Building the domain controller: see https://www.cnblogs.com/taosiyu/p/12009120.html
Domain controller full computer name: WIN-3PLKM2PLE6E.zhihu.test.com
Domain: zhihu.test.com
Domain administrator: kingsoft
Regular user: zhangmingda
Regular group: dev
IP: 192.168.3.3
Note: the domain controller also serves as the DNS server.
Linux server:
[root@vm192-168-8-27 zhangmingda]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
Steps:
Install the required packages (as root). realmd needs sssd, adcli, oddjob, oddjob-mkhomedir and samba-common-tools; the samba server package itself is not required for an sssd join, as the required-package lines in the realm list output further down show:
yum install -y krb5-workstation realmd sssd samba-common adcli oddjob oddjob-mkhomedir samba samba-common-tools
Edit /etc/resolv.conf so that DNS points at the DC. AD clients locate the KDC and LDAP servers through SRV records that only the domain's DNS serves, so the DC must be the first nameserver:
[root@vm192-168-8-27 zhangmingda]# cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
nameserver 192.168.3.3
nameserver 198.18.254.31
[root@vm192-168-8-27 zhangmingda]#
As the first line says, this file is written by dhclient, so a hand edit is lost on the next lease renewal unless the DNS server is set in the interface configuration instead (DNS1= in the ifcfg file, or PEERDNS=no to stop dhclient from rewriting resolv.conf).
Edit /etc/hosts and add the mapping from the DC's IP address to its name:
[root@vm192-168-8-27 zhangmingda]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.3.3 WIN-3PLKM2PLE6E.zhihu.test.com
[root@vm192-168-8-27 zhangmingda]#
Join the Linux machine to the domain. realm join is given the DC's name here; the domain name zhihu.test.com works as well, since realmd discovers the DC from DNS. The account used for -U must be allowed to create computer objects in the domain, and its password is used only for the join: afterwards the machine authenticates with the keytab that adcli writes to /etc/krb5.keytab.
# realm join WIN-3PLKM2PLE6E.zhihu.test.com -U kingsoft
Password for kingsoft:
Check that the realm is now configured:
[root@vm192-168-8-27 zhangmingda]# realm list
zhihu.test.com
  type: kerberos
  realm-name: ZHIHU.TEST.COM
  domain-name: zhihu.test.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins
[root@vm192-168-8-27 zhangmingda]#
Note the login-policy at this point: allow-realm-logins means every account in the domain can log in to this server until the policy is narrowed in the next step.
Limit logins to the dev group. realm permit does not add anything to the domain; it restricts which domain accounts may log in to this host by writing simple_allow_groups into /etc/sssd/sssd.conf:
[root@vm192-168-8-27 zhangmingda]# realm permit -g dev@zhihu.test.com
[root@vm192-168-8-27 zhangmingda]#
Domain accounts now resolve through NSS when given with the domain suffix: zhangmingda, zhudong, kingsoft and administrator are all found. The numeric IDs come from ldap_id_mapping, which derives them from each object's SID, so they are stable across hosts joined with the same settings. Resolving an account is not the same as letting it log in; the access check against the permitted groups happens separately at login time.
[root@vm192-168-8-27 zhangmingda]# id zhangmingda@zhihu.test.com
uid=1724201104(zhangmingda) gid=1724200513(domain users) groups=1724200513(domain users)
[root@vm192-168-8-27 zhangmingda]# id zhudong@zhihu.test.com
uid=1724201108(zhudong) gid=1724200513(domain users) groups=1724200513(domain users)
[root@vm192-168-8-27 zhangmingda]# id kingsoft@zhihu.test.com
uid=1724201000(kingsoft) gid=1724200513(domain users) groups=1724200513(domain users)
[root@vm192-168-8-27 zhangmingda]# id administrator@zhihu.test.com
uid=1724200500(administrator) gid=1724200513(domain users) groups=1724200513(domain users),1724200520(group policy creator owners),1724200519(enterprise admins),1724200512(domain admins),1724200572(denied rodc password replication group),1724200518(schema admins)
[root@vm192-168-8-27 zhangmingda]#
To let users be referenced without the domain suffix, edit /etc/sssd/sssd.conf and change use_fully_qualified_names from True to False. Two caveats: domain and local names then share one namespace, and a local account in /etc/passwd with the same name as a domain user wins, because nsswitch consults files before sss; and the file must stay mode 0600 and owned by root, which sssd checks at start-up. The listing also shows ops@zhihu.test.com next to dev in simple_allow_groups, so both groups are permitted on this host.
[root@vm192-168-8-27 zhangmingda]# cat /etc/sssd/sssd.conf
[sssd]
domains = zhihu.test.com
config_file_version = 2
services = nss, pam

[domain/zhihu.test.com]
ad_server = win-3plkm2ple6e.zhihu.test.com
ad_domain = zhihu.test.com
krb5_realm = ZHIHU.TEST.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = dev@zhihu.test.com, ops@zhihu.test.com
[root@vm192-168-8-27 zhangmingda]#
Restart sssd and list the realm again. The login-policy has changed from allow-realm-logins to allow-permitted-logins, with the two groups listed:
[root@vm192-168-8-27 zhangmingda]# systemctl restart sssd
[root@vm192-168-8-27 zhangmingda]# realm list
zhihu.test.com
  type: kerberos
  realm-name: ZHIHU.TEST.COM
  domain-name: zhihu.test.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: dev@zhihu.test.com, ops@zhihu.test.com
[root@vm192-168-8-27 zhangmingda]#
The server now resolves domain users without the domain suffix:
[root@vm192-168-8-27 zhangmingda]# id zhangmingda
uid=1724201104(zhangmingda) gid=1724200513(domain users) groups=1724200513(domain users)
[root@vm192-168-8-27 zhangmingda]#
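The setting that decides who may log in is access_provider, and its default when the line is missing is permit. The bash script below is an added example, not part of the original post: it reads an sssd.conf section by section, reports the access policy and the two settings above that deserve a second look (use_fully_qualified_names and cache_credentials), and checks the file mode. It runs offline against two constructed sample files that mirror the sssd.conf shown above, one with the page's simple_allow_groups restriction and one with no access_provider at all. The function names get_key, audit_sssd, write_sample_conf and demo are this example's own; the domain, groups and config content are taken from the page.

```shell
#!/bin/bash
# Added example (not from the original post): audit who may log in according to
# an sssd.conf. get_key, audit_sssd, write_sample_conf and demo are names chosen
# for this example; the sample content mirrors the /etc/sssd/sssd.conf shown above.

# get_key FILE SECTION KEY -> print KEY's value from [SECTION], trimmed; nothing if absent
get_key() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { hdr = $0; gsub(/[ \t\r]/, "", hdr); insec = (hdr == sec); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit
        }' "$1"
}

# audit_sssd FILE DOMAIN -> exit 0 when domain logins are restricted, 1 when any
# domain account could log in or the file is exposed; prints one line per finding
audit_sssd() {
    local f=$1 sec="domain/$2" rc=0 ap groups fq cache
    ap=$(get_key "$f" "$sec" access_provider)
    groups=$(get_key "$f" "$sec" simple_allow_groups)
    case "$ap" in
        simple)
            if [ -n "$groups" ]; then
                echo "OK:   logins limited to groups: $groups"
            else
                # the simple provider with no allow list lets every user through
                echo "FAIL: access_provider=simple with no simple_allow_groups: all domain users may log in"
                rc=1
            fi ;;
        ad)
            echo "OK:   access_provider=ad: AD account status and logon rights are enforced" ;;
        ""|permit)
            # sssd's default when access_provider is not set is permit
            echo "FAIL: access_provider is '${ap:-unset}': every domain user may log in"
            rc=1 ;;
        *)
            echo "WARN: access_provider=$ap is not covered by this check" ;;
    esac
    fq=$(get_key "$f" "$sec" use_fully_qualified_names)
    case "$fq" in
        [Ff]alse) echo "INFO: short names in use; a local /etc/passwd account with the same name shadows the domain account" ;;
    esac
    cache=$(get_key "$f" "$sec" cache_credentials)
    case "$cache" in
        [Tt]rue) echo "INFO: cache_credentials=True stores password hashes under /var/lib/sss/db for offline logins" ;;
    esac
    # sssd rejects a config readable by others; a looser mode also exposes the settings
    if [ -n "$(find "$f" \( -perm -004 -o -perm -040 \) -print 2>/dev/null)" ]; then
        echo "FAIL: $f is group- or world-readable (must be 0600 root:root)"
        rc=1
    fi
    return "$rc"
}

# write_sample_conf FILE ACCESS_PROVIDER GROUPS -> constructed sample config; the
# access lines are written only when the arguments are non-empty
write_sample_conf() {
    local f=$1 ap=$2 groups=$3
    {
        cat <<'EOF'
[sssd]
domains = zhihu.test.com
config_file_version = 2
services = nss, pam

[domain/zhihu.test.com]
ad_server = win-3plkm2ple6e.zhihu.test.com
ad_domain = zhihu.test.com
krb5_realm = ZHIHU.TEST.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
EOF
        if [ -n "$ap" ]; then echo "access_provider = $ap"; fi
        if [ -n "$groups" ]; then echo "simple_allow_groups = $groups"; fi
    } > "$f"
    chmod 600 "$f"
}

# demo: the page's restricted config next to one with no access_provider line
demo() {
    local d c
    d=$(mktemp -d)
    write_sample_conf "$d/restricted.conf" simple "dev@zhihu.test.com, ops@zhihu.test.com"
    write_sample_conf "$d/open.conf" "" ""
    for c in restricted open; do
        echo "== $c.conf"
        audit_sssd "$d/$c.conf" zhihu.test.com && echo "result: restricted" || echo "result: OPEN"
    done
    rm -rf "$d"
}
demo
```

On the joined server the same check runs as root against the live file with audit_sssd /etc/sssd/sssd.conf zhihu.test.com; a FAIL there means the realm permit step was skipped or undone.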
Log in over ssh as a domain user. The password is checked against the domain through sssd, the home directory is created under fallback_homedir by oddjob-mkhomedir (which the join enabled in the PAM stack), and sudo is refused because no sudoers rule covers the domain account yet:
[root@vm192-168-8-27 zhangmingda]# ssh zhangmingda@192.168.8.27
zhangmingda@192.168.8.27's password:
Last login: Tue Nov 17 13:07:03 2020 from 192.168.8.27
[zhangmingda@vm192-168-8-27 ~]$ ls
[zhangmingda@vm192-168-8-27 ~]$ sudo su - root

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for zhangmingda:
zhangmingda is not in the sudoers file.  This incident will be reported.
[zhangmingda@vm192-168-8-27 ~]$
Edit /etc/sudoers.d/waagent and add the users that need root. Two practical points: that file is the drop-in created by the Azure Linux agent (waagent) for the provisioning account, so a rule for domain accounts is better kept in its own file under /etc/sudoers.d (mode 0440, checked with visudo -cf before it is relied on); and because use_fully_qualified_names is False, an AD group can be granted as a whole with a %dev line instead of naming users one by one, so membership is managed in the domain rather than on every host.
[zhangmingda@vm192-168-8-27 ~]$ sudo cat /etc/sudoers.d/waagent
ltsstone ALL=(ALL) ALL
zhangmingda ALL=(ALL) ALL
[zhangmingda@vm192-168-8-27 ~]$
With the rule in place the domain user can become root:
[zhangmingda@vm192-168-8-27 ~]$ sudo su - root
Last login: Tue Nov 17 14:28:41 CST 2020 on pts/1
[root@vm192-168-8-27 ~]#