linux服务器加入AD域（sssd）~ 通过域用户ssh登录加域的linux服务器

心存善念必有后报 發表於 2020-11-17 14:31:00

linux服务器加入AD域（sssd）~ 通过域用户ssh登录加域的linux服务器

搭建域控：参考 https://www.cnblogs.com/taosiyu/p/12009120.html
域控计算机全名： WIN-3PLKM2PLE6E.zhihu.test.com
域：zhihu.test.com
域控管理员：kingsoft
普通用户：zhangmingda
普通组：dev
IP：192.168.3.3
注：域控同时做DNS服务器
 
Linux服务器：
<div class="cnblogs_code">
<pre># cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)</pre>
</div>
操作步骤：
安装所需包文件：
<div class="cnblogs_code">
<pre>yum install -y krb5-workstation realmd sssd samba-common adcli oddjob oddjob-mkhomedir samba samba-common-tools</pre>
</div>
编辑/etc/resolve.conf文件，将DNS指向DC
<div class="cnblogs_code">
<pre># cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
nameserver 192.168.3.3
nameserver 198.18.254.31
# </pre>
</div>
编辑/etc/hosts文件，添加DC的IP及域的对应关系
<div class="cnblogs_code">
<pre># cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.3.3 WIN-3PLKM2PLE6E.zhihu.test.com
# </pre>
</div>
将Linux机器加入域
<div class="cnblogs_code">
<pre># realm join WIN-3PLKM2PLE6E.zhihu.test.com -U kingsoft</pre>
<pre>Password for kingsoft: </pre>
</div>
发现可以成功发现域了
<div class="cnblogs_code">
<pre># realm list
zhihu.test.com
type: kerberos
realm-name: ZHIHU.TEST.COM
domain-name: zhihu.test.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins
# </pre>
</div>
将组dev加入域
<div class="cnblogs_code">
<pre># realm permit -g dev@zhihu.test.com
# </pre>
</div>
可以看到用户kingsoft,zhangmingda可以被成功发现
<div class="cnblogs_code">
<pre># id zhangmingda@zhihu.test.com
uid=1724201104(zhangmingda) gid=1724200513(domain users) groups=1724200513(domain users)
# id zhudong@zhihu.test.com
uid=1724201108(zhudong) gid=1724200513(domain users) groups=1724200513(domain users)
# id kingsoft@zhihu.test.com
uid=1724201000(kingsoft) gid=1724200513(domain users) groups=1724200513(domain users)
# id administrator@zhihu.test.com
uid=1724200500(administrator) gid=1724200513(domain users) groups=1724200513(domain users),1724200520(group policy creator owners),1724200519(enterprise admins),1724200512(domain admins),1724200572(denied rodc password replication group),1724200518(schema admins)
#</pre>
</div>
为使用户不需用带域名就可以被识别，需要修改配置文件/etc/sssd/sssd.conf，将use_fully_qualified_names行的True值修改为False
<div class="cnblogs_code">
<pre># cat /etc/sssd/sssd.conf

domains = zhihu.test.com
config_file_version = 2
services = nss, pam

ad_server = win-3plkm2ple6e.zhihu.test.com
ad_domain = zhihu.test.com
krb5_realm = ZHIHU.TEST.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = dev@zhihu.test.com, ops@zhihu.test.com
# </pre>
</div>
重启sssd服务，重新列出预控信息
<div class="cnblogs_code">
<pre># systemctl restart sssd
# realm list
# realm list
zhihu.test.com
type: kerberos
realm-name: ZHIHU.TEST.COM
domain-name: zhihu.test.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-permitted-logins
permitted-logins:
permitted-groups: dev@zhihu.test.com, ops@zhihu.test.com
#</pre>
</div>
发现不加域信息，Linux服务器也可以识别域用户
<div class="cnblogs_code">
<pre># id zhangmingda
uid=1724201104(zhangmingda) gid=1724200513(domain users) groups=1724200513(domain users)
#</pre>
</div>
使用域用户ssh登录服务器
<div class="cnblogs_code">
<pre># ssh zhangmingda@192.168.8.27
zhangmingda@192.168.8.27's password: 
Last login: Tue Nov 17 13:07:03 2020 from 192.168.8.27
$ ls
$sudo su - root

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for zhangmingda:
zhangmingda is not in the sudoers file.This incident will be reported.
$</pre>
</div>
编辑 /etc/sudoers.d/waagent 文件，将需要root权限的用户加入到其下
<div class="cnblogs_code">
<pre>$ sudo cat /etc/sudoers.d/waagent
ltsstone ALL=(ALL) ALL
zhangmingda ALL=(ALL) ALL
$</pre>
</div>
<div class="cnblogs_code">
<pre>$ sudo su - root
Last login: Tue Nov 17 14:28:41 CST 2020 on pts/1
# </pre>
</div>
  
来源：https://www.cnblogs.com/zhangmingda/p/13994027.html

頁: [1]

琼殿技术论坛's Archiver

linux服务器加入AD域（sssd）~ 通过域用户ssh登录加域的linux服务器