Background:
Windows AD version: Windows Server 2012 R2 zh-cn
Full computer name: hlm12r2n1.hlm.com
Domain: hlm.com
Domain administrator: stone
Regular users: abc; bcd
Regular group: hlmgroup (user bcd is a member of this group)
IP: 10.0.0.6
Linux server:
User with root privileges: ltsstone
Procedure:
Install the required packages:
yum install -y krb5-workstation realmd sssd samba-common adcli oddjob oddjob-mkhomedir samba samba-common-tools
Edit /etc/resolv.conf so that DNS points at the DC:
[root@hlmcen75n2 ~]# cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search lqvi3agp2gsunp1mlkwv0vudne.ax.internal.chinacloudapp.cn
nameserver 10.0.0.6
Edit /etc/hosts and add the mapping between the DC's IP address and its name:
[root@hlmcen75n2 ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.0.0.6    hlm12r2n1.hlm.com
Join the Linux machine to the domain:
[root@hlmcen75n2 ~]# realm join hlm12r2n1.hlm.com -U stone
Password for stone:
The domain is now discovered successfully:
[root@hlmcen75n2 ~]# realm list
hlm.com
  type: kerberos
  realm-name: HLM.COM
  domain-name: hlm.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@hlm.com
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: hlmgroup@hlm.com
Permit the domain group hlmgroup to log in to this host:
[root@hlmcen75n2 sudoers.d]# realm permit -g hlmgroup@hlm.com
The users stone, abc and bcd can now be resolved:
[root@hlmcen75n2 ~]# id stone@hlm.com
uid=1744400500(stone) gid=1744400513(domain users) groups=1744400513(domain users),1744400520(group policy creator owners),1744400512(domain admins),1744400518(schema admins),1744400572(denied rodc password replication group),1744400519(enterprise admins)
[root@hlmcen75n2 ~]# id abc@hlm.com
uid=1744401605(abc) gid=1744400513(domain users) groups=1744400513(domain users)
[root@hlmcen75n2 ~]# id bcd@hlm.com
uid=1744401608(bcd) gid=1744400513(domain users) groups=1744400513(domain users),1744401602(hlmgroup)
So that users can be resolved without the domain suffix, edit /etc/sssd/sssd.conf and change use_fully_qualified_names from True to False:
[root@hlmcen75n2 ~]# cat /etc/sssd/sssd.conf
[sssd]
domains = hlm.com
config_file_version = 2
services = nss, pam

[domain/hlm.com]
ad_server = hlm12r2n1.hlm.com
ad_domain = hlm.com
krb5_realm = HLM.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = hlmgroup@hlm.com
Restart the sssd service and list the domain information again:
[root@hlmcen75n2 ~]# systemctl restart sssd
[root@hlmcen75n2 ~]# realm list
hlm.com
  type: kerberos
  realm-name: HLM.COM
  domain-name: hlm.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: hlmgroup@hlm.com
The Linux server now resolves domain users without the domain suffix:
[root@hlmcen75n2 ~]# id stone
uid=1744400500(stone) gid=1744400513(domain users) groups=1744400513(domain users),1744400520(group policy creator owners),1744400512(domain admins),1744400518(schema admins),1744400572(denied rodc password replication group),1744400519(enterprise admins)
[root@hlmcen75n2 ~]# id abc
uid=1744401605(abc) gid=1744400513(domain users) groups=1744400513(domain users)
[root@hlmcen75n2 ~]# id bcd
uid=1744401608(bcd) gid=1744400513(domain users) groups=1744400513(domain users),1744401602(hlmgroup)
Switching to a domain user and trying to become root fails with the following message:
[root@hlmcen75n2 ~]# su - abc
Last login: Mon Sep 17 07:53:38 UTC 2018 on pts/0
[abc@hlmcen75n2 ~]$ sudo su - root

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for abc:
abc is not in the sudoers file.  This incident will be reported.
[abc@hlmcen75n2 ~]$
Edit /etc/sudoers.d/waagent and add the users that need root privileges:
[root@hlmcen75n2 ~]# vim /etc/sudoers.d/waagent
[root@hlmcen75n2 ~]# cat /etc/sudoers.d/waagent
ltsstone ALL=(ALL) ALL
abc ALL=(ALL) ALL
Switching to root now succeeds:
[root@hlmcen75n2 ~]# sudo su - abc
Last login: Tue Sep 18 02:26:30 UTC 2018 on pts/0
[abc@hlmcen75n2 ~]$ sudo su - root
[sudo] password for abc:
Last login: Tue Sep 18 02:25:50 UTC 2018 on pts/0
[root@hlmcen75n2 ~]#
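An added check (not part of the original notes) that audits the two files the procedure edits: it parses the [domain/...] section of an sssd.conf and reports whether logins are restricted to a group, whether credentials are cached and whether short names are enabled, and it lists the principals in a sudoers.d file that are granted unrestricted root. The sample inputs are the page's own files, embedded here as constructed strings.

```python
import configparser
import re

# Constructed sample: the relevant part of the page's /etc/sssd/sssd.conf
SSSD_CONF = """[sssd]
domains = hlm.com
services = nss, pam

[domain/hlm.com]
ad_server = hlm12r2n1.hlm.com
id_provider = ad
cache_credentials = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = hlmgroup@hlm.com
"""

# Constructed sample: the page's /etc/sudoers.d/waagent after the edit
SUDOERS = """ltsstone ALL=(ALL) ALL
abc ALL=(ALL) ALL
"""

# Matches "<user or %group> ALL=(ALL) ALL" (optionally ALL:ALL / NOPASSWD:)
_FULL_ROOT = re.compile(r"^(\S+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*(?:NOPASSWD:\s*)?ALL\s*$")


def audit_sssd(conf_text):
    """Return security-relevant settings for each [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %u@%d literal
    cp.read_string(conf_text)
    findings = {}
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        d = cp[name]
        groups = [g.strip() for g in d.get("simple_allow_groups", "").split(",") if g.strip()]
        findings[name] = {
            # sssd's default access_provider is "permit": every AD user may log in
            "login_restricted": d.get("access_provider", "permit") == "simple" and bool(groups),
            "allowed_groups": groups,
            # cached password hashes allow offline login but persist on a compromised host
            "caches_credentials": d.getboolean("cache_credentials", fallback=False),
            # short names can collide with local accounts in /etc/passwd
            "short_names": not d.getboolean("use_fully_qualified_names", fallback=False),
        }
    return findings


def unrestricted_sudoers(text):
    """Principals allowed to run any command as any user, in file order."""
    found = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment
        m = _FULL_ROOT.match(line)
        if m:
            found.append(m.group(1))
    return found
```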
Notes:
When running realm join hlm12r2n1.hlm.com -U stone, the messages log shows the following join and authentication sequence:
Sep 17 09:16:53 hlmcen75n2 realmd: * Resolving: _ldap._tcp.hlm12r2n1.hlm.com
Sep 17 09:16:53 hlmcen75n2 realmd: * Resolving: hlm12r2n1.hlm.com
Sep 17 09:16:53 hlmcen75n2 realmd: * Performing LDAP DSE lookup on: 10.0.0.6
Sep 17 09:16:53 hlmcen75n2 realmd: * Successfully discovered: hlm.com
Sep 17 09:16:58 hlmcen75n2 realmd: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
Sep 17 09:16:58 hlmcen75n2 realmd: * LANG=C /usr/sbin/adcli join --verbose --domain hlm.com --domain-realm HLM.COM --domain-controller 10.0.0.6 --login-type user --login-user stone --stdin-password
Sep 17 09:16:58 hlmcen75n2 realmd: * Using domain name: hlm.com
Sep 17 09:16:58 hlmcen75n2 realmd: * Calculated computer account name from fqdn: HLMCEN75N2
Sep 17 09:16:58 hlmcen75n2 realmd: * Using domain realm: hlm.com
Sep 17 09:16:58 hlmcen75n2 realmd: * Sending netlogon pings to domain controller: cldap://10.0.0.6
Sep 17 09:16:58 hlmcen75n2 realmd: * Received NetLogon info from: hlm12r2n1.hlm.com
Sep 17 09:16:58 hlmcen75n2 realmd: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-zqaVb2/krb5.d/adcli-krb5-conf-N3Soi1
Sep 17 09:16:58 hlmcen75n2 realmd: * Authenticated as user: stone@HLM.COM
Sep 17 09:16:58 hlmcen75n2 realmd: * Looked up short domain name: HLM
Sep 17 09:16:58 hlmcen75n2 realmd: * Using fully qualified name: hlmcen75n2
Sep 17 09:16:58 hlmcen75n2 realmd: * Using domain name: hlm.com
Sep 17 09:16:58 hlmcen75n2 realmd: * Using computer account name: HLMCEN75N2
Sep 17 09:16:58 hlmcen75n2 realmd: * Using domain realm: hlm.com
Sep 17 09:16:58 hlmcen75n2 realmd: * Calculated computer account name from fqdn: HLMCEN75N2
Sep 17 09:16:58 hlmcen75n2 realmd: * Generated 120 character computer password
Sep 17 09:16:58 hlmcen75n2 realmd: * Using keytab: FILE:/etc/krb5.keytab
Sep 17 09:16:58 hlmcen75n2 realmd: * Found computer account for HLMCEN75N2$ at: CN=HLMCEN75N2,CN=Computers,DC=hlm,DC=com
Sep 17 09:16:58 hlmcen75n2 realmd: * Sending netlogon pings to domain controller: cldap://10.0.0.6
Sep 17 09:17:00 hlmcen75n2 realmd: * Received NetLogon info from: hlm12r2n1.hlm.com
Sep 17 09:17:00 hlmcen75n2 realmd: * Set computer password
Sep 17 09:17:00 hlmcen75n2 realmd: * Retrieved kvno '4' for computer account in directory: CN=HLMCEN75N2,CN=Computers,DC=hlm,DC=com
Sep 17 09:17:00 hlmcen75n2 realmd: * Modifying computer account: userAccountControl
Sep 17 09:17:00 hlmcen75n2 realmd: * Modifying computer account: operatingSystemVersion, operatingSystemServicePack
Sep 17 09:17:00 hlmcen75n2 realmd: * Modifying computer account: userPrincipalName
Sep 17 09:17:00 hlmcen75n2 realmd: ! Couldn't set service principals on computer account CN=HLMCEN75N2,CN=Computers,DC=hlm,DC=com: 00002083: AtrErr: DSID-03151337, #1:
Sep 17 09:17:00 hlmcen75n2 realmd: #0110: 00002083: DSID-03151337, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName)
Sep 17 09:17:00 hlmcen75n2 realmd:
Sep 17 09:17:00 hlmcen75n2 realmd: * Discovered which keytab salt to use
Sep 17 09:17:00 hlmcen75n2 realmd: * Added the entries to the keytab: HLMCEN75N2$@HLM.COM: FILE:/etc/krb5.keytab
Sep 17 09:17:00 hlmcen75n2 realmd: * Added the entries to the keytab: host/HLMCEN75N2@HLM.COM: FILE:/etc/krb5.keytab
Sep 17 09:17:01 hlmcen75n2 realmd: * Added the entries to the keytab: host/hlmcen75n2@HLM.COM: FILE:/etc/krb5.keytab
Sep 17 09:17:01 hlmcen75n2 realmd: * Added the entries to the keytab: RestrictedKrbHost/HLMCEN75N2@HLM.COM: FILE:/etc/krb5.keytab
Sep 17 09:17:01 hlmcen75n2 realmd: * Added the entries to the keytab: RestrictedKrbHost/hlmcen75n2@HLM.COM: FILE:/etc/krb5.keytab
Sep 17 09:17:01 hlmcen75n2 realmd: * /usr/bin/systemctl enable sssd.service
Sep 17 09:17:01 hlmcen75n2 realmd: Created symlink from /etc/systemd/system/multi-user.target.wants/sssd.service to /usr/lib/systemd/system/sssd.service.
Sep 17 09:17:01 hlmcen75n2 systemd: Reloading.
Sep 17 09:17:01 hlmcen75n2 realmd: * /usr/bin/systemctl restart sssd.service
Sep 17 09:17:01 hlmcen75n2 systemd: Starting System Security Services Daemon...
Sep 17 09:17:01 hlmcen75n2 sssd: Starting up
Sep 17 09:17:01 hlmcen75n2 sssd[be[hlm.com]]: Starting up
Sep 17 09:17:02 hlmcen75n2 sssd[nss]: Starting up
Sep 17 09:17:02 hlmcen75n2 sssd[pam]: Starting up
Sep 17 09:17:02 hlmcen75n2 systemd: Started System Security Services Daemon.
Sep 17 09:17:02 hlmcen75n2 realmd: * /usr/bin/sh -c /usr/sbin/authconfig --update --enablesssd --enablesssdauth --enablemkhomedir --nostart && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Sep 17 09:17:02 hlmcen75n2 systemd: Reloading.
Sep 17 09:17:03 hlmcen75n2 systemd: Reloading.
Sep 17 09:17:03 hlmcen75n2 realmd: * Successfully enrolled machine in realm
When running realm list to show the domain information, the messages log records the following:
Sep 17 09:18:10 hlmcen75n2 dbus[531]: [system] Activating via systemd: service name='org.freedesktop.realmd' unit='realmd.service'
Sep 17 09:18:10 hlmcen75n2 systemd: Starting Realm and Domain Configuration...
Sep 17 09:18:10 hlmcen75n2 dbus[531]: [system] Successfully activated service 'org.freedesktop.realmd'
Sep 17 09:18:10 hlmcen75n2 systemd: Started Realm and Domain Configuration.
When running realm leave hlm.com, the messages log records leaving the domain as follows:
Sep 17 09:26:39 hlmcen75n2 python: 2018/09/17 09:26:39.018384 INFO Event: name=WALinuxAgent, op=HeartBeat, message=, duration=0
Sep 17 09:26:51 hlmcen75n2 realmd: * Removing entries from keytab for realm
Sep 17 09:26:52 hlmcen75n2 realmd: * /usr/sbin/sss_cache --users --groups --netgroups --services --autofs-maps
Sep 17 09:26:52 hlmcen75n2 realmd: * Removing domain configuration from sssd.conf
Sep 17 09:26:52 hlmcen75n2 realmd: * /usr/sbin/authconfig --update --disablesssdauth --nostart
Sep 17 09:26:53 hlmcen75n2 systemd: Reloading.
Sep 17 09:26:53 hlmcen75n2 realmd: * /usr/bin/systemctl disable sssd.service
Sep 17 09:26:53 hlmcen75n2 realmd: Removed symlink /etc/systemd/system/multi-user.target.wants/sssd.service.
Sep 17 09:26:53 hlmcen75n2 systemd: Reloading.
Sep 17 09:26:53 hlmcen75n2 realmd: * /usr/bin/systemctl stop sssd.service
Sep 17 09:26:53 hlmcen75n2 systemd: Stopping System Security Services Daemon...
Sep 17 09:26:53 hlmcen75n2 sssd[nss]: Shutting down
Sep 17 09:26:53 hlmcen75n2 sssd[be[hlm.com]]: Shutting down
Sep 17 09:26:53 hlmcen75n2 sssd[pam]: Shutting down
Sep 17 09:26:53 hlmcen75n2 systemd: Stopped System Security Services Daemon.
Sep 17 09:26:53 hlmcen75n2 realmd: * Successfully unenrolled machine from realm
During testing, joining with "realm join hlm.com -U stone" succeeded, but the users on the DC could not be resolved; the DC's hostname has to be placed in front of the domain name, so the correct join command is "realm join hlm12r2n1.hlm.com -U stone".