Joining CentOS 7 to a Windows 2008 AD domain

When a domain controller is used to manage user permissions, Linux hosts often need to join the Windows domain as well. Windows AD is very capable: user accounts are managed centrally in Windows, which is convenient in an office. The following briefly describes the configuration.

Linux : CentOS Linux release 7.2.1511 (Core)

Windows: Windows 2008 R2 Enterprise DataCenter full installation

How to configure a Windows AD domain is not described here; search Baidu for it, it is simple.

The Windows domain name is sumoning.com and the domain controller's IP is 10.2.84.84.

First configure CentOS 7's yum repository and DNS (on an interface managed by NetworkManager, set the DNS server on the connection instead, otherwise the change to /etc/resolv.conf is overwritten):

mv /etc/yum.repos.d /etc/yum.repos.d.bak
mkdir /etc/yum.repos.d
cd /etc/yum.repos.d
wget http://mirrors.163.com/.help/CentOS7-Base-163.repo
yum makecache
echo "nameserver 10.2.48.84" >> /etc/resolv.conf

Install the necessary packages:

yum install -y krb5-workstation realmd sssd samba-common adcli oddjob oddjob-mkhomedir samba samba-common-tools

SSSD (System Security Services Daemon) is a daemon introduced in Red Hat Enterprise Linux 6 that talks to identity and authentication servers such as LDAP and Kerberos and provides authentication and authorization for the local system.

Discover the domain controller:

realm discover sumoning.com

Join the domain (without -U this prompts for the password of the domain Administrator account):

realm join sumoning.com

If the password is entered correctly, the join succeeds and the output looks like the following:

List the joined realms:

realm list

The domain controller has a user named test; either of the following two forms can be used to log in:

su - test@sumoning.com
su - sumoning\\test

When switching from the root user to another user, no password is required.

Modify the configuration file so that users can log in without the domain suffix:

vim /etc/sssd/sssd.conf

[sssd]
domains = sumoning.com
config_file_version = 2
services = nss, pam

[domain/sumoning.com]
ad_domain = sumoning.com
krb5_realm = SUMONING.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
# default shell at login
default_shell = /bin/bash
ldap_id_mapping = True
# changed from True to False so the short user name works
use_fully_qualified_names = False
# home directory
fallback_homedir = /home/%u@%d
access_provider = ad
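Before restarting sssd it is worth checking that the file says what you think it says. The following is an added shell example, not code from the original post: sssd_get reads one key from an sssd.conf section, and sssd_check flags the settings above that decide who can log in (the file mode, whether the domain is listed in [sssd], and whether access_provider is ad rather than the permit default). The sample configuration written by write_sample is constructed to mirror the one above.

```shell
# Print the value of <key> in section <section> of <file> (empty if unset).
sssd_get() {
    awk -v sect="[$2]" -v key="$3" '
        /^[ \t]*\[/ { insect = ($0 == sect); next }
        insect && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Usage: sssd_check <file> <ad-domain>. Prints one finding per line;
# returns 0 if the file matches what the post intends, 1 otherwise.
sssd_check() {
    f=$1; d=$2; rc=0
    # sssd does not start unless the file is root-owned with mode 0600.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = 600 ] || { echo "mode $mode: sssd.conf must be 0600"; rc=1; }
    # Only domains listed in [sssd] are loaded; a typo here silently disables the join.
    doms=$(sssd_get "$f" sssd domains | tr ',' ' ')
    case " $doms " in
        *" $d "*) ;;
        *) echo "'$d' is not listed in [sssd] domains"; rc=1 ;;
    esac
    # access_provider defaults to permit, which lets every AD account log in.
    ap=$(sssd_get "$f" "domain/$d" access_provider)
    case "$ap" in
        ad|simple) ;;
        *) echo "access_provider is '${ap:-permit (default)}': all domain users may log in"; rc=1 ;;
    esac
    [ "$(sssd_get "$f" "domain/$d" id_provider)" = ad ] ||
        { echo "id_provider is not ad"; rc=1; }
    return $rc
}

# Constructed sample mirroring the post's sssd.conf; prints the temp file path.
write_sample() {
    f=$(mktemp) && chmod 600 "$f"
    cat >"$f" <<EOF
[sssd]
domains = sumoning.com
services = nss, pam
[domain/sumoning.com]
ad_domain = sumoning.com
id_provider = ad
cache_credentials = True
use_fully_qualified_names = False
access_provider = ad
EOF
    echo "$f"
}
```

Run it against the real file with `sssd_check /etc/sssd/sssd.conf sumoning.com`; a non-zero exit status means at least one finding was printed.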

Restart the sssd service (sssd.conf must stay owned by root with mode 0600, otherwise sssd refuses to start):

systemctl restart sssd

Now you can log in to Linux with the Windows AD account.

A brief introduction to the main realm subcommands:

1. realm discover -v [realm-name]
   Discover available realms

2. realm join -v [-U user] realm-name
   Enroll this machine in a realm

3. realm leave -v [-U user] [realm-name]
   Unenroll this machine from a realm

4. realm list
   List known realms

5. realm permit [-ax] [-R realm] user ...
   Permit user logins: allow only the listed domain users or domain groups to log in

6. realm deny --all [-R realm]
   Deny user logins: disallow all domain logins
