#!/bin/bash

# This is the holy grail script that you've been looking for joining your
# Ubuntu 16.04 box into Microsoft Active Directory compliant domain
# You'll always need: sudo apt install dnsutils samba-common-bin dialog krb5-user ldap-utils openssl
# If you want to join domain with winbind: sudo apt install libpam-winbind libnss-winbind
# If you want to join domain with SSSD: sudo apt install libpam-sss libnss-sss sssd
# If you want to set up fileserver (works properly only with winbind): sudo apt install samba samba-vfs-modules
# Reconfigure lightdm to show manual login
# Reconfigure /etc/security/group.conf to inherit video, audio, etc groups
# To enable sudo for domain admins: echo "%domain\\ admins ALL=(ALL) ALL" > /etc/sudoers.d/domain-admins


if [ $UID -ne 0 ]; then
    echo 'Run as root!'
    exit 255
fi

set -e

########################
### Prompt hostname  ###
########################

if [ -z $BUTTERKNIFE_HOSTNAME ]; then
    if [ -e /var/lib/butterknife/persistent/hostname ]; then
        BUTTERKNIFE_HOSTNAME=$(cat /var/lib/butterknife/persistent/hostname)
    else
        BUTTERKNIFE_HOSTNAME=$(cat /etc/hostname)
    fi
    BUTTERKNIFE_HOSTNAME=$(dialog --max-input 15 --inputbox "Enter hostname" 0 0 $BUTTERKNIFE_HOSTNAME 2>&1 >$(tty))
fi


# Generate NetBIOS name and hostname
NMBNAME=$(echo $BUTTERKNIFE_HOSTNAME | tr '[:lower:]' '[:upper:]')
HOSTNAME=$(echo $BUTTERKNIFE_HOSTNAME | tr '[:upper:]' '[:lower:]')


######################
### Prompt domain  ###
######################

if [ -z $BUTTERKNIFE_DOMAIN ]; then
    if [ -e /etc/krb5.conf ]; then
        BUTTERKNIFE_DOMAIN=$(cat /etc/krb5.conf  | grep "^default_realm.*=" | tr '[:upper:]' '[:lower:]' | cut -d '=' -f 2 | xargs)
    fi
    BUTTERKNIFE_DOMAIN=$(dialog --inputbox "Enter domain" 0 0 $BUTTERKNIFE_DOMAIN 2>&1 >$(tty))
fi

DOMAIN=$(echo $BUTTERKNIFE_DOMAIN | tr '[:upper:]' '[:lower:]')
REALM=$(echo $BUTTERKNIFE_DOMAIN | tr '[:lower:]' '[:upper:]')
FQDN=$HOSTNAME.$DOMAIN


#########################
### Prompt workgroup  ###
#########################

if [ -z $BUTTERKNIFE_WORKGROUP ]; then
    if [ -e /etc/samba/smb.conf ]; then
        BUTTERKNIFE_WORKGROUP=$(cat /etc/samba/smb.conf | grep ^workgroup.*= | cut -d '=' -f 2 | xargs)
    else
        BUTTERKNIFE_WORKGROUP=$(echo $REALM | rev | cut -d . -f 2 | rev)
    fi
    BUTTERKNIFE_WORKGROUP=$(dialog --inputbox "Enter workgroup" 0 0 $BUTTERKNIFE_WORKGROUP 2>&1 >$(tty))
fi

WORKGROUP=$(echo $BUTTERKNIFE_WORKGROUP | tr '[:lower:]' '[:upper:]')

################################################
### Prompt joiner account username/password  ###
################################################

USERNAME=$(dialog --inputbox "Enter username" 0 0 Administrator 2>&1 >$(tty))
PASSWORD=$(dialog --insecure --passwordbox "Enter password for $USERNAME@$REALM" 0 0 2>&1 >$(tty))

clear

set +e

echo "About to join $HOSTNAME to domain $DOMAIN, fully qualified name is $FQDN"
echo "Using Kerberos realm: $REALM"
echo "Using NetBIOS name $NMBNAME and workgroup $WORKGROUP"

if [ -x /usr/sbin/sssd ]; then
    METHOD=sss
    echo "Using SSSD to configure domain-enabled login"
elif [ -x /usr/sbin/winbindd ]; then
    METHOD=winbind
    echo "Using Winbind to configure domain-enabled login"
else
    METHOD=skip
    echo "No SSSD or Winbind PAM modules detected! Please: apt-get install libpam-sss libnss-sss sssd"
fi

####################
### Set hostname ###
####################

echo $HOSTNAME > /etc/hostname
sed -i -e "s/^PRETTY_HOSTNAME=.*/PRETTY_HOSTNAME=$HOSTNAME/" /etc/machine-info

if [ -d /var/lib/butterknife/persistent ]; then
    echo $HOSTNAME > /var/lib/butterknife/persistent/hostname
fi

sed -i -e "s/127\.0\.1\.1.*$/127.0.1.1 $FQDN $HOSTNAME/g" /etc/hosts

##########################
### Set Kerberos realm ###
##########################

cat > /etc/krb5.conf << EOF
[libdefaults]
default_realm = $REALM
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
proxiable = true
EOF


####################################
### Generate /etc/samba/smb.conf ###
####################################

cat > /etc/samba/smb.conf << EOF
[global]
security = ads
netbios name = $NMBNAME
workgroup = $WORKGROUP
realm = $REALM
kerberos method = system keytab

# UNIX attribute templates for rid backend
template homedir = /home/%U
template shell = /bin/bash

# Reserve 1 000 000 to 16 777 216 for algorithmically generated UID-s
idmap config *:range = 1000000-16777216
idmap config *:backend = rid

# libpam-winbind config
winbind offline logon = yes
winbind trusted domains only = no
winbind use default domain = yes
winbind refresh tickets = yes
username map = /etc/samba/user.map

# hardening
client ldap sasl wrapping = seal
ntlm auth = no
lanman auth = no

# Map Windows ACL-s to chown/chmod/setfacl/attr
vfs objects = acl_xattr

EOF

if [ ! -f /etc/samba/user.map ]; then
    echo "!root = Administrator administrator" > /etc/samba/user.map
fi

cat > /etc/security/pam_winbind.conf << EOF
[global]
cached_login = yes
krb5_auth = yes
EOF

#####################################################
### This populates keytab and creates secrets.tdb ###
#####################################################

mkdir -p /var/lib/samba/private /var/cache/samba
(echo;echo;echo;net ads join -U $USERNAME%$PASSWORD) | dialog --programbox "Joining to domain $DOMAIN" 15 76
clear

################################
### Setup LDAP client config ###
################################

LDAP_BASE=$(echo ".$DOMAIN" | sed "s/\./,dc=/g" | cut -c 2-)

cat > /etc/ldap/ldap.conf << EOF
BASE $LDAP_BASE
URI ldap://$DOMAIN
EOF

if [ $METHOD == "skip" ]; then
    exit 0
fi


##########################
### Set up SSSD config ###
##########################

mkdir -p /etc/sssd

cat > /etc/sssd/sssd.conf << EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = $DOMAIN

[nss]
fallback_homedir = /home/%u
override_shell = /bin/bash

[pam]

[domain/$DOMAIN]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
sudo_provider = ad
cache_credentials = true
dyndns_update = false
krb5_use_enterprise_principal = false
krb5_store_password_if_offline = true
krb5_renew_interval = 7200
ldap_disable_referrals = true
EOF

chmod 0600 /etc/sssd/sssd.conf


##################
### Set up PAM ###
##################

# Following assumes libpam-blah package has corresponding /usr/share/pam-configs/blah bundled,
# this includes mkhomedir for home directory creation
DEBIAN_FRONTEND=noninteractive pam-auth-update -f

sed -i -e "s/^passwd:.*/passwd: compat $METHOD/" /etc/nsswitch.conf
sed -i -e "s/^group:.*/group: compat $METHOD/" /etc/nsswitch.conf
sed -i -e "s/^shadow:.*/shadow: compat/" /etc/nsswitch.conf


####################
### Purge caches ###
####################
[ -d /var/lib/samba ] && find /var/lib/samba/ -type f -delete -print
[ -d /var/cache/samba ] && find /var/cache/samba/ -type f -delete -print
[ -d /var/lib/sss ] && find /var/lib/sss/ -type f -delete -print


#######################
### Enable services ###
#######################

case $METHOD in
    sss)
        systemctl unmask sssd
    ;;
    winbind)
        systemctl unmask winbind
    ;;
esac