Ubuntu 20.4.3 Domain Join




Environment

1. Ubuntu Server 20.4.3

2. AD domain: bj.cn

3. Domain controller IP: 192.168.1.1

Procedure

1. Change the DNS settings

user@ubuntu:~$ sudo mv /etc/resolv.conf /etc/resolv.conf.bak
user@ubuntu:~$ sudo vi /etc/systemd/resolved.conf
[Resolve]
# Uncomment DNS= and fill in the domain controller IP
DNS=192.168.1.1
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no-negative
#DNSStubListener=yes
#ReadEtcHosts=yes
user@ubuntu:~$ sudo systemctl restart systemd-resolved
user@ubuntu:~$ sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
user@ubuntu:~$ cat /etc/resolv.conf
nameserver 192.168.1.1

2. Install the domain-join packages:

user@ubuntu:~$ sudo apt install realmd sssd-ad sssd-tools adcli -y

3. Discover the AD domain to be joined

user@ubuntu:~$ sudo realm discover -v bj.cn
bj.cn
  type: kerberos
  realm-name: BJ.CN
  domain-name: bj.cn
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

4. Join the AD domain. By default the administrator account is used for authentication; any account with administrator rights can be used instead.

# Default: authenticate as administrator
# -v prints the full step-by-step output
user@ubuntu:~$ sudo realm join -v bj.cn
 * Resolving: _ldap._tcp.bj.cn
 * Performing LDAP DSE lookup on: 192.168.1.1
 * Successfully discovered: bj.cn
Password for Administrator:
....................................................
 * /usr/sbin/update-rc.d sssd enable
 * /usr/sbin/service sssd restart
 * Successfully enrolled machine in realm

To authenticate with another account that has administrator rights, pass it with -U, for example -U [email protected]:

user@ubuntu:~$ sudo realm join -v bj.cn -U [email protected]
 * Resolving: _ldap._tcp.bj.cn
 * Performing LDAP DSE lookup on: 192.168.1.1
 * Successfully discovered: bj.cn
Password for sz:

5. Look up a domain account to confirm the join succeeded

user@ubuntu:~$ id [email protected]
uid=1854401236([email protected]) gid=1854400363(domain users) groups=1854400363(domain users)

6. Edit sssd.conf so that domain accounts can log in without the @domain suffix. At the same time set sssd.conf to mode 600 and owner root, otherwise the sssd service fails to start after a reboot.

user@ubuntu:~$ sudo vi /etc/sssd/sssd.conf
fallback_homedir = /home/%u
use_fully_qualified_names = False
user@ubuntu:~$ sudo chmod 600 /etc/sssd/sssd.conf
user@ubuntu:~$ sudo chown root:root /etc/sssd/sssd.conf
user@ubuntu:~$ sudo systemctl restart sssd
beken@wifisz:~$ id sz
uid=1854401236(sz) gid=1854400363(domain users) groups=1854400363(domain users)

Additional sssd.conf settings that restrict logins to the IT group and the single user sz (comments are kept on their own lines because sssd does not parse trailing comments after a value):

ad_server = domain.bj.cn
ad_domain = bj.cn
krb5_realm = BJ.CN
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
# Use bash as the login shell
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = simple
# Allow members of the IT group to log in
simple_allow_groups = IT
# Allow the single user sz to log in
simple_allow_users = sz

7. Create the home directory automatically on the first login with a domain account

user@ubuntu:~$ sudo pam-auth-update --enable mkhomedir

8. Grant sudo rights to domain accounts

user@ubuntu:~$ sudo visudo
%domain\ users ALL=(ALL) ALL

Note that this line gives every member of Domain Users full sudo; if only the IT group from step 6 should have it, name that group instead.

Troubleshooting
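The `id` checks in steps 5 and 6 only prove that a name resolves; they do not tell you whether the answer came from SSSD or from a local account of the same name, and a local entry in /etc/passwd always wins in NSS lookups and silently shadows the AD user. The following check is an added example, not part of the original post. It assumes SSSD's default ID-mapping range, which starts at UID 200000 (ldap_idmap_range_min), so any mapped AD account has a UID at or above that; the sample `id` line is the one printed in the post.

```shell
# Added example (not from the original post): confirm that a domain user
# really resolves through SSSD and is not shadowed by a local account.
# Assumption: default SSSD ID mapping, whose range starts at 200000.
IDMAP_RANGE_MIN=200000

# Output of `id sz` as shown in the post, used as sample input.
SAMPLE_ID_LINE='uid=1854401236(sz) gid=1854400363(domain users) groups=1854400363(domain users)'

# Extract the numeric uid from a line in the format printed by `id`.
id_uid_from_output() {
    printf '%s\n' "$1" | sed -n 's/^uid=\([0-9][0-9]*\)(.*/\1/p'
}

# Return 0 when the uid lies in the ID-mapped range used for AD accounts.
is_mapped_domain_uid() {
    [ "$1" -ge "$IDMAP_RANGE_MIN" ] 2>/dev/null
}

# Print local accounts in the given passwd file whose name matches the
# domain user (case-insensitive, as AD names are); such an entry shadows
# the AD account. Prints "name:uid" per match, nothing when clean.
local_account_collisions() {
    passwd_file=$1; user=$2
    awk -F: -v u="$user" 'tolower($1) == tolower(u) { print $1 ":" $3 }' "$passwd_file"
}

# Full check for one user: prints findings and returns 0 only when clean.
# Arguments: the `id` output line, the user name, optional passwd file.
check_domain_user() {
    id_line=$1; user=$2; passwd_file=${3:-/etc/passwd}
    rc=0
    uid=$(id_uid_from_output "$id_line")
    if [ -z "$uid" ]; then
        echo "FINDING: could not parse a uid from: $id_line"
        return 1
    fi
    if ! is_mapped_domain_uid "$uid"; then
        echo "FINDING: uid $uid is below $IDMAP_RANGE_MIN; '$user' may be a local account, not the AD one"
        rc=1
    fi
    collisions=$(local_account_collisions "$passwd_file" "$user")
    if [ -n "$collisions" ]; then
        echo "FINDING: local account shadows domain user '$user': $collisions"
        rc=1
    fi
    return $rc
}

# Usage on a joined host:
#   check_domain_user "$(id sz)" sz
```

Run it for each user you expect to come from the domain; a finding means either that a local account with the same name exists (remove or rename it) or that the UID is outside the mapped range, which usually means SSSD was not consulted at all.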

1、GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

user@ubuntu:~$ sudo vi /etc/krb5.conf
[libdefaults]
default_realm = bj.cn
rdns = false

2、PIDFile= references a path below legacy directory /var/run/, updating /var/run/sssd.pid

# Delete the stale sssd.pid
user@ubuntu:~$ sudo rm /run/sssd.pid
# Clear the sssd cache
user@ubuntu:~$ sudo sss_cache -E

Optimization

1. Because the adcli package is installed, SSSD automatically renews the Kerberos host keytab in an AD environment. The daemon checks once a day whether the machine account password is older than the configured value and renews it when necessary. The default renewal interval is 30 days.

Details are in the Red Hat documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-auto-keytab-renewal

user@ubuntu:~$ sudo vi /etc/sssd/sssd.conf
ad_maximum_machine_account_password_age = value_in_days
# To disable automatic Kerberos host keytab renewal, add this line instead
ad_maximum_machine_account_password_age = 0

2. When logging in to a system joined to an Active Directory domain, group policy is applied by default. In some cases, if a particular policy is missing, the login is denied. Setting the GPO access control to permissive keeps evaluating the GPO logon rights but only logs denials instead of enforcing them.

user@ubuntu:~$ sudo vi /etc/sssd/sssd.conf
# Do not enforce group policy
ad_gpo_access_control = permissive
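Step 6, its access-control supplement and the two optimization settings above all edit /etc/sssd/sssd.conf by hand, and several of the resulting mistakes are silent: a wrong mode or owner stops sssd at the next reboot, a simple access provider without any allow list (or no access provider at all) lets every domain user log in, and permissive GPO handling or a renewal age of 0 weakens controls that a reviewer will want to know about. The audit below is an added example, not code from the original post. It assumes GNU stat (Linux) and that the keys live in the single [domain/bj.cn] section that realmd writes; the parser does not track sections, and when a key appears twice it reports the last occurrence.

```shell
# Added example (not from the original post): audit /etc/sssd/sssd.conf for
# the settings this guide relies on and for knobs that weaken access control.
# Assumptions: GNU stat; a single [domain/...] section (sections are not tracked).

# Read one key from an ini-style file. Comment lines (# or ;) are skipped,
# whitespace around '=' is ignored, and the last occurrence wins.
conf_get() {
    file=$1; key=$2
    awk -v k="$key" '
        /^[[:space:]]*[#;]/ { next }        # comment line
        index($0, "=") == 0 { next }        # blank line or [section] header
        {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            if (name == k) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                found = val; seen = 1
            }
        }
        END { if (seen) print found }' "$file"
}

# Print one line per finding or warning; return 0 only when nothing was reported.
audit_sssd_conf() {
    file=$1; rc=0
    if [ ! -f "$file" ]; then
        echo "FINDING: $file does not exist"
        return 1
    fi
    # sssd refuses to start unless the file is mode 0600 and owned by root.
    mode=$(stat -c '%a' "$file"); owner=$(stat -c '%U' "$file")
    if [ "$mode" != 600 ]; then
        echo "FINDING: mode is $mode, expected 600 (sssd refuses to start otherwise)"; rc=1
    fi
    if [ "$owner" != root ]; then
        echo "FINDING: owner is $owner, expected root"; rc=1
    fi
    # Informational: without this, users must log in as user@bj.cn.
    fqn=$(conf_get "$file" use_fully_qualified_names)
    case "$fqn" in
        [Ff]alse) ;;
        *) echo "NOTE: use_fully_qualified_names is '${fqn:-unset}', so logins need the @domain suffix" ;;
    esac
    # Access control: the simple provider with empty lists allows everyone,
    # and no access_provider at all falls back to SSSD's permit default.
    ap=$(conf_get "$file" access_provider)
    case "$ap" in
        simple)
            allow_groups=$(conf_get "$file" simple_allow_groups)
            allow_users=$(conf_get "$file" simple_allow_users)
            if [ -z "$allow_groups" ] && [ -z "$allow_users" ]; then
                echo "FINDING: access_provider = simple with no simple_allow_* list, so every domain user may log in"; rc=1
            fi ;;
        "")
            echo "FINDING: no access_provider set; SSSD's default permits every domain user"; rc=1 ;;
    esac
    # Settings from the optimization section that trade control for convenience.
    gpo=$(conf_get "$file" ad_gpo_access_control)
    if [ "$gpo" = permissive ]; then
        echo "WARNING: ad_gpo_access_control = permissive: GPO logon rights are evaluated but denials are only logged"; rc=1
    fi
    age=$(conf_get "$file" ad_maximum_machine_account_password_age)
    if [ "$age" = 0 ]; then
        echo "WARNING: machine account password renewal disabled (ad_maximum_machine_account_password_age = 0)"; rc=1
    fi
    return $rc
}

# Usage on a joined host:
#   sudo sh -c '. ./audit.sh; audit_sssd_conf /etc/sssd/sssd.conf'
```

A non-zero exit means at least one FINDING or WARNING line was printed; NOTE lines are informational and do not affect the result.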

