Playbook that Converts Local to AD Users

If you like removing local users in favor of the domain users, check out how to do that in shell at my post Convert Local to AD Users.

If you want to do it at scale, you can wrap it with a bit of ansible. Check out the full thing with syntax highlighting on gitlab: https://gitlab.com/bgstack15/former-gists/blob/master/cladu.yml/cladu.yml

---
# Only use one thisuser at a time, for the fail/changed logic to work correctly!
# usage: ansible-playbook -l targethost1 /etc/ansible/books/stable/cladu.yml -v -e 'thisuser=joneill'

- name: book that runs cladu
  hosts: all
  become: yes
  become_user: root
  become_method: sudo
  tasks:

  - name: copy in rpm
    copy:
      src: /etc/ansible/files/bgscripts-core-1.3-9.noarch.rpm
      dest: /tmp/
      mode: 0644

  - shell: rpm -U --nodeps /tmp/bgscripts-core-1.3-9.noarch.rpm
    args:
      warn: no
    register: this_rpm
    failed_when:
    - 'not ("is already installed" in this_rpm.stdout or "is already installed" in this_rpm.stderr or this_rpm.rc == 0)'
    changed_when:
    - 'not ("is already installed" in this_rpm.stdout or "is already installed" in this_rpm.stderr)'

  - shell: /usr/share/bgscripts/work/cladu.sh -r -g '{{ thisuser }}'
    args:
      warn: no
    register: this_shell
    changed_when:
    - 'not ("Skipped" in this_shell.stdout or "Failed" in this_shell.stdout)'
    failed_when:
    - '"Failed" in this_shell.stdout'

Learn when a user was added or removed from AD domain group

Ripped shamelessly from https://learn-powershell.net/2013/05/21/find-when-a-user-was-added-or-removed-to-a-domain-group-using-powershell-and-repadmin/

I was investigating when a user was added to a group the other day, because I completely missed a member of a different team being added to my linux_admins group, which gets full sudo privileges on every GNU/Linux system in the corporate network.

repadmin /showobjmeta dc1 'CN=Domain Admins,CN=Users,DC=example,DC=com'

Join RHEL6 to Active Directory

There are many things you need to do first, like installing the packages and configuring pam, nsswitch and resolv.conf, which are documented elsewhere and might make it into this document eventually. I was struggling with a RHEL6 server (for which realm is not packaged) and AD.
From EPEL, install msktutil.

kinit administrator
adcli join -D domain.example.com -K /etc/krb5.keytab -U administrator --show-details
msktutil -u -s host

References

https://fuhm.net/software/msktutil/manpage.html

Convert Local to AD Users

Project CLADU

CLADU stands for Convert Local to AD User.

When you want to remove a local account and have the AD user with exactly the same name take its place, use cladu.

usage: cladu.sh [-duV] [-gr] [--ng] [--nr] user1 [ user2 user3 ... ]
version 2018-03-09a
-d debug Show debugging info, including parsed variables.
-u usage Show this usage block.
-V version Show script version number.
-g groups Add the AD user to the local groups of the local user. Default is to skip this action.
--ng Do not perform the -g action
-r report Generate report in each user homedir.
--nr Do not perform the -r action
Environment variables:
Parameters override environment variables
CLADU_USERINFO_SCRIPT=/usr/share/bgscripts/work/userinfo.sh
CLADU_USER_REPORT any non-null value will perform the -r action.
CLADU_USER_REPORT_FILENAME=converted.txt File to save report to in each homedir
CLADU_GROUPS any non-null value will perform the -g action.
Return values:
0 Normal
1 Help or version info displayed
2 Count or type of flaglessvals is incorrect
3 Incorrect OS type
4 Unable to find dependency
5 Not run as root or sudo

Go check out the entire source to look at the flow of the script.
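As an added illustration of the -g action described in the usage block above (this is not code from the cladu project), the function below finds the local groups that list a user as a supplementary member and prints, as a dry run, the commands a conversion would need. The /etc/group content is constructed, and the userdel/usermod sequence is an assumption about the steps, not cladu's own flow.

```shell
#!/bin/sh
# Constructed /etc/group content so the example runs offline.
SAMPLE_GROUP='root:x:0:
wheel:x:10:joneill,alice
linux_admins:x:1001:joneill
docker:x:990:alice
joneill:x:1000:'

# local_groups_of USER GROUP_CONTENT
# Prints a comma-separated list of the groups whose member field names USER,
# in file order. The user's primary group (set by GID in /etc/passwd) is not
# a member-field entry, so it is deliberately not part of this list.
local_groups_of() {
   printf '%s\n' "$2" | awk -F: -v u="$1" '
      {
         n = split($4, m, ",")
         for (i = 1; i <= n; i++) {
            if (m[i] == u) {
               if (out != "") out = out ","
               out = out $1
            }
         }
      }
      END { print out }'
}

# plan_conversion USER GROUP_CONTENT
# Prints the commands instead of running them, so the plan can be reviewed
# before the local account is removed and the AD account takes its place.
plan_conversion() {
   user=$1
   groups=$(local_groups_of "$user" "$2")
   printf 'userdel %s\n' "$user"
   # After the AD user of the same name resolves through nsswitch, re-add the
   # supplementary memberships the local user had (the -g action).
   if [ -n "$groups" ]; then
      printf 'usermod -a -G %s %s\n' "$groups" "$user"
   fi
}

plan_conversion joneill "$SAMPLE_GROUP"
```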

Get SID from Linux ldapsearch in Active Directory

With the help of a fantastic post on ServerFault, here is a way to find a user’s SID in string format from an ldapsearch against Active Directory.

#!/bin/bash
# Filename: get_sid.sh
# Author: YasithaB
# Startdate: 2018-02-14 15:58
# Title: Script that Converts Sid from AD Ldap Hexadecimal into String
# Purpose: Help convert sid to usable value
# History:
#    2018-02-15 Modified to work with kornshell
# Usage:
#    ldapsearch -b 'dc=prod,dc=example,dc=com' -s 'sub' -x -D 'CN=My Username,OU=Domain Users,DC=prod,DC=example,DC=com' -W -H 'ldaps://adds2.prod.example.com:636' '(cn=Target Username)' objectSid | grep -E '^objectSid:' | awk '{print $2}' | ./get_sid.sh --stdin
# Reference:
#    https://serverfault.com/questions/851864/get-sid-by-its-objectsid-using-ldapsearch/852338#852338
# Improve:
# Document: Below this line
# Note: ${var:offset:length} and $((16#hex)) need bash or ksh93; a plain POSIX sh lacks both.

# Base-64 encoded objectSid (ldapsearch prints binary attributes as "objectSid:: <base64>")
test -z "${OBJECT_ID}" && OBJECT_ID="AQUAAAAAAAUVAAAAPWW1S5rojK4mDAiG5BAAAA=="
case "${1}" in
   "--stdin" ) read -r OBJECT_ID ;;
   "") : ;;
   *) OBJECT_ID="${1}" ;;
esac

# Decode it and hex-dump it into one uppercase hex string, two characters per byte
H="$(printf '%s' "${OBJECT_ID}" | base64 -d -i | hexdump -v -e '1/1 "%02X"')"

# SID Structure: https://technet.microsoft.com/en-us/library/cc962011.aspx
#   byte 0      revision (always 1)
#   byte 1      number of sub-authorities
#   bytes 2-7   identifier authority, big-endian (5 = NT Authority)
#   bytes 8+    sub-authorities, 4 bytes each, little-endian; the last one is the RID
# LESA = Little Endian Sub Authority
# BESA = Big Endian Sub Authority

REVISION=$((16#${H:0:2}))
SUBCOUNT=$((16#${H:2:2}))
AUTHORITY=$((16#${H:4:12}))

# Each sub-authority is stored little-endian, so the four byte pairs are reversed
# before conversion. Looping over the declared count handles SIDs with any number
# of sub-authorities instead of assuming the five found in a domain user SID.
SID="S-${REVISION}-${AUTHORITY}"
i=0
while [ "${i}" -lt "${SUBCOUNT}" ] ; do
   BESA=${H:$((16 + 8 * i)):8}
   LESA=${BESA:6:2}${BESA:4:2}${BESA:2:2}${BESA:0:2}
   SID="${SID}-$((16#${LESA}))"
   i=$((i + 1))
done
echo "${SID}"