Ubuntu 20: joining a Windows AD domain

    Ubuntu Join in Active Directory Domain
    Reposted from https://www.server-world.info/en/note?os=Ubuntu_20.04&p=realmd
    This is an excellent site, https://www.server-world.info/en, and it seems to be made by a Japanese person;
    it is put together very carefully, so it deserves a thumbs up, and I recommend bookmarking it.

    Besides the link above, this article also draws on: https://computingforgeeks.com/join-ubuntu-debian-to-active-directory-ad-domain/

    I recommend going to the original links; this article is only kept for my own collection.

    Ubuntu: Join in Active Directory Domain

    Join in Windows Active Directory Domain with Realmd.
    This tutorial needs Windows Active Directory Domain Service in your LAN.
    This example shows how to configure it on the environment below.
    Domain Server : Windows Server 2019
    NetBIOS Name : FD3S01
    Domain Name : srv.world
    Realm : SRV.WORLD
    Hostname : fd3s.srv.world
    [1] Install some required packages.

    root@dlp:~# sudo apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
    

    [2] Join in Windows Active Directory Domain.

    # change DNS settings to refer to AD
    root@dlp:~# vi /etc/netplan/01-netcfg.yaml
        nameservers:
            addresses: [10.0.0.100]
    
    root@dlp:~# netplan apply
    # discover Active Directory domain
    root@dlp:~# realm discover SRV.WORLD
    srv.world
      type: kerberos
      realm-name: SRV.WORLD
      domain-name: srv.world
      configured: no
      server-software: active-directory
      client-software: sssd
      required-package: sssd-tools
      required-package: sssd
      required-package: libnss-sss
      required-package: libpam-sss
      required-package: adcli
      required-package: samba-common-bin
    
    # join in Active Directory domain
    root@dlp:~# realm join SRV.WORLD
    Password for Administrator:   # AD Administrator password
    # verify it's possible to get an AD user info or not
    root@dlp:~# id Serverworld@srv.world
    uid=199601103(serverworld@srv.world) gid=199600513(domain users@srv.world) groups=199600513(domain users@srv.world)
    
    # change setting if you need
    root@dlp:~# vi /etc/pam.d/common-session
    # add to the end (create Home Dir automatically when initial login)
    session optional        pam_mkhomedir.so skel=/etc/skel umask=077
    
    # verify it's possible to switch to an AD user or not
    root@dlp:~# su - Serverworld@srv.world
    Creating directory '/home/serverworld@srv.world'.
    serverworld@srv.world@dlp:~$     # just switched
    

    [3] If you'd like to omit domain name for AD user, configure like follows.

    root@dlp:~# vi /etc/sssd/sssd.conf   ## if you want the company name to stay visible in user names, you can leave this unchanged
    # line 16: change
    use_fully_qualified_names = False
    root@dlp:~# systemctl restart sssd
    root@dlp:~# id Administrator
    uid=199600500(administrator) gid=199600513(domain users) groups=199600513(domain users),199600572(denied rodc password replication group),199600519(enterprise admins),199600518(schema admins),199600520(group policy creator owners),199600512(domain admins)
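The output shown in steps [2] and [3] is worth checking by script rather than by eye. The following is an added example, not part of the original post and not realmd or SSSD code: it parses the `realm discover` listing, compares the required-package lines with a set of installed packages, parses `id` output, and lists AD account names that a local /etc/passwd entry would shadow once use_fully_qualified_names = False is set (nsswitch.conf on a joined Ubuntu host consults files before sss, so the local entry wins for a name that exists on both sides). The realm and id text are the ones quoted above; the package set and the passwd excerpt are constructed for the example, and all function names are my own.

```python
"""Post-join checks for a realmd/SSSD client (added example; not from the original post).

Every input is embedded sample text so the script runs offline; on a real host
feed it the live output of `realm discover`, `dpkg-query`, `id` and /etc/passwd.
"""
import re

# quoted from the post: `realm discover SRV.WORLD` before the join
REALM_DISCOVER = """\
srv.world
  type: kerberos
  realm-name: SRV.WORLD
  domain-name: srv.world
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
"""

# constructed: what `dpkg-query -W -f='${binary:Package}\n'` might list on a host
# that ran the apt line from step [1] but lost one package
INSTALLED = {"sssd", "sssd-tools", "libnss-sss", "libpam-sss", "adcli", "realmd",
             "oddjob", "oddjob-mkhomedir", "packagekit"}

# quoted from the post: `id Serverworld@srv.world` after the join
ID_OUTPUT = ("uid=199601103(serverworld@srv.world) gid=199600513(domain users@srv.world) "
             "groups=199600513(domain users@srv.world)")

# constructed /etc/passwd excerpt; note the local account named "administrator"
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dlpadmin:x:1000:1000::/home/dlpadmin:/bin/bash
administrator:x:1001:1001::/home/administrator:/bin/bash
"""


def parse_realm_discover(text):
    """Turn the `realm discover` listing into a dict; repeated keys become lists."""
    lines = text.splitlines()
    info = {"realm": lines[0].strip()}
    for line in lines[1:]:
        key, _, value = line.strip().partition(": ")
        if key == "required-package":
            info.setdefault("required-package", []).append(value)
        else:
            info[key] = value
    return info


def missing_packages(info, installed):
    """Packages realmd says it needs that the installed set does not contain."""
    return sorted(set(info.get("required-package", [])) - set(installed))


def parse_id(text):
    """Extract uid, gid and the group names from `id` output."""
    uid = int(re.search(r"uid=(\d+)", text).group(1))
    gid = int(re.search(r"gid=(\d+)", text).group(1))
    groups = re.findall(r"\d+\(([^)]+)\)", text.split("groups=", 1)[1])
    return uid, gid, groups


def name_collisions(passwd_text, ad_users):
    """AD user names that a local /etc/passwd account would shadow.

    SSSD's AD provider returns names in lower case (see the `id` output above),
    so the comparison is done on lower-cased AD names.
    """
    local = {line.split(":", 1)[0] for line in passwd_text.splitlines() if line}
    return sorted(local & {u.lower() for u in ad_users})


if __name__ == "__main__":
    info = parse_realm_discover(REALM_DISCOVER)
    print("configured:", info["configured"])
    print("missing packages:", missing_packages(info, INSTALLED))
    print("uid, gid, groups:", parse_id(ID_OUTPUT))
    print("AD names shadowed by local accounts:",
          name_collisions(PASSWD, ["Administrator", "Serverworld"]))
```

A non-empty collision list is the signal to keep fully qualified names, or to rename the local account, before switching use_fully_qualified_names off in step [3].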
    

    Configure Sudo Access
    By default Domain users won’t have permission to escalate privilege to root. Users have to be granted access based on usernames or groups.
    By default, domain users and groups have no sudo rights.
    Let’s first create the sudo permissions grants file.

    $ sudo vi /etc/sudoers.d/domain_admins   # sudo visudo -f /etc/sudoers.d/domain_admins also works and syntax-checks the file on save

    Add single user:

    user1@srv.world ALL=(ALL) ALL

    Add another user:

    user1@srv.world     ALL=(ALL)   ALL
    user2@srv.world     ALL=(ALL)   ALL
    

    Add a group:

    %group1@srv.world ALL=(ALL) ALL

    Add a group whose name consists of two or three words; each space in the name must be escaped with a backslash, otherwise the line does not parse:

    %security\ users@srv.world       ALL=(ALL)       ALL
    %system\ super\ admins@srv.world ALL=(ALL)       ALL
    

    I ran into a problem with GUI login and am not sure of the exact cause.
    You can continue by referring to
    https://www.unixmen.com/how-to-join-an-ubuntu-desktop-into-an-active-directory-domain/

    Commonly used Ubuntu packages

    sudo apt install dnsutils openssh-server net-tools vim -y
    

    Explanation of the sudoers file and the visudo command
    Granting privileges to ordinary users:

    #
    # This file MUST be edited with the 'visudo' command as root.
    #
    # Please consider adding local content in /etc/sudoers.d/ instead of
    # directly modifying this file.
    #
    # See the man page for details on how to write a sudoers file.
    #
    Defaults	env_reset
    Defaults	mail_badpass
    Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
    # Host alias specification
    # User alias specification
    # Cmnd alias specification
    # User privilege specification
    root	ALL=(ALL:ALL) ALL
    # Members of the admin group may gain root privileges
    %admin ALL=(ALL) ALL
    # Allow members of group sudo to execute any command
    %sudo	ALL=(ALL:ALL) ALL
    # See sudoers(5) for more information on "#include" directives:
    #includedir /etc/sudoers.d
    testuser   ALL=(root) /usr/sbin/useradd         # newly added line for user testuser
    %testgroup ALL=(ALL:ALL) NOPASSWD:ALL          # newly added line for group testgroup
    
    Explanation:
    First field: root is the user allowed to run sudo;
    Second field: the first ALL is the set of hosts on which sudo may be used, and the ALL in parentheses is the identity (target user) the command runs as after sudo;
    Third field: ALL is the set of commands sudo is allowed to run;
    

    Explanation of the line above: testuser ALL=(root) /usr/sbin/useradd
    means that the testuser user, on any host, is allowed to run /usr/sbin/useradd as root.

    %ubuntu ALL=(ALL:ALL) NOPASSWD:ALL,!/bin/bash,!/bin/tcsh,!/bin/su,!/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,!/bin/cat /etc/sudoers,!/bin/vi /etc/sudoers,!/bin/vim /etc/sudoers,!/usr/bin/vim /etc/sudoers,!/usr/sbin/visudo,!/usr/bin/sudo -i
    

    With the directive above, create a user group named ubuntu and give its members sudo rights, but without letting them change other users' passwords or edit the sudoers configuration at will.
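The rules in this section (the group names with spaces under Configure Sudo Access, the testuser and testgroup lines, and the long %ubuntu rule) share a few pitfalls: a group name with an unescaped space does not parse, a command written without an absolute path is a syntax error, and sudoers(5) itself states that subtracting commands from ALL with "!" is not an effective restriction, because a user may copy the excluded binary to another name and run that instead. The following linter is an added example, not code from the original post or from the sudo project: it handles only the subset of the sudoers grammar used on this page, its rule list mixes lines quoted from the page with a corrected form of the group line, and all function names are my own.

```python
"""Lint sudoers user-specification lines for the pitfalls discussed in this post.

Added example; not part of the original post or of sudo. Grammar subset handled:
    User_List Host_List=(Runas_List) [Tag:]... Cmnd_List
"""
import re

# The user field may contain "\ " (backslash-space), which is how sudoers escapes
# a space inside a group name such as %security\ users.
SPEC_RE = re.compile(
    r'^(?P<user>(?:\\.|\S)+)\s+(?P<host>\S+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$'
)
TAG_RE = re.compile(r'^(?:(?:NO)?(?:PASSWD|EXEC|SETENV|FOLLOW|MAIL|LOG_INPUT|LOG_OUTPUT):\s*)+')
ALIAS_RE = re.compile(r'^[A-Z][A-Z0-9_]*$')   # Cmnd_Alias names and ALL


def split_cmnds(cmds):
    """Return [(negated, command_path), ...] for a comma-separated Cmnd_List."""
    out = []
    for item in cmds.split(','):
        item = TAG_RE.sub('', item.strip())          # drop NOPASSWD: and similar tags
        negated = item.startswith('!')
        item = item.lstrip('!').strip()
        path = item.split()[0] if item else ''       # keep the command, drop its arguments
        out.append((negated, path))
    return out


def lint_rule(line):
    """Return a list of human-readable problems found in one sudoers rule."""
    problems = []
    rule = line.strip()
    if not rule or rule.startswith('#'):
        return problems
    m = SPEC_RE.match(rule)
    if not m:
        lhs = rule.split('=', 1)[0]
        if rule.startswith('%') and ' ' in lhs.strip():
            problems.append('group name contains an unescaped space; write it as '
                            r'"%security\ users@realm" or quote the whole name')
        else:
            problems.append('rule does not parse')
        return problems
    cmds = split_cmnds(m.group('cmds'))
    positives = [p for neg, p in cmds if not neg]
    negatives = [p for neg, p in cmds if neg]
    for _, p in cmds:
        if not (p in ('ALL', 'sudoedit') or p.startswith('/') or ALIAS_RE.match(p)):
            problems.append(f'command "{p}" is not an absolute path; visudo rejects it')
    if 'ALL' in positives and negatives:
        problems.append('"ALL" minus "!" exclusions is not an effective restriction '
                        '(sudoers(5)): a copy of the excluded binary under another path is still allowed')
    if 'ALL' in positives and 'NOPASSWD:' in m.group('cmds'):
        problems.append('NOPASSWD with ALL grants passwordless root to every listed principal')
    return problems


def lint_file(text):
    """Lint every rule in a sudoers fragment; returns {line_number: problems}."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        found = lint_rule(line)
        if found:
            report[n] = found
    return report


# rules quoted from this post, plus one corrected form of the spaced group name
PAGE_RULES = [
    'testuser   ALL=(root) /usr/sbin/useradd',
    '%testgroup ALL=(ALL:ALL) NOPASSWD:ALL',
    '%security users@srv.world       ALL=(ALL)       ALL',
    r'%security\ users@srv.world     ALL=(ALL)       ALL',
    '%ubuntu ALL=(ALL:ALL) NOPASSWD:ALL,!/bin/bash,!/bin/tcsh,!/bin/su,!/usr/bin/passwd [A-Za-z]*,'
    '!/usr/bin/passwd root,!cat /etc/sudoers,!/bin/vi /etc/sudoers,!/usr/sbin/visudo,!/usr/bin/sudo -i',
]

if __name__ == '__main__':
    for n, probs in lint_file('\n'.join(PAGE_RULES)).items():
        print(f'line {n}:')
        for p in probs:
            print('   ', p)
```

On a real host, run it over the files in /etc/sudoers.d before relying on visudo alone: visudo -cf checks syntax, but it says nothing about the ineffective-negation and NOPASSWD:ALL findings.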

    sudo usermod -a -G adm,cdrom,sudo,dip,plugdev,lpadmin,lxd,sambashare testuser
    Add the user testuser to some groups.

    Delete the redundant local administrator users; before deleting them, change the root password and make sure you remember it.

    Original article: https://www.cnblogs.com/faberbeta/p/14037574.html