AD管理linux客户端

https://www.jianshu.com/p/ecfc5a8c4237
AD1.xxx.corp: 是贵司Windows AD上xxx.corp这个域的全局主域控制器
LoginNO: 是贵司AD域xxx.corp中一个组
admin.win: 是贵司AD域xxx.corp中的一个具有管理员权限的用户
Daha.Ma: 是贵司AD域xxx.corp中的一个普通用户
SudoNO: 是贵司AD域xxx.corp中一个组
xxx.corp: 是贵司Windows AD上的主域名

组名: linux_group@ecwise.local

192.168.3.81

  1. centos7:

yum -y install realmd sssd oddjob \
oddjob-mkhomedir adcli samba-common;

realm join ad1.xxx.corp -U admin.win; # 这里需要输入admin.win的密码
realm permit -g LoginNO@xxx.corp; #这里以允许LoginNO组为例

visudo

添加这么一句:

%SudoNO@xxx.corp ALL=(ALL) ALL

sssd.conf

vim /etc/sssd/sssd.conf

修改两句如下:

use_fully_qualified_names = False
fallback_homedir = /home/%u

重启服务

systemctl restart sssd;

  1. centos6:

yum -y install sssd oddjob oddjob-mkhomedir adcli samba-common authconfig;
adcli join ecwise.local -U sql01_admin; # 这里需要输入密码

authconfig --enablesssd --enablesssdauth --enablemkhomedir --enablekrb5 --update;
yum install pam_krb5

service messagebus start;
chkconfig messagebus on;
service oddjobd start;
chkconfig oddjob on; # addjob用来自动建立用户的家目录

krb5.conf

vim /etc/krb5.conf

使得看起来像这样:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = xxx.corp
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
xxx.corp = {
kdc = AD1.xxx.corp
admin_server = AD1.xxx.corp
}

[domain_realm]
.example.com = xxx.corp
example.com = xxx.corp

sssd.conf

vim /etc/sssd/sssd.conf

修改内容如下:

[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = xxx.corp

[domain/xxx.corp]
id_provider = ad
fallback_homedir = /home/%u
shell_fallback = /bin/bash
override_shell = /bin/bash
default_shell = /bin/bash
access_provider = simple
simple_allow_groups = LoginNO
simple_allow_users = Daha.Ma

chmod 600 sssd.conf
sudoer

visudo

添加这么一句:

%SudoNO@xxx.corp ALL=(ALL) ALL

现在的情况将是:

除了LoginNO组和Daha.Ma以外其他域账号不能登录

SudoNO组可以不用密码通过sudo执行任何命令

重启服务

systemctl restart sssd;

维护命令

id Daha.Ma@xxx.corp; # 从AD中获取域用户信息
id Daha.Ma; # 在/etc/sssh/sssd.conf中设置了use_fully_qualified_names为False的可以直接用
adcli delete-computer --domain=xxx.corp -U admin.win ; # 退出AD域

常见问题:

不能加入域

1.当前面adcli join xxxxxx时如果出错:

adcli: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)

的话,请尝试修改/etc/krb5.conf,在[libdefaults]这个区块下加一句:

rdns = false

然后重新再试,即可。

  1. 使用id查不到用户,那么在此加下域:
    adcli join ecwise.local -U sql01_admin; # 这里需要输入密码

  2. 验证不通过:
    Key version number for principal in key table is incorrect

[root@CDDevLnxVM03 etc]# klist -k 
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal


2 CDDEVLNXVM03$@ECWISE.LOCAL
2 CDDEVLNXVM03$@ECWISE.LOCAL
2 CDDEVLNXVM03$@ECWISE.LOCAL
2 CDDEVLNXVM03$@ECWISE.LOCAL
2 CDDEVLNXVM03$@ECWISE.LOCAL
2 CDDEVLNXVM03$@ECWISE.LOCAL
2 host/CDDEVLNXVM03@ECWISE.LOCAL
2 host/CDDEVLNXVM03@ECWISE.LOCAL
2 host/CDDEVLNXVM03@ECWISE.LOCAL
2 host/CDDEVLNXVM03@ECWISE.LOCAL
2 host/CDDEVLNXVM03@ECWISE.LOCAL
2 host/CDDEVLNXVM03@ECWISE.LOCAL
2 host/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
2 host/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
2 host/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
2 host/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
2 host/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
2 host/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
2 RestrictedKrbHost/CDDEVLNXVM03@ECWISE.LOCAL
2 RestrictedKrbHost/CDDEVLNXVM03@ECWISE.LOCAL
2 RestrictedKrbHost/CDDEVLNXVM03@ECWISE.LOCAL
2 RestrictedKrbHost/CDDEVLNXVM03@ECWISE.LOCAL
2 RestrictedKrbHost/CDDEVLNXVM03@ECWISE.LOCAL
2 RestrictedKrbHost/CDDEVLNXVM03@ECWISE.LOCAL
2 RestrictedKrbHost/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
2 RestrictedKrbHost/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
2 RestrictedKrbHost/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
2 RestrictedKrbHost/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
2 RestrictedKrbHost/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
2 RestrictedKrbHost/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
在次加域,然后仍然输入密码无法登陆,这次提示如下:
Access denied for user zdchen by PAM account configuration
然后注释掉这两个文件 system-auth/password-auth-ac的pam_krb5.so模块认证即可









本文转自chenzudao51CTO博客,原文链接:http://blog.51cto.com/victor2016/2054880 ,如需转载请自行联系原作者



上一篇:Windows Networking 4: CloudMonitor 引发的网络问题排查一则


下一篇:Zuul整合Swagger,使用ZuulFilter解决下游服务context-path