Automating Linux Active Directory Integration with a Shell Script

Integrating Linux servers with Microsoft Active Directory (AD) is a standard requirement in enterprise environments. While manual configuration works, it becomes inefficient and error-prone when managing multiple servers.
This post explains how to automate Linux–AD integration using a single Bash script, covering installation, configuration, domain joining, access control, and sudo permissions.

Why Use a Script?
Automating AD integration provides:
  • Consistent configuration across servers
  • Faster provisioning
  • Reduced human error
  • Easy reuse for new environments
  • Improved operational reliability
What the Script Accomplishes
The script performs the following:
  • Installs required AD integration packages
  • Configures DNS resolution
  • Updates /etc/hosts
  • Configures Kerberos encryption policies
  • Enables SSSD and automatic home directory creation
  • Joins the Linux system to Active Directory
  • Restricts login access to a specific AD group
  • Configures SSSD securely
  • Grants sudo access to an AD group
  • Restarts required services
Prerequisites
Before running the script, ensure:
  • You are logged in as root
  • The system can reach the AD Domain Controller
  • Correct DNS and domain information is available
  • The AD group unix_admin exists
  • You have AD administrator credentials
Complete AD Integration Script
Save the following script as ad_join.sh:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
#  Author      : adminCtrlX
#  Description : Automates Linux Active Directory integration on server.
#                - Installs required packages
#                - Configures DNS, Kerberos, and SSSD
#                - Joins the system to Active Directory
#                - Restricts access to an AD group
#                - Configures sudo using /etc/sudoers
#  Usage       : ./ad_join.sh

set -e

### VARIABLES ###
DOMAIN="ppc.com"
REALM="PPC.COM"
AD_SERVER_FQDN="inddcpads01.ppc.com"
AD_SERVER_SHORT="${AD_SERVER_FQDN%%.*}"   # short host name for /etc/hosts (inddcpads01)
AD_SERVER_IP1="192.168.10.100"
AD_SERVER_IP2="192.168.20.100"
AD_GROUP="unix_admin"
AD_ADMIN="administrator"
RESOLV_CONF="/etc/resolv.conf"
HOSTS_FILE="/etc/hosts"
SSSD_CONF="/etc/sssd/sssd.conf"
KRB_CRYPTO="/etc/krb5.conf.d/crypto-policies"
SUDOERS="/etc/sudoers"

# Everything below edits system files and joins the domain, so require root.
if [ "$(id -u)" -ne 0 ]; then
    echo "ERROR: this script must be run as root." >&2
    exit 1
fi

echo "===== Starting AD Integration Setup ====="

### STEP 1: Install Required Packages ###
echo "Installing required packages..."
dnf install -y realmd sssd oddjob oddjob-mkhomedir adcli samba-common-tools krb5-workstation

### STEP 2: Configure DNS ###
# The domain controllers must be the resolvers so that the _ldap/_kerberos
# SRV records used by realmd and SSSD can be looked up.
echo "Configuring DNS..."
cp "$RESOLV_CONF" "${RESOLV_CONF}.bak"
cat <<EOF > "$RESOLV_CONF"
search $DOMAIN
nameserver $AD_SERVER_IP1
nameserver $AD_SERVER_IP2
EOF

### STEP 3: Update /etc/hosts ###
echo "Updating /etc/hosts..."
cp "$HOSTS_FILE" "${HOSTS_FILE}.bak"
if ! grep -qF "$AD_SERVER_FQDN" "$HOSTS_FILE"; then
    echo "$AD_SERVER_IP1 $AD_SERVER_FQDN $AD_SERVER_SHORT" >> "$HOSTS_FILE"
fi

### STEP 4: Configure Kerberos Encryption Types ###
# rc4-hmac is a legacy cipher kept last in the list for compatibility; drop it
# once no domain controller or service account still depends on it.
echo "Configuring Kerberos crypto policies..."
cp "$KRB_CRYPTO" "${KRB_CRYPTO}.bak" || true
cat <<EOF > "$KRB_CRYPTO"
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 camellia256-cts-cmac aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 camellia128-cts-cmac rc4-hmac
EOF

### STEP 5: Configure Authselect and Oddjob ###
# with-mkhomedir plus oddjobd creates a home directory on first login.
echo "Configuring authselect and oddjob..."
mkdir -p /etc/authselect
authselect select sssd with-mkhomedir --force
systemctl enable --now oddjobd.service

### STEP 6: Join AD Domain ###
# Interactive: realm prompts for the password of $AD_ADMIN.
echo "Joining AD domain..."
realm join -v -U "$AD_ADMIN" "$AD_SERVER_FQDN"

### STEP 7: Verify Domain Join ###
echo "Verifying domain join..."
realm list
if ! realm list | grep -q "configured: kerberos-member"; then
    echo "ERROR: domain join did not complete; check the realm join output above." >&2
    exit 1
fi

### STEP 8: Permit AD Group Login ###
echo "Permitting AD group access..."
realm permit -g "$AD_GROUP"

### STEP 9: Configure SSSD ###
echo "Configuring SSSD..."
cp "$SSSD_CONF" "${SSSD_CONF}.bak" || true
cat <<EOF > "$SSSD_CONF"
[sssd]
domains = $DOMAIN
services = nss, pam

[domain/$DOMAIN]
ad_server = $AD_SERVER_FQDN
ad_domain = $DOMAIN
krb5_realm = $REALM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = simple
simple_allow_groups = $AD_GROUP
EOF

# sssd refuses to start unless its config is root-owned and not readable by others.
chown root:root "$SSSD_CONF"
chmod 600 "$SSSD_CONF"

### STEP 10: Restart SSSD ###
echo "Restarting SSSD..."
systemctl restart sssd

### STEP 11: AD Group/User Creation ###
echo "NOTE: Ensure AD group '$AD_GROUP' exists and users are added on the AD server."

### STEP 12: Configure Sudo Access ###
echo "Configuring sudo access..."
if ! grep -q "^%$AD_GROUP " "$SUDOERS"; then
    cp "$SUDOERS" "${SUDOERS}.bak"
    echo "%$AD_GROUP ALL=(ALL) NOPASSWD: ALL" >> "$SUDOERS"
    # A syntax error in /etc/sudoers disables sudo for everyone, so validate
    # the edited file and restore the backup if it does not parse.
    if ! visudo -cf "$SUDOERS"; then
        cp "${SUDOERS}.bak" "$SUDOERS"
        echo "ERROR: $SUDOERS failed validation; original file restored." >&2
        exit 1
    fi
fi

### STEP 13: Final Test Instructions ###
# sysadm is an example AD user; it must be a member of $AD_GROUP to log in.
echo "===== Setup Complete ====="
echo "Test with:"
echo "  ssh sysadm@$(hostname)"
echo "  sudo su -"
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
How to Run the Script
chmod +x ad_join.sh
./ad_join.sh
You will be prompted for the Active Directory administrator password during the domain join process.

Testing the Configuration
Log in using an AD user that is a member of unix_admin (sysadm here; replace hostname with the server's name):
ssh sysadm@hostname
Verify sudo/root access:
sudo su -
If successful, the system is fully integrated with Active Directory.
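The manual check above is fine for one server, but when the script runs from a provisioning pipeline you want a pass/fail test rather than a person reading realm list output. The following is an added example, not part of the original post or script: it reads realm list output on stdin and fails unless the host is joined to the expected domain with SSSD, the login policy is restricted to permitted logins, and the expected group is permitted. The domain and group names are parameters; the two sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: turns the manual "realm list"
# check into a pass/fail test for provisioning tooling. Reads "realm list"
# output on stdin; domain and group are parameters.

# Constructed sample: what "realm list" reports after a successful join with
# "realm permit -g unix_admin" applied.
SAMPLE_REALM_LIST_JOINED='ppc.com
  type: kerberos
  realm-name: PPC.COM
  domain-name: ppc.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-groups: unix_admin'

# Constructed sample: joined, but "realm permit" was never run, so every
# domain user may log in. This is the state the check is meant to catch.
SAMPLE_REALM_LIST_OPEN='ppc.com
  type: kerberos
  realm-name: PPC.COM
  domain-name: ppc.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U
  login-policy: allow-realm-logins'

# has_line TEXT REGEX: succeed if some line of TEXT matches REGEX.
has_line() {
    printf '%s\n' "$1" | grep -qE "$2"
}

# check_realm_status DOMAIN GROUP < realm-list-output
# Returns 0 only if the host is joined to DOMAIN with SSSD, logins are
# restricted to permitted entries, and GROUP is among the permitted groups.
# DOMAIN and GROUP are used as regex fragments, so keep them to plain names.
check_realm_status() {
    domain="$1"
    group="$2"
    out="$(cat)"
    has_line "$out" "^  domain-name: $domain\$" \
        || { echo "FAIL: not joined to $domain" >&2; return 1; }
    has_line "$out" "^  configured: kerberos-member\$" \
        || { echo "FAIL: realm is not configured" >&2; return 1; }
    has_line "$out" "^  client-software: sssd\$" \
        || { echo "FAIL: client software is not sssd" >&2; return 1; }
    has_line "$out" "^  login-policy: allow-permitted-logins\$" \
        || { echo "FAIL: logins are not restricted to permitted users/groups" >&2; return 1; }
    has_line "$out" "^  permitted-groups:( |.*[ ,])$group([ ,]|\$)" \
        || { echo "FAIL: group $group is not permitted" >&2; return 1; }
    echo "OK: joined to $domain, logins restricted to group $group"
    return 0
}

# On a joined host, run:  ./check_realm.sh --live ppc.com unix_admin
if [ "${1:-}" = "--live" ]; then
    realm list | check_realm_status "${2:?domain}" "${3:?group}"
fi
```

The login-policy check is the one that matters most: a join that succeeds without realm permit leaves every domain account able to SSH in, which realm list reports as allow-realm-logins.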

Best Practices & Improvements
  • Use /etc/sudoers.d/unix_admin instead of editing /etc/sudoers
  • Configure DNS via nmcli on NetworkManager systems
  • Use keytabs for non-interactive domain joins
  • Convert this script into an Ansible role
  • Add logging and rollback mechanisms
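The first and last items in this list go together: a sudo rule dropped into /etc/sudoers.d is easy to validate, back up and remove without touching /etc/sudoers itself. The following is an added example, not part of the original post or script, showing how that step could look. The drop-in directory is a parameter so the functions can be tried against a scratch directory (on a real host pass /etc/sudoers.d and run as root); the log path LOG_FILE is an assumption, and the rule requires a password unless nopasswd is passed to reproduce the NOPASSWD rule from ad_join.sh.

```shell
#!/bin/sh
# Added example, not part of the original post or script: installs the sudo
# rule for the AD group as a validated drop-in under sudoers.d, logs what it
# does, and rolls back on failure.
set -u

# Timestamped line to stderr and, if LOG_FILE is set, appended to that file.
log() {
    stamp="$(date '+%Y-%m-%dT%H:%M:%S')"
    printf '%s [ad_sudo] %s\n' "$stamp" "$*" >&2
    [ -n "${LOG_FILE:-}" ] && printf '%s [ad_sudo] %s\n' "$stamp" "$*" >> "$LOG_FILE"
    return 0
}

# sudoers.d silently skips files whose names contain '.' or end in '~', and a
# group name with unexpected characters would need quoting in the rule, so
# accept only a conservative character set and map '.' to '_' in the file name.
dropin_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    printf '%s\n' "$1" | tr '.' '_'
}

# render_sudo_rule GROUP [nopasswd]: the rule text. "nopasswd" reproduces the
# NOPASSWD rule from ad_join.sh; the default requires the user's own password.
render_sudo_rule() {
    if [ "${2:-}" = "nopasswd" ]; then
        printf '%%%s ALL=(ALL) NOPASSWD: ALL\n' "$1"
    else
        printf '%%%s ALL=(ALL) ALL\n' "$1"
    fi
}

# visudo -cf is the authoritative check; it only makes sense as root, so when
# unprivileged (or without sudo installed) fall back to a shape check that at
# least catches an empty or mangled rule.
validate_sudoers_file() {
    if command -v visudo >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        visudo -cf "$1" >/dev/null 2>&1
    else
        log "visudo check skipped (not root or visudo missing); using pattern check"
        grep -qE '^%[A-Za-z0-9_.-]+ ALL=\(ALL\) (NOPASSWD: )?ALL$' "$1"
    fi
}

# install_sudo_dropin GROUP DIR [nopasswd]
# Writes the rule to a hidden temp file (its name contains '.', so sudoers.d
# ignores it if left behind), validates it, backs up any existing drop-in to
# NAME.bak (also ignored by sudoers.d), then moves the new file into place.
# Nothing in DIR changes if validation fails.
install_sudo_dropin() {
    group="$1"; dir="$2"; mode="${3:-}"
    name="$(dropin_name "$group")" || { log "ERROR: rejected group name '$group'"; return 1; }
    [ -d "$dir" ] || { log "ERROR: $dir is not a directory"; return 1; }
    file="$dir/$name"; tmp="$dir/.$name.tmp.$$"
    render_sudo_rule "$group" "$mode" > "$tmp"
    chmod 0440 "$tmp"
    if ! validate_sudoers_file "$tmp"; then
        log "ERROR: generated rule failed validation; nothing installed"
        rm -f "$tmp"
        return 1
    fi
    if [ -f "$file" ]; then
        cp -p "$file" "$file.bak" && log "backed up $file to $file.bak"
    fi
    if ! mv "$tmp" "$file"; then
        log "ERROR: could not install $file; rolling back"
        rm -f "$tmp"
        [ -f "$file.bak" ] && cp -p "$file.bak" "$file"
        return 1
    fi
    log "installed $file"
}

# rollback_sudo_dropin GROUP DIR: restore the previous drop-in, or remove the
# new one if there was none.
rollback_sudo_dropin() {
    name="$(dropin_name "$1")" || return 1
    file="$2/$name"
    if [ -f "$file.bak" ]; then
        mv "$file.bak" "$file" && log "restored $file from backup"
    else
        rm -f "$file" && log "removed $file"
    fi
}

# Usage on a host (as root):
#   ./ad_sudo.sh install unix_admin /etc/sudoers.d [nopasswd]
#   ./ad_sudo.sh rollback unix_admin /etc/sudoers.d
case "${1:-}" in
    install)  install_sudo_dropin "$2" "$3" "${4:-}" ;;
    rollback) rollback_sudo_dropin "$2" "$3" ;;
esac
```

The design point is that the rule is validated before it is visible to sudo: a bad line appended straight to /etc/sudoers breaks sudo for every user on the box, whereas here the temp file is discarded and the previous state is untouched.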
Conclusion
This script provides a clean, repeatable, and enterprise-ready solution for integrating Linux systems with Active Directory. It is ideal for system administrators, DevOps teams, and automated provisioning workflows.
