From 32fa6384342d0e617a227c16f82d2e582ab966da Mon Sep 17 00:00:00 2001 From: Marten Cassel Date: Thu, 15 Aug 2024 18:32:43 +0200 Subject: [PATCH] Add dockerfile for development testing. And some scripts and documentation for testing functionality against ADDS/DNS/NTP/KERBEROS --- CONTRIBUTING.md | 73 +++++++++++ Dockerfile | 72 +++++++++++ Makefile | 49 ++++++++ docs/INTRO.md | 93 ++++++++++++++ docs/INTRO_WITH_MAKE.md | 107 ++++++++++++++++ docs/ad_dc.sh | 19 +++ scripts/bootstrap_adds_test_env.md | 93 ++++++++++++++ scripts/check_dns_sync.sh | 115 +++++++++++++++++ scripts/check_krb5.sh | 194 +++++++++++++++++++++++++++++ scripts/check_ntp_sync.sh | 112 +++++++++++++++++ scripts/install_adds.ps1 | 115 +++++++++++++++++ scripts/set_dns.sh | 6 + 12 files changed, 1048 insertions(+) create mode 100644 CONTRIBUTING.md create mode 100644 Dockerfile create mode 100644 Makefile create mode 100644 docs/INTRO.md create mode 100644 docs/INTRO_WITH_MAKE.md create mode 100644 docs/ad_dc.sh create mode 100644 scripts/bootstrap_adds_test_env.md create mode 100755 scripts/check_dns_sync.sh create mode 100755 scripts/check_krb5.sh create mode 100755 scripts/check_ntp_sync.sh create mode 100644 scripts/install_adds.ps1 create mode 100755 scripts/set_dns.sh diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..5487675 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,73 @@ +# smart_proxy_realm_ad_plugin + +Welcome to the project! This repository contains smart_proxy_realm_ad_plugin. + +## Getting Started + +For detailed onboarding instructions, please refer to the [ONBOARDING.md](ONBOARDING.md) file. + +## Prerequisites + +- Docker +- Git + +## Quick Start + +1. **Clone your fork** + + ```sh + git clone https://github.com/your-username/smart_proxy_realm_ad_plugin.git + cd smart_proxy_realm_ad_plugin + ``` + +2. **Install the prerequisites** + + Ensure you have Docker and Git installed on your machine. You can follow the official installation guides: + + - [Docker Installation](https://docs.docker.com/get-docker/) + - [Git Installation](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) + +3. **Build the Docker image** + + Use Docker to build the image for the development environment. + + ```sh + docker build -t smart_proxy_realm_ad_plugin . + ``` + +4. **Run the Docker container** + + Start the Docker container with the necessary configurations. + + ```sh + docker run -it --rm --name smart_proxy_realm_ad_plugin -v $(pwd):/app -w /app smart_proxy_realm_ad_plugin + ``` + + This command will run the Docker container interactively, mount the current directory to `/app` inside the container, and set the working directory to `/app`. + +5. **Install dependencies** + + Inside the running Docker container, install the necessary dependencies. + + ```sh + bundle install + ``` + +6. **Run tests** + + To ensure everything is set up correctly, you can run the tests inside the Docker container. + + ```sh + bundle exec rake test + ``` + +7. **Start developing** + + You are now ready to start developing! Make your changes and see them reflected in the running application. 
+ +## Additional Resources + +- [Foreman Documentation](https://theforeman.org/documentation.html) +- [Foreman Smart Proxy Documentation](https://theforeman.org/manuals/latest/index.html#4.3SmartProxies) +- [Foreman Community](https://community.theforeman.org/) + \ No newline at end of file diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..2348662 --- /dev/null +++ b/Dockerfile 
@@ -0,0 +1,72 @@
+FROM ubuntu:22.04
+
+# Define package lists
+ENV RUBY_PACKAGES="ruby ruby-dev gem"
+ENV BUILD_TOOLS="automake autoconf gcc make libc-dev"
+ENV RADCLI_DEPENDENCIES="libkrb5-dev libldap2-dev libsasl2-dev"
+ENV TESTING_TOOLS="adcli krb5-user ldap-utils dnsutils ltrace strace"
+ENV VERSION_CONTROL="git"
+ENV NETWORK_TOOLS="iputils-ping nmap tshark"
+ENV UTILITY_TOOLS="wget gnupg sudo"
+
+# Define DNS resolver variables
+ENV DNS_SERVER=192.168.3.1
+ENV DNS_SEARCH=lab.local
+ENV DOMAIN="lab.local"
+
+# Preconfigure krb5-config and tshark to avoid interactive prompts
+RUN echo "krb5-config krb5-config/default_realm string LAB.LOCAL" | debconf-set-selections && \
+ echo "resolvconf resolvconf/linkify-resolvconf boolean false" | debconf-set-selections && \
+ echo "wireshark-common wireshark-common/install-setuid boolean true" | debconf-set-selections && \
+ echo "wireshark-common wireshark-common/install-setuid boolean true" | debconf-set-selections
+
+# Copy the DNS setup script
+COPY ./scripts/set_dns.sh /usr/local/bin/set_dns.sh
+RUN chmod +x /usr/local/bin/set_dns.sh
+
+# Install packages
+RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
+ apt-get install -y --no-install-recommends \
+ $RADCLI_DEPENDENCIES \
+ $RUBY_PACKAGES \
+ $BUILD_TOOLS \
+ $LIBRARIES \
+ $TESTING_TOOLS \
+ $NETWORK_TOOLS \
+ $VERSION_CONTROL \
+ $UTILITY_TOOLS && \
+ rm -rf /var/lib/apt/lists/*
+
+# Install foreman-proxy nightly
+RUN apt update && \
+ apt install -y wget ca-certificates && \
+ cd /tmp && wget https://apt.puppet.com/puppet7-release-jammy.deb && \
+ apt install -y /tmp/puppet7-release-jammy.deb && \
+ wget https://deb.theforeman.org/foreman.asc -O /etc/apt/trusted.gpg.d/foreman.asc && \
+ echo "deb http://deb.theforeman.org/ jammy nightly" | tee /etc/apt/sources.list.d/foreman.list && \
+ echo "deb http://deb.theforeman.org/ jammy nightly" | tee /etc/apt/sources.list.d/foreman.list && \
+ echo "deb http://deb.theforeman.org/ plugins nightly" | tee -a /etc/apt/sources.list.d/foreman.list && \
+ apt update -y && \
+ apt upgrade -y
+
+# Create a non-root user with sudo access
+RUN groupadd -r devuser && useradd -r -g devuser -m -s /bin/bash devuser && \
+ usermod -aG sudo devuser && \
+ echo "devuser ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+# Set the user to the newly created non-root user
+USER devuser
+
+# Set the working directory
+WORKDIR /home/devuser
+
+# Install oh-my-bash for devuser
+RUN git clone https://github.com/ohmybash/oh-my-bash.git /home/devuser/.oh-my-bash && \
+ cp /home/devuser/.oh-my-bash/templates/bashrc.osh-template /home/devuser/.bashrc && \
+ chown -R devuser:devuser /home/devuser/.oh-my-bash /home/devuser/.bashrc
+
+WORKDIR /app
+
+# Set the entrypoint to the DNS setup script
+ENTRYPOINT ["/usr/local/bin/set_dns.sh"]
+CMD ["/bin/bash"]
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..a7bbdc0
--- /dev/null
+++ b/Makefile
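Review bot: The `RUN groupadd … && echo "devuser ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers` step gives the only non-root user unrestricted passwordless root, so the later `USER devuser` is not a privilege boundary; if passwordless sudo is intended for this dev image, put it in a validated drop-in instead of appending to the main file, `echo "devuser ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/devuser && chmod 0440 /etc/sudoers.d/devuser && visudo -cf /etc/sudoers.d/devuser`, and note that the `wireshark-common/install-setuid boolean true` debconf answer adds a second setuid-root path (dumpcap) worth a comment. `$LIBRARIES` in the first `apt-get install` is never defined by any `ENV` above it and expands to nothing, so it should be defined or dropped. The foreman-proxy step fetches `puppet7-release-jammy.deb` with `wget` and installs it with no checksum or signature verification, writes the `jammy nightly` source line twice, and ends with a blanket `apt upgrade -y`; verifying the .deb (`ADD --checksum=sha256:<expected-sha256>` or `sha256sum -c` after the download) and bumping the base tag instead of upgrading would keep the image reproducible. The package-list `ENV`s are build-time only and leak into the runtime environment of every container; `ARG` serves the same purpose without that.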
@@ -0,0 +1,49 @@
+IMAGE_NAME=smart_proxy_realm_ad_plugin:master
+CONTAINER_NAME=smart_proxy_realm_ad_plugin-dev
+
+# Default goal
+.DEFAULT_GOAL := help
+
+# Phony targets
+.PHONY: help build default shell clean stop logs rebuild restart test
+
+## Default target to build and run
+default: build run
+
+help: ## Diplay this help
+ @echo "Usage: make [target]"
+ @echo "Targets:"
+ @awk 'BEGIN {FS = ":.*?## "} /^[a-zA-Z_-]+:.*?## / {printf "\033[36m%-20s\033[0m %s\n", $$1, $$2}' $(MAKEFILE_LIST)
+
+build: ## Build from Dockerfile
+ docker build -t $(IMAGE_NAME) .
+
+rebuild: ## Build without cache
+ docker build -t $(IMAGE_NAME) --no-cache .
+
+run: ## Run in the background
+ docker inspect $(CONTAINER_NAME) >/dev/null 2>&1 && docker rm -f $(CONTAINER_NAME) || true
+ docker run --name=$(CONTAINER_NAME) -v $(PWD):/app -d $(IMAGE_NAME) sleep infinity
+
+shell: build run ## Open a shell in the running container
+ docker exec -it $(CONTAINER_NAME) /bin/bash
+
+stop: ## Stop the running container
+ docker stop $(CONTAINER_NAME) || true
+
+restart: stop run ## Restart the container
+
+clean: ## clean
+ docker rm -f $(CONTAINER_NAME) >> /dev/null 2>&1 || true
+ docker rmi -f $(IMAGE_NAME) >> /dev/null 2>&1 || true
+
+## Use inside the container
+
+local-build: ## Inside Container: Build a local gem inside the container
+ sudo gem build
+ #sudo gem install radcli
+ sudo gem install smart_proxy_realm_ad_plugin-0.1.gem
+ sudo find /var/lib -name radcli*
+ sudo find /var -name provider.rb
+ sudo find /var -name realm*
+
diff --git a/docs/INTRO.md b/docs/INTRO.md
new file mode 100644
index 0000000..1d3132d
--- /dev/null
+++ b/docs/INTRO.md
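Review bot: The `.PHONY: help build default shell clean stop logs rebuild restart test` line declares `logs` and `test`, which have no rule, and omits `run` and `local-build`, which do; a file or directory named `run` in the checkout would then silently satisfy that target, so it should read `.PHONY: help build default run shell clean stop rebuild restart local-build`. The `run` recipe passes `sleep infinity` as the container command, which the Dockerfile's `ENTRYPOINT ["/usr/local/bin/set_dns.sh"]` receives as arguments; `scripts/set_dns.sh` is not in view here, so whether it ends with `exec "$@"` (needed for the container to stay up) cannot be confirmed. `help: ## Diplay this help` has a typo, `Display`. The `local-build` recipe runs `sudo find /var/lib -name radcli*` with an unquoted glob, which the shell expands against the current directory before `find` sees it; `-name 'radcli*'` and `-name 'realm*'` are what is meant.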
@@ -0,0 +1,93 @@ +# Getting Started with the [`smart_proxy_realm_ad_plugin`] + +This tutorial will guide you through the steps to build, run, and use the [`smart_proxy_realm_ad_plugin`] + +This container is based on Ubuntu 22.04 and includes various development tools, libraries, and configurations for working with Kerberos and LDAP. + +## Prerequisites + +- Docker installed on your machine. +- Internet connection to pull base images and clone repositories. + +## Step 1: Clone the Repository + +First, clone the repository containing the Dockerfile and related scripts. + +```sh +git clone https://github.com/your-repo/smart_proxy_realm_ad_plugin.git +cd smart_proxy_realm_ad_plugin +``` + +## Step 2: Build the Docker Image + +Build the Docker image using the provided Dockerfile. This step will install all necessary packages and configure the environment. + +```sh +docker build -t smart_proxy_realm_ad_plugin:master . +``` + +## Step 3: Run the Docker Container + +Run the container in the background. This command will start the container and keep it running. + +```sh +docker run --name smart_proxy_realm_ad_plugin-dev -d smart_proxy_realm_ad_plugin:master sleep infinity +``` + +## Step 4: Access the Container + +Open a shell inside the running container to start using it. + +```sh +docker exec -it smart_proxy_realm_ad_plugin-dev /bin/bash +``` + +## Step 5: Verify the Environment + +Once inside the container, you can verify that the environment is set up correctly. + +1. **Check Installed Packages**: + ```sh + dpkg -l | grep -E 'ruby|automake|autoconf|gcc|make|libkrb5-dev|libldap2-dev|libsasl2-dev|adcli|krb5-user|ldap-utils|dnsutils|git' + ``` + +2. **Check DNS Configuration**: + ```sh + cat /etc/resolv.conf + ``` + +3. 
**Check Oh-My-Bash Installation**: + ```sh + echo $OSH + ``` + +## Step 6: Run Tests (Optional) + +If you have tests to run inside the container, you can execute them as follows: + +```sh +docker exec smart_proxy_realm_ad_plugin-dev /bin/bash -c "cd /path/to/tests && ./run_tests.sh" +``` + +## Step 7: Clean Up + +When you are done, you can stop and remove the container, and optionally remove the image. + +1. **Stop the Container**: + ```sh + docker stop smart_proxy_realm_ad_plugin-dev + ``` + +2. **Remove the Container**: + ```sh + docker rm smart_proxy_realm_ad_plugin-dev + ``` + +3. **Remove the Image** (optional): + ```sh + docker rmi smart_proxy_realm_ad_plugin:master + ``` + +## Summary + +You have successfully built and run the [`smart_proxy_realm_ad_plugin`] container. You can now use this container for development and testing purposes, with all necessary tools and configurations pre-installed. \ No newline at end of file diff --git a/docs/INTRO_WITH_MAKE.md b/docs/INTRO_WITH_MAKE.md new file mode 100644 index 0000000..6a3e156 --- /dev/null +++ b/docs/INTRO_WITH_MAKE.md 
@@ -0,0 +1,107 @@ +# Getting Started with the `smart_proxy_realm_ad_plugin` Container + +This tutorial will guide you through the steps to build, run, and use the `smart_proxy_realm_ad_plugin` container. This container is based on Ubuntu 22.04 and includes various development tools, libraries, and configurations for working with Kerberos and LDAP. + +## Prerequisites + +- Docker installed on your machine. +- Make installed on your machine. +- Internet connection to pull base images and clone repositories. + +## Step 1: Clone the Repository + +First, clone the repository containing the Dockerfile, Makefile, and related scripts. + +```sh +git clone https://github.com/your-repo/smart_proxy_realm_ad_plugin.git +cd smart_proxy_realm_ad_plugin +``` +## Step 2: Understand the Makefile + +The Makefile contains several targets to help you manage the Docker container. Here is a brief overview of each target: + +- **default**: Builds the Docker image and runs the container. +- **help**: Displays help information. +- **build**: Builds the Docker image from the Dockerfile. +- **rebuild**: Builds the Docker image without using the cache. +- **run**: Runs the container in the background. +- **shell**: Opens a shell in the running container. +- **stop**: Stops the running container. +- **restart**: Restarts the container. +- **clean**: Cleans up by removing the container and image. + +## Step 3: Build the Docker Image + +To build the Docker image, use the `build` target. This will install all necessary packages and configure the environment. + +```sh +make build +``` + +## Step 4: Run the Docker Container + +To run the container in the background, use the `run` target. This command will start the container and keep it running. + +```sh +make run +``` + +## Step 5: Access the Container + +To open a shell inside the running container, use the [`shell`] target. This is useful for debugging and development. 
+ +```sh +make shell +``` + +## Step 6: Verify the Environment + +Once inside the container, you can verify that the environment is set up correctly. + +1. **Check Installed Packages**: + ```sh + dpkg -l | grep -E 'ruby|automake|autoconf|gcc|make|libkrb5-dev|libldap2-dev|libsasl2-dev|adcli|krb5-user|ldap-utils|dnsutils|git' + ``` + +2. **Check DNS Configuration**: + ```sh + cat /etc/resolv.conf + ``` + +3. **Check Oh-My-Bash Installation**: + ```sh + echo $OSH + ``` + +## Step 7: Stop the Container + +To stop the running container, use the [`stop`] target. + +```sh +make stop +``` + +## Step 8: Clean Up + +When you are done, you can clean up by removing the container and image using the [`clean`] target. + +```sh +make clean +``` + +## Additional Targets + +- **rebuild**: If you need to rebuild the Docker image without using the cache, use the [`rebuild`] target. + ```sh + make rebuild + ``` + +- **restart**: To restart the container, use the [`restart`] target. + ```sh + make restart + ``` + +## Summary + +You have successfully used the Makefile to build, run, and manage the [`smart_proxy_realm_ad_plugin`] devcontainer. The Makefile simplifies common tasks, making it easier to develop and test your application. +You can now use this setup for efficient development and testing purposes. diff --git a/docs/ad_dc.sh b/docs/ad_dc.sh new file mode 100644 index 0000000..810ec6e --- /dev/null +++ b/docs/ad_dc.sh @@ -0,0 +1,19 @@ +# 1. Configure NTP on Windows DC: +# Set the DC to use its own clock as the time source: + +w32tm /config /manualpeerlist:"0.pool.ntp.org,0x1" /syncfromflags:manual /reliable:YES /update +Restart-Service w32time + +# 2. Configure Ubuntu 22.04: +# Install the NTP client package on your Ubuntu server: + +make shell + +apt-get update +apt-get install ntp + +# Edit the NTP configuration file: +DC_IP_ADDRESS=192.168.3.1 + +# +sed -i "s/server ntp.ubuntu.com/server $DC_IP_ADDRESS/g" /etc/ntp.conf 
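Review bot: `docs/ad_dc.sh` is not an executable script but a set of mixed notes: the first block (`w32tm`, `Restart-Service`) runs on the Windows DC, the second inside the container, `make shell` opens an interactive shell so the lines after it never run, and `apt-get install ntp` lacks `-y`; a header comment, `# Not runnable as-is: run section 1 on the Windows DC (PowerShell), section 2 inside the dev container.`, would stop someone from piping it to bash. The comment `Set the DC to use its own clock as the time source` contradicts the command under it, which points the DC at `0.pool.ntp.org` with `/reliable:YES`. `DC_IP_ADDRESS=192.168.3.1` duplicates the `DNS_SERVER` literal in the Dockerfile and the `DOMAIN_CONTROLLER` literal in `scripts/check_dns_sync.sh`, so a lab with a different DC address has to edit three files. The `sed` assumes `/etc/ntp.conf` contains a `server ntp.ubuntu.com` line; whether the ntp package on 22.04 ships that exact line is not verifiable from here.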
diff --git a/scripts/bootstrap_adds_test_env.md b/scripts/bootstrap_adds_test_env.md new file mode 100644 index 0000000..55e2f7b --- /dev/null +++ b/scripts/bootstrap_adds_test_env.md 
@@ -0,0 +1,93 @@ +### Overview of the Topology + +The script is designed to configure an Active Directory (AD) forest and domain controllers on multiple Windows servers. Here's an overview of the topology and how the script operates: + +#### Topology + +1. **Windows Servers**: + - **ad01**: The first server where the AD forest is initially configured. + - **ad02**, **ad03**, **ad04**: Additional servers that are joined to the domain and promoted as domain controllers. + +2. **Control Machine**: + - This is the machine from which the script is executed. It could be a Windows machine, a Linux machine with PowerShell Core installed, or a Docker container running PowerShell Core. + +#### Script Execution + +The script can be executed from various environments, including: + +1. **Windows Machine**: + - The script can be run directly on a Windows machine with administrative privileges. + +2. **Linux Machine with PowerShell Core**: + - The script can be run from a Linux machine with PowerShell Core installed. This could be a physical Linux machine, a virtual machine, or a Windows machine with Windows Subsystem for Linux (WSL) and PowerShell Core installed. + +3. **Docker Container**: + - The script can be run from a Docker container running PowerShell Core. This is useful for environments where Docker is available and provides a consistent runtime environment. + +#### Connectivity + +The script uses PowerShell remoting to connect to the Windows servers. This requires: + +1. **WinRM (Windows Remote Management)**: + - WinRM must be enabled and configured on the Windows servers to allow remote PowerShell execution. + +2. **Network Access**: + - The control machine must have network access to the Windows servers. This includes proper routing, firewall rules, and any necessary VPN connections. + +#### Script Execution Flow + +1. 
**Configure Network Settings and Install Updates**: + - The script configures network settings (static IP, DNS) and installs Windows updates on all servers. + +2. **Install AD DS and Configure the Forest on ad01**: + - The script installs the AD DS role and configures a new AD forest on the first server (`ad01`). + +3. **Join Additional Servers to the Domain and Promote as Domain Controllers**: + - The script joins the remaining servers (`ad02`, `ad03`, `ad04`) to the domain and promotes them as additional domain controllers. + +4. **Configure NTP Settings**: + - The script configures NTP settings on all servers to synchronize time with an external NTP server. + +### Example: Running the Script from a Docker Container on a Linux Host + +#### Dockerfile + +Create a Dockerfile to build a PowerShell Core container: + +```Dockerfile +FROM mcr.microsoft.com/powershell:7.2.0-ubuntu-20.04 + +# Install necessary packages +RUN apt-get update && apt-get install -y \ + curl \ + wget \ + && rm -rf /var/lib/apt/lists/* + +# Copy the PowerShell script into the container +COPY install_adds.ps1 /scripts/install_adds.ps1 + +# Set the entrypoint to PowerShell +ENTRYPOINT ["pwsh", "/scripts/install_adds.ps1"] +``` + +#### Build and Run the Container + +1. **Build the Docker Image**: + +```sh +docker build -t powershell-core-ad-config . +``` + +2. **Run the Docker Container**: + +```sh +docker run --rm -it powershell-core-ad-config +``` + +### Summary + +- **Control Machine**: The script can be run from a Windows machine, a Linux machine with PowerShell Core, or a Docker container. +- **Connectivity**: Requires WinRM to be enabled on Windows servers and proper network access. +- **Execution Flow**: Configures network settings, installs updates, sets up AD DS, joins additional servers to the domain, and configures NTP settings. 
+ +By following this topology and execution flow, you can effectively configure an AD forest and domain controllers on multiple Windows servers from various environments. \ No newline at end of file diff --git a/scripts/check_dns_sync.sh b/scripts/check_dns_sync.sh new file mode 100755 index 0000000..3661bb9 --- /dev/null +++ b/scripts/check_dns_sync.sh 
@@ -0,0 +1,115 @@ +#!/usr/bin/env bash +set -e +set -u +set -o pipefail + +# Define colors +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[0;33m' +BLUE='\033[0;34m' +NC='\033[0m' # No Color + +# Introduction text +echo -e "${GREEN}This script tests and validates DNS functionality between the local Linux host (Ubuntu 22.04) and the remote Windows Domain on the same network.${NC}" +echo -e "${GREEN}It checks if the DNS server is reachable, if it can resolve the domain, and if the DNS configuration is correct.${NC}" +echo -e "${GREEN}Additionally, it verifies the required DNS records that ADDS registers so clients can discover the domain.${NC}" +echo -e "${GREEN}For more information, visit:${NC}" +echo -e "${YELLOW}https://www.example.com/dns-validation-guide${NC}" +echo "" + +# Explanation of major DNS records +echo -e "${GREEN}Active Directory Domain Services (ADDS) publishes several important DNS records that are essential for domain functionality.${NC}" +echo -e "${GREEN}These records include SRV records and A records, which are used by clients to locate domain controllers and other services.${NC}" +echo -e "${GREEN}Here are some of the major DNS records and their purposes:${NC}" +echo -e "${YELLOW}_ldap._tcp.dc._msdcs.${NC} - ${GREEN}Used by clients to locate domain controllers for LDAP services.${NC}" +echo -e "${YELLOW}_kerberos._tcp.dc._msdcs.${NC} - ${GREEN}Used by clients to locate domain controllers for Kerberos authentication.${NC}" +echo -e "${YELLOW}_ldap._tcp.gc._msdcs.${NC} - ${GREEN}Used by clients to locate global catalog servers for LDAP services.${NC}" +echo -e "${YELLOW}_kerberos._tcp.${NC} - ${GREEN}Used by clients to locate Kerberos servers.${NC}" +echo -e "${YELLOW}_kpasswd._tcp.${NC} - ${GREEN}Used by clients to locate Kerberos password change servers.${NC}" +echo -e "${YELLOW}_kpasswd._udp.${NC} - ${GREEN}Used by clients to locate Kerberos password change servers (UDP).${NC}" +echo "" + +# Explanation of how Linux tools use these DNS 
records +echo -e "${GREEN}Linux tools such as adcli, kerberos, krb5-workstation, and ldap use these DNS records to interact with Active Directory.${NC}" +echo -e "${GREEN}Here is how some of these tools use the DNS records:${NC}" +echo -e "${YELLOW}adcli${NC} - ${GREEN}Uses the _ldap._tcp.dc._msdcs. record to locate domain controllers for joining the domain and managing computer accounts.${NC}" +echo -e "${YELLOW}Kerberos (krb5-workstation)${NC} - ${GREEN}Uses the _kerberos._tcp.dc._msdcs. and _kerberos._tcp. records to locate Kerberos servers for authentication.${NC}" +echo -e "${YELLOW}LDAP${NC} - ${GREEN}Uses the _ldap._tcp.dc._msdcs. and _ldap._tcp.gc._msdcs. records to locate domain controllers and global catalog servers for directory services.${NC}" +echo -e "${YELLOW}kpasswd${NC} - ${GREEN}Uses the _kpasswd._tcp. and _kpasswd._udp. records to locate Kerberos password change servers.${NC}" +echo "" + +# Prompt user for detailed trace logs +echo -e "${BLUE}Would you like to see detailed trace logs of DNS packets? (yes/no)${NC}" +read -r show_trace_logs + +# Define the domain controller and domain +DNS_DOMAIN="lab.local" +DOMAIN_CONTROLLER="192.168.3.1" + +# Verify that DNS is configured correctly +if ! grep -q "nameserver $DOMAIN_CONTROLLER" /etc/resolv.conf; then + echo -e "${RED}DNS is not configured correctly. Please update /etc/resolv.conf with the domain controller's IP address.${NC}" + echo "" + echo -e "${YELLOW}Example configuration:${NC}" + echo "" + echo -e "${YELLOW} nameserver $DOMAIN_CONTROLLER${NC}" + echo -e "${YELLOW} search $DNS_DOMAIN${NC}" + echo "" + exit 1 +fi + +# Check if the DNS server is reachable +if ! ping -c 1 $DOMAIN_CONTROLLER &> /dev/null; then + echo -e "${RED}The DNS server ($DOMAIN_CONTROLLER) is not reachable. Please check your network connection.${NC}" + exit 1 +else + echo -e "${GREEN}The DNS server ($DOMAIN_CONTROLLER) is reachable.${NC}" +fi + +# Try to resolve the domain +if ! 
host $DNS_DOMAIN &> /dev/null; then + echo -e "${RED}Could not resolve the domain ($DNS_DOMAIN). Please check DNS configuration.${NC}" + exit 1 +else + echo -e "${GREEN}The domain ($DNS_DOMAIN) was successfully resolved.${NC}" +fi + +# Validate DNS functionality +echo -e "${GREEN}Validating DNS functionality...${NC}" +if ! nslookup $DNS_DOMAIN $DOMAIN_CONTROLLER &> /dev/null; then + echo -e "${RED}DNS functionality validation failed. The domain ($DNS_DOMAIN) could not be resolved using the DNS server ($DOMAIN_CONTROLLER).${NC}" + exit 1 +else + echo -e "${GREEN}DNS functionality validation succeeded. The domain ($DNS_DOMAIN) was successfully resolved using the DNS server ($DOMAIN_CONTROLLER).${NC}" +fi + +# Verify required DNS records for ADDS +echo -e "${GREEN}Verifying required DNS records for ADDS...${NC}" + +REQUIRED_RECORDS=( + "_ldap._tcp.dc._msdcs.$DNS_DOMAIN" + "_kerberos._tcp.dc._msdcs.$DNS_DOMAIN" + "_ldap._tcp.gc._msdcs.$DNS_DOMAIN" + "_kerberos._tcp.$DNS_DOMAIN" + "_kpasswd._tcp.$DNS_DOMAIN" + "_kpasswd._udp.$DNS_DOMAIN" +) + +for record in "${REQUIRED_RECORDS[@]}"; do + echo -e "${YELLOW}Querying DNS record: $record${NC}" + if [ "$show_trace_logs" == "yes" ]; then + dig +trace +short $record @$DOMAIN_CONTROLLER | xxd + else + dig +short $record @$DOMAIN_CONTROLLER + fi + if ! host -t SRV $record $DOMAIN_CONTROLLER &> /dev/null; then + echo -e "${RED}Required DNS record $record is missing.${NC}" + exit 1 + else + echo -e "${GREEN}Required DNS record $record is present.${NC}" + fi +done + +echo -e "${GREEN}All required DNS records for ADDS are present.${NC}" +echo -e "${GREEN}DNS functionality test and validation completed successfully.${NC}" \ No newline at end of file diff --git a/scripts/check_krb5.sh b/scripts/check_krb5.sh new file mode 100755 index 0000000..34926b6 --- /dev/null +++ b/scripts/check_krb5.sh 
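Review bot: The `dig +short $record @$DOMAIN_CONTROLLER` lines inside the `for record` loop run under `set -e -o pipefail`, so a query that fails (dig exits non-zero on timeout or connection failure, and the `| xxd` branch propagates that) aborts the script before the `Required DNS record $record is missing` diagnostic is reached; `dig +short "$record" @"$DOMAIN_CONTROLLER" || true` (and the same on the `+trace` branch) leaves the `host -t SRV` check as the single verdict. The `grep -q "nameserver $DOMAIN_CONTROLLER" /etc/resolv.conf` check is a substring match, so `192.168.3.1` also accepts `192.168.3.10`; `grep -qxF "nameserver $DOMAIN_CONTROLLER" /etc/resolv.conf` matches the whole line, and the same fix applies to the identical check in `scripts/check_ntp_sync.sh`. `DNS_DOMAIN` and `DOMAIN_CONTROLLER` are hard-coded here while `check_ntp_sync.sh` takes them as `$1`/`$2` and `check_krb5.sh` prompts for them; `DNS_DOMAIN="${1:-lab.local}"` and `DOMAIN_CONTROLLER="${2:-192.168.3.1}"` would make the three scripts consistent. The `https://www.example.com/dns-validation-guide` link is a placeholder and should be replaced or removed before merge.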
@@ -0,0 +1,194 @@ +#!/usr/bin/env bash +set -e +set -u +set -o pipefail + +# Define colors +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[0;33m' +NC='\033[0m' # No Color + +# Introduction text +echo -e "${GREEN}This script verifies connectivity and functionality between krb5-workstation tools and the Active Directory (AD) domain.${NC}" +echo -e "${GREEN}It includes steps to check Kerberos configuration, obtain a Kerberos ticket, and verify the ticket.${NC}" +echo -e "${GREEN}For more information, visit:${NC}" +echo -e "${YELLOW}https://www.example.com/kerberos-setup-guide${NC}" +echo "" + +# Ask user for REALM NAME and DC server IP address +read -p "Enter your Kerberos REALM NAME (e.g., EXAMPLE.COM): " REALM + +while true; do + read -p "Enter your Domain Controller (DC) server IP address (e.g., 192.168.1.1): " KDC + if [[ $KDC =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + break + else + echo -e "${RED}Please enter a valid IP address.${NC}" + fi +done + +# Define the domain and realm +DNS_DOMAIN=$(echo $REALM | tr '[:upper:]' '[:lower:]') +ADMIN_SERVER=$KDC + +# If kerberos is not installed, install it on ubuntu 22.04 +if ! command -v kinit &> /dev/null; then + echo -e "${YELLOW}Installing krb5-user package...${NC}" + sudo apt-get update + sudo apt-get install -y krb5-user +fi + +# Step 1: Configure Kerberos +echo -e "${GREEN}Step 1: Configure Kerberos${NC}" +echo -e "${YELLOW}Creating and editing /etc/krb5.conf...${NC}" + +# Create /etc/krb5.conf +sudo bash -c "cat > /etc/krb5.conf < /dev/null; then + echo -e "${GREEN}DNS resolution for $KDC succeeded.${NC}" +else + echo -e "${RED}DNS resolution for $KDC failed. Please check your DNS configuration.${NC}" + exit 1 +fi + +echo -e "${YELLOW}Checking DNS resolution for $ADMIN_SERVER...${NC}" +if host $ADMIN_SERVER &> /dev/null; then + echo -e "${GREEN}DNS resolution for $ADMIN_SERVER succeeded.${NC}" +else + echo -e "${RED}DNS resolution for $ADMIN_SERVER failed. 
Please check your DNS configuration.${NC}" + exit 1 +fi + +# Check NTP synchronization, using ./check_ntp_sync.sh +./check_ntp_sync.sh $ADMIN_SERVER $DNS_DOMAIN + +# Write status to /tmp/ntp_sync_status.txt +NTP_SYNC_STATUS=$(cat /tmp/ntp_sync_status.txt) +# Check if not defined +if [ -z "$NTP_SYNC_STATUS" ]; then + echo -e "${RED}Error: NTP synchronization status could not be determined.${NC}" +fi +echo -e "${YELLOW}NTP synchronization status: $NTP_SYNC_STATUS${NC}" + +if [ "$NTP_SYNC_STATUS" != "synchronized" ]; then + echo -e "${RED}Continuing with NTP unsynchronized can give unpredictable results.${NC}" + read -p "Do you want to continue? (yes/no): " CONTINUE + if [ "$CONTINUE" != "yes" ]; then + echo -e "${RED}Please synchronize your system time and rerun the script.${NC}" + exit 1 + fi +fi + +# Step 3: Obtain a Kerberos Ticket +echo -e "${GREEN}Step 3: Obtain a Kerberos Ticket${NC}" +echo -e "${YELLOW}Running kinit to obtain a Kerberos ticket...${NC}" + +while true; do + read -p "Enter your Kerberos username: " USERNAME + if [[ "$USERNAME" == *"@"* ]]; then + echo -e "${RED}Please enter only the username without the domain (e.g., 'username' instead of 'username@domain').${NC}" + else + break + fi +done + +read -s -p "Enter your Kerberos password: " PASSWORD +echo "" +echo $PASSWORD | kinit $USERNAME@$REALM + + +# Verify Kerberos Ticket +echo -e "${YELLOW}Verifying Kerberos ticket...${NC}" +if ! klist &> /dev/null; then + echo -e "${RED}No valid Kerberos ticket found. Please obtain a ticket using kinit.${NC}" + exit 1 +fi + +# Test Kerberos Authentication +echo -e "${YELLOW}Testing Kerberos authentication...${NC}" +if ! kvno host/$ADMIN_SERVER@$DNS_DOMAIN &> /dev/null; then + echo -e "${RED}Kerberos authentication failed. 
Server not found in Kerberos database.${NC}" + echo -e "${RED}Please check your Kerberos configuration and ensure the server is registered in the Kerberos database.${NC}" + exit 1 +else + echo -e "${GREEN}Kerberos authentication succeeded.${NC}" +fi + + +# Conclusion +echo -e "${GREEN}Kerberos connectivity and functionality with the AD domain have been verified successfully.${NC}" +echo -e "${GREEN}You can now authenticate using Kerberos.${NC}" +echo -e "${GREEN}For more information, visit:${NC}" +echo -e "${YELLOW}https://www.example.com/kerberos-setup-guide${NC}" + +# Explain What can happen if NTP sync is not done +# Give some examples of what can go wrong, + +# NTP_SYNC_STATUS check then display text + +if [ "$NTP_SYNC_STATUS" != "synchronized" ]; then + echo -e "${RED}Warning: NTP synchronization issues can severely impact Kerberos functionality.${NC}" + echo -e "${YELLOW}Here are some examples of what can go wrong if NTP sync is not properly configured:${NC}" + + # Example 1: Authentication Failures + echo -e "${YELLOW}1. Authentication Failures:${NC}" + echo -e "${YELLOW} Kerberos relies on time-sensitive tickets for authentication. If the time difference between the client and the KDC exceeds the allowed limit, authentication requests will fail.${NC}" + echo -e "${YELLOW} This can prevent users from logging in, accessing network resources, or using services that rely on Kerberos authentication.${NC}" + + # Example 2: Ticket Expiration Issues + echo -e "${YELLOW}2. Ticket Expiration Issues:${NC}" + echo -e "${YELLOW} Kerberos tickets have specific lifetimes. If the system clocks are not synchronized, tickets may appear expired or not yet valid.${NC}" + echo -e "${YELLOW} This can cause issues with renewing tickets or accessing resources that require valid tickets.${NC}" + + # Example 3: Service Disruptions + echo -e "${YELLOW}3. Service Disruptions:${NC}" + echo -e "${YELLOW} Many services depend on Kerberos for authentication. 
If Kerberos fails due to time synchronization issues, these services may become unavailable.${NC}" + echo -e "${YELLOW} This can impact critical applications, file shares, email systems, and more.${NC}" + + # Example 4: Increased Administrative Overhead + echo -e "${YELLOW}4. Increased Administrative Overhead:${NC}" + echo -e "${YELLOW} Administrators may need to spend significant time troubleshooting and resolving authentication issues caused by NTP problems.${NC}" + echo -e "${YELLOW} Ensuring proper NTP configuration can save time and reduce the risk of authentication-related incidents.${NC}" + + # Example 5: Security Risks + echo -e "${YELLOW}5. Security Risks:${NC}" + echo -e "${YELLOW} Time synchronization is crucial for security protocols. Unsynchronized clocks can lead to vulnerabilities and potential security breaches.${NC}" + echo -e "${YELLOW} Proper NTP configuration helps maintain the integrity and security of the authentication" + echo -e "${YELLOW} infrastructure.${NC}" + + echo -e "${RED}It is highly recommended to synchronize your system time with the domain controller.${NC}" + echo -e "${RED}Please refer to the following resources for guidance:${NC}" + echo -e "${YELLOW}https://www.example.com/ntp-sync-guide${NC}" + echo -e "${YELLOW}https://www.example.com/dns-configuration${NC}" +fi diff --git a/scripts/check_ntp_sync.sh b/scripts/check_ntp_sync.sh new file mode 100755 index 0000000..308f4b8 --- /dev/null +++ b/scripts/check_ntp_sync.sh 
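Review bot: `kvno host/$ADMIN_SERVER@$DNS_DOMAIN` builds the service principal with the lower-cased DNS domain as its realm while the rest of the script authenticates against `$REALM`, so the realm part will not match the ticket just obtained; `kvno "host/$ADMIN_SERVER@$REALM"` is presumably what is meant, and since `ADMIN_SERVER` is the DC's IP address rather than its host name the SPN is unlikely to be registered anyway (depends on the DC, so hedged). Because the script runs with `set -e`, a failing `echo $PASSWORD | kinit $USERNAME@$REALM` terminates it before the `klist` check, making the `No valid Kerberos ticket found` branch unreachable, and the unquoted `$PASSWORD` is word-split; test kinit directly, `if ! echo "$PASSWORD" | kinit "$USERNAME@$REALM"; then echo -e "${RED}kinit failed.${NC}"; exit 1; fi`. The script invokes `./check_ntp_sync.sh`, whose error paths end in `return 1` at top level; in a script that is executed rather than sourced, bash reports that `return` is only valid in a function and keeps running, so those lines should be `exit 1` (that hunk continues past this chunk). The `sudo bash -c "cat > /etc/krb5.conf …"` step overwrites the system Kerberos configuration with no backup, and its heredoc body is not visible in this rendering, so its content cannot be reviewed here.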
@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+
+# Check if arguments are empty
+if [ -z "$1" ] || [ -z "$2" ]; then
+ echo "Usage: $0 "
+ echo "not synchronized" > /tmp/ntp_sync_status.txt
+ return 1
+fi
+
+# DOMAIN_CONTROLLER: IP address of the domain controller
+DOMAIN_CONTROLLER=$1
+# DNS_DOMAIN: DNS domain name
+DNS_DOMAIN=$2
+
+if [ -z "$DOMAIN_CONTROLLER" ] || [ -z "$DNS_DOMAIN" ]; then
+ echo "Usage: $0 "
+ echo "not synchronized" > /tmp/ntp_sync_status.txt
+ return 1
+fi
+
+# Define colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[0;33m'
+NC='\033[0m' # No Color
+
+# Introduction text
+echo -e "${GREEN}This script checks the synchronization of your system time with the domain controller.${NC}"
+echo -e "${GREEN}It verifies DNS configuration and attempts to resolve the domain controller.${NC}"
+echo -e "${GREEN}If the time difference exceeds acceptable limits, it provides guidance on how to investigate and resolve the issue.${NC}"
+echo -e "${GREEN}For more information, visit:${NC}"
+echo -e "${YELLOW}https://www.example.com/ntp-sync-guide${NC}"
+echo -e "${YELLOW}https://www.example.com/dns-configuration${NC}"
+echo ""
+
+# Verify that DNS is configured correctly
+if ! grep -q "nameserver $DOMAIN_CONTROLLER" /etc/resolv.conf; then
+ echo "DNS is not configured correctly. Please update /etc/resolv.conf with the domain controller's IP address."
+ echo ""
+ echo "Example configuration:"
+ echo ""
+ echo " nameserver $DOMAIN_CONTROLLER"
+ echo " search $DNS_DOMAIN"
+ echo ""
+ echo "not synchronized" > /tmp/ntp_sync_status.txt
+ return 1
+fi
+
+# Try to resolve the domain
+if ! host $DOMAIN_CONTROLLER &> /dev/null; then
+ echo "Could not resolve the domain controller. Please check DNS configuration."
+ echo "not synchronized" > /tmp/ntp_sync_status.txt
+ return 1
+fi
+
+# Ensure ntpdate is installed
+if ! 
command -v ntpdate &> /dev/null; then
+ echo -e "${RED}Error: ntpdate could not be found.${NC}"
+ echo -e "${YELLOW}Resolution: Installing ntpdate...${NC}"
+ sudo apt-get update && sudo apt-get install -y ntpdate
+ if [ $? -eq 0 ]; then
+ echo -e "${GREEN}ntpdate has been successfully installed.${NC}"
+ else
+ echo -e "${RED}Failed to install ntpdate. Please check your network connection and package manager settings.${NC}"
+ echo "not synchronized" > /tmp/ntp_sync_status.txt
+ return 1
+ fi
+fi
+
+# Get the time from the domain controller
+domain_time=$(ntpdate -q $DOMAIN_CONTROLLER | grep -oP '(?<=offset )[^ ]+')
+
+# Ensure domain_time is not empty
+if [ -z "$domain_time" ]; then
+ echo -e "${RED}Error: Unable to retrieve time offset from the domain controller.${NC}"
+ echo "not synchronized" > /tmp/ntp_sync_status.txt
+ return 1
+fi
+
+# Dump the domain_time variable as hex
+echo -e "${YELLOW}Hex dump of domain_time:${NC}"
+echo "$domain_time" | xxd
+
+# Convert domain time offset to a floating-point number
+domain_time_offset=$(echo "$domain_time" | awk '{print $1}')
+
+# Dump the domain_time_offset variable as hex
+echo -e "${YELLOW}Hex dump of domain_time_offset:${NC}"
+echo "$domain_time_offset" | xxd
+
+# Ensure domain_time_offset is a valid floating-point number
+# It should be a decimal number like: +11.605469
+
+# Parse the number of float using python. 
+# Parse the float string into a property float type in python
+# If the float is valid, it will return the float value
+
+if python -c "print($domain_time_offset)" &> /dev/null; then
+ echo -e "${GREEN}Time offset from the domain controller: $domain_time_offset seconds.${NC}"
+else
+ echo -e "${RED}Error: Unable to parse the time offset from the domain controller.${NC}"
+ echo "not synchronized" > /tmp/ntp_sync_status.txt
+ return 1
+fi
+
+
+# Check if the time difference is within acceptable limits (e.g., 5 seconds)
+# The time is in decimal form
+if (( $(echo "$domain_time_offset <= 5" | bc -l) )); then
+ echo -e "${GREEN}Time is synchronized with the domain controller.${NC}"
+ echo "synchronized" > /tmp/ntp_sync_status.txt
+fi
\ No newline at end of file
diff --git a/scripts/install_adds.ps1 b/scripts/install_adds.ps1
new file mode 100644
index 0000000..0968863
--- /dev/null
+++ b/scripts/install_adds.ps1
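Review bot: The final offset check never records the failure case and ignores the sign of the offset: when `$domain_time_offset <= 5` is false nothing is written to `/tmp/ntp_sync_status.txt`, so a stale "synchronized" from an earlier run survives, and a negative offset such as `-40.2` satisfies `<= 5` and is reported as in sync. Every early exit in this hunk also uses `return 1`, which is an error outside a function when the script is executed rather than sourced, so execution continues past the failed check; `exit 1` is what is needed there. The offset string is additionally interpolated into `python -c "print(...)"` and into `bc`, i.e. text taken from the network reply is run as code, whereas a shell regex check validates it without executing it and drops the python dependency. The rewritten tail is below; the earlier `return 1` sites should become `exit 1` in the same way.
```shell
# … unchanged: ntpdate lookup, awk extraction and hex dumps …
# Validate the offset as a signed decimal before using it anywhere else
if [[ "$domain_time_offset" =~ ^[+-]?[0-9]+(\.[0-9]+)?$ ]]; then
    echo -e "${GREEN}Time offset from the domain controller: $domain_time_offset seconds.${NC}"
else
    echo -e "${RED}Error: Unable to parse the time offset from the domain controller.${NC}"
    echo "not synchronized" > /tmp/ntp_sync_status.txt
    exit 1
fi

# Compare the magnitude, so a clock that is behind is not treated as in sync
abs_offset=${domain_time_offset#[+-]}
if (( $(echo "$abs_offset <= 5" | bc -l) )); then
    echo -e "${GREEN}Time is synchronized with the domain controller.${NC}"
    echo "synchronized" > /tmp/ntp_sync_status.txt
else
    echo -e "${RED}Time offset of $domain_time_offset seconds exceeds the 5 second limit.${NC}"
    echo "not synchronized" > /tmp/ntp_sync_status.txt
    exit 1
fi
```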
@@ -0,0 +1,115 @@
+# Define network settings and domain information
+$interfaceAlias = "Ethernet"
+$ipAddress = "192.168.3.60"
+$subnetMask = "255.255.255.0"
+$gateway = "192.168.3.1"
+$dnsServer = "8.8.8.8"
+$servers = @("ad01", "ad02", "ad03", "ad04")
+$domainName = "LAB.LOCAL"
+$adminPassword = ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force
+$credential = New-Object System.Management.Automation.PSCredential("Administrator", $adminPassword)
+
+# Function to configure network settings
+function Configure-Network {
+ param (
+ [string]$server,
+ [string]$ipAddress
+ )
+
+ Invoke-Command -ComputerName $server -Credential $using:credential -ScriptBlock {
+ $interfaceAlias = $using:interfaceAlias
+ $ipAddress = $using:ipAddress
+ $subnetMask = $using:subnetMask
+ $gateway = $using:gateway
+ $dnsServer = $using:dnsServer
+
+ # Set static IP address
+ New-NetIPAddress -InterfaceAlias $interfaceAlias -IPAddress $ipAddress -PrefixLength 24 -DefaultGateway $gateway
+
+ # Set DNS server
+ Set-DnsClientServerAddress -InterfaceAlias $interfaceAlias -ServerAddresses $dnsServer
+
+ # Rename the server
+ Rename-Computer -NewName $env:COMPUTERNAME -Restart
+ }
+}
+
+# Function to install Windows updates
+function Install-WindowsUpdates {
+ param (
+ [string]$server
+ )
+
+ Invoke-Command -ComputerName $server -Credential $using:credential -ScriptBlock {
+ Install-Module -Name PSWindowsUpdate -Force
+ Import-Module PSWindowsUpdate
+ Get-WindowsUpdate -Install -AcceptAll -AutoReboot
+ }
+}
+
+# Function to install AD DS role and configure the forest
+function Install-ADDSForest {
+ param (
+ [string]$server
+ )
+
+ Invoke-Command -ComputerName $server -Credential $using:credential -ScriptBlock {
+ Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
+ Import-Module ADDSDeployment
+ Install-ADDSForest -DomainName $using:domainName -SafeModeAdministratorPassword $using:adminPassword -InstallDNS -Force
+ }
+}
+
+# Function to configure NTP settings
+function 
Configure-NTP {
+ param (
+ [string]$server
+ )
+
+ Invoke-Command -ComputerName $server -Credential $using:credential -ScriptBlock {
+ Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" -Name "NtpServer" -Value "time.windows.com,0x9"
+ Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config" -Name "AnnounceFlags" -Value 5
+ Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient" -Name "SpecialPollInterval" -Value 3600
+ Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters" -Name "Type" -Value "NTP"
+ Restart-Service w32time
+ }
+}
+
+# Configure network settings and install updates on all servers
+$ipAddresses = @("192.168.3.60", "192.168.3.61", "192.168.3.62", "192.168.3.63")
+for ($i = 0; $i -lt $servers.Length; $i++) {
+ Configure-Network -server $servers[$i] -ipAddress $ipAddresses[$i]
+ Install-WindowsUpdates -server $servers[$i]
+}
+
+# Install AD DS and configure the forest on the first server
+Install-ADDSForest -server $servers[0]
+
+# Wait for the first server to complete the installation and reboot
+Start-Sleep -Seconds 300
+
+# Join the remaining servers to the domain and promote them as additional domain controllers
+foreach ($server in $servers[1..3]) {
+ Invoke-Command -ComputerName $server -Credential $credential -ScriptBlock {
+ Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
+ Import-Module ADDSDeployment
+ Add-Computer -DomainName $using:domainName -Credential $using:credential -Restart
+ }
+
+ # Wait for the server to reboot
+ Start-Sleep -Seconds 300
+
+ Invoke-Command -ComputerName $server -Credential $credential -ScriptBlock {
+ Install-ADDSDomainController -DomainName $using:domainName -SafeModeAdministratorPassword $using:adminPassword -InstallDNS -Force
+ }
+
+ # Wait for the server to complete the installation and reboot
+ Start-Sleep -Seconds 300
+}
+
+# Configure NTP services on all 
servers
+foreach ($server in $servers) {
+ Configure-NTP -server $server
+}
+
+Write-Host "Active Directory forest and domain controllers have been configured successfully."
\ No newline at end of file
diff --git a/scripts/set_dns.sh b/scripts/set_dns.sh
new file mode 100755
index 0000000..ee37b00
--- /dev/null
+++ b/scripts/set_dns.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+echo "nameserver $DNS_SERVER" > /tmp/resolv.conf
+echo "search $DNS_SEARCH" >> /tmp/resolv.conf
+echo "domain $DOMAIN" >> /tmp/resolv.conf
+cat /tmp/resolv.conf > /etc/resolv.conf
+exec "$@"
\ No newline at end of file
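Review bot: `-Credential $using:credential` on the `Invoke-Command` lines inside `Configure-Network`, `Install-WindowsUpdates`, `Install-ADDSForest` and `Configure-NTP` sits outside the remote script block, where the `$using:` scope modifier is not valid, so each of these calls fails before it reaches the server; the parameter should read `-Credential $credential`, as the top-level `foreach` loop already does. The administrator and DSRM password is committed in clear text through `ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force`; prompting for it, e.g. `$adminPassword = Read-Host "Domain administrator / DSRM password" -AsSecureString`, keeps the secret out of the repository while leaving the rest of the script unchanged. `Rename-Computer -NewName $env:COMPUTERNAME -Restart` renames each host to its current name, so it presumably meant `$using:server`, and the local function name `Install-ADDSForest` shadows the ADDSDeployment cmdlet of the same name, which is worth renaming to avoid confusion for the reader.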
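Review bot: The script writes `/etc/resolv.conf` from `$DNS_SERVER`, `$DNS_SEARCH` and `$DOMAIN` without checking that they are set, so a missing variable silently produces a `nameserver ` line with no address and the container starts with broken name resolution; `set -eu` followed by `: "${DNS_SERVER:?DNS_SERVER is required}"` (and the same for the other two) at the top makes the failure explicit at startup. The detour through `/tmp/resolv.conf` is unnecessary and uses a predictable world-writable path; writing the three lines directly with `printf 'nameserver %s\nsearch %s\ndomain %s\n' "$DNS_SERVER" "$DNS_SEARCH" "$DOMAIN" > /etc/resolv.conf` removes both the extra file and the race. The closing `exec "$@"` is the right shape for an entrypoint wrapper.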