Joining a Linux server to an AD domain (sssd): logging in to the domain-joined Linux server over SSH with a domain user



2024-07-15 23:29 | Source: compiled from the web | Views: 265

Setting up the domain controller: see https://www.cnblogs.com/taosiyu/p/12009120.html

Domain controller full computer name: WIN-3PLKM2PLE6E.zhihu.test.com

Domain: zhihu.test.com

Domain administrator: kingsoft

Regular user: zhangmingda

Regular group: dev

IP: 192.168.3.3

Note: the domain controller also acts as the DNS server


Linux server:

[root@vm192-168-8-27 zhangmingda]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)

Steps:

Install the required packages:

yum install -y krb5-workstation realmd sssd samba-common adcli oddjob oddjob-mkhomedir samba samba-common-tools

Edit /etc/resolv.conf so that DNS points at the DC:

[root@vm192-168-8-27 zhangmingda]# cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
nameserver 192.168.3.3
nameserver 198.18.254.31

Edit /etc/hosts and add the mapping between the DC's IP and its domain name:

[root@vm192-168-8-27 zhangmingda]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.3.3 WIN-3PLKM2PLE6E.zhihu.test.com

Join the Linux machine to the domain:

# realm join WIN-3PLKM2PLE6E.zhihu.test.com -U kingsoft
Password for kingsoft:

The domain is now discovered successfully:

[root@vm192-168-8-27 zhangmingda]# realm list
zhihu.test.com
  type: kerberos
  realm-name: ZHIHU.TEST.COM
  domain-name: zhihu.test.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins

Permit logins for the domain group dev:

[root@vm192-168-8-27 zhangmingda]# realm permit -g [email protected]

The users kingsoft and zhangmingda can now be looked up successfully:

[root@vm192-168-8-27 zhangmingda]# id [email protected]
uid=1724201104(zhangmingda) gid=1724200513(domain users) groups=1724200513(domain users)
[root@vm192-168-8-27 zhangmingda]# id [email protected]
uid=1724201108(zhudong) gid=1724200513(domain users) groups=1724200513(domain users)
[root@vm192-168-8-27 zhangmingda]# id [email protected]
uid=1724201000(kingsoft) gid=1724200513(domain users) groups=1724200513(domain users)
[root@vm192-168-8-27 zhangmingda]# id [email protected]
uid=1724200500(administrator) gid=1724200513(domain users) groups=1724200513(domain users),1724200520(group policy creator owners),1724200519(enterprise admins),1724200512(domain admins),1724200572(denied rodc password replication group),1724200518(schema admins)

So that users can be resolved without the domain suffix, edit /etc/sssd/sssd.conf and change the value of the use_fully_qualified_names line from True to False:

[root@vm192-168-8-27 zhangmingda]# cat /etc/sssd/sssd.conf
[sssd]
domains = zhihu.test.com
config_file_version = 2
services = nss, pam

[domain/zhihu.test.com]
ad_server = win-3plkm2ple6e.zhihu.test.com
ad_domain = zhihu.test.com
krb5_realm = ZHIHU.TEST.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = [email protected], [email protected]

Restart the sssd service and list the domain controller information again:

[root@vm192-168-8-27 zhangmingda]# systemctl restart sssd
[root@vm192-168-8-27 zhangmingda]# realm list
[root@vm192-168-8-27 zhangmingda]# realm list
zhihu.test.com
  type: kerberos
  realm-name: ZHIHU.TEST.COM
  domain-name: zhihu.test.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-permitted-logins
  permitted-logins:
  permitted-groups: [email protected], [email protected]

The Linux server now resolves domain users even without the domain suffix:

[root@vm192-168-8-27 zhangmingda]# id zhangmingda
uid=1724201104(zhangmingda) gid=1724200513(domain users) groups=1724200513(domain users)

Log in to the server over SSH as a domain user:

[root@vm192-168-8-27 zhangmingda]# ssh [email protected]
[email protected]'s password:
Last login: Tue Nov 17 13:07:03 2020 from 192.168.8.27
[zhangmingda@vm192-168-8-27 ~]$ ls
[zhangmingda@vm192-168-8-27 ~]$ sudo su - root

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for zhangmingda:
zhangmingda is not in the sudoers file.  This incident will be reported.
[zhangmingda@vm192-168-8-27 ~]$

Edit /etc/sudoers.d/waagent and add the users who need root privileges:

[zhangmingda@vm192-168-8-27 ~]$ sudo cat /etc/sudoers.d/waagent
ltsstone ALL=(ALL) ALL
zhangmingda ALL=(ALL) ALL
[zhangmingda@vm192-168-8-27 ~]$ sudo su - root
Last login: Tue Nov 17 14:28:41 CST 2020 on pts/1
[root@vm192-168-8-27 ~]#
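As an added example (not the post's own code), a small bash script that checks the two sssd.conf settings that decide who may log in after the join above (access_provider and simple_allow_groups) and writes a group-based sudoers drop-in instead of the per-user lines in /etc/sudoers.d/waagent. The sample sssd.conf is constructed from the post's values; the group name dev@zhihu.test.com is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: audit the login policy in
# sssd.conf and grant sudo to the AD group rather than to single users.
set -u

# Read one key from the [domain/...] section of an sssd.conf file.
sssd_get() {   # usage: sssd_get <conf-file> <key>
  awk -F= -v key="$2" '
    /^\[/ { insec = (index($0, "[domain/") == 1) }
    insec && $1 ~ ("^[ \t]*" key "[ \t]*$") {
      v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v; exit
    }' "$1"
}

# Succeeds only if logins are restricted to an explicit group allow-list.
# access_provider = permit (what realmd uses before "realm permit") admits
# every user in the domain, which is rarely what a server wants.
sssd_access_ok() {   # usage: sssd_access_ok <conf-file>
  local provider groups
  provider=$(sssd_get "$1" access_provider)
  groups=$(sssd_get "$1" simple_allow_groups)
  [ "$provider" = "simple" ] && [ -n "$groups" ]
}

# Write a sudoers drop-in for an AD group ("%" marks a group): membership is
# then managed in AD, not by editing sudoers per user. Check the file with
# "visudo -cf <file>" before copying it into /etc/sudoers.d.
write_sudoers_dropin() {   # usage: write_sudoers_dropin <ad-group> <outfile>
  printf '%%%s ALL=(ALL) ALL\n' "$1" > "$2" && chmod 0440 "$2"
}

# Constructed sample mirroring the post's configuration (group name assumed).
make_sample_conf() {   # usage: make_sample_conf <outfile>
  cat > "$1" <<'EOF'
[sssd]
domains = zhihu.test.com
services = nss, pam

[domain/zhihu.test.com]
id_provider = ad
use_fully_qualified_names = False
access_provider = simple
simple_allow_groups = dev@zhihu.test.com
EOF
}

main() {
  conf=$(mktemp); make_sample_conf "$conf"
  if sssd_access_ok "$conf"; then echo "OK: logins limited to $(sssd_get "$conf" simple_allow_groups)"
  else echo "WARNING: no group allow-list, every domain user may log in"; fi
  rm -f "$conf"
}
main
```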
