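#!/usr/bin/env bash
#
# Join this host to the DRK Active Directory domain with realmd/SSSD and
# let members of the administrator group log in and use sudo.
#
# Usage:  ROOT_PASSWORD=... ./ad-join.sh [JOIN_USER]
#   JOIN_USER       AD account used for the realm join (default: Administrator).
#                   Its password is prompted for interactively by `realm join`.
# Environment:
#   ROOT_PASSWORD   new password for the local root account. It is read from
#                   the environment so that no credential lives in this file.
#
# Must run as root. Network access to the DC and to the apt mirrors is required.
set -euo pipefail

export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# krb5-user would otherwise ask for the default realm during installation;
# /etc/krb5.conf is generated below anyway.
export DEBIAN_FRONTEND=noninteractive

readonly DOMAIN="drk.local"
readonly REALM="DRK.LOCAL"
readonly DC_IP="192.168.100.43"

# Group name as it appears in AD, and the lower-cased form used on Linux.
readonly AD_GROUP_ORIGINAL="_G_FKT_Administrator"
readonly AD_GROUP_LINUX="_g_fkt_administrator"

JOIN_USER="${1:-Administrator}"
# Fail early, before any package is installed, if the secret is missing.
ROOT_PASSWORD="${ROOT_PASSWORD:?ROOT_PASSWORD muss in der Umgebung gesetzt sein}"

readonly REALM_BIN="/usr/sbin/realm"
readonly PAM_AUTH_UPDATE_BIN="/usr/sbin/pam-auth-update"
readonly VISUDO_BIN="/usr/sbin/visudo"
readonly CHPASSWD_BIN="/usr/sbin/chpasswd"
readonly SUDOERS_FILE="/etc/sudoers.d/ad-admins"

if (( EUID != 0 )); then
  printf '%s\n' "Bitte als root ausführen." >&2
  exit 1
fi

printf '=== AD Join für %s / DC %s ===\n' "$DOMAIN" "$DC_IP"

apt update
apt install -y \
  realmd sssd sssd-ad sssd-tools adcli krb5-user \
  libnss-sss libpam-sss packagekit oddjob oddjob-mkhomedir \
  sudo dnsutils

# Kerberos client config: the KDC is pinned to DC_IP and DNS-based lookup of
# realm and KDC is disabled. krb5.conf stays world-readable (default umask).
cat >/etc/krb5.conf <<EOF
[libdefaults]
    default_realm = $REALM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false

[realms]
    $REALM = {
        kdc = $DC_IP
        admin_server = $DC_IP
    }

[domain_realm]
    .$DOMAIN = $REALM
    $DOMAIN = $REALM
EOF

# Best-effort: the host may not be a member yet, so a failed leave is fine.
"$REALM_BIN" leave "$DOMAIN" || true

"$REALM_BIN" join "$DOMAIN" \
  --user="$JOIN_USER" \
  --membership-software=adcli \
  --client-software=sssd

# Write sssd.conf with a restrictive umask so it is never world-readable,
# not even between creation and the chmod below.
(
  umask 077
  cat >/etc/sssd/sssd.conf <<EOF
[sssd]
domains = $DOMAIN
config_file_version = 2
services = nss, pam, sudo

[domain/$DOMAIN]
id_provider = ad
auth_provider = ad
access_provider = simple
chpass_provider = ad

ad_domain = $DOMAIN
krb5_realm = $REALM

cache_credentials = true
enumerate = false

use_fully_qualified_names = false
fallback_homedir = /home/%u
default_shell = /bin/bash

simple_allow_groups = $AD_GROUP_ORIGINAL, $AD_GROUP_LINUX

ldap_id_mapping = true
dyndns_update = false
EOF
)
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf

"$PAM_AUTH_UPDATE_BIN" --enable mkhomedir --enable sss --force

# Build the sudoers drop-in in a temp file and install it only after visudo
# accepted it, so a syntax error never lands in /etc/sudoers.d.
sudoers_tmp=$(mktemp) || exit 1
trap 'rm -f -- "$sudoers_tmp"' EXIT
cat >"$sudoers_tmp" <<EOF
%$AD_GROUP_LINUX ALL=(ALL:ALL) ALL
%domain\\ admins ALL=(ALL:ALL) ALL
EOF
# visudo -c also checks owner and mode, so set 0440 before the check.
chmod 440 "$sudoers_tmp"
"$VISUDO_BIN" -cf "$sudoers_tmp"
install -m 440 -o root -g root -- "$sudoers_tmp" "$SUDOERS_FILE"

# printf is a builtin, so the password does not appear in any process argv.
printf 'root:%s\n' "$ROOT_PASSWORD" | "$CHPASSWD_BIN"

systemctl enable --now oddjobd || true
systemctl enable --now sssd
# Restart to make sure the freshly written sssd.conf is in effect.
systemctl restart sssd
sss_cache -E || true

cat <<EOF

=== Fertig ===
Mitglieder von $AD_GROUP_LINUX dürfen:
  - sich anmelden
  - sudo nutzen
  - mit 'sudo su -' oder 'sudo -i' root werden

Tests:
  realm list
  id daniel.nuss
  su - daniel.nuss
  sudo -l
  sudo -i
EOF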

