LinuxQuestions.org
Old 03-24-2015, 12:57 PM   #1
watcher69b
Member
 
Registered: Nov 2007
Location: /home/watcher69b
Distribution: RH, Fedora & CentOS
Posts: 552

Rep: Reputation: 41
Script for joining RH/CentOS to AD domain


I wanted to pass this on in case it helps someone.


#!/bin/bash
###################################
# Authentication Config
###################################
#Config provided by
#http://www.greenviolet.net/articles/...ctory-login.gv
set -e #abort on the first failed step, so a failed join is not followed by a sudoers rewrite and a reboot

echo -e "Installing software"
yum install nscd oddjob oddjob-mkhomedir pam_krb5 samba-winbind -y -q

echo -e "Setting SeLinux to permissive"
#edit the real file: /etc/sysconfig/selinux is a symlink, and "sed -i" replaces the link with a copy and leaves the real config untouched
sed -i 's/SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config #takes effect at the reboot below

echo -e "\e[01;33m Configuring Auth Config \e[00m"
echo -e "Enter your Workgroup Name in UPPER CASE (ex SNL):"; read WORKGROUP
echo -e "Enter your Domain Name in UPPER CASE (ex SNL.INT) :"; read DOMAIN
echo -e "Enter your Domain Admin username:"; read USERNAME
#The case is important; use all upper-case!!!!
#--winbindjoin prompts for the domain admin's password and joins the machine; winbind maps AD uids/gids into the 100000-1000000 range
authconfig --disablecache --winbindjoin="$USERNAME" --enablelocauthorize --winbindtemplatehomedir=/home/%D/%U --enablewinbind --enablewinbindusedefaultdomain --enablewinbindauth --smbsecurity=ads --enablekrb5 --enablekrb5kdcdns --enablekrb5realmdns --enablemkhomedir --enablepamaccess --updateall --smbidmapuid=100000-1000000 --smbidmapgid=100000-1000000 --disablewinbindoffline --winbindtemplateshell=/bin/bash --smbworkgroup="$WORKGROUP" --smbrealm="$DOMAIN" --krb5realm="$DOMAIN"

echo -e "restarting oddjobd\n"
#/bin/systemctl restart oddjobd.service #rhel7
service oddjobd restart #rhel6

echo -e "\e[01;33m Creating /etc/sudoers.d/winadmins \e[00m"
echo -e "# Active Directory Integration sudoers\n# Note that you can use a combination of local and remote users and groups.\n\nUser_Alias LINUXADMINS = %LinuxAdmins\nUser_Alias SOMEGROUP = %CAMSAdmins\n### By default, allow both sets of admins to run all commands as root.\nLINUXADMINS ALL=(ALL) ALL\n" >> /etc/sudoers.d/winadmins
#note: only LINUXADMINS gets a rule above; SOMEGROUP is defined but grants nothing until a line for it is added

echo -e "\e[01;33m Updating PAM \e[00m"
cp /etc/pam.d/sshd /root/sshd.BAK
#authconfig --enablewinbindauth already puts pam_winbind into the system-auth/password-auth stacks that sshd includes; this extra line is belt and braces
echo -e "auth sufficient pam_winbind.so" >> /etc/pam.d/sshd

echo -e "\e[01;33m Updating /etc/sudoers\e[00m"
mv -f /etc/sudoers /root/sudoers.BAK
#the trailing #includedir line is what makes sudo read the /etc/sudoers.d/winadmins file created above
echo -e 'Defaults requiretty\nDefaults !visiblepw\nDefaults always_set_home\nDefaults env_reset\nDefaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"\nDefaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"\nDefaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"\nDefaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"\nDefaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"\nDefaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin\n## Allows people in group wheel to run all commands\nroot ALL=(ALL) ALL\n%wheel ALL=(ALL) ALL\n#This is the Systems Team\n%LinuxAdmins ALL=(ALL) ALL\n#includedir /etc/sudoers.d\n' >> /etc/sudoers
chmod 440 /etc/sudoers /etc/sudoers.d/winadmins #set the files to the mode sudo requires (a "sudoers*" glob would also hit the /etc/sudoers.d directory)
visudo -c #syntax-check the new sudoers and its includes; with set -e a bad file stops the script here instead of after the reboot

echo -e "\e[01;33m Updating /etc/security/access.conf \e[00m"
mv -f /etc/security/access.conf /root/access.conf.BAK
#pam_access matches user and group names, not sudoers aliases: "SOMEGROUP" below matches nobody unless a group of that name exists (use the real group, e.g. CAMSAdmins)
#the final "- : ALL : ALL" line refuses everyone not matched above, so check the group names before rebooting
echo -e '#further restrict who can logon to the server\n#users must be a member of the listed groups to logon\n##https://access.redhat.com/solutions/70472 - for more information\n\n+ : LinuxAdmins : ALL\n+ : SOMEGROUP : ALL\n+ : root : ALL\n- : ALL : ALL' >> /etc/security/access.conf

reboot
 
Old 03-24-2015, 06:56 PM   #2
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
7 years here and no [code][/code] tags?

Oh the shame of it
 
Old 03-24-2015, 07:47 PM   #3
dijetlo
Senior Member
 
Registered: Jan 2009
Location: RHELtopia....
Distribution: Solaris 11.2/Slackware/RHEL/
Posts: 1,491
Blog Entries: 2

Rep: Reputation: Disabled
Actually the part that would worry me is if NTP isn't configured inside the Kerberos realm and this machine hasn't synched to it, it's just going to lock out. I'm not sure, but it might be unrecoverable at that point (the pam_krb5 is... worrisome.).
Still, nice script, thanks
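The lock-out worry above applies to the access.conf rules in the first post as well: its last line is "- : ALL : ALL", so anyone not matched by an earlier line is refused at login. The following is an added example, not code from the thread or from pam_access, that dry-runs those rules against a user, a group list and an origin before the reboot; it approximates pam_access matching (first match wins, a token matches the login name or a group, "(group)" forces a group match, no match means permit) and the rule text and sample users are constructed.

```shell
#!/bin/sh
# Dry-run evaluator for access.conf rules, approximating pam_access: first matching
# line wins; a users-field token matches the login name or a group the user is in;
# "(group)" forces a group match; no matching line means permit. Origins are handled
# as ALL or exact match only (no EXCEPT, LOCAL or netgroups).

# Constructed copy of the rules the join script writes to /etc/security/access.conf
ACCESS_RULES='#users must be a member of the listed groups to logon
+ : LinuxAdmins : ALL
+ : SOMEGROUP : ALL
+ : root : ALL
- : ALL : ALL'

# _in_list NAME "ITEM ITEM ..." -> status 0 if NAME is one of the items
_in_list() {
  for _i in $2; do [ "$_i" = "$1" ] && return 0; done
  return 1
}

# access_check USER "GROUP GROUP ..." ORIGIN -> status 0 = login allowed, 1 = denied
access_check() {
  user=$1; groups=$2; origin=$3
  printf '%s\n' "$ACCESS_RULES" | {
    while IFS= read -r line; do
      case $line in ''|\#*) continue ;; esac
      perm=${line%%:*}; rest=${line#*:}
      users=${rest%%:*}; origins=${rest#*:}
      set -- $perm; perm=$1                  # word splitting strips the padding
      user_hit=1
      for tok in $users; do
        name=${tok#\(}; name=${name%\)}
        if [ "$tok" = ALL ]; then user_hit=0
        elif [ "$tok" = "$name" ] && [ "$name" = "$user" ]; then user_hit=0
        elif _in_list "$name" "$groups"; then user_hit=0
        fi
        [ "$user_hit" -eq 0 ] && break
      done
      [ "$user_hit" -eq 0 ] || continue
      origin_hit=1
      for o in $origins; do
        if [ "$o" = ALL ] || [ "$o" = "$origin" ]; then origin_hit=0; break; fi
      done
      [ "$origin_hit" -eq 0 ] || continue
      [ "$perm" = "+" ] && exit 0             # first matching line decides
      exit 1
    done
    exit 0                                   # nothing matched: pam_access default is permit
  }
}
```

Run it as access_check jdoe "LinuxAdmins DomainUsers" 10.0.0.5 for each admin group before the reboot; a CAMSAdmins member is refused by these rules because SOMEGROUP is a sudoers alias, not a group name.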