add dc commands

dc/add_group.sh

+#!/bin/bash
+
+samba-tool group addmembers "$1" "$2"

dc/add_spn.sh

+#!/bin/sh
+
+# user (like priv.nginx)
+# service name (like wiki.office.etersoft.ru)
+# host name (like priv.etersoft.ru)
+
+FORCE=
+if [ "$1" = "-f" ] || [ "$1" = "--force" ] ; then
+    FORCE=1
+    shift
+fi
+
+ADUSER=$1
+SERVICE=$2
+HOST=$3
+KEYTAB=/tmp/$ADUSER.keytab
+
+fatal()
+{
+    echo "$*"
+}
+
+[ -n "$HOST" ] || fatal
+
+[ -n "$FORCE" ] && samba-tool user delete $ADUSER
+
+samba-tool user create $ADUSER --random-password && samba-tool user setexpiry $ADUSER --noexpiry
+samba-tool spn add $SERVICE/$HOST $ADUSER
+samba-tool spn add HTTP/$SERVICE $ADUSER
+
+samba-tool domain exportkeytab $KEYTAB --principal=$SERVICE/$HOST
+samba-tool domain exportkeytab $KEYTAB --principal=HTTP/$SERVICE
+
+samba-tool spn list $ADUSER
+
+klist -ke $KEYTAB || fatal "Can't create keytab"
+chmod a+r $KEYTAB
+echo $KEYTAB

dc/add_user.sh

+#!/bin/bash
+
+# Written by Vitaly Lipatov <lav@etersoft.ru> (c) 2012, 2017
+# ./add_user.sh [-f] LOGIN "FIO"
+
+#. $(dirname $0)/migrate_user_passwd.conf
+
+epm assure pwgen
+
+fatal()
+{
+       echo "$*" >&2
+       exit 1
+}
+
+FORCE=
+if [ "$1" = "--force" ] ; then
+    FORCE=1
+    shift
+fi
+
+LOGIN="$1"
+
+[ -n "$LOGIN" ] || fatal "Run me with LOGIN as param"
+
+RUSERNAME="$2"
+[ -n "$RUSERNAME" ] || fatal "Run with FIO after LOGIN"
+
+RUID="$3"
+[ -n "$RUID" ] || RUID=$()
+
+cat <<EOF
+Данные о пользователе $RGIVENNAME $RSURNAME:
+LOGIN=$RUSERNAME
+UID=$RUID GID=$RGID
+HOME=$RHOMEDIR
+SHELL=$RSHELL"
+
+EOF
+
+if [ -z "$FORCEEMAIL" ] ; then
+    USEREMAIL=$RUSERNAME@$DOMEMAIL
+else
+    USEREMAIL="$FORCEEMAIL"
+fi
+
+# samba-tool domain passwordsettings set --min-pwd-length=6 --complexity=off --max-pwd-age=0 --min-pwd-age=0
+
+# Пока сбрасывается при логине по ssh
+# To force a user to change their password at next logon, set the pwdLastSet attribute to zero (0).
+
+# никто не будет знать :)
+#  --random-password \
+RPASSWORD=$(pwgen -1)
+
+if [ -n "$FORCE" ]; then
+    echo "# samba-tool user delete $RUSERNAME"
+    samba-tool user delete $RUSERNAME
+fi
+
+# http://samba.2283325.n4.nabble.com/Full-list-of-options-when-using-samba-tool-user-create-td4685327.html
+samba-tool user create $RUSERNAME \
+  --must-change-at-next-login \
+  --surname="$RSURNAME" \
+  --given-name="$RGIVENNAME" \
+  --company="Etersoft" \
+  --mail-address="$RUSERNAME@$DOMEMAIL" \
+  --unix-home=$RHOMEDIR \
+  --uid-number=$RUID \
+  --gid-number=$RGID \
+  --login-shell=$RSHELL \
+  --random-password \
+  || fatal "Error during create user"
+
+samba-tool user setpassword $RUSERNAME --newpassword "$RPASSWORD" || fatal "Error during set password"
+samba-tool user setexpiry $RUSERNAME --noexpiry
+
+for grp in $(./migrate_group.sh --list $RUSERNAME) ; do
+    samba-tool group addmembers $grp $RUSERNAME
+done
+
+echo "Установлен пароль $RPASSWORD"
+echo
+
+test -n "$USEREMAIL" || fatal "E-mail is missed."
+#echo "E-mail: $USEREMAIL"
+
+EMAIL="$FROMEMAIL" mutt "$USEREMAIL" -s "Новый пароль для Этерсофта" << EOF
+Добрый день!
+
+Этерсофт переходит на новую схему аутентификации с использованием AD (службы каталогов).
+Вам нужно заново задать ваш пароль для входа в систему.
+
+Для этого после удачного входа в систему откройте консоль и введите команду
+\$ passwd
+на запрос
+Current Password:
+укажите временный пароль, указанный ниже. Нажмите Enter и укажите свой пароль, который вы обычно используете для входа.
+
+Ваш логин: $RUSERNAME
+Временный пароль: $RPASSWORD
+
+Старый пароль будет действовать ещё некоторое время, до окончания переходного периода.
+
+With best regards,
+Etersoft robot,
+$(LANG=C date)
+EOF
+echo "Mailed from $FROMEMAIL to $USEREMAIL"
+

dc/check_ad_dns.sh

+#!/bin/sh
+
+# https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/SSSD-AD.html
+
+# To verify the DNS SRV LDAP records
+dig -t SRV _ldap._tcp.ad.example.com
+
+# To verify AD records
+dig -t SRV _ldap._tcp.dc._msdcs.ad.example.com
+

dc/edit_user.sh

+#!/bin/sh
+
+fatal()
+{
+       echo "$*" >&2
+       exit 1
+}
+
+RUSER="$1"
+[ -n "$RUSER" ] || exit
+SID=$(wbinfo --name-to-sid "$RUSER" | cut -d" " -f1) || fatal
+RUID=$(wbinfo --sid-to-uid "$SID")
+
+[ -n "$EDITOR" ] || EDITOR="mcedit"
+#VISUAL=$EDITOR
+
+echo "User: $RUSER ($RUID), SID: $SID"
+
+# Нет в локальных пользователях
+#[ "$(id -u "$RUSER")" = "$RUID" ] || fatal "Не совпадают UID"
+
+# https://wiki.samba.org/index.php/Working_with_Active_Directory_encoded_LDAP_values
+
+ldbedit -e $EDITOR --show-binary -H /var/lib/samba/private/sam.ldb objectsid="$SID"

dc/gm.sh

+./migrate_group.sh --list | cut -d"	" -f1 >group_mirror.list

dc/gma.sh

+cat group_mirror.list | xargs -n1 ./migrate_group.sh

dc/group_mirror.list

+eter1cadmin
+confid
+devel
+winedevel
+eter1c
+db1c
+builder
+webdevel
+eterworkers
+winetester
+selta
+remotelogin
+eterwinesales
+etervbox
+asubuilder
+girar-builder
+eteradmin
+girar-office-builder
+officedevel
+modem
+eterwebmaster
+eterwebadmin
+etersysadmin
+eterbuh
+eterwineadmin
+winebuilder
+reposupdate
+etersecurity

dc/migrate_group.sh

+#!/bin/bash
+
+# Written by Vitaly Lipatov <lav@etersoft.ru> (c) 2012, 2017
+# ./migrate_user.sh LOGIN [e-mail]
+# migrate user from mysql to AD and sent a temporary password him
+
+DB_USER=nss-user
+DB_PASS=userpass
+DB_HOST=mysql.auth.office.etersoft.ru
+DB=mail
+
+# TODO
+NISDOMAIN=etersoft
+
+epm assure mysql /usr/bin/mysql
+
+fatal()
+{
+       echo "$*" >&2
+       exit 1
+}
+
+mysql_query()
+{
+        echo "$*" |
+                mysql --batch -s -N --default-character-set=utf8 --user=$DB_USER  --password=$DB_PASS --host $DB_HOST $DB
+}
+
+user_groups_list()
+{
+        mysql_query "SELECT name FROM groups g LEFT JOIN grouplist gl ON g.gid = gl.gid WHERE gl.username='$1'"
+}
+
+if [ "$1" = "--list" ] ; then
+    shift
+    if [ -z "$1" ] ; then
+        mysql_query "SELECT name,gid FROM groups"
+    else
+        user_groups_list "$1"
+    fi
+    exit
+ 
+fi
+
+FORCE=
+if [ "$1" = "--force" ] ; then
+    FORCE=1
+    shift
+fi
+
+RGROUP="$1"
+
+[ -n "$RGROUP" ] || fatal "Run with group name arg"
+
+if [ -n "$FORCE" ] ; then
+    samba-tool group delete "$RGROUP"
+fi
+
+RGID="$(mysql_query "SELECT gid FROM groups WHERE name = '$RGROUP' LIMIT 1")"
+
+[ -n "$RGID" ] || fatal "Can't get gid from $RGROUP"
+
+samba-tool group add "$RGROUP" --gid-number="$RGID" --nis-domain="$NISDOMAIN"
+

dc/migrate_user.sh

+#!/bin/bash
+
+# Written by Vitaly Lipatov <lav@etersoft.ru> (c) 2012, 2017
+# ./migrate_user.sh LOGIN [e-mail]
+# migrate user from mysql to AD and sent a temporary password him
+
+#. $(dirname $0)/migrate_user_passwd.conf
+
+DB_USER=nss-user
+DB_PASS=userpass
+DB_HOST=mysql.auth.office.etersoft.ru
+DB=mail
+
+DOMEMAIL=etersoft.ru
+FROMEMAIL=noreply@etersoft.ru
+
+epm assure mutt
+epm assure pwgen
+epm assure mysql /usr/bin/mysql
+fatal()
+{
+       echo "$*" >&2
+       exit 1
+}
+
+mysql_query()
+{
+        echo "$*" |
+                mysql --batch -s -N --default-character-set=utf8 --user=$DB_USER  --password=$DB_PASS --host $DB_HOST $DB
+}
+
+if [ "$1" = "--list" ] ; then
+    mysql_query "SELECT test(username) FROM accountuser WHERE enable=1"
+    exit
+fi
+
+if [ "$1" = "--grouplist" ] ; then
+    shift
+    echo "Group list:"
+    mysql_query "SELECT gid FROM grouplist WHERE username='$1'" | xargs echo
+    exit
+fi
+
+FORCE=
+if [ "$1" = "--force" ] ; then
+    FORCE=1
+    shift
+fi
+
+LOGIN="$1"
+FORCEEMAIL="$2"
+
+[ -n "$LOGIN" ] || fatal "Run me with LOGIN as param"
+
+read RUSERNAME RUID RGID RHOMEDIR RSHELL <<< $(mysql_query "SELECT test(username),uid,gid,homedir,shell FROM accountuser WHERE username LIKE '$LOGIN@%%' AND enable=1 LIMIT 1")
+# "
+RGECOS="$(mysql_query "SELECT gecos FROM accountuser WHERE username LIKE '$LOGIN@%%' AND enable=1 LIMIT 1")"
+read RGIVENNAME RSURNAME <<< "$RGECOS"
+# cannot be empty
+[ -n "$RSURNAME" ] || RSURNAME="User"
+
+[ "$RUSERNAME" = "$LOGIN" ] || fatal "Did not receive correct login name (wait for $LOGIN, received $RUSERNAME)"
+
+cat <<EOF
+Данные о пользователе $RGIVENNAME $RSURNAME:
+LOGIN=$RUSERNAME
+UID=$RUID GID=$RGID
+HOME=$RHOMEDIR
+SHELL=$RSHELL"
+
+EOF
+
+if [ -z "$FORCEEMAIL" ] ; then
+    USEREMAIL=$RUSERNAME@$DOMEMAIL
+else
+    USEREMAIL="$FORCEEMAIL"
+fi
+
+# samba-tool domain passwordsettings set --min-pwd-length=6 --complexity=off --max-pwd-age=0 --min-pwd-age=0
+
+# Пока сбрасывается при логине по ssh
+# To force a user to change their password at next logon, set the pwdLastSet attribute to zero (0).
+
+# никто не будет знать :)
+#  --random-password \
+RPASSWORD=$(pwgen -1)
+
+if [ -n "$FORCE" ]; then
+    echo "# samba-tool user delete $RUSERNAME"
+    samba-tool user delete $RUSERNAME
+fi
+
+# http://samba.2283325.n4.nabble.com/Full-list-of-options-when-using-samba-tool-user-create-td4685327.html
+samba-tool user create $RUSERNAME \
+  --must-change-at-next-login \
+  --surname="$RSURNAME" \
+  --given-name="$RGIVENNAME" \
+  --company="Etersoft" \
+  --mail-address="$RUSERNAME@$DOMEMAIL" \
+  --unix-home=$RHOMEDIR \
+  --uid-number=$RUID \
+  --gid-number=$RGID \
+  --login-shell=$RSHELL \
+  --random-password \
+  || fatal "Error during create user"
+
+samba-tool user setpassword $RUSERNAME --newpassword "$RPASSWORD" || fatal "Error during set password"
+samba-tool user setexpiry $RUSERNAME --noexpiry
+
+for grp in $(./migrate_group.sh --list $RUSERNAME) ; do
+    samba-tool group addmembers $grp $RUSERNAME
+done
+
+echo "Установлен пароль $RPASSWORD"
+echo
+
+test -n "$USEREMAIL" || fatal "E-mail is missed."
+#echo "E-mail: $USEREMAIL"
+
+EMAIL="$FROMEMAIL" mutt "$USEREMAIL" -s "Новый пароль для Этерсофта" << EOF
+Добрый день!
+
+Этерсофт переходит на новую схему аутентификации с использованием AD (службы каталогов).
+Вам нужно заново задать ваш пароль для входа в систему.
+
+Для этого после удачного входа в систему откройте консоль и введите команду
+\$ passwd
+на запрос
+Current Password:
+укажите временный пароль, указанный ниже. Нажмите Enter и укажите свой пароль, который вы обычно используете для входа.
+
+Ваш логин: $RUSERNAME
+Временный пароль: $RPASSWORD
+
+Старый пароль будет действовать ещё некоторое время, до окончания переходного периода.
+
+With best regards,
+Etersoft robot,
+$(LANG=C date)
+EOF
+echo "Mailed from $FROMEMAIL to $USEREMAIL"
+

dc/mua.sh

+#!/bin/sh -x
+./migrate_user.sh --list | xargs -n1 ./migrate_user.sh

dc/test_ldap.sh

+#!/bin/sh
+epm assure ldapsearch openldap-clients
+#  -H ldaps://ad.realm.local:3269
+
+#LDAPHOST="ldaps://localhost:3269"
+#ldapsearch -vv -x -LLL -E pr=200/noprompt -D "amigo@etersoft.ru" -w qweqwe1 -H $LDAPHOST -b "dc=etersoft,dc=ru"  -s sub "(cn=*)" name userPrincipalName mail sAMAccountName
+
+# работает через ticket
+# TODO: что-то типа --show-binary
+ldapsearch -u -vv -LLL -E pr=200/noprompt -Y GSSAPI -b "cn=Users,dc=etersoft,dc=ru"  -s sub "(cn=*)" name uidNumber userPrincipalNamesAMAccountName
+
+#ldapsearch -vv -x -LLL -E pr=200/noprompt -D "Administrator@ETERSOFT.RU" -H $LDAPHOST -b "dc=etersoft,dc=ru"  -s sub "(cn=*)" name userPrincipalName mail sAMAccountName
+#ldapsearch -x -LLL -E pr=200/noprompt -O maxssf=0 -Y GSSAPI -H $LDAPHOST -b "ou=Users,dc=etersoft,dc=ru"  -s sub "(cn=*)" name userPrincipalName mail sAMAccountName
+#ldapsearch -LLL -Y GSSAPI -b "ou=Users,dc=etersoft,dc=ru"  -s sub "(cn=*)" name userPrincipalName mail sAMAccountName