How to join a CentOS 8/RHEL 8 system to an Active Directory (AD) domain

Date: 2020-02-23 14:31:22  Source: igfitidea

Question: How do I join a CentOS 8/RHEL 8 system to a Windows Active Directory domain? This guide walks through joining a CentOS 8/RHEL 8 server or workstation to an Active Directory domain with realmd. Realmd gives a clear, simple way to discover and join an identity domain for direct domain integration.

In most enterprise environments Active Directory is the central store of user information. In this integration realmd configures the underlying Linux system service (SSSD or Winbind) to connect to the domain; the Linux system then looks up users and groups in Active Directory over LDAP and authenticates them against the domain's Kerberos KDC.

This guide configures SSSD to retrieve information from domains within a single Active Directory forest. If you have several AD forests, this guide may not fit your setup.

Install the required packages

CentOS 8/RHEL 8 AD integration needs a number of packages. Install them with:

sudo dnf install realmd sssd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation authselect-compat

Accept the installation prompt.

Last metadata expiration check: 0:19:18 ago on Fri 27 Sep 2019 09:45:40 PM EAT.
Package realmd-0.16.3-16.el8.x86_64 is already installed.
Package sssd-2.0.0-43.el8_0.3.x86_64 is already installed.
Package adcli-0.8.2-2.el8.x86_64 is already installed.
Package samba-common-4.9.1-8.el8.noarch is already installed.
Dependencies resolved.
===================================================================================================================================================
 Package                                  Arch                         Version                               Repository                       Size
===================================================================================================================================================
Installing:
 oddjob                                   x86_64                       0.34.4-7.el8                          AppStream                        83 k
 oddjob-mkhomedir                         x86_64                       0.34.4-7.el8                          AppStream                        52 k
 samba-common-tools                       x86_64                       4.9.1-8.el8                           BaseOS                          461 k
Installing dependencies:
 samba-libs                               x86_64                       4.9.1-8.el8                           BaseOS                          177 k

Transaction Summary
===================================================================================================================================================
Install  4 Packages

Total download size: 773 k
Installed size: 1.7 M
Is this ok [y/N]: y

On a fresh RHEL 8 machine, register it with subscription-manager first, otherwise no packages can be installed.

$ sudo subscription-manager register
Registering to: subscription.rhsm.redhat.com:443/subscription
Username:  
Password: 
The system has been registered with ID: d39d60a7-3236-4287-b361-53264159f5d1
The registered system name is: master.example.com

$ sudo subscription-manager attach --auto
Installed Product Current Status:
Product Name: Red Hat Enterprise Linux for x86_64
Status:       Subscribed

Discover the Active Directory domain from CentOS 8/RHEL 8

Before the AD integration, make sure the CentOS/RHEL 8 machine can resolve and discover the AD domain.

Verify the DNS settings. The resolver must be a DNS server that serves the AD domain's SRV records (usually a domain controller itself), and the client clock must be within five minutes of the domain controllers, or Kerberos will reject the join.

$ cat /etc/resolv.conf

Check that AD domain discovery succeeds.

$ realm discover example.com
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
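The resolver and clock checks above, bundled into one pre-join script. This is an added example and not part of the original guide: the parsing helpers take command output as an argument so they can be exercised with constructed text, and preflight wires them to dig (bind-utils), chronyc, realm and rpm on a real client. The SRV record names, the 300-second skew limit and the domain example.com are assumptions.

```shell
#!/bin/sh
# Pre-join checks for realmd/SSSD AD integration (added example, not from the guide).
# Helpers take command output as an argument so they can be tested offline;
# preflight() feeds them live output from dig, chronyc, realm and rpm.

# Kerberos tolerates at most this much clock skew (seconds) between client and KDC.
MAX_SKEW=300

# srv_targets OUTPUT: print the target host of every record in `dig +short SRV`
# output ("priority weight port target."), lowest priority first.
srv_targets() {
    printf '%s\n' "$1" | awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $4 }' \
        | sort -n | awk '{ print $2 }'
}

# srv_ok OUTPUT: succeed when at least one SRV record came back.
srv_ok() {
    [ -n "$(srv_targets "$1")" ]
}

# skew_ok OUTPUT: read the "System time" line of `chronyc tracking`
# ("System time     : 0.000412 seconds slow of NTP time") and succeed when the
# absolute offset is within MAX_SKEW; no such line means no sync, so fail.
skew_ok() {
    printf '%s\n' "$1" | awk -v max="$MAX_SKEW" '
        /^System time/ { off = $4 + 0; if (off < 0) off = -off; found = 1 }
        END { if (found && off <= max) exit 0; exit 1 }'
}

# missing_pkgs DOMAIN: the packages realmd reports as required that rpm cannot find.
missing_pkgs() {
    realm discover "$1" 2>/dev/null | awk '/required-package:/ { print $2 }' |
        while read -r pkg; do
            rpm -q "$pkg" >/dev/null 2>&1 || printf '%s\n' "$pkg"
        done
}

# preflight DOMAIN: run every check, print one line per result, fail if any failed.
preflight() {
    domain=$1; rc=0
    # AD advertises its domain controllers as SRV records; realmd, SSSD and the
    # Kerberos client all locate the DC through them, so the resolver in
    # /etc/resolv.conf must be able to serve the AD zone.
    for name in "_ldap._tcp.dc._msdcs.$domain" "_kerberos._tcp.$domain"; do
        out=$(dig +short SRV "$name")
        if srv_ok "$out"; then
            printf 'ok   %s -> %s\n' "$name" "$(srv_targets "$out" | head -n 1)"
        else
            printf 'FAIL no SRV record for %s (resolver not serving the AD zone?)\n' "$name"
            rc=1
        fi
    done
    if skew_ok "$(chronyc tracking 2>/dev/null)"; then
        printf 'ok   clock within %ss of NTP\n' "$MAX_SKEW"
    else
        printf 'FAIL clock not synchronised; the DC will reject Kerberos requests\n'
        rc=1
    fi
    for pkg in $(missing_pkgs "$domain"); do
        printf 'FAIL required package not installed: %s\n' "$pkg"
        rc=1
    done
    return $rc
}

# Usage on the client: sh preflight.sh --run example.com
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-example.com}"
fi
```

Run it before realm join; a FAIL on the SRV lines almost always means /etc/resolv.conf points at a resolver that does not forward to the domain, and a skew failure means chronyd is not yet synchronised.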

Join the CentOS 8/RHEL 8 Linux machine to the Active Directory domain

Joining a CentOS 8/RHEL 8 machine to a Windows Active Directory domain needs an AD account that may create the computer object. This does not have to be a Domain Admin: an account delegated "Create Computer objects" on the target OU is enough, and it is the safer choice because its credentials are typed on the Linux host.

Have that user name and password at hand, then run the following command to join the CentOS 8/RHEL 8 Linux system to the Active Directory domain.

$ sudo realm join example.com -U Administrator
Password for Administrator:

Replace Administrator with your AD join account and enter the password when prompted; let realm prompt for it rather than putting it on the command line, where it would end up in the shell history and process list. To place the computer object in a specific OU rather than the default Computers container, add --computer-ou with the OU's distinguished name, for example --computer-ou 'OU=Linux,DC=example,DC=com'. Confirm the join succeeded:

$ sudo realm list
example.com
  type: kerberos
  realm-name: EXAMPLE.COM
  domain-name: example.com
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@%d
  login-policy: allow-realm-logins

Once the machine is joined, select the SSSD authselect profile with the mkhomedir feature so that a home directory is created on first login, and enable oddjobd, which pam_oddjob_mkhomedir depends on (--force lets authselect overwrite the profile realmd selected during the join):

$ sudo authselect select sssd with-mkhomedir --force
$ sudo systemctl enable --now oddjobd

The sssd.conf that realmd wrote should look like this (it is readable by root only):

$ sudo cat /etc/sssd/sssd.conf
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
default_domain_suffix = example.com

[nss]
homedir_substring = /home

[pam]

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

Restart the service after any change to the configuration file. Keep the file owned by root with mode 0600; SSSD refuses to start if anyone else can read it.

sudo systemctl restart sssd

The service should be active (running).

$ systemctl status sssd
 ● sssd.service - System Security Services Daemon
    Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
    Active: active (running) since Fri 2019-09-27 22:30:25 EAT; 37min ago
  Main PID: 32474 (sssd)
    CGroup: /system.slice/sssd.service
            ├─32474 /usr/sbin/sssd -i --logger=files
            ├─32478 /usr/libexec/sssd/sssd_be --domain example.com --uid 0 --gid 0 --logger=files
            ├─32479 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
            └─32480 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
...

If the integration works, AD user lookups succeed. With use_fully_qualified_names = True, SSSD names every user user@domain; the short name works here only because default_domain_suffix = example.com fills in the domain.

$ id jmutai
uid=1783929917(jmutai@example.com) gid=1784800513(domain users@example.com) groups=1783870513(domain users@example.com)
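realm list and id only show that realmd wrote its configuration and that SSSD can read identities. The script below, an added example that is not part of the original guide, checks what actually matters after a join: that /etc/krb5.keytab holds the machine principals adcli creates, that the domain controller accepts the machine key (kinit -k), that the keytab is not world-readable, and that SSSD reports the domain online (sssctl comes from the sssd-tools package). The host name master.example.com and the user jmutai in the usage line are taken from the guide's own output; the parsing helpers take klist output as an argument so they can be tested with constructed text.

```shell
#!/bin/sh
# Post-join verification (added example, not from the guide). `realm list` only
# shows that realmd wrote its configuration; these checks prove the machine
# account in /etc/krb5.keytab is usable and that SSSD resolves domain identities.

# expected_principals FQDN REALM: the two entries adcli always creates for a joined
# host: the computer account HOST$ and the host/ service principal.
expected_principals() {
    short=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$short" "$2"
    printf 'host/%s@%s\n' "$1" "$2"
}

# keytab_principals KLIST_OUTPUT: distinct principals from `klist -k`, whose data
# lines look like "   2 MASTER$@EXAMPLE.COM" (kvno, principal).
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && NF == 2 { print $2 }' | sort -u
}

# keytab_has_all KLIST_OUTPUT FQDN REALM: fail on the first expected principal
# missing from the keytab and say which one.
keytab_has_all() {
    have=$(keytab_principals "$1")
    for p in $(expected_principals "$2" "$3"); do
        if ! printf '%s\n' "$have" | grep -qxF "$p"; then
            printf 'FAIL keytab lacks %s\n' "$p"
            return 1
        fi
    done
    printf 'ok   keytab holds the machine principals\n'
}

# verify FQDN DOMAIN USER: run as root on the joined client.
verify() {
    fqdn=$1; domain=$2; user=$3; rc=0
    realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')

    keytab_has_all "$(klist -k /etc/krb5.keytab 2>/dev/null)" "$fqdn" "$realm" || rc=1

    # The keytab is the machine password; nobody but root may read it.
    if [ "$(stat -c '%a' /etc/krb5.keytab 2>/dev/null)" != 600 ]; then
        printf 'FAIL /etc/krb5.keytab must be mode 0600\n'; rc=1
    fi

    # Ask the DC for a TGT with the machine key: proves the account exists, is
    # enabled, and the key in the keytab matches the one stored in AD.
    if kinit -k "$short\$@$realm" 2>/dev/null; then
        printf 'ok   TGT obtained as %s$\n' "$short"
        kdestroy -q
    else
        printf 'FAIL kinit -k %s$@%s failed (wrong key, disabled account or clock skew)\n' "$short" "$realm"
        rc=1
    fi

    # SSSD side: the domain is online and a real user resolves through NSS.
    sssctl domain-status "$domain" 2>/dev/null | grep -q 'Online status: Online' \
        || { printf 'FAIL sssctl reports domain %s offline\n' "$domain"; rc=1; }
    getent passwd "$user@$domain" >/dev/null \
        || { printf 'FAIL getent cannot resolve %s@%s\n' "$user" "$domain"; rc=1; }
    return $rc
}

# Usage on the client: sudo sh verify-join.sh --run master.example.com example.com jmutai
if [ "${1:-}" = "--run" ]; then
    verify "$2" "$3" "$4"
fi
```

A kinit failure with a correct keytab almost always means the machine password in AD was reset (for instance by re-joining from another host with the same name) or the clock drifted; a failing getent with a healthy keytab points at the SSSD side, so check /var/log/sssd/sssd_example.com.log next.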

Restrict access to specific users and groups

Access to the enrolled server can be limited to particular users and groups. Right after the join (login-policy: allow-realm-logins, access_provider = ad) every enabled account in the domain, service accounts included, can log in, so restricting access is normally the next step.

Restrict users

To allow users to log in over SSH and on the console, use:

$ sudo realm permit user1@example.com
$ sudo realm permit user1@example.com user2@example.com

Examples of allowing groups (-g tells realm to treat the names as groups; without it they are looked up as users):

$ sudo realm permit -g sysadmins
$ sudo realm permit -g 'Security Users'
$ sudo realm permit -g 'Domain Users' 'admin users'

This modifies sssd.conf: access_provider is switched to simple and the names are recorded in simple_allow_users / simple_allow_groups.

Conversely, to allow every domain user to log in, run:

$ sudo realm permit --all

To deny all domain users, use:

$ sudo realm deny --all
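Both the sssd.conf shown earlier and the realm permit/deny commands come down to a few keys in the [domain/...] section, and it is easy to end up with a file that lets in more people than intended. The audit below is an added example, not code from the guide or from realmd: it reads the file with a small awk ini reader and flags the world-readable file, an access_provider of simple with empty allow lists (which allows everyone), and the settings that merely deserve a conscious decision. The group name sysadmins@example.com used in the usage note is an assumption.

```shell
#!/bin/sh
# Audit /etc/sssd/sssd.conf for the settings that decide who may log in
# (added example, not from the guide). Needs only awk and stat.

# ini_get FILE SECTION KEY: value of KEY inside [SECTION], or nothing.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { l = $0; gsub(/[ \t]/, "", l); insec = (l == sec); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit }' "$1"
}

# audit_sssd_conf FILE: print FAIL/WARN/INFO lines; exit status = number of FAILs.
audit_sssd_conf() {
    conf=$1; fails=0

    # SSSD refuses to start unless the file is root-owned and unreadable by
    # others: it may carry bind credentials and it decides access policy.
    mode=$(stat -c '%a' "$conf")
    if [ "$mode" != 600 ]; then
        printf 'FAIL %s is mode %s, expected 0600 root:root\n' "$conf" "$mode"
        fails=$((fails + 1))
    fi

    # realmd writes one [domain/<name>] section per joined domain.
    domain=$(ini_get "$conf" sssd domains | cut -d, -f1 | tr -d ' ')
    sec="domain/$domain"
    ap=$(ini_get "$conf" "$sec" access_provider)
    users=$(ini_get "$conf" "$sec" simple_allow_users)
    groups=$(ini_get "$conf" "$sec" simple_allow_groups)

    case "$ap" in
        ad)
            # Honours AD account state (disabled, expired, logon hours) but lets
            # every enabled account in the domain log in, service accounts included.
            printf 'WARN access_provider = ad: any enabled %s account can log in; use realm permit -g <group> to restrict\n' "$domain"
            ;;
        simple)
            # realm permit switches to this provider. With both allow lists empty
            # the simple provider allows everyone, which is rarely what was meant.
            if [ -z "$users" ] && [ -z "$groups" ]; then
                printf 'FAIL access_provider = simple with no simple_allow_users/simple_allow_groups: everyone is allowed\n'
                fails=$((fails + 1))
            else
                printf 'ok   logins limited to users [%s] groups [%s]\n' "$users" "$groups"
            fi
            ;;
        deny)
            printf 'INFO access_provider = deny: all domain logins refused\n'
            ;;
        *)
            printf 'FAIL unexpected access_provider "%s" in [%s]\n' "$ap" "$sec"
            fails=$((fails + 1))
            ;;
    esac

    # cache_credentials keeps a password hash in /var/lib/sss/db for offline
    # logins; storing the password itself for later ticket renewal goes further.
    if [ "$(ini_get "$conf" "$sec" krb5_store_password_if_offline)" = True ]; then
        printf 'WARN krb5_store_password_if_offline = True keeps user passwords in the kernel keyring for offline ticket renewal\n'
    fi
    return $fails
}

# Usage on the client: sudo sh audit-sssd.sh /etc/sssd/sssd.conf
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    audit_sssd_conf "$1"
fi
```

Run it after every realm permit or deny; the exit status is the number of FAIL lines, so it drops straight into a configuration-management check.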

配置Sudo访问

By default domain users cannot escalate privileges to root. Grant sudo per user or per group, and keep the grants in a drop-in file rather than editing /etc/sudoers itself.

First create the file that holds the sudo grants. Use visudo -f so the file is syntax-checked before it is saved; a malformed file under /etc/sudoers.d can break sudo for everyone.

$ sudo visudo -f /etc/sudoers.d/domain_admins

Add a single user (names are fully qualified because use_fully_qualified_names is True):

jmutai@example.com        ALL=(ALL)       ALL

Add further users:

user1@example.com     ALL=(ALL)   ALL
user2@example.com     ALL=(ALL)   ALL

Add a group:

%sysadmins@example.com     ALL=(ALL)   ALL

Add a group whose name has two or three words; escape each space with a backslash:

%security\ users@example.com       ALL=(ALL)       ALL
%system\ super\ users@example.com ALL=(ALL)       ALL
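The escaping above is the part people get wrong, and a typo in /etc/sudoers.d is discovered only when sudo stops working. The script below is an added example, not from the guide: it renders the rules from plain AD names (qualifying them with the domain and escaping spaces), has visudo parse the result, and only then installs the file with the 0440 mode sudo expects. The names jmutai, sysadmins, security users and system super users are the guide's own examples; the file name domain_admins matches the guide.

```shell
#!/bin/sh
# Render and safely install sudo rules for AD principals
# (added example, not from the guide).

# sudoers_name NAME DOMAIN: the fully-qualified form SSSD exposes when
# use_fully_qualified_names = True, with every space in an AD group name escaped
# so sudoers does not read "security users" as two separate words.
sudoers_name() {
    printf '%s@%s' "$(printf '%s' "$1" | sed 's/ /\\ /g')" "$2"
}

# One sudoers line for a user or for a group (the leading % marks a group).
sudo_rule_user()  { printf '%s ALL=(ALL) ALL\n' "$(sudoers_name "$1" "$2")"; }
sudo_rule_group() { printf '%%%s ALL=(ALL) ALL\n' "$(sudoers_name "$1" "$2")"; }

# install_sudoers FILE RULE...: stage the rules, let visudo parse them, and only
# then install with the 0440 mode sudo insists on. A broken file under
# /etc/sudoers.d can disable sudo for everyone, so never write it directly.
install_sudoers() {
    target=$1; shift
    tmp=$(mktemp) || return 1
    printf '%s\n' "$@" >"$tmp"
    if ! visudo -c -q -f "$tmp"; then
        printf 'refusing to install %s: visudo rejected the rules\n' "$target" >&2
        rm -f "$tmp"
        return 1
    fi
    install -o root -g root -m 0440 "$tmp" "$target" && rm -f "$tmp"
}

# Usage on the client (as root): sh ad-sudoers.sh --run
if [ "${1:-}" = "--run" ]; then
    if install_sudoers /etc/sudoers.d/domain_admins \
        "$(sudo_rule_user jmutai example.com)" \
        "$(sudo_rule_group sysadmins example.com)" \
        "$(sudo_rule_group 'security users' example.com)" \
        "$(sudo_rule_group 'system super users' example.com)"; then
        # Ask sudo itself what it would grant; this is the authoritative check.
        sudo -l -U jmutai@example.com
    fi
fi
```

sudo -l -U user@example.com is the check worth remembering: it shows the rules exactly as sudo's own parser resolved them, group membership included, without having to log in as that user.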

Test SSH access

Log in remotely as an AD user who is permitted to log in. Because the fully-qualified login name itself contains an @, the SSH target reads user@domain@host; ssh splits on the last @:

$ ssh jmutai@example.com@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:wmWcLi/lijm4zWbQ/Uf6uLMYzM7g1AnBwxzooqpB5CU.
ECDSA key fingerprint is MD5:10:0c:cb:22:fd:28:34:c6:3e:d7:68:15:02:f9:b4:e9.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.