#!/usr/bin/env bash
#
#   Script name: ubdomain-client
#   Description: Script for configure domain client
#   GitLab: https://gitlab.ublinux.ru/
#   Author: Dmitry Razumov asmeron@ublinux.ru
#   Contributors: asmeron@ublinux.ru
#
#   Copyright (c) 2021-2022 UBLinux Development Team <support@ublinux.ru>
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program.  If not, see <http://www.gnu.org/licenses/>.

VERSION_SCRIPT='1.1'   # shown by -V/--version and in the usage banner

# Exit Immediately if a command fails
#set -o errexit

#################################
###   :::   C O L O R S   :::   #
#################################
set_color(){
    # Terminal colour escapes, exported so child processes see them.
    # Two flavours are deliberately kept:
    #   * BBC/RBC/WBC/EC hold real ESC bytes ($'\e…') and print as-is;
    #   * the txt*/bld*/und*/bak* names hold the literal text "\033[…" and
    #     are meant to be rendered through `echo -e` (see prompt()).
    # Chart: http://abload.de/img/bash-color-chartmxjbp.png
    export BBC=$'\e[1;34m' RBC=$'\e[1;31m' WBC=$'\e[1m' EC=$'\e[0m'

    # regular weight — prompt uses red=error, green=success, yellow=warning, cyan=info
    export txtblk='\033[0;30m' txtred='\033[0;31m'
    export txtgrn='\033[0;32m' txtylw='\033[0;33m'
    export txtblu='\033[0;34m' txtpur='\033[0;35m'
    export txtcyn='\033[0;36m' txtwht='\033[0;37m'

    # bold weight — prompt uses red=error, green=success, yellow=warning,
    # cyan=info, white=default text after a WARNING: label
    export bldblk='\033[1;30m' bldred='\033[1;31m'
    export bldgrn='\033[1;32m' bldylw='\033[1;33m'
    export bldblu='\033[1;34m' bldpur='\033[1;35m'
    export bldcyn='\033[1;36m' bldwht='\033[1;37m'

    # underline
    export undblk='\033[4;30m' undred='\033[4;31m'

    # background; "badgrn" is the historical spelling (not "bakgrn") and is
    # kept so anything already reading it keeps working
    export bakblk='\033[40m' bakred='\033[41m' badgrn='\033[42m'

    # reset — prompt's default colour
    export txtrst='\033[0m'
}


#######################################
###   :::   F U N C T I O N S   :::   #
#######################################

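#######################################
# Warn or abort when the script is not running as root.
# Arguments: $1 - mode: -w/--warning warns and returns 1; -wq/--warning-quit
#                 and anything else warn and exit through prompt -wq
#            $@ - in -w mode, extra text appended to the warning
# Returns:   0 when running as root, 1 when not root in -w mode
#######################################
check_root(){
    local euid=${EUID:-$(id -u)}
    # numeric comparison; the former `[[ ... > 0 ]]` was a string compare that
    # only worked because every uid happens to start with a digit
    if (( euid > 0 )); then
	case ${1} in
	    -w  | --warning)	  prompt -w "Please run as root! ${@/#-w/}" && return 1 ;;
	    -wq | --warning-quit) prompt -wq "Please run as root!" ;;
	    *) 			  prompt -wq "Please run as root!" ;;
	esac
    fi
    return 0
}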

# Check command availability
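# Check command availability (builtin, function or executable on PATH).
# Arguments: $1 - command name (quoted, so an empty name is "not found"
#                 instead of turning into a bare `command -v`)
# Returns:   0 if found, non-zero otherwise
has_command(){ command -v "$1" >/dev/null 2>&1; }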

# echo like ... with flag type and display message colors
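#######################################
# Coloured message printer.
# Arguments: $1 - kind: -s/--success, -e/--error, -w/--warning, -i/--info,
#                 or the same with a trailing "q" (-sq, --error-quit, ...)
#                 to exit 1 after printing; any other $1 is printed as-is
#            $@ - message words
# Globals:   QUIET (read): suppresses output; the *-quit kinds still exit,
#            because callers (check_root, find_domain, get_domain_server)
#            rely on prompt -wq/-eq never returning
#            bld*/txt* colour variables (read, see set_color)
# Outputs:   the message on stdout via `echo -e`
# Returns:   0, or exits 1 for the *-quit kinds
#######################################
prompt(){
    local head='' quit=''
    case ${1} in
	-s  | --success)	head=${bldgrn} ;;
	-sq | --success-quit)	head=${bldgrn}; quit=1 ;;
	-e  | --error)   	head="${bldred}ERROR:" ;;
	-eq | --error-quit)   	head="${bldred}ERROR:"; quit=1 ;;
	-w  | --warning) 	head="${bldylw}WARNING:${bldwht}" ;;
	-wq | --warning-quit) 	head="${bldylw}WARNING:${bldwht}"; quit=1 ;;
	-i  | --info)    	head="${bldcyn}INFO:${txtcyn}" ;;
	-iq | --info-quit)    	head="${bldcyn}INFO:${txtcyn}"; quit=1 ;;
	*)    			[[ -n ${QUIET} ]] || echo -e "$@"; return 0 ;;
    esac
    shift
    # The kind flag is dropped by shift instead of the former `${@/#-s/}`,
    # which also mangled message words starting with "-s" and left the long
    # form ("--success") in the output.  The leading space is kept on purpose
    # so the label is followed by a blank as before.
    local body=${*:+" $*"}
    [[ -n ${QUIET} ]] || echo -e "${head}${body}${txtrst}"
    if [[ -n ${quit} ]]; then
	exit 1
    fi
    return 0
}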


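#######################################
# Print the version banner and the help text, then exit 0.
# Globals:   VERSION_SCRIPT (read)
# Outputs:   help text on stdout
# The command list now names "unconfigure", which is what arguments()
# actually accepts, and the subsystem is spelled KRB5 as elsewhere.
#######################################
usage(){
    printf "%s  %s\n" "${0##*/}" "version: ${VERSION_SCRIPT}"
    cat <<EOF
Configure connect to domain

Usage:  ${0##*/} {COMMAND} [OPTIONS...] ...
	${0##*/} list
	${0##*/} discover [--dns DNS] [--domain DOMAIN] [--domain_server DOMAIN_SERVER]
	${0##*/} join 	  [--dns DNS] [--user USER] [--password PASSWORD] --domain DOMAIN
	${0##*/} leave    [--dns DNS] [--user USER] [--password PASSWORD] [--domain DOMAIN]
	${0##*/} configure [--dns DNS]
	${0##*/} permit [-ax] [-R realm] user ...
	${0##*/} deny --all [-R realm]

Commands:
  list 			List of known domains | Список известных доменов
  discover 		Discover available domain | Обнаружить домен
  join	   		Register a machine in a domain | Зарегистрировать машину в домене
  leave			Leave the machine from the domain | Вывести машину из домена
  configure		Only configure PAM, SSSD, KRB5, NSS
  unconfigure		Only unconfigure PAM, SSSD, KRB5, NSS
Meta Commands:
  help          	Show this help

Options:
  -n, --noconfigure	Do not configure PAM, SSSD, KRB5, NSS
  -u, --user=<USER>	A domain user who has rights to register machines | Пользователь домена, имеющие права на регистрацию машин
  -p, --password  	Password a user
  -d, --domain=<DOMAIN>	Domain name | Имя домена
      --domain_server=<SERVER>
    			Domain Kerberos/AD server | Сервер Kerberos/AD домена, отключит автопоиск сервера и задаст статический
        %SERVER_NAME%	Полное имя сервера, которое знает DNS
    	%SERVER_IP%	Адресс IP сервера
      --domain_client=<CLIENT>	
    			Клиент для подключения к домену
      * realmd_sssd	Клиент sssd
        realmd_winbind	Клиент winbind
        samba		Клиент samba
        none		Отключить клиента или автоматически определить
      --dns=DNS		DNS server that knows about the server Kerberos/AD
    			DNS сервер который опознает имя сервере Kerberos/AD, необходимо если в сети по DHCP получен другой домен и не определяет автопоиск
  -a, --authpam_opt=<PROFILE_OPT1>,<PROFILE_OPTn>
			Дополнительные опции профиля адентификации
			Возможные опции:
	wth-altfiles with-ecryptfs with-faillock with-files-access-provider with-files-domain with-pamaccess with-silent-lastlog with-sudo with-systemd-homed with-time without-nullok
        with-fingerprint with-pam-u2f with-pam-u2f-2fa without-nullokwithout-pam-u2f-nouserok.
        with-smartcard with-smartcard-lock-on-removal with-smartcard-required.
        with-mdns4 with-mdns6 with-mkhomedir with-mkhomedir-simple with-nispwquality
  -q, --quiet		Quiet mode
  -h, --help		Show this help
  -V, --version		Show package version

Examples:
${0##*/} discover --domain ubdc.ru
${0##*/} join --user Администратор --password PASS --domain ubdc.ru
${0##*/} leave --user Администратор --password PASS --domain ubdc.ru
EOF
    exit 0
}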
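#######################################
# Parse the command line into globals.
# Globals (written): COMMAND, NOCONFIGURE, MUSER, MPASSWORD, DOMAIN,
#                    DOMAIN[client], DOMAIN[server], DOMAIN[dns],
#                    AUTHPAM_OPT, QUIET, QUIET_ARG, READ_STDIN
# Arguments: the script's "$@"
# Outputs:   -h/--help/help print the usage and exit 0; -V/--version prints
#            the version and exits 0; unknown options warn on stderr
# Returns:   0
#######################################
arguments(){
    # Pass 1: normalise the words so the parser below sees only one form:
    #   -xyz          -> -x -y -z
    #   --longopt=arg -> --longopt arg
    # Everything after a bare "--" is copied through untouched.
    local -a ARGV=()
    local END_OF_OPT=
    local arg i
    while [[ $# -gt 0 ]]; do
	arg=$1; shift
	case "${END_OF_OPT}${arg}" in
	    --) ARGV+=("$arg"); END_OF_OPT=1 ;;
	    --*=*) ARGV+=("${arg%%=*}" "${arg#*=}") ;;
	    --*) ARGV+=("$arg") ;;
	    -*) for (( i = 1; i < ${#arg}; i++ )); do ARGV+=("-${arg:i:1}"); done ;;
	    *) ARGV+=("$arg") ;;
	esac
    done
    set -- "${ARGV[@]}"

    # Pass 2: interpret the normalised words.  No words at all means help.
    END_OF_OPT=
    local -a POSITIONAL_ARGS=()
    if (( $# == 0 )); then
	usage
    fi
    while [[ $# -gt 0 ]]; do
	case "${END_OF_OPT}${1}" in
	    list)		  COMMAND=list ;;
	    discover)		  COMMAND=discover ;;
	    join)		  COMMAND=join ;;
	    leave)		  COMMAND=leave ;;
	    configure)	  	  COMMAND=configure ;;
	    unconfigure)	  COMMAND=unconfigure ;;
	    -n | --noconfigure)	  NOCONFIGURE=1 ;;
	    -u | --user)	  shift; MUSER=$1 ;;
	    # NOTE(review): a password on the command line is visible to other
	    # local users in the process list; the config-file credential
	    # (DOMAIN[admanger]) avoids that.  --stdin sets READ_STDIN but nothing
	    # in this file's visible code consumes it — TODO confirm.
	    -p | --password)	  shift; MPASSWORD=$1 ;;
	    -d | --domain)	  shift; DOMAIN=$1 ;;
		 --domain_client) shift; DOMAIN[client]=$1 ;;
		 --domain_server) shift; DOMAIN[server]=$1 ;;
	    -a | --authpam_opt)	  shift; AUTHPAM_OPT=$1 ;;
		 --dns)		  shift; DOMAIN[dns]=$1 ;;
	    -h | --help | help)	  usage ;;
	    -q | --quiet)     	  QUIET=1; QUIET_ARG="-q" ;;
	    -V | --version)	  echo "Version: ${VERSION_SCRIPT}"; exit 0 ;;
	    --stdin)        	  READ_STDIN=1 ;;
	    --)             	  END_OF_OPT=1 ;;
	    -*)             	  prompt -w "Unrecognized argument, skiped: $1" >&2  ;;
	    *)              	  POSITIONAL_ARGS+=("$1") ;;
	esac
	shift
    done
    # Positional words are collected but not used by any caller yet; they are
    # function-local, so no `set --` is needed to "restore" them.
    return 0
}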
#######################################
# Apply the authselect profile matching DOMAIN[client] and record the
# default feature list in the ubconfig "config" store.
# Globals:   DOMAIN[client], AUTHPAM_OPT, DEFAULT_AUTHPAM_SSSD,
#            DEFAULT_AUTHPAM_WINBIND (read);
#            AUTHPAM_CURRENT_PROFILE, PROFILE_FEATURE, PROFILE_FEATURE_ITEM
#            (written as globals by the inner helper)
# Outputs:   prompt -w when an authselect call fails
# Returns:   status of the last ubconfig call, or 0 for an unknown client
#######################################
set_authpam(){
    # Inner helper: select profile $1 with feature list $2 (comma, semicolon
    # or space separated).  When $1 is already the active profile only the
    # listed features are enabled on top of it.  The helper is (re)defined as
    # a global function each time set_authpam runs.
    select_authpam(){
	local AUTHPAM_PROFILE
	local AUTHPAM_OPT
	[[ -n $1 && -n $2 ]] || return 1
	AUTHPAM_PROFILE=$1
	AUTHPAM_OPT=$2
	AUTHPAM_CURRENT_PROFILE=$(authselect current --raw)
	# first word of `authselect current --raw` is taken as the profile
	# name; a non-zero status is treated as "no profile selected"
	[[ $? == 0 ]] && AUTHPAM_CURRENT_PROFILE=${AUTHPAM_CURRENT_PROFILE%% *} || unset AUTHPAM_CURRENT_PROFILE
	PROFILE_FEATURE=$(tr ',;' " " <<< ${AUTHPAM_OPT})
	if [[ ${AUTHPAM_CURRENT_PROFILE} == "" ]]; then
	    authselect select ${AUTHPAM_PROFILE} ${PROFILE_FEATURE} --force --nobackup --quiet 2>/dev/null \
    	        || prompt -w "Failed authselect select ${AUTHPAM_PROFILE} ${PROFILE_FEATURE}"
	else
	    if [[ ${AUTHPAM_PROFILE} == ${AUTHPAM_CURRENT_PROFILE} ]]; then
		for PROFILE_FEATURE_ITEM in ${PROFILE_FEATURE}; do
		    authselect enable-feature ${PROFILE_FEATURE_ITEM} --quiet 2>/dev/null \
			|| prompt -w "Failed authselect enable-feature ${PROFILE_FEATURE_ITEM}"
		done
	    else
		authselect select ${AUTHPAM_PROFILE} ${PROFILE_FEATURE} --force --nobackup --quiet 2>/dev/null \
		    || prompt -w "Failed authselect select ${AUTHPAM_PROFILE} ${PROFILE_FEATURE}"
	    fi
	fi
    }
    # NOTE(review): `A && B || C` also runs C when B returns non-zero, i.e. a
    # failed select with the user's options silently retries with the
    # defaults — confirm that is intended.
    # NOTE(review): the value stored with ubconfig is always the DEFAULT_*
    # list, even when AUTHPAM_OPT was used for the actual selection — confirm.
    if [[ ${DOMAIN[client]} == "realmd_sssd" ]]; then
	[[ -n ${AUTHPAM_OPT} ]] && select_authpam sssd ${AUTHPAM_OPT} \
	|| select_authpam sssd ${DEFAULT_AUTHPAM_SSSD}
	ubconfig -q set config "AUTHPAM[sssd]=${DEFAULT_AUTHPAM_SSSD}"
    elif [[ ${DOMAIN[client]} == "realmd_winbind" ]]; then
	[[ -n ${AUTHPAM_OPT} ]] && select_authpam winbind ${AUTHPAM_OPT} \
	|| select_authpam winbind ${DEFAULT_AUTHPAM_WINBIND}
	ubconfig -q set config "AUTHPAM[winbind]=${DEFAULT_AUTHPAM_WINBIND}"
    elif [[ ${DOMAIN[client]} == "samba" ]]; then
	# samba uses the winbind profile as well
	[[ -n ${AUTHPAM_OPT} ]] && select_authpam winbind ${AUTHPAM_OPT} \
	|| select_authpam winbind ${DEFAULT_AUTHPAM_WINBIND}
	ubconfig -q set config "AUTHPAM[winbind]=${DEFAULT_AUTHPAM_WINBIND}"
    fi
}
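#######################################
# Make sure DOMAIN[dns] is among the IPv4 resolvers NetworkManager uses.
# Globals:   DOMAIN[dns] (read)
# Outputs:   nmcli's own output; prompt -w when a connection cannot be
#            modified or re-activated
# Returns:   0
#######################################
set_dns(){
    local connection_uuid
    # -F: the address is a literal, not a regex ("10.1.1.1" must not match
    # "10.101.1.1").  The 2>/dev/null now applies to nmcli; before it only
    # silenced grep.
    if nmcli --get-values ip4.dns device show 2>/dev/null | grep -qF -- "${DOMAIN[dns]}"; then
	return 0
    fi
    # NOTE(review): every connection profile is modified and brought up,
    # including ones that were deliberately down — confirm this is intended.
    for connection_uuid in $(nmcli --get-values uuid connection show); do
	nmcli connection modify uuid "${connection_uuid}" +ipv4.dns "${DOMAIN[dns]}" \
	    || prompt -w "Failed assign DNS ${DOMAIN[dns]} to connection uuid ${connection_uuid}"
	nmcli connection up uuid "${connection_uuid}" \
	    || prompt -w "Failed restart connection uuid ${connection_uuid}"
    done
    # recorded once, not once per connection as before
    ubconfig set network "DOMAIN[dns]=${DOMAIN[dns]}"
    return 0
}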
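#######################################
# Write the Kerberos, SSSD and realmd configuration for the chosen client.
# Globals:   DOMAIN, DOMAIN[client], DOMAIN[server], DOMAIN[hostname],
#            OS_NAME, OS_VERSION, FILE_KRB5, FILE_REALM_SNIPPET_001,
#            FILE_REALM_SNIPPET_010, PATH_CONF_KRB5, PATH_CONF_SSSD (read)
# Outputs:   krb5.conf and realmd.conf under PATH_CONF_KRB5, the two SSSD
#            snippets under PATH_CONF_SSSD; prompt -w on a missing value
# Returns:   1 when DOMAIN or DOMAIN[server] is empty (nothing is written),
#            0 otherwise
#######################################
prepare_config(){
    # Both values end up inside configuration files, so refuse to continue
    # without them rather than write a broken krb5.conf (the former code only
    # warned — with the two messages swapped — and carried on).
    if [[ -z ${DOMAIN} ]]; then
	prompt -w " DOMAIN not set, unable to configure system"
	return 1
    fi
    if [[ -z ${DOMAIN[server]} ]]; then
	prompt -w " DOMAIN[server] not set, unable to configure system"
	return 1
    fi
    local DOMAIN_UP=${DOMAIN^^}
    local DOMAIN_SERVER_UP=${DOMAIN[server]^^}
    local KRB5_REALM KRB5_DOMAIN_REALMS REALMD_CONF
    # realmd.conf is written for every client, so it is prepared outside the
    # per-client branches (the winbind and samba branches used to write an
    # empty file because the variable was only set in the sssd branch).
    REALMD_CONF=$(cat <<EOF
[active-directory]
os-name = ${OS_NAME}
os-version = ${OS_VERSION}
EOF
)
    if [[ ${DOMAIN[client]} == "realmd_sssd" ]]; then
	# a [realms] entry for the full realm and for its first label
	KRB5_REALM=$(cat <<EOF
   ${DOMAIN_UP} = {
      kdc = ${DOMAIN_SERVER_UP}
      admin_server = ${DOMAIN_SERVER_UP}
      default_domain = ${DOMAIN_UP}
   }
   ${DOMAIN_UP%%.*} = {
      kdc = ${DOMAIN_SERVER_UP}
      admin_server = ${DOMAIN_SERVER_UP}
      default_domain = ${DOMAIN_UP}
   }
EOF
)
	KRB5_DOMAIN_REALMS=$(cat <<EOF
    .${DOMAIN} = ${DOMAIN_UP}
    ${DOMAIN} = ${DOMAIN_UP}
EOF
)
	local krb5_conf="${PATH_CONF_KRB5}/${FILE_KRB5##*/}"
	local sssd_domain_conf="${PATH_CONF_SSSD}/${FILE_REALM_SNIPPET_010##*/}"
	cp -f -- "${FILE_KRB5}" "${PATH_CONF_KRB5}/"
	cp -f -- "${FILE_REALM_SNIPPET_001}" "${PATH_CONF_SSSD}/"
	cp -f -- "${FILE_REALM_SNIPPET_010}" "${PATH_CONF_SSSD}/"
	# NOTE(review): hostname and domain are spliced into the sed scripts
	# unescaped; a value containing "/" or "&" would corrupt the edit.
	sed -i "s/\(ad_hostname =\).*/\1 ${DOMAIN[hostname]}/" "${sssd_domain_conf}"
	sed -i "s/\[domain\/\]/\[domain\/${DOMAIN}\]/" "${sssd_domain_conf}"
	# GNU sed `r`: append the generated blocks after the [realms] and
	# [domain_realm] headers of the template
	sed -i '/\[realms\]/r '<(printf '%s\n' "${KRB5_REALM}") "${krb5_conf}"
	sed -i '/\[domain_realm\]/r '<(printf '%s\n' "${KRB5_DOMAIN_REALMS}") "${krb5_conf}"
    elif [[ ${DOMAIN[client]} == "realmd_winbind" ]]; then
	true	# not implemented yet
    elif [[ ${DOMAIN[client]} == "samba" ]]; then
	true	# not implemented yet
    fi
    printf '%s\n' "${REALMD_CONF}" > "${PATH_CONF_KRB5}/realmd.conf"
    return 0
}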
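#######################################
# Work out the domain (realm) name when it was not given.
# Globals:   DOMAIN (read/written), DOMAIN[server] (read/written),
#            DOMAIN[server_ip] (written when DOMAIN[server] is an address)
# Order tried: adcli against DOMAIN[server], `realm discover`, `hostname -d`
# Outputs:   prompt -eq (exits) when nothing is found
# Returns:   0 when DOMAIN is set
#######################################
find_domain(){
    # dotted-quad shape check only; octet ranges are not validated
    local ipv4='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    if [[ -n ${DOMAIN[server]} ]]; then
	if [[ ${DOMAIN[server]} =~ ^${ipv4}$ ]]; then
	    # an address was given: keep it and ask the controller for its name
	    DOMAIN[server_ip]=${DOMAIN[server]}
	    DOMAIN[server]=$(adcli info --domain-controller "${DOMAIN[server_ip]}" 2>/dev/null | grep "domain-controller =" | cut -d= -f2 | xargs)
	fi
	[[ -n ${DOMAIN} ]] || DOMAIN=$(adcli info --domain-controller "${DOMAIN[server]}" 2>/dev/null | grep "domain-name =" | cut -d= -f2 | xargs)
    fi
    [[ -n ${DOMAIN} ]] || DOMAIN=$(realm discover 2>/dev/null | awk '/domain-name: / { print $2 ; exit }')
    [[ -n ${DOMAIN} ]] || DOMAIN=$(hostname -d)
    # "(none)" is rejected as well — presumably what hostname -d prints for a
    # host without a domain part
    [[ -n ${DOMAIN} && ${DOMAIN} != "(none)" ]] || prompt -eq "domain not found, unable to get domain"
    return 0
}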
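#######################################
# Determine the domain controller's name and IPv4 address.
# Globals:   DOMAIN (read), DOMAIN[server] (read/written),
#            DOMAIN[server_ip] (read/written)
# Outputs:   prompt -eq (exits) when the controller name or its address
#            cannot be determined
# Returns:   0 when both DOMAIN[server] and DOMAIN[server_ip] are set
#######################################
get_domain_server(){
    # dotted-quad shape check only; octet ranges are not validated
    local ipv4='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
    local lookup
    # An address was given instead of a name: keep it and ask the controller
    # for its name.
    if [[ -n ${DOMAIN[server]} && ${DOMAIN[server]} =~ ^${ipv4}$ ]]; then
	DOMAIN[server_ip]=${DOMAIN[server]}
	DOMAIN[server]=$(adcli info --domain-controller "${DOMAIN[server_ip]}" 2>/dev/null | grep "domain-controller =" | cut -d= -f2 | xargs)
    fi
    [[ -n ${DOMAIN[server]} ]] || DOMAIN[server]=$(adcli info --domain "${DOMAIN}" 2>/dev/null | grep "domain-controller =" | cut -d= -f2 | xargs)
    [[ -n ${DOMAIN[server]} ]] || prompt -eq " domain not found, unable to get domain controller name"
    # Resolve the controller to an IPv4 address; each source is consulted
    # only while the address is still unknown (the former `[[ $? == 0 ]]`
    # chains depended on the status of the preceding `&&` list).
    # NOTE(review): the SRV query is made for the controller's name rather
    # than for the domain — confirm this is what was meant.
    if [[ -z ${DOMAIN[server_ip]} ]] && lookup=$(nslookup -type=srv "_ldap._tcp.${DOMAIN[server]}" 2>/dev/null); then
	DOMAIN[server_ip]=$(grep -i server: <<< "${lookup}" | grep -Eo "${ipv4}" | head -1)
    fi
    if [[ -z ${DOMAIN[server_ip]} ]] && lookup=$(host "${DOMAIN[server]}" 2>/dev/null); then
	DOMAIN[server_ip]=$(awk '/has address/ { print $4 ; exit }' <<< "${lookup}")
    fi
    if [[ -z ${DOMAIN[server_ip]} ]] && lookup=$(nslookup "${DOMAIN[server]}" 2>/dev/null); then
	DOMAIN[server_ip]=$(awk '/^Address: / { print $2 ; exit }' <<< "${lookup}")
    fi
    [[ -n ${DOMAIN[server_ip]} ]] || DOMAIN[server_ip]=$(getent hosts "${DOMAIN[server]}" | awk '{ print $1 ; exit }')
    # head -1: keep the value single-line should ping print more than one address
    [[ -n ${DOMAIN[server_ip]} ]] || DOMAIN[server_ip]=$(ping "${DOMAIN[server]}" -c 1 -q 2>&1 | grep -Po "(\d{1,3}\.){3}\d{1,3}" | head -1)
    [[ -n ${DOMAIN[server_ip]} ]] || prompt -eq "domain not found, unable to get domain controller ip address"
    return 0
}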
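#######################################
# Print what adcli/realm know about the domain: by controller name, by
# controller address, by realm name, then a network-wide realm discovery.
# Globals:   DOMAIN, DOMAIN[server], DOMAIN[server_ip] (read)
# Outputs:   adcli / realm output on stdout, prompt -i/-w progress messages
# Returns:   0
#######################################
discover_domain(){
    if [[ -n ${DOMAIN[server]} ]]; then
	prompt -i "request information by domain server name: ${DOMAIN[server]}"
	adcli info --domain-controller "${DOMAIN[server]}" 2>/dev/null \
	    || prompt -w "not found information by domain server name: ${DOMAIN[server]}"
    fi
    if [[ -n ${DOMAIN[server_ip]} ]]; then
	prompt -i "request information by domain server ip: ${DOMAIN[server_ip]}"
	adcli info --domain-controller "${DOMAIN[server_ip]}" 2>/dev/null \
	    || prompt -w "not found information by domain server ip: ${DOMAIN[server_ip]}"
    fi
    if [[ -n ${DOMAIN} ]]; then
	# these two messages used to show DOMAIN[server] although the query is by realm
	prompt -i "request information by domain realm: ${DOMAIN}"
	adcli info --domain "${DOMAIN}" 2>/dev/null \
	    || prompt -w "not found information by domain realm: ${DOMAIN}"
    fi
    prompt -i "request global search for a domain in the network: ${DOMAIN}"
    # when DOMAIN is empty the argument is omitted entirely (not passed as
    # ""), exactly as the former unquoted expansion did
    realm discover ${DOMAIN:+"${DOMAIN}"} 2>/dev/null \
	|| prompt -w "global domain not detected, timeout 30 seconds"
    return 0
}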
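#######################################
# Join the machine to DOMAIN with the selected client.
# Globals:   DOMAIN, DOMAIN[client], MUSER, MPASSWORD, OS_NAME,
#            OS_VERSION (read); STATUS_JOIN (written)
# Outputs:   realm's verbose output
# Returns:   0 on success, 1 on failure or for an unknown client
#######################################
join_domain(){
    # The former implementation built one string,
    #   bash -c "echo '$MPASSWORD' | realm join ... $MUSER ... $DOMAIN",
    # which exposed the password to every local user via the process list
    # and let a quote or shell metacharacter in the password, user name or
    # domain be interpreted as shell.  The credential now travels over a pipe
    # and every value is passed as its own argument.
    join_domain_sssd(){
	local -a realm_args=(join --verbose)
	if [[ -n ${MUSER} ]]; then
	    realm_args+=(--user "${MUSER}")
	fi
	realm_args+=(--os-name "${OS_NAME}" --os-version "${OS_VERSION}" ${DOMAIN:+"${DOMAIN}"})
	if [[ -n ${MPASSWORD} ]]; then
	    # the password is supplied on realm's stdin, as the former echo-pipe did
	    printf '%s\n' "${MPASSWORD}" | LANG=C /usr/bin/realm "${realm_args[@]}"
	else
	    LANG=C /usr/bin/realm "${realm_args[@]}"
	fi
    }
    # STATUS_JOIN stays a global for compatibility; an unknown client is now
    # reported as failure instead of passing the `-eq 0` test with an empty value
    STATUS_JOIN=1
    case ${DOMAIN[client]} in
	realmd_sssd)	join_domain_sssd; STATUS_JOIN=$? ;;
	realmd_winbind)	true; STATUS_JOIN=$? ;;	# not implemented yet
	samba)		true; STATUS_JOIN=$? ;;	# not implemented yet
    esac
    [[ ${STATUS_JOIN} -eq 0 ]] || return 1
    return 0
}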
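#######################################
# Remove the machine from DOMAIN with the selected client.
# Globals:   DOMAIN, DOMAIN[client], MUSER, MPASSWORD (read)
# Outputs:   realm's verbose output
# Returns:   realm's exit status for realmd_sssd; 0 for the other clients
#######################################
leave_domain(){
    # Same change as join_domain: no `bash -c` string, so the password is not
    # visible in the process list and cannot be interpreted as shell.
    leave_domain_sssd(){
	local -a realm_args=(leave --verbose --remove)
	if [[ -n ${MUSER} ]]; then
	    realm_args+=(--user "${MUSER}")
	fi
	# DOMAIN may legitimately be empty here; omit the argument then
	realm_args+=(${DOMAIN:+"${DOMAIN}"})
	if [[ -n ${MPASSWORD} ]]; then
	    printf '%s\n' "${MPASSWORD}" | LANG=C /usr/bin/realm "${realm_args[@]}"
	else
	    LANG=C /usr/bin/realm "${realm_args[@]}"
	fi
    }
    case ${DOMAIN[client]} in
	realmd_sssd)	leave_domain_sssd ;;
	realmd_winbind)	true ;;	# not implemented yet
	samba)		true ;;	# not implemented yet
    esac
}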

###############################
###   :::   M A I N   :::   ###
###############################

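    PKGNAME=${0##*/}
    PATH_WORK=${PWD}
    set_color

    PATH_SHARE="/usr/share/ubdomain-client"
    PATH_CONF_KRB5="/etc"
#PATH_CONF_KRB5="/tmp/0/etc"
    PATH_CONF_SSSD="/etc/sssd/conf.d"
#PATH_CONF_SSSD="/tmp/0/etc/sssd/conf.d"
    FILE_KRB5="${PATH_SHARE}/krb5.conf"
    FILE_REALM_SNIPPET_001="${PATH_SHARE}/001-ubdomain-default.conf"
    FILE_REALM_SNIPPET_010="${PATH_SHARE}/010-ubdomain-domain.conf"
    # authselect feature lists applied by set_authpam (comma separated)
    DEFAULT_AUTHPAM_MINIMAL=with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple
    DEFAULT_AUTHPAM_NIS=with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple
    DEFAULT_AUTHPAM_SSSD=with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple
    DEFAULT_AUTHPAM_WINBIND=with-faillock,with-time,with-systemd-homed,with-mkhomedir-simple

    # System configuration is sourced, i.e. executed as shell by root, so
    # these files must only be writable by root.  They are read in order
    # because SYSCONF is expected to be defined by os-config.  The DOMAIN[...]
    # keys used throughout this script need DOMAIN to be an associative array
    # (declare -A) — presumably done by one of these files; with a plain
    # variable every DOMAIN[key] would alias DOMAIN itself.  TODO(review):
    # confirm both points against os-config.
    SOURCE=/usr/lib/ublinux/os-config; [[ -f ${SOURCE} ]] && . "${SOURCE}" 2>/dev/null
    SOURCE=${SYSCONF}/config; [[ -f ${SOURCE} ]] && . "${SOURCE}" 2>/dev/null
    SOURCE=${SYSCONF}/network; [[ -f ${SOURCE} ]] && . "${SOURCE}" 2>/dev/null

    # remember what the config already holds so `configure` only rewrites changes
    [[ -z ${DOMAIN} ]] || IS_CONFIG_DOMAIN=${DOMAIN}
    [[ -z ${DOMAIN[server]} ]] || IS_CONFIG_DOMAIN_SERVER=${DOMAIN[server]}
    # DOMAIN[admanger] holds "user:base64(password)".  base64 is an encoding,
    # not protection: the permissions of the sourced file are the only thing
    # guarding this credential.  (Rewritten as an explicit if: the former
    # `A || B && C` ran the decode step even when A was true.)
    if [[ -n ${DOMAIN[admanger]} ]]; then
	MUSER=${DOMAIN[admanger]%%:*}
	MPASSWORD=$(base64 -d <<< "${DOMAIN[admanger]##*:}")
    fi
    [[ -n ${DOMAIN[hostname]} ]] || DOMAIN[hostname]=$(hostname -f)
    [[ -n ${DOMAIN[client]} ]] || DOMAIN[client]="realmd_sssd"
    [[ -n ${MUSER} ]] || MUSER="Administrator"
    # PRETTY_NAME without quotes and without its first numeric token; VERSION_ID without quotes
    OS_NAME=$(grep "PRETTY_NAME=" /usr/lib/os-release | cut -d= -f2 | sed 's/"//g ; s/ [0-9]* / /')
    OS_VERSION=$(grep "VERSION_ID=" /usr/lib/os-release | cut -d= -f2 | sed 's/"//g')
    # NOTE(review): relies on net-tools ifconfig; when it is absent MYIP stays
    # empty and the discovery block below is silently skipped — confirm.
    MYIP=$(ifconfig | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p') #'

    # "$@", not $@: an argument containing spaces (a password, for instance)
    # must reach the parser as one word
    arguments "$@"

    # Discovery needs the network and is skipped for the commands that must
    # also work while the machine is offline.
    if [[ -n ${MYIP} && ${COMMAND} != unconfigure && ${COMMAND} != leave ]]; then
	[[ -n ${DOMAIN[dns]} ]] && set_dns
	[[ -n ${DOMAIN} ]] || find_domain
	[[ -n ${DOMAIN} ]] && get_domain_server
    fi

    # Dispatch.  An empty COMMAND (options only) runs nothing beyond the
    # discovery above.
    if [[ ${COMMAND} == list ]]; then
	realm list
    elif [[ ${COMMAND} == discover ]]; then
	discover_domain
    elif [[ ${COMMAND} == join ]]; then
	if [[ -z ${NOCONFIGURE} ]] && check_root -w "the PAM, KRB5, NSS, SSSD is not configured. Root rights are required."; then
	    set_authpam
	    prepare_config
	fi
	if join_domain; then
	    ubconfig -q set network "DOMAIN=${DOMAIN}" "DOMAIN[server]=${DOMAIN[server]}"
	fi
    elif [[ ${COMMAND} == leave ]]; then
	leave_domain
	# NOTE(review): the stored domain is dropped even when realm leave
	# failed — confirm that is the intended behaviour
	ubconfig -q remove network DOMAIN "DOMAIN[server]"
    elif [[ ${COMMAND} == configure && -z ${NOCONFIGURE} ]]; then
	check_root -wq " the PAM, KRB5, NSS, SSSD is not configured. Root rights are required."
	# right-hand sides quoted: inside [[ ]] an unquoted value is a pattern
	[[ ${DOMAIN} != "${IS_CONFIG_DOMAIN}" ]] && ubconfig -q set network "DOMAIN=${DOMAIN}"
	[[ ${DOMAIN[server]} != "${IS_CONFIG_DOMAIN_SERVER}" ]] && ubconfig -q set network "DOMAIN[server]=${DOMAIN[server]}"
#	ubconfig -q set config AUTHPAM[sssd]=${DEFAULT_AUTHPAM_SSSD}
	set_authpam
	prepare_config
    elif [[ ${COMMAND} == unconfigure && -z ${NOCONFIGURE} ]]; then
	check_root -wq " the PAM, KRB5, NSS, SSSD is not configured. Root rights are required."
#	ubconfig -q set config AUTHPAM[minimal]=${DEFAULT_AUTHPAM_MINIMAL}
	# PARENT is not set anywhere in this file — presumably exported by a
	# calling ubconfig so it can keep its own DOMAIN entry; TODO confirm
	[[ -n ${DOMAIN} && ${PARENT} != "ubconfig" ]] && ubconfig -q remove network DOMAIN
	[[ -n ${DOMAIN[server]} ]] && ubconfig -q remove network "DOMAIN[server]"
	unset DOMAIN
	find /etc/ -maxdepth 1 -type f -name krb5.keytab -delete 2>/dev/null
	find /etc/sssd/ -type f -name "sssd.conf" -delete 2>/dev/null
	find /etc/sssd/ -type f -name "*-ubdomain-*.conf" -delete 2>/dev/null
	# Also clean the persistent overlay ("rootcopy") of the live system
	# layer, located either directly or next to the ublinux-data*.sgn file.
	PATH_ROOTCOPY=$(find /memory/layer-base/*/ -maxdepth 1 -type d -name "rootcopy" 2>/dev/null | head -1)
	if [[ -z ${PATH_ROOTCOPY} ]]; then
	    UBDATA_SGN=$(find /memory/layer-base/*/ -maxdepth 1 -type f -name "ublinux-data*.sgn" 2>/dev/null | head -1)
	    # former `xargs dirname` on empty input produced the bogus "/rootcopy"
	    [[ -n ${UBDATA_SGN} ]] && PATH_ROOTCOPY="${UBDATA_SGN%/*}/rootcopy"
	fi
	if [[ -n ${PATH_ROOTCOPY} && -w ${PATH_ROOTCOPY} ]]; then
	    find "${PATH_ROOTCOPY}/etc/" -maxdepth 1 -type f -name krb5.conf -delete 2>/dev/null
	    find "${PATH_ROOTCOPY}/etc/" -maxdepth 1 -type f -name krb5.keytab -delete 2>/dev/null
	    find "${PATH_ROOTCOPY}/etc/" -maxdepth 1 -type f -name realmd.conf -delete 2>/dev/null
	    find "${PATH_ROOTCOPY}/etc/sssd/" -type f -name "*.conf" -delete 2>/dev/null
	fi
    fi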
