AD认证方式有很多种：nslcd、realmd、winbind，这里选择nslcd方式，轻量级且简单。
ad和ldap认证配置方式一模一样,只是ad域的时候nslcd文件需要做少许属性修改,ldap直接使用默认文件就行
参考文章:
- https://www.cnblogs.com/swordfall/p/12119010.html
- https://www.cnblogs.com/dufeixiang/p/11624210.html
- https://linux.die.net/man/5/nslcd.conf
安装openldap客户端以及nslcd、sssd服务
yum install -y openldap openldap-clients sssd nss-pam-ldapd
使用nslcd认证,vim /etc/nslcd.conf
# This is the configuration file for the LDAP nameservice
# switch library's nslcd daemon. It configures the mapping
# between NSS names (see /etc/nsswitch.conf) and LDAP
# information in the directory.
# See the manual page nslcd.conf(5) for more information.
#
# NOTE(review): as written, this file stores a cleartext bind password
# (bindpw) and, with "ssl no" at the bottom and start_tls commented
# out, sends that password and every lookup to the directory
# unencrypted. Both points are called out inline where they apply.
# The user and group nslcd should run as.
uid nslcd
gid ldap
# The uri pointing to the LDAP server to use for name lookups.
# Multiple entries may be specified. The address that is used
# here should be resolvable without using LDAP (obviously).
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
#uri ldap://x.x.x.x/ #LDAP server
# NOTE(review): nslcd.conf(5) documents whole-line '#' comments; confirm
# the parser accepts the trailing "#..." text on the active uri and map
# lines in this file, otherwise move those remarks onto their own line.
# The active uri below points at the AD domain controller.
uri ldap://x.x.x.x/ #ad服务器
# The LDAP version to use (defaults to 3
# if supported by client library)
#ldap_version 3
# The distinguished name of the search base.
base dc=sietium,dc=com
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# NOTE(review): this binds as the domain Administrator for what are
# read-only lookups; a dedicated least-privilege service account limits
# what a leaked bindpw can do.
binddn cn=administrator,cn=users,dc=sietium,dc=com
#binddn cn=admin,dc=sietium,dc=com
# The credentials to bind with.
# Optional: default is no credentials.
# Note that if you set a bindpw you should check the permissions of this file.
#bindpw xxxx
# Placeholder value; confirm this file is readable only by root/nslcd
# once the real password is in place.
bindpw xxxx
# The distinguished name to perform password modifications by root by.
#rootpwmoddn CN=Administrator,CN=Users,DC=sietium,DC=com
#rootpwmoddn cn=admin,dc=sietium,dc=com
# The default search scope.
scope sub
#scope one
#scope base
# Customize certain database lookups.
#base group ou=Groups,dc=example,dc=com
#base passwd ou=People,dc=example,dc=com
#base shadow ou=People,dc=example,dc=com
#scope group onelevel
#scope hosts sub
# Bind/connect timelimit.
#bind_timelimit 30
# Search timelimit.
#timelimit 30
# Idle timelimit. nslcd will close connections if the
# server has not been contacted for the number of seconds.
#idle_timelimit 3600
# Use StartTLS without verifying the server certificate.
# NOTE(review): both lines below stay commented out and "ssl no" is set
# at the end of the file, so the connection is plain LDAP. Prefer an
# ldaps:// uri or "ssl start_tls" with certificate verification
# (tls_reqcert demand, CA in tls_cacertdir) rather than
# "tls_reqcert never".
#ssl start_tls
#tls_reqcert never
# CA certificates for server certificate verification
tls_cacertdir /etc/openldap/cacerts
#tls_cacertfile /etc/ssl/ca.cert
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Mappings for Services for UNIX 3.5
#filter passwd (objectClass=User)
#map passwd uid msSFU30Name
#map passwd userPassword msSFU30Password
#map passwd homeDirectory msSFU30HomeDirectory
#map passwd homeDirectory msSFUHomeDirectory
#filter shadow (objectClass=User)
#map shadow uid msSFU30Name
#map shadow userPassword msSFU30Password
#filter group (objectClass=Group)
#map group member msSFU30PosixMember
# Mappings for Services for UNIX 2.0
#filter passwd (objectClass=User)
#map passwd uid msSFUName
#map passwd userPassword msSFUPassword
#map passwd homeDirectory msSFUHomeDirectory
#map passwd gecos msSFUName
#filter shadow (objectClass=User)
#map shadow uid msSFUName
#map shadow userPassword msSFUPassword
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=Group)
#map group member posixMember
# AD domain: fixed (stock) mappings, kept commented out; they require
# every account to carry uidNumber and unixHomeDirectory.
# Mappings for Active Directory
#pagesize 1000
#referrals off
#idle_timelimit 800
#filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map passwd uid sAMAccountName
#map passwd homeDirectory unixHomeDirectory
#map passwd gecos displayName
#filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
#map shadow uid sAMAccountName
#map shadow shadowLastChange pwdLastSet
#filter group (objectClass=group)
# AD domain: the mappings actually used by this setup.
# Alternative mappings for Active Directory
# (replace the SIDs in the objectSid mappings with the value for your domain)
pagesize 1000
referrals off
idle_timelimit 800
# AD attributes actually fetched for the passwd map.
# The passwd filter no longer requires uidNumber/unixHomeDirectory, so a
# user lacking uidNumber or gidNumber below will surface with empty
# fields rather than being excluded.
filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
map passwd uid sAMAccountName
#map passwd uidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
map passwd uidNumber uidNumber
#map passwd gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
map passwd gidNumber gidNumber
#map passwd homeDirectory "/home/$sAMAccountName" #可以使用homeDirectory属性
map passwd homeDirectory "/home/$sAMAccountName" #可以设置获取sAMAccountName变量昨为家目录
map passwd gecos displayName
#map passwd loginShell "/bin/bash" #可以选择默认值shell终端
# NOTE(review): the getent output later on this page shows an empty
# shell field for the test user, i.e. the AD loginShell attribute was
# not populated; either set it on every user or use the commented
# "/bin/bash" default above.
map passwd loginShell loginShell #使用ad的属性loginShell
# NOTE(review): this group filter also returns person objects as groups,
# presumably so each user's primary group id resolves -- confirm.
filter group (|(objectClass=group)(objectClass=person))
# NOTE(review): the SID here is still the sample from the commented
# template; the ssh transcript later on this page reports
# "cannot find name for group ID 2000", which is consistent with group
# lookups not resolving. Replace the SID with your domain's, or map
# gidNumber from the gidNumber attribute as the passwd map does.
map group gidNumber objectSid:S-1-5-21-3623811015-3361044348-30300820
# Mappings for AIX SecureWay
#filter passwd (objectClass=aixAccount)
#map passwd uid userName
#map passwd userPassword passwordChar
#map passwd uidNumber uid
#map passwd gidNumber gid
#filter group (objectClass=aixAccessGroup)
#map group cn groupName
#map group gidNumber gid
# This comment prevents repeated auto-migration of settings.
# NOTE(review): disables TLS entirely; see the StartTLS section above.
ssl no
需要注意的问题
配置ad域固定配置的时候:
- 必须有unixHomeDirectory属性,创建用户家目录
配置ad域可选属性的时候:
- 所有用户必须有uidNumber(唯一id),gidNumber(组id),homeDirectory(家目录),loginShell(登录终端)属性
- 属性编辑参考:https://jingyan.baidu.com/article/a3a3f8112520e38da3eb8a44.html
配置/etc/nsswitch.conf
#passwd: files sss
#shadow: files sss
#group: files sss
#initgroups: files sss
# NOTE(review): passwd/shadow/group are resolved through nslcd ("ldap"),
# while services, netgroup and automount below still name "sss"; the
# sssd instance configured later on this page is therefore not consulted
# for user or group resolution -- confirm the mixed backends are intended.
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: nisplus sss
publickey: nisplus
automount: files nisplus sss
aliases: files nisplus
配置/etc/sssd/sssd.conf,使用以下命令生成文件。也可以手动创建
authconfig --enableldap --enableldapauth --ldapserver=10.100.110.6 --ldapbasedn="dc=sietium,dc=com" --enablemkhomedir --update
# Generated by the authconfig --update command shown above; edit by hand
# with the same care, since that command overwrites it on re-run.
[domain/sietium]
autofs_provider = ldap
ldap_schema = rfc2307bis
# NOTE(review): the Kerberos realm/server below name REDPEAK.COM, which
# does not match the sietium base DN; with the ldap providers configured
# here they look like leftovers -- confirm or remove.
krb5_realm = REDPEAK.COM
ldap_search_base = dc=sietium,dc=com
krb5_server = 10.100.110.6
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# NOTE(review): a plain ldap:// uri with start_tls disabled means
# sssd's binds and password checks cross the network unencrypted;
# ldaps:// or ldap_id_use_start_tls = True with a trusted CA in
# ldap_tls_cacertdir closes that.
ldap_uri = ldap://10.100.110.6/
ldap_id_use_start_tls = False
# Caches a hash of each user's credential on disk so logins survive a
# directory outage; the chmod 600 step below covers this file only, so
# check the cache directory's permissions as well.
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam, autofs
domains = sietium
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
修改sssd.conf文件权限
chmod 600 /etc/sssd/sssd.conf
ssh登录配置,使用pam动态认证账号,配置/etc/ssh/sshd_config
PasswordAuthentication yes
UsePAM yes
修改配置文件/etc/pam.d/sshd,以确认调用pam认证文件
#%PAM-1.0
# /etc/pam.d/sshd: the LDAP modules live in the included password-auth
# stack, not in this file.
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Added so the user's home directory is created on first successful login.
# NOTE(review): password-auth, included two lines up, already carries
# "session optional pam_mkhomedir.so umask=0077" and runs first, so this
# entry appears redundant; if the password-auth entry is ever removed,
# note that this one has no umask and creates the home with the module
# default.
session required pam_mkhomedir.so
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
配置/etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): the authconfig --update command used earlier on this page
# is exactly such a run; the manual pam_sss -> pam_ldap swap below will
# be lost if it is executed again.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
#auth sufficient pam_sss.so forward_pass
# AD users authenticate through pam_ldap (nslcd) here, not sssd; this
# must agree with the "ldap" entries in /etc/nsswitch.conf.
auth sufficient pam_ldap.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
# Creates the home directory with mode 0700 on first login; sshd's own
# stack adds a second pam_mkhomedir entry after including this file.
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
#session optional pam_sss.so
session optional pam_ldap.so
修改配置文件/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): same caveat as password-auth -- the authconfig --update
# command used earlier on this page regenerates this file and undoes the
# pam_sss -> pam_ldap swap below.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
#auth sufficient pam_sss.so forward_pass
# Mirrors password-auth: AD users go through pam_ldap (nslcd).
auth sufficient pam_ldap.so forward_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
#password sufficient pam_sss.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
#session optional pam_sss.so
session optional pam_ldap.so
重启ssh、sssd和nslcd
systemctl restart sshd
systemctl restart sssd
systemctl enable sssd
systemctl restart nslcd
systemctl enable nslcd
查看同步的账号
getent passwd
lyman:*:5003:2000:测试:/home/lyman:
切换账号
[root@xa-tw-ops-gemmirror-10-34]# su lyman
sh-4.2$ id
uid=5003(lyman) gid=2000 groups=2000
sh-4.2$ cd
sh-4.2$ pwd
/home/lyman
验证SSH登录
[root@svn ~]# ssh lyman@10.10.10.34
The authenticity of host '10.10.10.34 (10.10.10.34)' can't be established.
ECDSA key fingerprint is SHA256:6vlwTqHZ7ZKAKiOUPSVh8kTtCckVY0DvyMQE6MAJp/w.
ECDSA key fingerprint is MD5:57:a1:15:51:dd:73:dd:84:13:86:4d:1c:9c:99:db:3c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.10.34' (ECDSA) to the list of known hosts.
lyman@10.10.10.34's password:
Last login: Wed Sep 13 10:18:08 2023
/usr/bin/id: cannot find name for group ID 2000
-sh-4.2$ id
uid=5003(lyman) gid=2000 groups=2000
-sh-4.2$ cd
-sh-4.2$ pwd
/home/lyman
给ad用户配置sudo权限,默认是没有sudo权限的,
vim /etc/pam.d/sudo 加配置
# Lines to add to /etc/pam.d/sudo; the rest of that file is not shown here.
# NOTE(review): the ssh/password-auth stacks on this host authenticate AD
# users through pam_ldap.so (nslcd), but sudo is pointed at pam_sss.so.
# Confirm sssd can resolve the same users; if it cannot, these two
# "sufficient" entries never match and control falls through to whatever
# follows them in the file.
auth sufficient pam_sss.so
account sufficient pam_sss.so
vim /etc/sudoers 添加适当的条目以授予AD用户或组sudo权限
lyman ALL=(ALL) ALL
登录实验
[root@xa-tw-ops-gemmirror-10-34 etc]# su lyman
sh-4.2$ sudo -i
[sudo] password for lyman:
[root@xa-tw-ops-gemmirror-10-34 ~]#
配置ad用户自动添加sudo权限
编辑/etc/pam.d/sudo文件,并确保它至少包含以下行:
session required pam_exec.so stdout /usr/local/bin/ad_sudo.sh
创建ad_sudo.sh脚本:在/usr/local/bin/目录中创建一个名为ad_sudo.sh的脚本文件,并添加以下内容:
#!/bin/bash
# Invoked by pam_exec from the sudo PAM session stack (the
# "session required pam_exec.so stdout ..." line above); it runs with the
# privileges of the process opening the session, and pam_exec turns the
# command's exit status into the module result.
# NOTE(review): a PAM hook that hands every member of a group a root
# shell is a blanket privilege grant with no per-command audit trail; a
# sudoers rule such as `%your_group ALL=(ALL) ALL` (constructed example,
# same shape as the per-user entry shown earlier on this page) is the
# reviewable way to express it.
# Membership test: the user's groups, matched as a whole word against the
# configured AD group name.
if id -nG "$PAM_USER" | grep -qw "your_group"; then
# NOTE(review): pam_exec exports PAM_USER and a few PAM_* items into the
# environment, but the authentication token is only passed on stdin,
# with the expose_authtok option, and only for the auth type -- as a
# session entry ${PAM_AUTHTOK} is presumably empty here. Confirm.
# NOTE(review): `sudo -S` reads a bare password from stdin; the
# "user:token" string fed to it here is not that format -- confirm this
# ever succeeds. `exec` replaces this helper with sudo.
exec sudo -H -S -p '' <<< "${PAM_USER}:${PAM_AUTHTOK}"
fi
将 your_group 替换为希望自动获得sudo权限的AD组名称。
保存并关闭该文件,然后确保其可执行权限(例如,使用chmod +x /usr/local/bin/ad_sudo.sh命令)。
重新启动SSSD服务:
systemctl restart sssd
现在,当AD用户登录时,他们将自动具有sudo权限。请注意,确保在AD中正确配置了组,并在ad_sudo.sh脚本中指定了正确的组名。