1.debian 需要安装的软件:
apt install sssd sssd-ad sssd-ldap sssd-krb5 libnss-winbind libnss-sss libpam-sss realmd
winbind ldap-utils libpam-ldap libnss-ldap sssd-tools sssd libnss-sss libpam-sss adcli oddjob oddjob-mkhomedir
libnss-sss libpam-sss adcli sssd-tools sssd samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
如果出现获取不到 Id 的 bug(缺少 libnss-winbind,见第 13 节末尾),再安装:
apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
apt-get install krb5-kdc krb5-admin-server
Debian 加入 Windows Server 的 AD 域,前提是已安装 Windows Server 并开启 AD 域功能;本机采用 PAM 认证。
2.AD域配置如下:
AD域服务器域名:test-ads.local
AD域服务器地址:192.168.44.100
FQDN(Fully qualified domain name,完整域名,即域控制器的完整主机名):ads1.test-ads.local
DNS 服务器:192.168.44.100,即能解析域控制器 IP 地址的 DNS 服务器地址,通常与 AD 域服务器地址或 FQDN 一致。可以修改 /etc/resolv.conf,
在第一行写入此处配置的 DNS 地址,目标是能 ping 通域名 test-ads.local 和 FQDN ads1.test-ads.local。
如果私人搭建的 AD 域没有 DNS 服务器,可改为在 /etc/hosts 中添加如下内容:
192.168.44.100 ads1.test-ads.local test-ads.local
3.修改 /etc/sssd/sssd.conf(该文件需为 root 所有、权限 0600,否则 sssd 可能拒绝启动),然后启动 systemctl start sssd,
并设置开机启动 systemctl enable sssd。
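[sssd]
# The value of `domains` must match the [domain/...] section name below.
# sssd.conf only accepts whole-line comments (# or ;); a trailing "# ..."
# after a value becomes part of the value, so all comments live on their own
# lines here.
domains = ug-ads.local
config_file_version = 2
services = nss, pam

[domain/ug-ads.local]
ad_server = test-ads.local
ad_domain = test-ads.local
# NOTE(review): Kerberos realm names are case-sensitive and /etc/krb5.conf
# defines the realm as TEST-ADS.LOCAL; confirm whether this should match it.
krb5_realm = test-ads.local
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
# Whether users must log in with the fully qualified name (user@domain);
# pending product confirmation.
use_fully_qualified_names = true
# Home directory template; pending product confirmation.
# %u expands to the login name and %d to the sssd domain name.
fallback_homedir = /home/%u@%d
# NOTE(review): the simple access provider with no simple_allow_users /
# simple_allow_groups rules permits every domain user to log in.
access_provider = simple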
4.修改krb5配置
/etc/krb5.conf 如下
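[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = TEST-ADS.LOCAL
# KDC and realm mapping are given statically in [realms] and [domain_realm]
# below, so DNS SRV/TXT lookups are disabled.
dns_lookup_kdc = false
dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
# NOTE(review): rc4-hmac is a deprecated, weak encryption type (RFC 8429);
# prefer the AES types from the commented list below when the DC supports them.
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac
permitted_enctypes = rc4-hmac aes128-cts
#supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal
# Prefer TCP over UDP for any KDC message larger than 1 byte.
udp_preference_limit = 1
kdc_timeout = 6000

[realms]
# NOTE(review): section 2 lists the domain controller at 192.168.44.100;
# confirm which address is the KDC.
TEST-ADS.LOCAL = {
kdc = 192.168.44.178
admin_server = 192.168.44.178
}

[domain_realm]
# Map the DNS domain to the Kerberos realm. The right-hand side is a realm
# name, which is case-sensitive and must match the [realms] entry above
# (the previous value ug-ads.local named no configured realm).
.test-ads.local = TEST-ADS.LOCAL
test-ads.local = TEST-ADS.LOCAL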
5.修改 /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
# User, group and shadow lookups: local files first, then sssd, then winbind.
# sss answers before winbind, so winbind is only consulted for names sssd
# does not know.
passwd: files sss winbind
group: files sss winbind
shadow: files sss winbind
gshadow: files
# NOTE(review): the AD domain used here ends in .local, which mdns4_minimal
# handles; with [NOTFOUND=return] an unresolved mDNS query may stop the lookup
# before dns is consulted. Verify with `getent hosts test-ads.local`, or rely
# on the /etc/hosts entry from section 2 (files is searched first).
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
automount: sss
6. 在 /etc/samba/smb.conf 中添加 include = /etc/samba/smb-ads.conf,并新增配置文件 smb-ads.conf;
或者分两层引用:smb.conf 中写 include = /etc/samba/smb-aaa.conf,
再在 smb-aaa.conf 中写 include = /etc/samba/smb-ads.conf
或者
include = /etc/samba/smb-ldap.conf。
smb-ads.conf 内容如下:
# Join as an AD domain member and authenticate with Kerberos using the
# machine keytab.
security = ads
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
realm = TEST-ADS.LOCAL
template shell = /bin/bash
winbind offline logon = true
# NOTE(review): enumerating all users/groups is expensive on large domains;
# wbinfo -u / -g in section 10 rely on it, but consider disabling in
# production.
winbind enum users = Yes
winbind enum groups = Yes
winbind separator = /
# NOTE(review): winbind allocates UIDs/GIDs from this tdb range independently
# of sssd's ldap_id_mapping; with both sss and winbind in nsswitch.conf the
# same account may receive a different ID from each source — confirm which
# one owns files and home directories.
idmap config * : range = 1000000-1999999
idmap config * : backend = tdb
# Domain users may log in without the DOMAIN/ prefix; note that sssd.conf
# sets use_fully_qualified_names = true, the opposite convention.
winbind use default domain = yes
winbind use krb5 enterprise principals = yes
winbind scan trusted domains = Yes
然后启动 systemctl start smbd
开机启动systemctl enable smbd
然后启动 systemctl start winbind
开机启动systemctl enable winbind
验证域用户登录:su test1@test-ads.local
7.pam-auth-update 命令会修改 /etc/pam.d/common-auth 等文件,执行:
pam-auth-update --enable mkhomedir
pam-auth-update --enable sss
pam-auth-update --enable winbind
pam-auth-update --remove mkhomedir
8.生成 /etc/krb5.keytab
有些机器可能报错没有 /etc/krb5.keytab
net ads keytab create -U administrator%Admin123 # 用户%密码;省略 %密码 时会交互式提示输入,可避免密码留在 shell 历史和 ps 输出中
9.加入 AD 域前先与域控制器同步时间(Kerberos 认证要求两端时钟偏差在允许范围内):
ntpdate 192.168.44.100
10.加入ADS域
net ads join -U administrator%Admin123
或者
net ads join -S ads1.test-ads.local -W test-ads.local -U administrator%Admin123 -I 192.168.44.178
加入后验证,获取用户和组列表:
wbinfo -u 获取 所有用户列表
wbinfo -g 获取 所有用户组列表
getent passwd 获取 所有用户id
getent group 获取 所有用户组id
11.离开AD域
net ads leave -U administrator%Admin123
12.Ldapsearch
ldapsearch -x -h ads1.ug-ads.local -p 389 -D "administrator@ug-ads.local" -w 'Admin123' -b "dc=ug-ads,dc=local"(用 -W 代替 -w '密码' 可交互式输入密码)
13.其他命令:用 realmd 和 sssd 加入 AD 域
realm join ug-ads.local -U 'administrator@UG-ADS.LOCAL'
提示 realm: Couldn’t join realm: Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli oddjob oddjob-mkhomedir
libnss-sss libpam-sss adcli sssd-tools sssd samba krb5-config krb5-user winbind libpam-winbind libnss-winbind
realm discover ug-ads.local
realm list
realm leave
realm: Couldn’t join realm: Necessary packages are not installed: sssd-tools sssd libnss-sss libpam-sss adcli
获取不到 Id 的 bug 是因为缺少 libnss-winbind,安装:
apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind