How do I enter the password while joining a Linux machine to Active Directory using a shell script? - bash

I am joining Linux machines to Windows Active Directory and I am able to do it successfully using SSSD.
Now I am trying to automate the same process, where I came across the step where I need to enter a password while joining the domain.
Can someone help with how to enter the password via a shell script?
My code is:
#!/bin/bash
set -x   # note: -x echoes every expanded command to stderr, including the password sent below
# Read the value after "password=" from the join config file (no cat needed)
passwd=$(grep '^password=' /domain/domain_join.txt | awk -F '=' '{print $2}')
/usr/bin/expect << EOF
spawn realm join domainname -U username@domainname -v
# Match the prompt as printed; realm waits for input right after the colon, so no trailing \r
expect "Password for username@domainname:"
send "$passwd\r"
# Keep expect running until realm join finishes; without this, expect exits and the join is killed
expect eof
EOF
set +x

This isn't actually an LDAP question - it's AD and Kerberos and sshd.
It looks like you've got a user account to join the machine - presumably it has the correct rights. The easiest thing to do is to get a keytab created for that account, and then you can do a kinit and call the script in that context
kinit principal@EXAMPLE.COM -k -t keytab; joinscript
You don't need to define your username in the realm join command if you've already done the kinit.
Sorry, I can't test this, and it's been a while, but the secret sauce is a keytab for the Windows credential.

Related

securely passing password through bash

I am building a bash script for my work to make initial setup and Windows domain join for our Ubuntu machines easy enough that someone who knows nothing about Linux can do it. I have found a lot of people that say that you shouldn't pass passwords through a script, but to be efficient, I have to. The script prompts for info and credentials in the beginning and it needs to be able to be left to do its job without interaction. I can't have it visible through ps when I pass it and I can't have it stored as an unsecured variable. Any suggestions?
If you really must do this, you can read the credentials into variables with read -s early in the script and then pass those values to the prompts. For example:
read -p "Enter your username: " username
read -sp "Enter your password: " password
echo
I included the blank echo because the -s option for read prevents the user's typing from appearing in the terminal, including the new line usually created after a user presses Enter when answering a prompt.
You can then use the $username and $password variables for the rest of your script and the credentials will not have to be stored outside of memory, meaning they will be lost/destroyed after the script completes.
However, note that any programs or utilities which take the credentials as command-line arguments will display those to other users on the machine running the script. For example, if I were to run a MySQL query using this method, I could do:
mysql -u "${username}" -p"${password}" -e "SHOW DATABASES;"
Other users on the machine could see the credentials while that was running with something like ps:
ps -ef | grep mysql
...
watrudoin 29512 29443 0 12:57 pts/4 00:00:00 mysql -u MyUserName -phunter2 -e SHOW DATABASES
You just need to be aware that what you are doing is not necessarily secure, but it seems that you already are.
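The two threads above (the expect-based domain join reading `password=` from /domain/domain_join.txt, and the ps-visibility problem with credentials on the command line) can be combined into one pattern. The script below is an added example, not code from either post: it loads the secret from a root-only file and hands it to the join command on stdin rather than in argv. The function names are mine, and it assumes `realm join` reads the password from stdin when stdin is not a terminal.

```shell
#!/bin/bash
# Added example (not from the original posts): load the domain-join password
# from a root-only key=value file and hand it to the join command on stdin,
# so it never shows up in argv (visible to other users via ps) or in set -x
# trace output. Assumes a file with a line like "password=<secret>" as in the
# question, and that realm join reads the password from stdin when stdin is not a TTY.

# Print the value of the first "password=" line in FILE. Refuses files that
# others can read (anything but mode 0600/0400) so the secret is not left
# world-readable on disk.
read_domain_password() {
    local file=$1 mode
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        600|400) ;;
        *) echo "refusing $file: mode $mode, expected 600 or 400" >&2; return 1 ;;
    esac
    # Strip only the leading "password=", so a value containing '=' survives
    # (the question's awk -F '=' '{print $2}' would truncate it).
    sed -n 's/^password=//p' "$file" | head -n 1
}

# Run COMMAND with SECRET on its stdin instead of on its command line.
# Tracing is switched off in the producing subshell so set -x does not echo it.
with_secret_on_stdin() {
    local secret=$1; shift
    { set +x; printf '%s\n' "$secret"; } | "$@"
}

# Join DOMAIN as the AD account USER; the password never appears in argv.
join_domain() {
    local domain=$1 user=$2 secret
    secret=$(read_domain_password /domain/domain_join.txt) || return 1
    with_secret_on_stdin "$secret" realm join "$domain" -U "$user@$domain" -v
}
```

Run it as `join_domain example.com adminuser` from a root shell; `ps -ef` during the join shows only `realm join example.com -U adminuser@example.com -v`.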

creating keytab to automate scripts

I am having trouble creating a keytab in order to automate the script I am running.
I am using this website for reference here
This is what I did so far:
$ ktutil
ktutil: addent -password -p bli1@testtesttest.corp.supernice.net -k 1 -e arcfour-hmac
Password for bli1@testtesttest.corp.supernice.net:
ktutil:
ktutil: wkt bli1.keytab
ktutil: quit
When I tried to run the script, I got this error:
$ kinit bli1@testtesttest.corp.supernice.net -k -t bli1.keytab; python3 -m pytrinity.monitors.rate_monitor test
kinit: Cannot find KDC for requested realm while getting initial credentials
I'm not sure if I created the keytab correctly as I am having a hard time finding in-depth documentation on each argument during the keytab creation process. I'm not sure what -k is used for.
addent: add entry
-password: add password
-p: principal
-e: encryption
I think the problem is with connectivity to your KDC as per error message. What's in your kerberos configuration file? /etc/krb5.conf is usually the name for it.
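Following the answer above, a quick way to confirm that the realm in the principal is actually resolvable from krb5.conf before blaming the keytab. This is an added example, not from the thread: the functions are mine, and the realm and host names in the sample config are placeholders.

```shell
#!/bin/bash
# Added example (not from the original posts): before running kinit, check that
# krb5.conf gives some way to locate a KDC for the realm, which is what "Cannot
# find KDC for requested realm" complains about: kdc entries under [realms],
# or dns_lookup_kdc enabled under [libdefaults].

# Print the kdc hosts configured for REALM in the [realms] section of FILE.
realm_kdcs() {
    awk -v realm="$2" '
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); inblock = 0; next }
        section == "realms" && $1 == realm && /=[ \t]*\{/ { inblock = 1; next }
        inblock && /^[ \t]*\}/ { inblock = 0; next }
        inblock && $1 ~ /^kdc(=|$)/ { sub(/^[^=]*=[ \t]*/, ""); print }
    ' "$1"
}

# True when [libdefaults] sets dns_lookup_kdc to true/yes/1 (DNS SRV lookup).
dns_lookup_enabled() {
    awk '
        /^[ \t]*\[/ { section = $0; gsub(/[][ \t]/, "", section); next }
        section == "libdefaults" && /^[ \t]*dns_lookup_kdc[ \t]*=/ {
            split($0, kv, "="); v = tolower(kv[2]); gsub(/[ \t]/, "", v)
            found = (v == "true" || v == "yes" || v == "1")
        }
        END { exit !found }
    ' "$1"
}

# Return 0 if kinit can find a KDC for REALM via FILE, else 1 with a hint.
check_realm_config() {
    if [ -n "$(realm_kdcs "$1" "$2")" ] || dns_lookup_enabled "$1"; then
        return 0
    fi
    echo "no kdc for $2 in $1 and dns_lookup_kdc is not enabled" >&2
    return 1
}

# Constructed sample config (placeholder realm and hosts), written to PATH.
write_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com
    }
EOF
}
```

On a real machine, `check_realm_config /etc/krb5.conf TESTTESTTEST.CORP.SUPERNICE.NET` (realm in upper case, as Kerberos expects) tells you whether kinit has any chance before the keytab is even consulted.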

How to set Vncserver in bash script (redhat6)

I am using a script to automatically set up a computer. I need to assign a password to the vnc server for the user, which is normally done using the vncserver command. However, it prompts for the user to enter and re-enter their password, neither of which the script is capable of doing.
So, how can I set up the VNC password without an interactive prompt?
Please try the following bash script sample:
#!/bin/sh
vncpasswd << EOF
123456
123456
EOF

ssh to another server with different username

I have to write a shell script which SSHes to another server with another username without actually asking the user for a password.
Due to constraints I cannot use key based authentication.
let,
Source Server -- abc.efg.com
Source UserName -- tom
Source Password -- tom123
Destination Server -- xyz.efc.com
Destination UserName -- bob
destination Password -- bob123
I have to place the bash script in source server.
Please let me know if something could be done using expect tool and/or sshpass.
It is okay for me to hardcode the password for the destination server in the bash script, but I cannot bear an interactive session; simply, when I run the script, I want to see the destination server logged in with the other username.
Thanks in Advance.
You want to use key authentication: http://ornellas.apanela.com/dokuwiki/pub:ssh_key_auth
Generate your keys:
ssh-keygen
Copy the keys to your new box:
ssh-copy-id -i ~/.ssh/id_rsa.pub me@otherhost.com
ssh to the other host without a password:
ssh me@otherhost.com
You can use expect to wrap ssh, but it's pretty hectic, and fails easily when there are network errors, so test it well or use a script specifically designed for wrapping ssh passwords. Key based authentication is better.
You can prevent interactive sessions by redirecting standard input from the null device, i.e.
ssh me@destination destination-command < /dev/null
About placing the script in the source server, if the script you are running is local, rather than remote, then you can pass the script on standard input, rather than the command line:
cat bashscript.sh | ssh me@destination
You can install the sshpass program, which lets you write a script like
#!/bin/bash
sshpass -p bob123 ssh UserName@xyz.efc.com
The answer is that you can't, as OpenSSH actively prevents headless password-based authentication. Use key-based authentication.
You may be able to fork the OpenSSH client code and patch it, but I think that is a bit excessive.

Need shell script to auto login to remote server

I have 10 Linux servers.
To connect to server every time I have to execute the ssh command to login.
I need one single shell script to login to a remote server.
e.g. if the server host name is testhost.com, the user is user1 and the password is password,
when I give the user name user1 in the terminal, it should automatically execute the shell script and log in to the remote server as the user user1.
Hi, I know this is an old question, but here is a way to do it. Follow the link above from @nick hartung; then, since you have 10 servers, you call each server by name, say 'server1' or any name you like. For this example I'll name one of the servers 'server1'. Also remember to change the port from 22 to something else, e.g. 22277. So create a script, name it server1, and put this in it:
#!/bin/bash
ssh username@hostname -p22277
then move the script to /usr/bin:
$ sudo chmod 755 server1   # must be executable for "server1" to run (600 would give "permission denied")
$ sudo mv server1 /usr/bin/
Now you can just log in to the remote host like this:
$ server1
and you will be automatically logged in.
You can write a script that will take a username as a parameter and ssh to the correct host based on that. A quick example:
if [ "$1" == "username" ]; then
ssh username@hostname
fi
if [ "$1" == "username2" ]; then
...
However, the ssh command doesn't have a built in way to provide a password AFAIK. You shouldn't be storing your passwords in a script anyway. The way to get around this is to set up automatic authentication by creating a key pair using ssh-keygen. Here is a link that will show you how to set this up.
