Joining CentOS 7 to a Windows AD domain with realmd: configuring CentOS as an AD client

Realmd provides a simple way to discover and join identity domains. It configures the Linux system services (such as sssd or winbind) that actually perform network authentication and user-account lookups. In the CentOS / RHEL 7 releases realmd is fully supported and can be used to join IdM, AD or Kerberos realms. Its main advantage is that a single command both enrolls the machine in a domain and configures network authentication. For example, realmd can easily configure the PAM stack, the NSS layer, Kerberos, SSSD and Winbind.
I. Environment

One Windows Server 2012 R2 server with AD installed as the domain controller (domain name testadgroup.com), which also acts as the DNS server
One CentOS 7.6 server

II. Goal

Join this CentOS 7.6 server to the domain controller.
III. Package installation

Install the following packages on CentOS:

| Package | Function |
|---|---|
| adcli | Command-line tool for Active Directory domain controllers |
| krb5-workstation | Kerberos 5 workstation programs |
| oddjob | A job-scheduling tool developed in Java |
| oddjob-mkhomedir | |
| realmd | Tool that implements domain-controller integration |
| samba | |
| samba-common | |
| samba-common-tools | |
| sssd | SSSD is a daemon that accesses multiple authentication servers, such as LDAP and Kerberos, and provides authorization. |

```bash
yum install -y adcli krb5-workstation oddjob oddjob-mkhomedir realmd samba samba-common samba-common-tools sssd
```
IV. Configuration

1) Change the DNS settings

(The following procedure applies only to the RHEL 7 family; on RHEL 6 edit /etc/resolv.conf instead.)

1.1) List the network connections

```console
[root@centos7 ~]# nmcli connection show
NAME    UUID                                  TYPE      DEVICE
ens160  7f58b689-fca1-43a2-97ba-447f1746fabd  ethernet  ens160
virbr0  35d14f96-c2e4-42ba-a2c3-ff74dff1414a  bridge    virbr0
```

1.2) Set the DNS servers for the specific interface

```console
[root@centos7 ~]# nmcli con mod ens160 ipv4.dns 192.168.100.1,8.8.8.8
```

1.3) Re-activate the connection so the change takes effect

```console
[root@centos7 ~]# nmcli con up ens160
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/5)
```

1.4) Verify the new DNS configuration

/etc/resolv.conf now shows the new servers:

```console
[root@centos7 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search testadgroup.com
nameserver 192.168.100.1
nameserver 8.8.8.8
```

2) Change the hostname

Edit /etc/hosts and add the following line:

```
172.24.2.20 centos7.testadgroup.com
```

Set the hostname (this command applies only to the RHEL 7 family; on RHEL 6 a reboot is required):

```console
[root@centos7 ~]# hostnamectl set-hostname centos7.testadgroup.com
```

Run hostname to confirm the new name.
3) Join the domain

3.1) Discover the domain

```bash
realm discover testadgroup
```

Actual output:

```console
[root@localhost ~]# realm discover testadgroup
testadgroup
  type: kerberos
  realm-name: testadgroup
  domain-name: testadgroup
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
```

3.2) Join the domain

```console
[root@centos7 ~]# realm join -U admin testadgroup
```

Here admin is a domain user with domain-administrator privileges; realm prompts for that user's password.

CentOS 7.6 is now joined to the domain. Try switching to another domain user:

```console
[root@centos7 ~]# su - stos@testadgroup.com
Creating home directory for stos@testadgroup.com.
[chaosy@foogroup.com@centos7 ~]$
```

4) Reboot the CentOS 7 machine, then confirm on the Windows AD controller that the centos7 computer object is present in the domain.
V. Edit the Kerberos configuration file /etc/krb5.conf

(domain.example.com / DOMAIN.EXAMPLE.COM below are placeholders; substitute your own domain and realm, e.g. testadgroup.com / TESTADGROUP.COM. The realm name used in default_realm, in the [realms] block and as the [domain_realm] targets must be identical, otherwise Kerberos cannot locate the KDC.)

```ini
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_realm = DOMAIN.EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 DOMAIN.EXAMPLE.COM = {
  kdc = [hostname_of_server].domain.example.com:88
  admin_server = domain.example.com
 }

[domain_realm]
 .domain.example.com = DOMAIN.EXAMPLE.COM
 domain.example.com = DOMAIN.EXAMPLE.COM
```
VI. Edit the SSSD configuration file /etc/sssd/sssd.conf

```ini
[sssd]
domains = domain.example.com
config_file_version = 2
services = nss, pam

[domain/domain.example.com]
ad_server = domain.example.com
ad_domain = domain.example.com
krb5_realm = DOMAIN.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
enumeration = True
```

Set ownership and permissions on sssd.conf (sssd refuses to start if the file is readable by anyone but root), then enable SSSD in the authentication stack and start the service:

```console
# chown root:root /etc/sssd/sssd.conf
# chmod 0600 /etc/sssd/sssd.conf
# restorecon /etc/sssd/sssd.conf
# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
# systemctl start sssd
```
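The two files above must agree on the realm name: default_realm, the [realms] block and the [domain_realm] targets in krb5.conf, and krb5_realm in every sssd.conf domain section. A mismatch is a common cause of "Cannot find KDC for realm" errors at login. The checker below is an added example written for this page (not part of realmd or SSSD); the krb5.conf/sssd.conf fragments it parses are constructed samples.

```python
def parse_conf(text):
    """Parse krb5.conf-style text into {section: {key: value}}; REALM = { ... }
    blocks (not INI syntax) become sub-dicts. sssd.conf parses the same way."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            sections.setdefault(section, {})
        elif line.endswith("{"):  # start of a nested REALM = { block
            block = line.split("=", 1)[0].strip()
            sections[section][block] = {}
        elif line == "}":
            block = None
        elif "=" in line:  # blanks, comments and includedir lines fall through
            key, value = (s.strip() for s in line.split("=", 1))
            (sections[section][block] if block else sections[section])[key] = value
    return sections

def check_join_config(krb5_text, sssd_text):
    """Cross-check realm names; returns findings (empty list == files agree)."""
    krb, sssd = parse_conf(krb5_text), parse_conf(sssd_text)
    realms, findings = krb.get("realms", {}), []
    default_realm = krb.get("libdefaults", {}).get("default_realm")
    if not default_realm:
        findings.append("krb5.conf: [libdefaults] has no default_realm")
    elif default_realm not in realms:
        findings.append(f"krb5.conf: default_realm {default_realm} has no [realms] block")
    for domain, realm in krb.get("domain_realm", {}).items():
        if realm not in realms:
            findings.append(f"krb5.conf: {domain} maps to undefined realm {realm}")
    for domain in sssd.get("sssd", {}).get("domains", "").split(","):
        sect = f"domain/{domain.strip()}"
        if sect not in sssd:
            findings.append(f"sssd.conf: [{sect}] listed in domains but not defined")
        elif sssd[sect].get("krb5_realm") != default_realm:
            findings.append(f"sssd.conf: [{sect}] krb5_realm != krb5.conf default_realm")
    return findings

# Constructed samples: the [realms] block is named differently from default_realm.
SAMPLE_KRB5 = """[libdefaults]
default_realm = DOMAIN.EXAMPLE.COM
[realms]
AD.EXAMPLE.COM = {
kdc = dc1.domain.example.com:88
}"""
SAMPLE_SSSD = """[sssd]
domains = domain.example.com
[domain/domain.example.com]
krb5_realm = DOMAIN.EXAMPLE.COM"""
```

Running check_join_config(SAMPLE_KRB5, SAMPLE_SSSD) reports the missing [realms] block for DOMAIN.EXAMPLE.COM; renaming the block makes the findings list empty.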
VII. Log in as a domain user

```console
# id user@domain.example.com
# ssh user@domain.example.com
```

Example:

```console
# id user@ad.example.com
uid=1348601103(user@ad.example.com) gid=1348600513(domain users@ad.example.com) groups=1348600513(domain users@ad.example.com)
# ssh user@ad.example.com@127.0.0.1
user@ad.example.com@127.0.0.1's password:
Creating home directory for user@ad.example.com.
$ pwd
/home/ad.example.com/user
```