Joining Ubuntu 20.4.3 to an AD domain
Environment
1. Ubuntu Server 20.4.3
2. AD domain: bj.cn
3. Domain controller IP: 192.168.1.1
Steps
1. Change the DNS settings
user@ubuntu:~$ sudo mv /etc/resolv.conf /etc/resolv.conf.bak
user@ubuntu:~$ sudo vi /etc/systemd/resolved.conf
[Resolve]
# Uncomment and set to the domain controller IP (systemd does not accept trailing comments on a value line)
DNS=192.168.1.1
#FallbackDNS=
#Domains=
#LLMNR=no
#MulticastDNS=no
#DNSSEC=no
#DNSOverTLS=no
#Cache=no-negative
#DNSStubListener=yes
#ReadEtcHosts=yes
user@ubuntu:~$ sudo systemctl restart systemd-resolved
user@ubuntu:~$ sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
user@ubuntu:~$ cat /etc/resolv.conf
nameserver 192.168.1.1
2. Install the domain-join packages:
user@ubuntu:~$ sudo apt install realmd sssd-ad sssd-tools adcli -y
3. Discover the AD domain to join
user@ubuntu:~$ sudo realm discover -v bj.cn
bj.cn
type: kerberos
realm-name: BJ.CN
domain-name: bj.cn
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
4. Join the AD domain. By default the administrator account is used for authentication; any account with administrator rights can also be used
# Default: authenticate as administrator
# -v shows the full step-by-step output
user@ubuntu:~$ sudo realm join -v bj.cn
* Resolving: _ldap._tcp.bj.cn
* Performing LDAP DSE lookup on: 192.168.1.1
* Successfully discovered: bj.cn
Password for Administrator:
....................................................
* /usr/sbin/update-rc.d sssd enable
* /usr/sbin/service sssd restart
* Successfully enrolled machine in realm
- Authenticate with an account that has administrator rights, e.g. -U sz@bj.cn
user@ubuntu:~$ sudo realm join -v bj.cn -U sz@bj.cn
* Resolving: _ldap._tcp.bj.cn
* Performing LDAP DSE lookup on: 192.168.1.1
* Successfully discovered: bj.cn
Password for sz:
5. Look up a domain account to verify that the join succeeded
user@ubuntu:~$ id sz@bj.cn
uid=1854401236(sz@bj.cn) gid=1854400363(domain users) groups=1854400363(domain users)
6. Edit sssd.conf so that domain accounts can log in without the @ suffix; also set sssd.conf to mode 600 and owner root, otherwise the sssd process will fail to start after a reboot
user@ubuntu:~$ sudo vi /etc/sssd/sssd.conf
fallback_homedir = /home/%u
use_fully_qualified_names = False
user@ubuntu:~$ sudo chmod 600 /etc/sssd/sssd.conf
user@ubuntu:~$ sudo chown root:root /etc/sssd/sssd.conf
user@ubuntu:~$ sudo systemctl restart sssd
beken@wifisz:~$ id sz
uid=1854401236(sz) gid=1854400363(domain users) groups=1854400363(domain users)
- Additional sssd.conf settings: restrict login to the IT group and the individual user sz
ad_server = domain.bj.cn
ad_domain = bj.cn
krb5_realm = BJ.CN
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
# Set bash as the login shell (comments must be on their own line in sssd.conf)
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = simple
# Allow members of the IT group to log in
simple_allow_groups = IT
# Allow the individual user sz to log in
simple_allow_users = sz
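An added audit helper, not part of the original guide, that checks an sssd.conf for the points this section relies on: mode 600 and root ownership, and an access_provider = simple allow list so that not every domain user can log in. It also reports the ad_gpo_access_control = permissive setting from the optimization section, since that disables GPO logon checks. The function name and the sample file in the comments are assumptions.

```shell
#!/bin/sh
# sssd_conf_audit FILE [EXPECTED_OWNER]
# Prints one line per check and returns the number of failed checks.
# EXPECTED_OWNER defaults to root, which is what sssd requires.
sssd_conf_audit() {
    conf=$1
    want_owner=${2:-root}
    fails=0

    # sssd refuses to start unless the file is 0600 and owned by root
    mode=$(stat -c %a "$conf")
    owner=$(stat -c %U "$conf")
    if [ "$mode" = "600" ] && [ "$owner" = "$want_owner" ]; then
        echo "OK: $conf is mode 600, owner $owner"
    else
        echo "FAIL: $conf is mode $mode owner $owner (want 600, $want_owner)"
        fails=$((fails + 1))
    fi

    # value of a key in $conf, ignoring comment lines and surrounding whitespace
    val() {
        sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$conf" \
            | head -n 1 | sed 's/[[:space:]]*$//'
    }

    # without an allow list, every domain user can log in to this host
    provider=$(val access_provider)
    allow_groups=$(val simple_allow_groups)
    allow_users=$(val simple_allow_users)
    if [ "$provider" = "simple" ] && [ -n "$allow_groups$allow_users" ]; then
        echo "OK: access_provider=simple, groups [$allow_groups] users [$allow_users]"
    else
        echo "FAIL: no login restriction (access_provider='$provider', empty allow list)"
        fails=$((fails + 1))
    fi

    # permissive mode means GPO logon rights are evaluated but not enforced
    if [ "$(val ad_gpo_access_control)" = "permissive" ]; then
        echo "NOTE: ad_gpo_access_control=permissive, GPO logon rights are not enforced"
    fi
    return "$fails"
}

# Run against the file given on the command line, e.g. /etc/sssd/sssd.conf
if [ $# -gt 0 ]; then sssd_conf_audit "$@"; fi
```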
7. Create the home directory automatically on a domain account's first login
user@ubuntu:~$ sudo pam-auth-update --enable mkhomedir
8. Grant sudo rights to domain accounts
user@ubuntu:~$ sudo visudo
%domain\ users ALL=(ALL) ALL
Troubleshooting
1. GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
user@ubuntu:~$ sudo vi /etc/krb5.conf
[libdefaults]
# Kerberos realm names are case-sensitive and uppercase; this matches krb5_realm in sssd.conf
default_realm = BJ.CN
rdns = false
2. PIDFile= references a path below legacy directory /var/run/, updating /var/run/sssd.pid
# Remove sssd.pid
user@ubuntu:~$ sudo rm /run/sssd.pid
# Clear the SSSD cache
user@ubuntu:~$ sudo sss_cache -E
Optimization
1. Because the adcli package is installed, SSSD automatically renews the Kerberos host keytab in the AD environment. The daemon checks every day whether the machine account password is older than the configured value and renews it when necessary. The default renewal interval is 30 days.
Details are in the Red Hat documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/sssd-auto-keytab-renewal
user@ubuntu:~$ sudo vi /etc/sssd/sssd.conf
ad_maximum_machine_account_password_age = value_in_days
# To disable automatic Kerberos host keytab renewal, add this line
ad_maximum_machine_account_password_age = 0
2. When logging in to a system joined to an Active Directory domain, group policy is applied by default. In some cases, if a particular policy is missing, the login is denied.
user@ubuntu:~$ sudo vi /etc/sssd/sssd.conf
# Do not enforce group policy
ad_gpo_access_control = permissive