Finish v1.0.4

CMakeLists.txt

@@ -1,5 +1,6 @@
 cmake_minimum_required(VERSION 2.8.11)
 
+project(domain_join)
 
 install(FILES src/realmd.conf DESTINATION /etc)
 install(FILES src/active_directory DESTINATION /etc/sudoers.d PERMISSIONS OWNER_READ GROUP_READ)
@@ -8,13 +9,15 @@ install(FILES src/krb5.conf.unconfigured DESTINATION /etc)
 install(FILES src/domain_user_for_sudo.conf DESTINATION /etc)
 install(FILES src/domain_join.sh DESTINATION bin PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
 install(FILES src/domain_leave.sh DESTINATION bin PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
+install(FILES LICENSE DESTINATION /usr/share/doc/domain_join/ )
+install(FILES README.md DESTINATION /usr/share/doc/domain_join/ )
 
 set(CPACK_PACKAGE_NAME "domain-join")
 set(CPACK_PACKAGE_DESCRIPTION_SUMMARY "meta package that automates domain join for ubuntu systems")
-set(CPACK_PACKAGE_VERSION "0.0.4")
+set(CPACK_PACKAGE_VERSION "1.0.4")
 set(SYSTEM_ARCH "all")
 
-set(CPACK_DEBIAN_PACKAGE_DEPENDS "realmd,sssd,sssd-tools,samba-common,packagekit,samba-common-bin,samba-libs,adcli,cifs-utils,libpam-mount,libpam-ccreds,findutils,dialog,libpam-sss,coreutils,xmlstarlet,smbclient")
+set(CPACK_DEBIAN_PACKAGE_DEPENDS "realmd,sssd,sssd-tools,samba-common,packagekit,samba-common-bin,samba-libs,adcli,cifs-utils,libpam-mount,libpam-ccreds,findutils,dialog,libpam-sss,coreutils,xmlstarlet,smbclient,pcregrep")
 set(CPACK_GENERATOR "DEB")
 set(PACKAGE_OS "linux")
 set(CPACK_SYSTEM_NAME "${PACKAGE_OS}-amd64")

README.md

@@ -3,9 +3,9 @@
 # Why domain join?
 In a Enterprise environment it is state of the art to have a network that is managed by a domain controller. In Linux it can be a pain to join to a AD domain. In order to make it nearly as convenient as in windows to join the domain, this script has been written.
 # Installation
-Download [here](https://github.com/majojoe/domain_join/releases/download/v0.0.4/domain-join-0.0.4-linux-amd64.deb) and install the \*.deb package provided using the following command:
+Download [here](https://github.com/majojoe/domain_join/releases/download/v1.0.4/domain-join-1.0.4-linux-amd64.deb) and install the \*.deb package provided using the following command:
 ```bash
-sudo apt install ./domain-join-0.0.4-linux-amd64.deb
+sudo apt install ./domain-join-1.0.4-linux-amd64.deb
 ```
 # Join a domain
 Execute the join script as so:
@@ -18,3 +18,81 @@ To leave a domain:
 sudo domain_leave.sh
 ```
 
+# SSO with AD and Apache
+
+The package domain_join works also with Apache and Single Sign On. Apart from installing domain_join and executing domain_join.sh the following steps have to be executed:
+
+
+- Add dedicated Kerberos user
+
+You should create a new Active Directory user which is dedicated for Kerberos usage. For further reference, the username of this user $KERBEROS_USER and his password is $KERBEROS_PASSWORD.
+Create keytab file
+
+- On the domain controller you have to create a .keytab file:
+
+ktpass -princ HTTP/webserver.test.ad@TEST.AD -mapuser ${KERBEROS_USERNAME}@TEST.AD -pass ${KERBEROS_PASSWORD} -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out C:\Temp\kerberos.keytab
+Example:
+ktpass -princ HTTP/webserver01.test.ad@TEST.AD -mapuser sso_user@TEST.AD -pass pa$$w0rd -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -out C:\Temp\kerberos.keytab
+
+Some notes about this:
+
+    - The encryption type should be AES256-SHA1 (recommended). Note that in this case KrbServiceName of the Apache configuration must be Any to work as expected.
+    - Please note that the Kerberos principal you are using is case-sensitive. 
+    - If you use HTTPS you must use HTTP/webserver.test.ad as principal.
+    - Kerberos authentication is only used when you access http://webserver.test.ad and not http://$IP_OF_WEBSERVER.
+
+
+- Copy the kerberos.keytab file securely to the webserver's path /etc/apache2/auth/kerberos.keytab and change the ownership to this file to the Apache user.
+
+```bash
+$ sudo chown www-data:www-data /etc/apache2/auth/apache2.keytab
+$ sudo chmod 400 /etc/apache2/auth/apache2.keytab
+```
+
+check if Authentication works with:
+```bash
+$ sudo kinit -VV -k -t /etc/apache2/auth/kerberos.keytab HTTP/webserver.test.ad@TEST.AD
+```
+
+## Enable Kerberos in Apache
+
+Install mod_auth_kerb:
+
+```bash
+$ sudo apt-get install libapache2-mod-auth-kerb
+```
+
+To enable Kerberos in your Apache configuration open /etc/apache2/sites-available/000-default.conf or any other vhost configuration file you want to use.
+
+```
+ <VirtualHost *:80>
+ 
+	# ...
+	ServerName webserver.test.ad      
+	<Location />
+		AuthType Kerberos
+		AuthName "Kerberos authenticated intranet"
+		KrbAuthRealms TEST.AD
+		KrbServiceName Any
+		Krb5Keytab /etc/apache2/auth/kerberos.keytab
+		KrbMethodNegotiate On
+		KrbMethodK5Passwd On
+		require valid-user
+	</Location>
+</VirtualHost>
+```
+
+## Configure browsers
+
+### Firefox
+- Open new tab and type about:config 
+- Set the following entries to the value: .test.ad
+  - network.automatic-ntlm-auth.trusted-uris
+  - network.negotiate-auth.trusted-uris
+
+
+## References:
+[https://active-directory-wp.com/docs/Networking/Single_Sign_On/Kerberos_SSO_with_Apache_on_Linux.html](https://active-directory-wp.com/docs/Networking/Single_Sign_On/Kerberos_SSO_with_Apache_on_Linux.html)
+[https://serverfault.com/questions/721497/enabling-aes-encrypted-single-sign-on-to-apache-in-a-win2008-domain](https://serverfault.com/questions/721497/enabling-aes-encrypted-single-sign-on-to-apache-in-a-win2008-domain)
+[https://help.ubuntu.com/community/Kerberos](https://help.ubuntu.com/community/Kerberos)
+

src/domain_join.sh

@@ -23,6 +23,7 @@ DOMAIN_NAME=""
 TIMEZONE="Europe/Berlin"
 DOMAIN_CONTROLLER=""
 FULLY_QUALIFIED_DN=0
+SDDM_CONF_FILE="/etc/sddm.conf"
 
 
 
@@ -99,21 +100,48 @@ set_group_policies () {
         fi
 }
 
-
 # install krb5-user package in order to not get any dialogs presented, since the configuration files must be there, first.
 # first param: domain name
+# second param: admin server (main domain controller)
 install_krb5_package() {
         local KRB5_UNCONF
         local KRB5_CONF
         local DOMAIN_NAME
+        local ADMIN_SERVER
+        local DOMAIN_REALM
+        local DOMAIN_UPPER
+        local REALM_DEFINITION
 
         KRB5_UNCONF="/etc/krb5.conf.unconfigured"
         KRB5_CONF="/etc/krb5.conf"
         DOMAIN_NAME="${1}"
+        ADMIN_SERVER="${2}"
         echo "install krb5-user"
         if [ -f "${KRB5_UNCONF}" ]; then
                 cp "${KRB5_UNCONF}" "${KRB5_CONF}"
+                #realm name
                 sed -i "s/REALM_NAME/${DOMAIN_NAME^^}/g" "${KRB5_CONF}"
+
+                #realm definiton
+                DOMAIN_UPPER=${DOMAIN_NAME^^}
+                REALM_DEFINITION="${DOMAIN_UPPER} = {"
+                DC_DNS_LIST=$(nslookup -type=srv _kerberos._tcp."${DOMAIN_NAME}" | grep "${DOMAIN_NAME}" | pcregrep -o1 "(\S+)\.$")
+                DC_LIST=()
+                while IFS= read -r DC; do
+                        DC_LIST+=("${DC}")
+                done <<< "$DC_DNS_LIST"
+
+                for i in "${DC_LIST[@]}"
+                do
+                        REALM_DEFINITION="${REALM_DEFINITION}\n        kdc = $i"
+                done
+
+                REALM_DEFINITION="${REALM_DEFINITION}\n        admin_server = ${ADMIN_SERVER}\n}"
+                sed -i "s/REALM_DEFINITION/${REALM_DEFINITION}/g" "${KRB5_CONF}"
+
+                # domain realm
+                DOMAIN_REALM="        .${DOMAIN_NAME} = ${DOMAIN_UPPER}\n        ${DOMAIN_NAME} = ${DOMAIN_UPPER}"
+                sed -i "s/DOMAIN_REALM/${DOMAIN_REALM}/g" "${KRB5_CONF}"                
         fi
         apt install krb5-user -y
 }
@@ -130,6 +158,21 @@ set_domain_realmd() {
         fi
 }
 
+# set the domanin in /etc/hosts
+# first param: domain name
+set_domain_hosts() {
+        local DOMAIN_NAME
+        DOMAIN_NAME="${1}"
+        HOSTS_FILE="/etc/hosts"
+        HOSTNAME_STR=$(hostname)
+        HOSTNAME_ENTRY=$(cat "${HOSTS_FILE}" | grep "127.0.1.1")
+
+        if [ -f "${HOSTS_FILE}" ]; then     
+                if ! echo "${HOSTNAME_ENTRY}" | grep -q "${DOMAIN_NAME}"; then
+                        sed -i "s/127.0.1.1.*/127.0.1.1       ${HOSTNAME_STR}.${DOMAIN_NAME}  ${HOSTNAME_STR}/g" "${HOSTS_FILE}"
+                fi
+        fi
+}
 
 # set the timeserver to use
 # first param:  domain controller
@@ -220,7 +263,7 @@ set_sudo_users_or_groups() {
         DN="${2}"
         SUDOERS_AD_FILE="/etc/sudoers.d/active_directory"
         DU_SUDO_FILE="/etc/domain_user_for_sudo.conf"
-        PERMITTED_AD_ENTITIES=$(dialog --title "administrative rights for domain users/groups"  --inputbox "Enter the domain users or groups that shall be allowed to gain administrative rights. \\nUsers/groups must be comma separated. \\nGroups must be prepended by a '%' sign.\\nLeave blank if you don't want allow any user/group in the domain to gain administrative rights.\\n " 15 60 "" 3>&1 1>&2 2>&3 3>&-)
+        PERMITTED_AD_ENTITIES=$(dialog --title "administrative rights for domain users/groups"  --inputbox "Enter the domain users or groups that shall be allowed to gain administrative rights. \\nUsers/groups must be comma separated. \\nGroups must be prepended by a '%' sign.\\nLeave blank if you don't want allow any user/group in the domain to gain administrative rights.\\nHint: Some environments like KDE require to give the users with administrative rights here in order for the password popups to work - giving the groups the users are in will not work.\\n " 15 60 "" 3>&1 1>&2 2>&3 3>&-)
 
         clear
 
@@ -270,6 +313,12 @@ allow_xrdp_login() {
         fi
 }
 
+# remove input method from /etc/sddm.conf file
+correct_input_method() {
+        if [ -f "${SDDM_CONF_FILE}" ]; then
+                sed -i "s/^InputMethod=.*/InputMethod=/g" "${SDDM_CONF_FILE}"
+        fi
+}
 
 #find domain controller
 DNS_IP=$(systemd-resolve --status | grep "DNS Servers" | cut -d ':' -f 2 | tr -d '[:space:]')
@@ -281,6 +330,9 @@ DOMAIN_CONTROLLER="${DNS_SERVER_NAME}"
 #set domain name in realm configuration
 set_domain_realmd "${DOMAIN_NAME}"
 
+#set domain name in /etc/hosts
+set_domain_hosts  "${DOMAIN_NAME}"
+
 #choose the timezone
 choose_timezone
 #set NTP server
@@ -304,7 +356,7 @@ echo "${JOIN_PASSWORD}" | realm -v join -U "${JOIN_USER}" "${DOMAIN_NAME}"
 
 
 #install krb5-user package 
-install_krb5_package "${DOMAIN_NAME}"
+install_krb5_package "${DOMAIN_NAME}" "${DOMAIN_CONTROLLER}"
 
 set_group_policies "${JOIN_USER}"
 
@@ -323,4 +375,7 @@ set_std_groups_for_domain
 
 allow_xrdp_login
 
+#correct input method for sddm - no onscreen keyboard anymore (if sddm is used). 
+correct_input_method
+
 echo "############### DOMAIN JOIN  AND SHARES CONFIGURATION SUCCESSFULL #################"

src/domain_leave.sh

@@ -28,6 +28,23 @@ if [ "$(id -u)" -ne 0 ]; then
         exit
 fi
 
+# remove the domanin in /etc/hosts
+# first param: domain name
+remove_domain_hosts() {
+        local DOMAIN_NAME
+        DOMAIN_NAME="${1}"
+        HOSTS_FILE="/etc/hosts"
+        HOSTNAME_STR=$(hostname)
+        HOSTNAME_ENTRY=$(cat "${HOSTS_FILE}" | grep "127.0.1.1")
+
+        if [ -f "${HOSTS_FILE}" ]; then     
+                if echo "${HOSTNAME_ENTRY}" | grep -q "${DOMAIN_NAME}"; then
+                        sed -i "s/127.0.1.1.*/127.0.1.1       ${HOSTNAME_STR}/g" "${HOSTS_FILE}"
+                fi
+        fi
+}
+
+
 
 #find domain controller
 DNS_IP=$(systemd-resolve --status | grep "DNS Servers" | cut -d ':' -f 2 | tr -d '[:space:]')
@@ -70,6 +87,7 @@ if [ -f "${DU_SUDO_FILE}" ]; then
         done < "${DU_SUDO_FILE}"
 fi
 
-
+#remove domain from hosts file
+remove_domain_hosts "${DOMAIN_NAME}"
 
 echo "############### LEFT DOMAIN SUCCESSFULL AND SHARES REMOVED #################"

src/kdc.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+REALM="maier.localnet"
+DC_DNS_LIST=$(nslookup -type=srv _kerberos._tcp."${REALM}" | grep "${REALM}" | pcregrep -o1 "(\S+)\.$")
+DC_LIST=()
+while IFS= read -r DC; do
+    DC_LIST+=("${DC}")
+done <<< "$DC_DNS_LIST"
+
+for i in "${DC_LIST[@]}"
+do
+    echo "    kdc = $i"
+done
+
+
+#sddm.conf.d/kde_settings.conf:11:Current=ExposeBlue
+#
+#jo@nb-jm:/etc$ cat /etc/sddm.conf
+#InputMethod=

src/krb5.conf.unconfigured

@@ -26,72 +26,8 @@
         fcc-mit-ticketflags = true
 
 [realms]
-        ATHENA.MIT.EDU = {
-                kdc = kerberos.mit.edu
-                kdc = kerberos-1.mit.edu
-                kdc = kerberos-2.mit.edu:88
-                admin_server = kerberos.mit.edu
-                default_domain = mit.edu
-        }
-        ZONE.MIT.EDU = {
-                kdc = casio.mit.edu
-                kdc = seiko.mit.edu
-                admin_server = casio.mit.edu
-        }
-        CSAIL.MIT.EDU = {
-                admin_server = kerberos.csail.mit.edu
-                default_domain = csail.mit.edu
-        }
-        IHTFP.ORG = {
-                kdc = kerberos.ihtfp.org
-                admin_server = kerberos.ihtfp.org
-        }
-        1TS.ORG = {
-                kdc = kerberos.1ts.org
-                admin_server = kerberos.1ts.org
-        }
-        ANDREW.CMU.EDU = {
-                admin_server = kerberos.andrew.cmu.edu
-                default_domain = andrew.cmu.edu
-        }
-        CS.CMU.EDU = {
-                kdc = kerberos-1.srv.cs.cmu.edu
-                kdc = kerberos-2.srv.cs.cmu.edu
-                kdc = kerberos-3.srv.cs.cmu.edu
-                admin_server = kerberos.cs.cmu.edu
-        }
-        DEMENTIA.ORG = {
-                kdc = kerberos.dementix.org
-                kdc = kerberos2.dementix.org
-                admin_server = kerberos.dementix.org
-        }
-        stanford.edu = {
-                kdc = krb5auth1.stanford.edu
-                kdc = krb5auth2.stanford.edu
-                kdc = krb5auth3.stanford.edu
-                master_kdc = krb5auth1.stanford.edu
-                admin_server = krb5-admin.stanford.edu
-                default_domain = stanford.edu
-        }
-        UTORONTO.CA = {
-                kdc = kerberos1.utoronto.ca
-                kdc = kerberos2.utoronto.ca
-                kdc = kerberos3.utoronto.ca
-                admin_server = kerberos1.utoronto.ca
-                default_domain = utoronto.ca
-        }
+REALM_DEFINITION
 
 [domain_realm]
-        .mit.edu = ATHENA.MIT.EDU
-        mit.edu = ATHENA.MIT.EDU
-        .media.mit.edu = MEDIA-LAB.MIT.EDU
-        media.mit.edu = MEDIA-LAB.MIT.EDU
-        .csail.mit.edu = CSAIL.MIT.EDU
-        csail.mit.edu = CSAIL.MIT.EDU
-        .whoi.edu = ATHENA.MIT.EDU
-        whoi.edu = ATHENA.MIT.EDU
-        .stanford.edu = stanford.edu
-        .slac.stanford.edu = SLAC.STANFORD.EDU
-        .toronto.edu = UTORONTO.CA
-        .utoronto.ca = UTORONTO.CA
+DOMAIN_REALM