Add support to AstraLinux

dc-client/tune_sssd.sh

@@ -10,39 +10,35 @@ fatal()
     exit 1
 }
 
+
+if ! which subst 2>/dev/null ; then
+subst()
+{
+    sed -i -e "$@"
+}
+fi
+
 if epm assure etckeeper ; then
     [ -d /etc/.git ] || fatal "For first, initialize /etc with # etckeeper init"
 else
     echo "Can't install etckeeper, so skipping it"
 fi
 
+[ "$(hostname)" = "$(hostname -s)" ] && fatal "Hostname $(hostname) is short (without domain)."
+
 ADMIN=Administrator
 if [ -n "$1" ] ; then
     ADMIN="$1"
     shift
 fi
 
-epm assure bind-utils || fatal
-# Get REALM (needed for sssd tuning only) from DNS
-REALM=$(host -t txt _kerberos | sed -e 's|.*"\(.*\)".*|\1|') #"
-if [ -z "$REALM" ] || echo "$REALM" | grep "not found" ; then
-    if [ -n "$1" ] ; then
-        REALM="$1"
-        shift
-    else
-        fatal "Check your DNS with $ host -t txt _kerberos or run with REALM as param"
-    fi
-fi
-echo "Use REALM $REALM ..."
-
-
 case $(epm print info -d) in
     Ubuntu|Debian|AstraLinux)
         # Ubuntu
-        epmi --skip-installed samba-common-bin krb5-config krb5-user ldb-tools sssd-ad samba
+        epmi --skip-installed samba-common-bin krb5-config krb5-user ldb-tools sssd-ad sssd-tools samba bind9-host
         ;;
     ALTLinux)
-        epmi --skip-installed krb5-kinit ldb-tools sssd-ad samba-common-tools samba-common-client samba-common
+        epmi --skip-installed krb5-kinit ldb-tools sssd-ad samba-common-tools samba-common-client samba-common bind-utils
         # pam_mount task-auth-ad-sssd
         ;;
     Fedora|RedOS|GosLinux|CentOS|RHEL)
@@ -53,7 +49,21 @@ case $(epm print info -d) in
         ;;
 esac
 
-if [ -d /etc/krb5.conf.d/ ] ; then
+# Get REALM (needed for sssd tuning only) from DNS
+REALM=$(host -t txt _kerberos | sed -e 's|.*"\(.*\)".*|\1|') #"
+if [ -z "$REALM" ] || echo "$REALM" | grep "not found" ; then
+    if [ -n "$1" ] ; then
+        REALM="$1"
+        shift
+    else
+        fatal "Check your DNS with $ host -t txt _kerberos or run with REALM as param"
+    fi
+fi
+echo "Use REALM $REALM ..."
+
+
+if grep -q "include /etc/krb5.conf.d" /etc/krb5.conf ; then
+mkdir -p /etc/krb5.conf.d/
 cat <<EOF >/etc/krb5.conf.d/ad
 [libdefaults]
  dns_lookup_kdc = true
@@ -63,17 +73,16 @@ EOF
 # rdns disabled!
 # See https://bugs.etersoft.ru/show_bug.cgi?id=15473#c13
 else
-    echo "Can't set dns_lookup* in /etc/krb5.conf.d"
+    echo "Switch dns_lookup* right in /etc/krb5.conf"
+    subst "s|dns_lookup_kdc = false|dns_lookup_kdc = true|" /etc/krb5.conf
+    subst "s|dns_lookup_realm = false|dns_lookup_realm = true|" /etc/krb5.conf
+    subst "s|rdns = false|rdns = true|" /etc/krb5.conf
+    if ! grep -q "rdns = true" /etc/krb5.conf ; then
+    subst "s|\(.*\)dns_lookup_realm = true|\1dns_lookup_realm = true\n\1rdns = true|" /etc/krb5.conf
+    fi
 fi
 
 
-if ! which subst 2>/dev/null ; then
-subst()
-{
-    sed -i -e "$@"
-}
-fi
-
 #LIBDIR=$(getconf LIBDIR)
 #if [ ! -d "$LIBDIR" ] ; then
 #    LIBDIR=/usr/lib64
@@ -87,10 +96,12 @@ fi
 #    ln -s $LIBDIR/ldb/modules/ldb $LIBDIR/samba/ldb
 #fi
 
-if [ -d /etc/sssd/conf.d ] ; then
-[ -f /etc/sssd/conf.d/etersoft.conf ] && rm -vf /etc/sssd/conf.d/etersoft.conf
+SSSDCONF=/etc/sssd/conf.d/ad.conf
+if [ ! -d /etc/sssd/conf.d ] || [ ! -s /etc/sssd/sssd.conf ]; then
+    SSSDCONF=/etc/sssd/sssd.conf
+fi
 
-cat <<EOF >/etc/sssd/conf.d/ad.conf || fatal
+cat <<EOF >$SSSDCONF || fatal
 [sssd]
 config_file_version = 2
 services = nss, pam
@@ -98,15 +109,16 @@ domains = $REALM
 debug_level = 1
 EOF
 
+# TODO: что на других системах?
 if [ "$(epm print info -d)" = "ALTLinux" ] ; then
-cat <<EOF >>/etc/sssd/conf.d/ad.conf || fatal
+cat <<EOF >>$SSSDCONF || fatal
 
 ; Should be used until ALT#34124 will be resolved
 user = root
 EOF
 fi
 
-cat <<EOF >>/etc/sssd/conf.d/ad.conf || fatal
+cat <<EOF >>$SSSDCONF || fatal
 
 [nss]
 debug_level = 1
@@ -131,30 +143,21 @@ ldap_chpass_dns_service_name = ad
 ldap_id_mapping = False
 
 use_fully_qualified_names = False
-; always ask KDC
 cache_credentials = true
 
 enumerate = true
 dyndns_update = False
 EOF
 
-chmod 0600 /etc/sssd/conf.d/ad.conf
-else
-    echo "Skipping sssd conf creating (/etc/sssd/conf.d/ad.conf is exists)"
-fi
+chmod 0600 $SSSDCONF
 
-# TODO: Fedora has special command for change nssswitch.conf
-#passwd:     files sss
-#shadow:     tcb files sss
-#group:      files sss role
-#gshadow:    files sss
-
-if ! grep -q " sss" /etc/nsswitch.conf ; then
-    for i in passwd shadow group gshadow ; do
-        subst "s|^\($i:.*\)files\(.*\)|\1files sss\2|g" /etc/nsswitch.conf
-    done
-    ( cd /etc ; git diff nsswitch.conf | cat )
-fi
+# TODO: проверить на ALT, если control system-auth sss уже достаточно
+#if ! grep -q " sss" /etc/nsswitch.conf ; then
+#    for i in passwd shadow group gshadow ; do
+#        subst "s|^\($i:.*\)files\(.*\)|\1files sss\2|g" /etc/nsswitch.conf
+#    done
+#    ( cd /etc ; git diff nsswitch.conf | cat )
+#fi
 
 # TODO: realmd
 
@@ -186,7 +189,7 @@ kinit $ADMIN || fatal "Can't get kerberos ticket for '$ADMIN'"
 echo "Have got a kerberos ticker!"
 [ -f /etc/krb5.keytab ] && echo "Removing old keytab /etc/krb5.keytab ..." && rm -fv /etc/krb5.keytab
 echo "Join to domain... "
-net ads join -k || fatal "Failed to join to the domain '$REALM'"
+net ads join -k --no-dns-updates || fatal "Failed to join to the domain '$REALM'"
 kdestroy
 
 case $(epm print info -d) in
@@ -198,11 +201,14 @@ case $(epm print info -d) in
         roleadd etersysadmin wheel
         ;;
     RedOS|Fedora|CentOS)
-        echo "Check the script for autoselect"
+        # echo "Check the script for autoselect"
         authselect select sssd --force
         authselect apply-changes
         authconfig --enablemkhomedir
         ;;
+    Debian|Ubuntu|AstraLinux)
+        pam-auth-update --package
+        ;;
     *)
         echo "Unknown system $(epm print info -d). Check /etc/pam.d/system-auth for pam_sss.so using"
         ;;