Joining Ubuntu to an Active Directory Domain
Reposted from https://www.server-world.info/en/note?os=Ubuntu_20.04&p=realmd
This is an excellent site, https://www.server-world.info/en, apparently run by a Japanese author, and it is done very carefully; it deserves credit and is worth bookmarking.
Besides the link above, this post also draws on https://computingforgeeks.com/join-ubuntu-debian-to-active-directory-ad-domain/
I recommend reading the original links; this copy is kept only for personal reference.
Join a Windows Active Directory Domain with realmd.
This tutorial requires a Windows Active Directory Domain Service reachable on your LAN.
This example configures the environment below.
Domain Server : Windows Server 2019
NetBIOS Name : FD3S01
Domain Name : srv.world
Realm : SRV.WORLD
Hostname : fd3s.srv.world
[1] Install the required packages (packagekit lets realmd install anything still missing when it discovers or joins the domain).
root@dlp:~# sudo apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
[2] Join the Windows Active Directory domain.
# point DNS at the AD domain controller: realm discover and the Kerberos SRV records depend on it
root@dlp:~# vi /etc/netplan/01-netcfg.yaml
# under the interface entry, add the domain controller as the nameserver
      nameservers:
        addresses: [10.0.0.100]
root@dlp:~# netplan apply
# Kerberos also rejects clients whose clock differs from the domain controller's by more than a few minutes, so make sure time is synchronized before joining
# discover the Active Directory domain
root@dlp:~# realm discover SRV.WORLD
srv.world
  type: kerberos
  realm-name: SRV.WORLD
  domain-name: srv.world
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
# join the Active Directory domain (Administrator is the default join account; pass -U <account> to join with a less privileged delegated account instead)
root@dlp:~# realm join SRV.WORLD
Password for Administrator: # AD Administrator password
# verify that AD user information can be looked up through sssd
root@dlp:~# id Serverworld@srv.world
uid=199601103(serverworld@srv.world) gid=199600513(domain users@srv.world) groups=199600513(domain users@srv.world)
# optional: create the home directory automatically at first login (umask=077 keeps each home directory private)
root@dlp:~# vi /etc/pam.d/common-session
# add to the end
session optional pam_mkhomedir.so skel=/etc/skel umask=077
# verify that you can switch to an AD user
root@dlp:~# su - Serverworld@srv.world
Creating directory '/home/serverworld@srv.world'.
serverworld@srv.world@dlp:~$ # now running as the AD user
[3] To omit the domain name from AD user names, configure as follows.
root@dlp:~# vi /etc/sssd/sssd.conf  ## leave this unchanged if you want the domain (company) name to stay visible in user names
# line 16: change
use_fully_qualified_names = False
root@dlp:~# systemctl restart sssd
root@dlp:~# id Administrator
uid=199600500(administrator) gid=199600513(domain users) groups=199600513(domain users),199600572(denied rodc password replication group),199600519(enterprise admins),199600518(schema admins),199600520(group policy creator owners),199600512(domain admins)
Two caveats with short names: an AD account that shares a name with a local account is shadowed by the local one, because NSS consults the local files before sss; and sudoers rules for AD users and groups (next section) must then be written without the @srv.world suffix, since that is no longer the name sssd returns.
Configure Sudo Access
By default domain users and groups have no permission to escalate to root; access has to be granted per user or per group.
First create a drop-in file for the grants. Check it afterwards with visudo -cf (a syntax error in a sudoers file breaks sudo for everyone), keep it mode 0440, and avoid a dot or a trailing ~ in the file name, since sudo skips such files in /etc/sudoers.d.
$ sudo vi /etc/sudoers.d/domain_admins
Add a single user:
user1@srv.world ALL=(ALL) ALL
Or several users, one per line:
user1@srv.world ALL=(ALL) ALL
user2@srv.world ALL=(ALL) ALL
Add a group:
%group1@srv.world ALL=(ALL) ALL
For a group whose name contains spaces, escape each space with a backslash:
%security\ users@srv.world ALL=(ALL) ALL
%system\ super\ admins@srv.world ALL=(ALL) ALL
Write the names exactly as sssd returns them: lower case, as in the id output above, and without the @srv.world suffix if you set use_fully_qualified_names = False in step [3]. Confirm a grant with sudo -l -U user1@srv.world before relying on it.
GUI login ran into a problem; I am not sure of the exact cause.
For further reference see
https://www.unixmen.com/how-to-join-an-ubuntu-desktop-into-an-active-directory-domain/
Commonly used Ubuntu packages
sudo apt install dnsutils openssh-server net-tools vim -y
The sudoers file and the visudo command explained
Typical privilege settings for ordinary users:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
testuser ALL=(root) /usr/sbin/useradd   # added line for user testuser
%testgroup ALL=(ALL:ALL) NOPASSWD:ALL   # added line for group testgroup
Notes:
First field: the user (here root) who may use sudo; a leading % denotes a group.
Second field: the first ALL is the set of hosts on which the rule applies (it matters when one sudoers file is shared across machines), and the ALL in parentheses is the target user the command runs as (user:group when two are given).
Third field: ALL is the set of commands that may be run through sudo.
Reading the added line: testuser ALL=(root) /usr/sbin/useradd
allows user testuser, on any host, to run /usr/sbin/useradd as root.
%ubuntu ALL=(ALL:ALL) NOPASSWD:ALL,!/bin/bash,!/bin/tcsh,!/bin/su,!/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,!cat /etc/sudoers,!/bin/vi /etc/sudoers,!/bin/vim /etc/sudoers,!/usr/bin/vim /etc/sudoers,!/usr/sbin/visudo,!/usr/bin/sudo -i
The rule above grants members of the (existing) ubuntu group sudo rights while trying to stop them from changing other users' passwords and from editing the sudoers configuration. It does not hold as a security boundary: sudoers(5) itself documents that '!' exclusions after ALL are trivially bypassed. A member can copy /bin/bash to another path and run that, run a shell or interpreter the list omits (/bin/dash, python3), or escape to a shell from vim or any other editor that ALL still allows. Note also that !cat /etc/sudoers is not a fully qualified path, which sudoers requires. If members must not become root, list the permitted commands explicitly instead of excluding a few.
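An added example, written for this copy of the post and not code from server-world or computingforgeeks: an offline check of a sudoers drop-in for an AD-joined host. It reads the naming mode from sssd.conf (step [3] above), so it catches rules written in the wrong form (@srv.world suffix or mixed case), and it flags what sudo cannot enforce in rules like the %ubuntu line: a deny-list after ALL, a relative command path, and NOPASSWD:ALL. The sssd.conf text, the rule list and the LOCAL set of non-AD accounts are constructed for the example; run it before visudo -cf, not instead of it.

```python
"""Offline lint of a sudoers drop-in for an AD-joined host (added example)."""
import re

# Tags that may prefix a command in sudoers(5); anything else is the command.
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV", "LOG_INPUT",
        "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}

# Constructed sample in the shape realmd writes for srv.world (not from a real host).
SSSD_CONF = """[sssd]
domains = srv.world
config_file_version = 2
services = nss, pam

[domain/srv.world]
ad_domain = srv.world
krb5_realm = SRV.WORLD
cache_credentials = True
id_provider = ad
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
"""

# Constructed rules: the post's own examples plus one mixed-case group line.
RULES = [
    "user1@srv.world ALL=(ALL) ALL",
    "%security\\ users@srv.world ALL=(ALL) ALL",
    "%Domain\\ Admins@srv.world ALL=(ALL) ALL",
    "testuser ALL=(root) /usr/sbin/useradd",
    "%ubuntu ALL=(ALL:ALL) NOPASSWD:ALL,!/bin/bash,!/bin/tcsh,!/bin/su,"
    "!/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,!cat /etc/sudoers,"
    "!/bin/vi /etc/sudoers,!/usr/sbin/visudo,!/usr/bin/sudo -i",
]
LOCAL = {"root", "testuser", "ubuntu"}   # assumed local accounts/groups, not from AD


def fully_qualified_names(sssd_conf):
    """Effective use_fully_qualified_names; sssd's AD provider defaults to True."""
    for line in sssd_conf.splitlines():
        m = re.match(r"\s*use_fully_qualified_names\s*=\s*(\S+)", line)
        if m:
            return m.group(1).lower() in ("true", "yes", "1")
    return True


def sudoers_principal(name, domain, fqn, group=False):
    """Write an AD user/group the way sssd returns it: lower case, @domain only
    when fully qualified names are on, and spaces escaped for sudoers."""
    p = name.lower() + (f"@{domain.lower()}" if fqn else "")
    p = p.replace(" ", "\\ ")
    return "%" + p if group else p


def parse_rule(line):
    """Split 'who hosts=(runas) [TAG:]cmd,cmd' into its fields."""
    who, rest = line.strip().replace("\\ ", "\x00").split(None, 1)  # keep escaped spaces in who
    hosts, _, spec = rest.partition("=")
    m = re.match(r"\s*\(([^)]*)\)\s*(.*)", spec)
    runas, cmds = (m.group(1), m.group(2)) if m else ("root", spec.strip())
    tags, commands = set(), []
    for item in (c.strip() for c in cmds.split(",")):
        while ":" in item and item.split(":", 1)[0] in TAGS:   # peel NOPASSWD: etc.
            tag, item = item.split(":", 1)
            tags.add(tag)
            item = item.strip()
        commands.append(item)                                   # '!' prefix is kept
    return {"who": who.replace("\x00", " "), "hosts": hosts.strip(),
            "runas": runas, "tags": tags, "commands": commands}


def lint_rule(rule, fqn, local=LOCAL):
    """Return findings for one rule; an empty list means it looks right."""
    r = parse_rule(rule)
    who = r["who"].lstrip("%")
    findings = []
    if who != who.lower():
        findings.append("name has upper-case letters; sssd returns AD names in lower case")
    if who.split("@")[0] not in local:
        if fqn and "@" not in who:
            findings.append("missing @domain suffix while use_fully_qualified_names is true")
        if not fqn and "@" in who:
            findings.append("@domain suffix present while sssd returns short names")
    allowed = [c for c in r["commands"] if not c.startswith("!")]
    denied = [c.lstrip("!") for c in r["commands"] if c.startswith("!")]
    if "ALL" in allowed and denied:
        findings.append("deny-list after ALL cannot be enforced (copy the binary, use "
                        "another path, or escape from an allowed editor/interpreter)")
    for c in allowed + denied:
        if c not in ("ALL", "sudoedit") and not c.startswith("/"):
            findings.append(f"'{c}' is not a fully qualified path")
    if "NOPASSWD" in r["tags"] and "ALL" in allowed:
        findings.append("NOPASSWD:ALL gives every member passwordless root")
    return findings


def lint_dropin(rules=RULES, sssd_conf=SSSD_CONF):
    """Lint every rule of a drop-in against the naming mode found in sssd.conf."""
    fqn = fully_qualified_names(sssd_conf)
    return {rule: lint_rule(rule, fqn) for rule in rules}


if __name__ == "__main__":
    for rule, findings in lint_dropin().items():
        print(rule[:48], "->", findings or "ok")
```

With the constructed sssd.conf the first, second and fourth rules pass, the %Domain\ Admins line is flagged for case, and the %ubuntu line gets three findings. Switching use_fully_qualified_names to False in the same file flags every rule that still carries @srv.world, which is exactly the mismatch step [3] introduces.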
sudo usermod -a -G adm,cdrom,sudo,dip,plugdev,lpadmin,lxd,sambashare testuser
This adds user testuser to those groups. Note that two of them amount to full root: sudo through the %sudo rule above, and lxd, because a member of the lxd group can launch a privileged container with the host filesystem mounted.
Remove the surplus local admin accounts, but set a root password before deleting them and make sure you remember it. Keep at least one local account that can reach root until a domain account has been confirmed to log in and use sudo, including once while the domain controller is unreachable (cached credentials only work for users who have logged in before); otherwise a DC outage locks you out of the host.