1- Windows Server domain information
OS: Windows Server 2016 Datacenter
IP: 10.0.0.1
DNS: 10.0.0.1
Domain controller address: leman.cn
Domain administrator: admin (or Administrator), password: Password@1
Domain users / passwords:
- c101/Password@1
- c102/Password@2
- u101/Password@1
- u102/Password@2
Domain services default ports: 3268 (global catalog) and 389 (LDAP)
2- Join AD and SSH in as a domain user [using realm]
2.1 Required packages
CentOS 7:
yum install -y realmd sssd adcli oddjob oddjob-mkhomedir samba samba-common-tools
Ubuntu 18:
apt install -y realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
SSSD (System Security Services Daemon) is a daemon first added in Red Hat Enterprise Linux 6; a single process can talk to several identity and authentication back ends such as LDAP and Kerberos, and it also provides authorization (access control).
2.2 Discover the domain controller
realm discover -v leman.cn
2.3 Join the server to the domain
hostname centos-1   # the hostname must not be localhost
realm join leman.cn -U admin   # without -U, the Administrator account is used by default
2.4 Check the result of the join
[root@centos-1 ~]# realm list
leman.cn
  type: kerberos
  realm-name: LEMAN.CN
  domain-name: leman.cn
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins
2.5 Let users log in without the domain-name suffix
[root@centos-1 ~]# cat /etc/sssd/sssd.conf

[sssd]
domains = leman.cn
config_file_version = 2
services = nss, pam

[domain/leman.cn]
ad_domain = leman.cn
krb5_realm = LEMAN.CN
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
# changed from True to False, so users log in as "admin" instead of "admin@leman.cn"
use_fully_qualified_names = False
# home directory; the default is /home/%u@%d, i.e. user name plus domain name
fallback_homedir = /home/%u
access_provider = ad
[root@centos-1 ~]#
2.6 Restart the sssd service (this completes the join)
systemctl restart sssd
2.7 Query a Windows domain account
[root@centos-1 ~]# id admin@leman.cn
uid=1037201105(admin) gid=1037200513(domain users) groups=1037200513(domain users)
3- Troubleshooting
3.1 Home directory not created
(If a login immediately drops back to the prompt, the root cause is usually that the user's home directory was not created.)
vim /etc/pam.d/common-session   # Ubuntu path; on CentOS 7 the equivalent file is /etc/pam.d/system-auth
Add the following line directly below the line "session required pam_unix.so":
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
3.2 Joining the domain fails
Insufficient permissions to join the domain
The error output looks like this:
Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
adcli: couldn't connect to streamcomputing.com domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
Insufficient permissions to join the domain
The problem is related to DNS (reverse DNS resolution); a temporary workaround:
Create /etc/krb5.conf (if it does not exist) and make sure it contains:
[libdefaults]
default_realm = alphabook.cn
rdns = false
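As an added example that is not part of the original notes, the following POSIX shell script audits the two files edited above, /etc/sssd/sssd.conf from step 2.5 and /etc/krb5.conf from 3.2, so a fresh join can be checked without reading them by hand. It reports each setting the notes change (use_fully_qualified_names, fallback_homedir, access_provider, default_realm, rdns) and flags cache_credentials, which allows offline logins at the price of credential hashes cached on the host. The functions ini_get, check, audit_join and demo are my own, file paths are passed as arguments, and the sample files written by demo() are constructed here rather than copied from a real host.

```shell
#!/bin/sh
# Added example (not from the original notes): audit sssd.conf and krb5.conf
# after a realm join. Assumes INI-style "key = value" files; paths are parameters.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], trimmed,
# with any trailing "# comment" removed; prints nothing if the key is absent.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { h = $0; gsub(/^[ \t]+|[ \t]+$/, "", h); insec = (h == sec); next }
        insec && !/^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                sub(/[ \t]*[#;].*$/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

AUDIT_RC=0
# check LABEL ACTUAL EXPECTED: print one line per setting; a mismatch fails the audit.
check() {
    if [ "$2" = "$3" ]; then
        printf 'OK   %s = %s\n' "$1" "$2"
    else
        printf 'WARN %s = %s (expected %s)\n' "$1" "${2:-<unset>}" "$3"
        AUDIT_RC=1
    fi
}

# audit_join SSSD_CONF KRB5_CONF DOMAIN: returns 0 when every setting matches
# what the join procedure in the notes produces, 1 otherwise.
audit_join() {
    sssd=$1; krb5=$2; dom=$3; sec="domain/$dom"
    realm=$(printf '%s' "$dom" | tr '[:lower:]' '[:upper:]')
    AUDIT_RC=0
    check "sssd domains"              "$(ini_get "$sssd" sssd domains)"             "$dom"
    check "id_provider"               "$(ini_get "$sssd" "$sec" id_provider)"       ad
    # access_provider = ad makes sssd honour disabled, expired and locked AD accounts
    check "access_provider"           "$(ini_get "$sssd" "$sec" access_provider)"   ad
    check "use_fully_qualified_names" "$(ini_get "$sssd" "$sec" use_fully_qualified_names)" False
    check "fallback_homedir"          "$(ini_get "$sssd" "$sec" fallback_homedir)"  "/home/%u"
    # realm names are compared case-insensitively here; Kerberos itself is case-sensitive
    check "krb5 default_realm"        "$(ini_get "$krb5" libdefaults default_realm | tr '[:lower:]' '[:upper:]')" "$realm"
    check "krb5 rdns"                 "$(ini_get "$krb5" libdefaults rdns)"         false
    # Not a failure, but worth knowing: cached credentials let a domain user log in
    # while the DC is unreachable, at the price of credential hashes stored on the host.
    if [ "$(ini_get "$sssd" "$sec" cache_credentials)" = True ]; then
        printf 'NOTE cache_credentials = True (offline logins possible)\n'
    fi
    return $AUDIT_RC
}

# demo: run the audit against constructed copies of the two files from the notes.
demo() {
    d=$(mktemp -d)
    cat > "$d/sssd.conf" <<'EOF'
[sssd]
domains = leman.cn
config_file_version = 2
services = nss, pam

[domain/leman.cn]
ad_domain = leman.cn
krb5_realm = LEMAN.CN
cache_credentials = True
id_provider = ad
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
EOF
    cat > "$d/krb5.conf" <<'EOF'
[libdefaults]
default_realm = LEMAN.CN
rdns = false
EOF
    audit_join "$d/sssd.conf" "$d/krb5.conf" leman.cn
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

On a real host, call `audit_join /etc/sssd/sssd.conf /etc/krb5.conf leman.cn` instead of `demo`; the exit status makes it usable from a post-join script, and a WARN on access_provider or rdns points at the two settings most often left at a weaker default.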
4- Common realm commands
- realm discover -v [ad_name]   # discover the domain
- realm join -v [-U user] realm-name   # join the domain
- realm list   # list joined domains
- realm permit [-ax] [-R realm] user ...   # allow only the listed domain users or groups to log in
- realm deny --all [-R realm]   # deny all domain users from logging in
- realm leave -v [-U user] [realm-name]   # leave the domain