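#!/usr/bin/env bash
# 99-ad-prejoin-fix — Omarchy AD pre-join environment correction
# NOTE(review): the forge lists this file as 98-ad-rejoin-fix; confirm which name is current.
# {{{ Purpose:
#
# Apply local fixes before reconnecting to the County network for AD join.
# Automatically detects the active network interface.
#
# This file is meant to be sourced by a parent script that provides:
#   adRejoinFlag                  - must be the string "true" for this file to run
#   AD_DNS1, AD_DNS2, AD_DOMAIN   - County resolver addresses and AD search domain
#   LOG_FILE                      - file the verification summary is appended to
#   log_info / log_warn / log_fail - logging helpers
# Every early exit is written as `return N 2>/dev/null || exit N` so the same
# status is produced whether the file is sourced or executed directly.
#
# -------------------------------------------------------------------------- }}}
# {{{ Flag check
if [[ ${adRejoinFlag:-false} != true ]]; then
  log_warn "Active Directory rejoin skipped."
  # A bare `return` at top level is an error when the file is executed rather
  # than sourced; fall back to `exit` with the same (success) status.
  return 0 2>/dev/null || exit 0
fi
log_info "Rejoining Active Directory."
# -------------------------------------------------------------------------- }}}
# {{{ Required inputs
# Fail before any system file is touched if the parent did not supply the DNS
# values. Otherwise empty arguments reach resolvectl and the failure is only
# visible in the summary at the end.
for _required in AD_DNS1 AD_DNS2 AD_DOMAIN; do
  if [[ -z ${!_required:-} ]]; then
    log_fail "Required variable ${_required} is not set; aborting pre-join fixes."
    return 1 2>/dev/null || exit 1
  fi
done
unset _required
# -------------------------------------------------------------------------- }}}
# {{{ Detect active interface (Ethernet preferred, else Wi-Fi)
# Primary: the interface the kernel would use to reach a public address.
ACTIVE_IFACE=$(ip route get 8.8.8.8 2>/dev/null \
  | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }')
# Fallback: first link in state UP that is not the loopback device. The name is
# compared exactly; a regex such as /lo/ would also reject "wlo1"-style Wi-Fi names.
if [[ -z $ACTIVE_IFACE ]]; then
  ACTIVE_IFACE=$(ip link 2>/dev/null \
    | awk -F': ' '/state UP/ && $2 != "lo" { print $2; exit }')
fi
if [[ -z $ACTIVE_IFACE ]]; then
  log_fail "Unable to detect an active network interface."
  return 1 2>/dev/null || exit 1
fi
log_info "Detected active network interface: ${ACTIVE_IFACE}"
# -------------------------------------------------------------------------- }}}
# {{{ NSS fix
log_info "Ensuring NSS includes 'sss' for passwd and group..."
_nss_backup="/etc/nsswitch.conf.bak.$(date +%Y%m%d-%H%M%S)"
# Do not edit the lookup configuration without a restorable copy.
if ! sudo cp /etc/nsswitch.conf "$_nss_backup"; then
  log_fail "Could not back up /etc/nsswitch.conf; leaving it untouched."
  unset _nss_backup
  return 1 2>/dev/null || exit 1
fi
# Note: the whole passwd:/group: line is replaced, so any other source that was
# listed there (for example ldap) is dropped in favour of files/systemd/sss.
if ! sudo sed -i \
  -e 's/^passwd:.*/passwd: files systemd sss/' \
  -e 's/^group:.*/group: files systemd sss/' \
  /etc/nsswitch.conf; then
  log_fail "Failed to update /etc/nsswitch.conf (backup at ${_nss_backup})."
  unset _nss_backup
  return 1 2>/dev/null || exit 1
fi
# sed's substitute is a silent no-op when no passwd:/group: line exists, so
# confirm the result rather than trusting the exit status alone.
if grep -Eq '^passwd:.*[[:space:]]sss([[:space:]]|$)' /etc/nsswitch.conf \
  && grep -Eq '^group:.*[[:space:]]sss([[:space:]]|$)' /etc/nsswitch.conf; then
  log_info "✅ NSS configuration updated (backup: ${_nss_backup})."
else
  log_warn "passwd:/group: lines in /etc/nsswitch.conf do not both list sss; check the file manually."
fi
unset _nss_backup
# -------------------------------------------------------------------------- }}}
# {{{ PAM mkhomedir fix
log_info "Ensuring pam_mkhomedir.so is configured..."
if [[ ! -f /etc/pam.d/system-login ]]; then
  # Appending to a missing file would create a PAM service made of a single
  # session line; report it instead of creating one.
  log_fail "/etc/pam.d/system-login does not exist; pam_mkhomedir.so not configured."
elif grep -qF pam_mkhomedir.so /etc/pam.d/system-login; then
  log_info "pam_mkhomedir.so already present."
else
  # umask=0077 keeps newly created home directories private to their owner.
  if printf '%s\n' "session required pam_mkhomedir.so skel=/etc/skel/ umask=0077" \
    | sudo tee -a /etc/pam.d/system-login >/dev/null; then
    log_info "✅ pam_mkhomedir.so added to system-login."
  else
    log_fail "Failed to append pam_mkhomedir.so to /etc/pam.d/system-login."
  fi
fi
# -------------------------------------------------------------------------- }}}
# {{{ DNS fix (auto interface)
log_info "Configuring County DNS resolvers on ${ACTIVE_IFACE}..."
# Each step is best-effort (the host may be off-network), but a failure is
# logged rather than hidden so the final "applied" message stays honest.
_dns_ok=true
if ! sudo resolvectl dns "$ACTIVE_IFACE" "$AD_DNS1" "$AD_DNS2"; then
  log_warn "resolvectl dns failed on ${ACTIVE_IFACE}; continuing."
  _dns_ok=false
fi
if ! sudo resolvectl domain "$ACTIVE_IFACE" "$AD_DOMAIN" co.ventura.ca.us; then
  log_warn "resolvectl domain failed on ${ACTIVE_IFACE}; continuing."
  _dns_ok=false
fi
if ! sudo systemctl restart systemd-resolved; then
  log_warn "Restart of systemd-resolved failed; continuing."
  _dns_ok=false
fi
if [[ $_dns_ok == true ]]; then
  log_info "✅ DNS settings applied to ${ACTIVE_IFACE}."
else
  log_warn "DNS settings only partially applied to ${ACTIVE_IFACE}; see the summary below."
fi
unset _dns_ok
# -------------------------------------------------------------------------- }}}
# {{{ SSSD sanity check
log_info "Restarting SSSD for configuration reload..."
sudo systemctl daemon-reload || log_warn "systemctl daemon-reload failed; continuing."
sudo systemctl enable --now sssd.service || log_warn "Could not enable sssd.service; continuing."
sudo systemctl restart sssd.service || log_warn "Could not restart sssd.service; continuing."
# -------------------------------------------------------------------------- }}}
# {{{ Verification summary
log_info "Verifying configuration state..."
{
  echo
  echo "------------------------------------------------------------------"
  echo "AD Pre-Join Verification Summary"
  echo "Timestamp: $(date)"
  echo "Hostname : $(hostname -s)"
  echo "Interface: ${ACTIVE_IFACE}"
  echo "------------------------------------------------------------------"
  echo
  echo "### NSS ###"
  # Anchored so that e.g. the netgroup: line is not reported as "group".
  grep -E '^(passwd|group):' /etc/nsswitch.conf || true
  echo
  echo "### PAM mkhomedir ###"
  grep -F pam_mkhomedir.so /etc/pam.d/system-login 2>/dev/null || echo "pam_mkhomedir missing!"
  echo
  echo "### DNS ###"
  resolvectl status "${ACTIVE_IFACE}" 2>/dev/null | grep -E 'DNS Servers|Current DNS Server|DNSSEC' || true
  echo
  echo "### SSSD ###"
  systemctl status sssd.service --no-pager 2>/dev/null | grep -E 'Active:|Loaded:' || true
  echo
  echo "------------------------------------------------------------------"
  echo "Pre-join fixes applied successfully."
  # Fall back to the raw path if realpath cannot resolve it (e.g. unset LOG_FILE).
  echo "Log file: $(realpath -- "$LOG_FILE" 2>/dev/null || printf '%s' "$LOG_FILE")"
  echo "------------------------------------------------------------------"
} | tee -a "$LOG_FILE"
log_info "✅ Pre-join environment ready for AD join at next on-site connection."
# -------------------------------------------------------------------------- }}}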