Ubuntu Join in Active Directory Domain
Reposted from https://www.server-world.info/en/note?os=Ubuntu_20.04&p=realmd
This is an excellent website, https://www.server-world.info/en, and it appears to be built by a Japanese author; it is put together very carefully, so it deserves a thumbs up and I recommend bookmarking it.
Besides the link above, this post also references: https://computingforgeeks.com/join-ubuntu-debian-to-active-directory-ad-domain/
I recommend reading the original links; this post is only for my personal reference.
ubuntu Join in Active Directory Domain
Join in Windows Active Directory Domain with Realmd.
This tutorial needs Windows Active Directory Domain Service in your LAN.
This example shows how to configure on the environment below.
Domain Server : Windows Server 2019
NetBIOS Name : FD3S01
Domain Name : srv.world
Realm : SRV.WORLD
Hostname : fd3s.srv.world
[1] Install some required packages.
root@dlp:~# sudo apt -y install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
[2] Join in Windows Active Directory Domain.
# change DNS settings to refer to AD
root@dlp:~# vi /etc/netplan/01-netcfg.yaml
nameservers:
  addresses: [10.0.0.100]
root@dlp:~# netplan apply
# discover Active Directory domain
root@dlp:~# realm discover SRV.WORLD
srv.world
type: kerberos
realm-name: SRV.WORLD
domain-name: srv.world
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
# join in Active Directory domain
root@dlp:~# realm join SRV.WORLD
Password for Administrator: # AD Administrator password
# verify that AD user info can be looked up
root@dlp:~# id Serverworld@srv.world
uid=199601103(serverworld@srv.world) gid=199600513(domain users@srv.world) groups=199600513(domain users@srv.world)
# change setting if you need
root@dlp:~# vi /etc/pam.d/common-session
# add to the end (create Home Dir automatically when initial login)
session optional pam_mkhomedir.so skel=/etc/skel umask=077
# verify that you can switch to an AD user
root@dlp:~# su - Serverworld@srv.world
Creating directory '/home/serverworld@srv.world'.
serverworld@srv.world@dlp:~$ # just switched
[3] If you'd like to omit the domain name for AD users, configure as follows.
root@dlp:~# vi /etc/sssd/sssd.conf ## if you want the company name to stay visible in user names, leave this unchanged
# line 16: change
use_fully_qualified_names = False
root@dlp:~# systemctl restart sssd
root@dlp:~# id Administrator
uid=199600500(administrator) gid=199600513(domain users) groups=199600513(domain users),199600572(denied rodc password replication group),199600519(enterprise admins),199600518(schema admins),199600520(group policy creator owners),199600512(domain admins)
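Steps [2] and [3] above edit two local files: the pam_mkhomedir line in /etc/pam.d/common-session and use_fully_qualified_names in /etc/sssd/sssd.conf. The bash functions below are an added example, not part of the server-world.info tutorial; they check those two settings offline against constructed sample files, and include a lookup of the _ldap._tcp.dc._msdcs SRV record that an AD client must be able to resolve (this uses dig from dnsutils, which is assumed to be installed, and is the reason the tutorial points DNS at the domain controller first).

```shell
#!/usr/bin/env bash
# Added example, not part of the server-world.info tutorial. Offline checks for the
# client-side settings edited in steps [2] and [3]; the sample configs are constructed.

# Print the effective use_fully_qualified_names value ("true"/"false") from an sssd.conf.
# sssd treats the option as True when it is absent, so the function does the same.
sssd_fqn_setting() {
    local conf="$1" value
    value=$(sed -n 's/^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    value=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')
    printf '%s\n' "${value:-true}"
}

# Succeed (exit 0) only when an active, uncommented session line loads pam_mkhomedir.so.
pam_mkhomedir_enabled() {
    grep -Eq '^[[:space:]]*session[[:space:]].*pam_mkhomedir\.so' "$1"
}

# Resolve the domain controller SRV record; needs dig (dnsutils), so it is not run offline.
ad_srv_record() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    dig +short SRV "_ldap._tcp.dc._msdcs.$1"
}

# Write constructed sample files into DIR so the checks can be exercised without AD.
make_sample_configs() {
    local dir="$1"
    cat > "$dir/sssd.conf" <<'EOF'
[sssd]
domains = srv.world
config_file_version = 2
services = nss, pam

[domain/srv.world]
id_provider = ad
use_fully_qualified_names = False
EOF
    # Default client config: pam_mkhomedir present only as a comment, so not active.
    cat > "$dir/common-session" <<'EOF'
session required pam_unix.so
session optional pam_sss.so
# session optional pam_mkhomedir.so
EOF
    # After step [2]'s edit: the tutorial's line appended at the end.
    cat > "$dir/common-session.fixed" <<'EOF'
session required pam_unix.so
session optional pam_sss.so
session optional pam_mkhomedir.so skel=/etc/skel umask=077
EOF
}

# Demo against the constructed files; prints "false", "missing", "enabled".
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
sssd_fqn_setting "$demo_dir/sssd.conf"
pam_mkhomedir_enabled "$demo_dir/common-session" && echo enabled || echo missing
pam_mkhomedir_enabled "$demo_dir/common-session.fixed" && echo enabled || echo missing
rm -rf "$demo_dir"
```

On a real client, point the functions at /etc/sssd/sssd.conf and /etc/pam.d/common-session, and run `ad_srv_record srv.world` before `realm discover`: an empty answer means the resolver is not the AD DNS yet, which is the usual cause of a failed discover.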
Configure Sudo Access
By default Domain users won’t have permission to escalate privilege to root. Users have to be granted access based on usernames or groups.
By default, domain users or groups have no permission to obtain sudo privileges.
Let's first create the file that grants sudo permissions.
$ sudo vi /etc/sudoers.d/domain_admins
Add a single user:
user1@srv.world ALL=(ALL) ALL
Add another user:
user1@srv.world ALL=(ALL) ALL
user2@srv.world ALL=(ALL) ALL
Add a group:
%group1@srv.world ALL=(ALL) ALL
Add a group whose name contains spaces (each space must be escaped with a backslash, as sudoers requires):
%security\ users@srv.world ALL=(ALL) ALL
%system\ super\ admins@srv.world ALL=(ALL) ALL
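AD group names with spaces are the usual stumbling block in these fragments, so here is a small generator, added as an example and not taken from computingforgeeks or the original post. It escapes the characters sudoers treats specially in a name, emits one rule per principal in the same form as the lines above, and offers a syntax check through visudo when it is available. The principal names and the fragment path /etc/sudoers.d/domain_admins are the ones used in this post.

```shell
#!/usr/bin/env bash
# Added example, not from computingforgeeks or the original post. Generates an
# /etc/sudoers.d fragment for AD principals; names are taken from the post above.

# Escape the characters sudoers treats specially inside a user or group name:
# backslash, space and comma. Group names such as "security users" need this.
sudoers_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/ /\\ /g; s/,/\\,/g'
}

# Emit one rule. $1 is "user" or "group", $2 the AD principal including the domain,
# $3 an optional tag such as "NOPASSWD:" (empty by default, so a password is required).
sudoers_rule() {
    local kind="$1" name="$2" tag="${3:-}" prefix=""
    if [ "$kind" = "group" ]; then
        prefix="%"
    fi
    printf '%s%s ALL=(ALL) %sALL\n' "$prefix" "$(sudoers_escape "$name")" "$tag"
}

# Build a fragment from "kind:name" entries, one rule per line.
sudoers_fragment() {
    local entry
    for entry in "$@"; do
        sudoers_rule "${entry%%:*}" "${entry#*:}"
    done
}

# Syntax-check a fragment with visudo when it is installed (run as root so the
# ownership check passes); otherwise report that the check was skipped.
validate_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$1"
    else
        echo "visudo not installed; syntax check skipped" >&2
        return 0
    fi
}

# Demo: the four principals from the post. To install, write this output to
# /etc/sudoers.d/domain_admins with mode 0440 and run validate_fragment on that file.
sudoers_fragment \
    user:user1@srv.world \
    group:group1@srv.world \
    "group:security users@srv.world" \
    "group:system super admins@srv.world"
```

Keep the default (no tag) unless there is a reason to grant NOPASSWD; and since /etc/sudoers.d is read by the `#includedir` directive, a fragment with a syntax error is skipped with a warning rather than breaking sudo, which is why the visudo check is worth running before relying on the grant.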
GUI login ran into a problem; the exact cause is unclear.
You can also refer to
https://www.unixmen.com/how-to-join-an-ubuntu-desktop-into-an-active-directory-domain/
Commonly used Ubuntu packages
sudo apt install dnsutils openssh-server net-tools vim -y
sudoers and the visudo command explained
Granting privileges to ordinary users:
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
testuser ALL=(root) /usr/sbin/useradd    # newly added line for user testuser
%testgroup ALL=(ALL:ALL) NOPASSWD:ALL    # newly added line for group testgroup
Notes:
First field: root is the user allowed to run sudo;
Second field: the first ALL is the hosts on which sudo may be used; the ALL in parentheses is the identity (target user) under which commands run after sudo;
Third field: ALL is the set of commands sudo is allowed to run;
Explanation of the line above: test ALL=(root) /usr/sbin/useradd
means that user test is allowed, from any host, to run /usr/sbin/useradd as root.
%ubuntu ALL=(ALL:ALL) NOPASSWD:ALL,!/bin/bash,!/bin/tcsh,!/bin/su,!/usr/bin/passwd [A-Za-z]*,!/usr/bin/passwd root,!/bin/cat /etc/sudoers,!/bin/vi /etc/sudoers,!/bin/vim /etc/sudoers,!/usr/bin/vim /etc/sudoers,!/usr/sbin/visudo,!/usr/bin/sudo -i
The directive above sets up an ubuntu user group whose members have sudo privileges, but are not allowed to change other users' passwords or tamper with the sudoers configuration.
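Two details in a rule of that shape are worth checking before it is installed, and they apply to any rule written as "who host=(runas) commands": every command must be a fully qualified path (sudoers does not accept a bare cat, and visudo -c reports it), and sudoers(5) states that subtracting commands from ALL with '!' is not an effective restriction, because the exclusion only matches the listed path while the grant still covers everything else. The bash audit below is an added example, not part of the original post; it runs these checks over rules constructed from the lines on this page and assumes each rule carries an explicit (runas) spec, as the rules here do.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post. Audits sudoers rules of the form
# "who host=(runas) commands" for three pitfalls; the sample rules are constructed
# from the lines in this post.

# Print one finding per line for a single rule; prints nothing when the rule is clean.
audit_sudoers_rule() {
    local rule="$1" cmds cmd
    local IFS=','
    cmds="${rule#*)}"        # the command list follows the "(runas)" spec
    cmds="${cmds# }"
    if printf '%s' "$cmds" | grep -q 'NOPASSWD:[[:space:]]*ALL'; then
        echo "nopasswd-all: every command runs as the target user without a password"
    fi
    if printf '%s' "$cmds" | grep -q '!'; then
        echo "negated-all: '!' exclusions from ALL only match the listed path, not the capability"
    fi
    for cmd in $cmds; do
        cmd="${cmd#"${cmd%%[![:space:]]*}"}"   # trim leading whitespace
        cmd="${cmd##*:}"                         # drop tags such as NOPASSWD:
        cmd="${cmd#!}"                           # drop the negation marker
        cmd="${cmd%% *}"                         # keep the command, not its arguments
        case "$cmd" in
            ALL|/*) ;;
            *) echo "relative-path: '$cmd' is not a fully qualified path; sudoers requires one" ;;
        esac
    done
    return 0
}

# Number of findings for a rule, as a plain integer on stdout.
count_findings() {
    audit_sudoers_rule "$1" | grep -c . || true
}

# Constructed from this post: the single-command rule and the '!'-based group rule.
RULE_USERADD='testuser ALL=(root) /usr/sbin/useradd'
RULE_UBUNTU='%ubuntu ALL=(ALL:ALL) NOPASSWD:ALL,!/bin/bash,!/bin/su,!cat /etc/sudoers,!/usr/sbin/visudo'

for r in "$RULE_USERADD" "$RULE_UBUNTU"; do
    echo "== $r"
    audit_sudoers_rule "$r"
done
```

The first rule produces no findings; the second produces three. The practical alternative to a '!' deny-list is the shape of the first rule: list the specific absolute commands the group needs and leave ALL out.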
sudo usermod -a -G adm,cdrom,sudo,dip,plugdev,lpadmin,lxd,sambashare testuser
Add user testuser to a set of groups.
Delete any extra local admin users; before deleting them, change the root password and make sure you remember it.