Ubuntu AD-JOIN
Prerequisite:
-
The Domain Controller must be configured as the host's primary DNS server so that $DOMAIN can be resolved.
It can be checked using:
networkctl status
Do read the warning below
⚠️ If the password contains dollar signs you must escape each of them twice, e.g. "(...) PASSWORD=WhateverWith\\\$\\\$ (...)" ⚠️
sudo bash -c "DOMAIN=example.org PASSWORD=PassW0rd! $(curl -fsSL https://gitlab.bertha.cloud/snippets/30/raw)"
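#!/usr/bin/env bash
# Join an Ubuntu host to an Active Directory domain using realmd + sssd.
#
# Required environment:
#   DOMAIN       AD domain to join (e.g. example.org). The DC must already be
#                this host's DNS server, otherwise the domain cannot be resolved.
#   PASSWORD     Password of the joining account; handed to `realm join` on
#                stdin so it never appears on a command line.
# Optional environment:
#   DOMAIN_USER  Account used for the join (default: Administrator).
#
# Side effects: sets the FQDN hostname, writes a netplan search-domain file,
# installs packages, joins the realm, writes /etc/sudoers.d/domain-admins,
# rewrites /etc/sssd/sssd.conf and appends to /etc/ssh/sshd_config.
#
# Exit status: 100 when not root, 1 on any other validation or step failure.
set -euo pipefail

# Print a message to stderr and exit with the given status (default 1).
die() {
  local status=${2:-1}
  printf '%s\n' "$1" >&2
  exit "$status"
}

if [[ $EUID -ne 0 ]]; then
  die "You must be root to join domain. Please run with sudo." 100
fi

# ${VAR:-} so the friendly message wins over set -u when a variable is unset.
if [[ -z "${DOMAIN:-}" || -z "${PASSWORD:-}" ]]; then
  die '$DOMAIN and $PASSWORD are required'
fi

# Resolve the domain to a single IPv4 address (dig +short may return several
# records, and a CNAME line would otherwise leak into `ip route get`), then
# locate the outgoing interface. The "dev" keyword is used as the anchor:
# reading a fixed field of `ip route get` yields the gateway address instead
# of the device whenever the route has a "via" hop.
DOMAIN_IP=$(dig +short "$DOMAIN" | awk '/^[0-9.]+$/ { print; exit }') || DOMAIN_IP=""
INTERFACE=""
if [[ -n "$DOMAIN_IP" ]]; then
  INTERFACE=$(ip route get "$DOMAIN_IP" \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }') || INTERFACE=""
fi
if [[ -z "$INTERFACE" ]]; then
  die "Route to domain $DOMAIN not found"
fi

# lsof succeeds only when some process holds the dpkg frontend lock. If lsof
# itself is missing the test is false and the script proceeds, as before.
if lsof /var/lib/dpkg/lock-frontend > /dev/null; then
  die 'Cannot get apt lock'
fi

SHORT_HOST=$(hostname)
FQDN="${SHORT_HOST%%.*}.${DOMAIN}"
# Setting the full FQDN hostname is required for the DNS server to create the
# corresponding A record for this host.
echo "Setting fqdn hostname to $FQDN"
hostnamectl set-hostname "$FQDN"

echo "Setting DNS search to $DOMAIN in netplan configuration"
cat <<EOF > /etc/netplan/99-netcfg-zzz-domain.yaml
# This file sets the DNS search domain to the Active Directory domain
network:
  version: 2
  renderer: networkd
  ethernets:
    $INTERFACE:
      nameservers:
        search:
          - $DOMAIN
EOF
# netplan expects its configuration files to be readable by root only.
chmod 0600 /etc/netplan/99-netcfg-zzz-domain.yaml

echo "Applying netplan configuration"
netplan generate
netplan apply

echo "Enabling Pam mkhomedir"
pam-auth-update --enable mkhomedir >/dev/null 2>&1 || die 'pam-auth-update failed'

# Never block on debconf prompts: this script typically runs inside `bash -c`
# with no terminal to answer them.
export DEBIAN_FRONTEND=noninteractive
echo "Updating apt repositories"
apt-get -qq update >/dev/null 2>&1 || die 'apt-get update failed'
echo "Installing dependencies"
apt-get -qq -o Dpkg::Use-Pty=0 install realmd policykit-1 sssd-tools sssd libnss-sss libpam-sss adcli samba-common-bin packagekit >/dev/null 2>&1 \
  || die 'Installing dependencies failed'

# printf rather than echo: a password beginning with "-n"/"-e" or containing
# backslashes would otherwise be mangled before reaching realm.
printf '%s\n' "$PASSWORD" | realm join "$DOMAIN" -U "${DOMAIN_USER:-Administrator}" > /dev/null \
  || die "Joining domain $DOMAIN failed"

# Members of "domain admins" get passwordless sudo; this mirrors the original
# policy of this script. The group name carries a literal space, escaped as
# "\ " in sudoers syntax.
echo "Enabling domain admins as sudoers"
printf '%s\n' '%domain\ admins ALL=(ALL:ALL) NOPASSWD: ALL' > /etc/sudoers.d/domain-admins
chmod 0440 /etc/sudoers.d/domain-admins
# A syntactically broken drop-in would lock every sudo user out; validate it.
visudo -cf /etc/sudoers.d/domain-admins >/dev/null || die 'Invalid sudoers file written to /etc/sudoers.d/domain-admins'

echo "Applying sssd configuration"
cat <<EOF > /etc/sssd/sssd.conf
[sssd]
domains = $DOMAIN
config_file_version = 2
services = nss, pam, ssh
[domain/$DOMAIN]
ad_domain = $DOMAIN
krb5_realm = ${DOMAIN^^}
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad
dyndns_update = True
dyndns_refresh_interval = 3600
dyndns_update_ptr = False
dyndns_ttl = 3600
ldap_user_ssh_public_key = altSecurityIdentities
ad_gpo_ignore_unreadable = True
ad_gpo_access_control = permissive
EOF
# sssd refuses to start when its configuration is not root-only 0600.
chown root:root /etc/sssd/sssd.conf
chmod 0600 /etc/sssd/sssd.conf

echo "Restarting sssd"
systemctl restart sssd

# Append the sss authorized-keys hook once; re-running the script must not
# stack duplicate directives (sshd honours the first occurrence only).
echo "Configuring sshd to use sssd authorized keys"
if ! grep -q '^AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys' /etc/ssh/sshd_config; then
  cat <<'EOF' >> /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
AuthorizedKeysCommandUser root
EOF
fi
# Check the resulting configuration before restarting so a bad edit does not
# take the SSH service down on a remote host.
if command -v sshd >/dev/null 2>&1; then
  sshd -t || die 'sshd configuration check failed; sshd not restarted'
fi

echo "Restarting sshd"
systemctl restart sshd
echo "Domain $DOMAIN joined !"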