ipa-client 
- 
-echo -e "\n>>Configuring IPA authentication..." 
-case ${major_version} in 
-  "7") 
-    if [[ ${interactive} == "no" ]]; then 
-      ## Unattended ## 
-      ipa-client-install --domain=${domain_name} --server=${ipa_server1} --server=${ipa_server2} --mkhomedir --no-dns-sshfp --fixed-primary --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --principal ${enroll_user} --password=${enroll_pw} --unattended --force-join 
-    else 
-      ## Interactive ## 
-      ipa-client-install --domain=${domain_name} --server=${ipa_server1} --server=${ipa_server2} --mkhomedir --no-dns-sshfp --fixed-primary --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --force-join 
-    fi 
-  ;; 
-  "6") 
-    if [[ ${interactive} == "no" ]]; then 
-      ## Unattended ## 
-      ipa-client-install --domain=${domain_name} --server=${ipa_server2} --server=${ipa_server1} --mkhomedir --no-dns-sshfp --fixed-primary --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --principal ${enroll_user} --password=${enroll_pw} --unattended --force-join 
-    else 
-      ## Interactive ## 
-      ipa-client-install --domain=${domain_name} --server=${ipa_server2} --server=${ipa_server1} --mkhomedir --no-dns-sshfp --fixed-primary --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --force-join 
-    fi 
-  ;; 
-  "5") 
-    if [[ ${interactive} == "no" ]]; then 
-      ## Unattended ## 
-      ipa-client-install --domain=${domain_name} --server=${ipa_server1} --server=${ipa_server2} --mkhomedir --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --principal ${enroll_user} --password=${enroll_pw} --unattended --force-join 
-    else 
-      ## Interactive ## 
-      ipa-client-install --domain=${domain_name} --server=${ipa_server1} --server=${ipa_server2} --mkhomedir --hostname=$(hostname | sed "s/.${domain_name}//" | tr '[:upper:]' '[:lower:]').${domain_name} --no-ntp --force-join 
-    fi 
-  ;; 
-esac 
- 
-echo -e "\n>>Redeploying sshd config (ipa-client-install changed it)..." 
-rhncfg-client get /etc/ssh/sshd_config 
- 
-echo -e "\n>>Restarting sshd..." 
-case ${major_version} in 
-  "7") 
-    systemctl restart sshd 
-  ;; 
-"6"|"5") 
-    service sshd restart 
-  ;; 
-esac 
- 
-echo -e "\n>>Disabling nscd/nslcd..." 
-case ${major_version} in 
-  "7") 
-    systemctl stop nslcd 
-    systemctl stop nscd 
-    systemctl disable nslcd 
-    systemctl disable nscd 
-  ;; 
-  "6") 
-    service nslcd stop 
-    service nscd stop 
-    chkconfig nslcd off 
-    chkconfig nscd off 
-  ;; 
-  "5") 
-    service nscd stop 
-    chkconfig nscd off 
-  ;; 
-esac 
- 
-echo -e "\n>>Disabling ldap identification, ldap auth, and force legacy (sssd used instead)..." 
-case ${major_version} in 
-  "7"|"6") 
-    authconfig --disableldap --disableldapauth --disableforcelegacy --update 
-  ;; 
-  "5") 
-    authconfig --disableldap --disableldapauth --update 
-  ;; 
-esac 
- 
-echo -e "\n>>Restarting sssd..." 
-case ${major_version} in 
-  "7") 
-    systemctl restart sssd 
-  ;; 
-  "6"|"5") 
-    service sssd restart 
-  ;; 
-esac 
- 
-echo -e "\n>>Starting and enabling oddjobd..." 
-case ${major_version} in 
-  "7") 
-    systemctl start oddjobd 
-    systemctl enable oddjobd 
-  ;; 
-  "6") 
-    service messagebus start 
-    service oddjobd start 
-    chkconfig messagebus on 
-    chkconfig oddjobd on 
-  ;; 
-  "5") 
-    service messagebus start 
-    service oddjobd start 
-    chkconfig messagebus on 
-    chkconfig oddjobd on 
-  ;; 
-esac 
- 
-if [[ ${major_version} == "6" ]]; then 
- 
-  echo -e "\n>>Checking for sssd.conf client idle timeout. (fix for EL6 cron bug)..." 
- 
-  if [[ $(grep client_idle_timeout /etc/sssd/sssd.conf) ]]; then 
-    echo -e "->Client idle timeout found in sssd.conf, will not append" 
-  else 
-    echo -e "\n->Adding client idle timeout to sssd.conf (fix for EL6 cron bug)..." 
-    sed -i '/services = nss, sudo, pam, ssh/ a\client_idle_timeout=75' /etc/sssd/sssd.conf 
-    service sssd restart 
-    service crond restart 
-  fi 
- 
-fi 
- 
-echo -e "\n=============================================" 
-echo -e "####==== IPA: Enroll Client Complete ====####" 
-echo -e "=============================================" 
-</code> 
- 
----- 
  