背景信息:
Windows AD Version: Windows Server 2012 R2 zh-cn
计算机全名:hlm12r2n1.hlm.com
域:hlm.com
域控管理员:stone
普通用户:abc; bcd
普通组:hlmgroup,用户bcd在该组下
IP:10.0.0.6
Linux服务器:
具有root权限的用户:ltsstone
操作步骤:
安装所需包文件:
yum install -y krb5-workstation realmd sssd samba-common adcli oddjob oddjob-mkhomedir samba samba-common-tools
编辑/etc/resolve.conf文件,将DNS指向DC
[root@hlmcen75n2 ~]# cat /etc/resolv.conf ; generated by /usr/sbin/dhclient-script search lqvi3agp2gsunp1mlkwv0vudne.ax.internal.chinacloudapp.cn nameserver 10.0.0.6
编辑/etc/hosts文件,添加DC的IP及域的对应关系
[root@hlmcen75n2 ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.0.0.6 hlm12r2n1.hlm.com
将Linux机器加入域
[root@hlmcen75n2 ~]# realm join hlm12r2n1.hlm.com -U stone Password for stone:
发现可以成功发现域了
[root@hlmcen75n2 ~]# realm list hlm.com type: kerberos realm-name: HLM.COM domain-name: hlm.com configured: kerberos-member server-software: active-directory client-software: sssd required-package: oddjob required-package: oddjob-mkhomedir required-package: sssd required-package: adcli required-package: samba-common-tools login-formats: %[email protected] login-policy: allow-permitted-logins permitted-logins: permitted-groups: [email protected]
将组hlmgroup加入域
[root@hlmcen75n2 sudoers.d]# realm permit -g [email protected]
可以看到用户stone,abc,bcd可以被成功发现
[root@hlmcen75n2 ~]# id [email protected] uid=1744400500(stone) gid=1744400513(domain users) groups=1744400513(domain users),1744400520(group policy creator owners),1744400512(domain admins),1744400518(schema admins),1744400572(denied rodc password replication group),1744400519(enterprise admins) [root@hlmcen75n2 ~]# id [email protected] uid=1744401605(abc) gid=1744400513(domain users) groups=1744400513(domain users) [root@hlmcen75n2 ~]# id [email protected] uid=1744401608(bcd) gid=1744400513(domain users) groups=1744400513(domain users),1744401602(hlmgroup)
为使用户不需用带域名就可以被识别,需要修改配置文件/etc/sssd/sssd.conf,将use_fully_qualified_names行的True值修改为False
[root@hlmcen75n2 ~]# cat /etc/sssd/sssd.conf [sssd] domains = hlm.com config_file_version = 2 services = nss, pam [domain/hlm.com] ad_server = hlm12r2n1.hlm.com ad_domain = hlm.com krb5_realm = HLM.COM realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = False fallback_homedir = /home/%u@%d access_provider = simple simple_allow_groups = [email protected]
重启sssd服务,重新列出预控信息
[root@hlmcen75n2 ~]# systemctl restart sssd [root@hlmcen75n2 ~]# realm list hlm.com type: kerberos realm-name: HLM.COM domain-name: hlm.com configured: kerberos-member server-software: active-directory client-software: sssd required-package: oddjob required-package: oddjob-mkhomedir required-package: sssd required-package: adcli required-package: samba-common-tools login-formats: %U login-policy: allow-permitted-logins permitted-logins: permitted-groups: [email protected]
发现不加域信息,Linux服务器也可以识别域用户
[root@hlmcen75n2 ~]# id stone uid=1744400500(stone) gid=1744400513(domain users) groups=1744400513(domain users),1744400520(group policy creator owners),1744400512(domain admins),1744400518(schema admins),1744400572(denied rodc password replication group),1744400519(enterprise admins) [root@hlmcen75n2 ~]# id abc uid=1744401605(abc) gid=1744400513(domain users) groups=1744400513(domain users) [root@hlmcen75n2 ~]# id bcd uid=1744401608(bcd) gid=1744400513(domain users) groups=1744400513(domain users),1744401602(hlmgroup)
尝试切换到域用户,发现无法进入root管理员权限,提示