  Joining a Linux server to an AD domain (sssd): SSH login to the domain-joined server as a domain user

    Domain controller setup: see https://www.cnblogs.com/taosiyu/p/12009120.html

    DC full computer name: WIN-3PLKM2PLE6E.zhihu.test.com

    Domain: zhihu.test.com

    Domain admin (the account used for the join): kingsoft

    Regular user: zhangmingda

    Regular group: dev

    DC IP: 192.168.3.3

    Note: the DC also serves as the DNS server. realmd and Kerberos locate the DC through the domain's DNS SRV records, which is why the resolver is pointed at it below.

    Linux server:

    [root@vm192-168-8-27 zhangmingda]# cat /etc/redhat-release 
    CentOS Linux release 7.7.1908 (Core)

    Steps:

    Install the required packages. realmd's own required-package list (shown by `realm list` after the join) is oddjob, oddjob-mkhomedir, sssd, adcli and samba-common-tools; the samba server package is only needed if this host will also export SMB shares:

    yum install -y krb5-workstation realmd sssd samba-common adcli oddjob oddjob-mkhomedir samba samba-common-tools

    Edit /etc/resolv.conf so that the first nameserver is the DC. Note the header of the file below: it was written by dhclient-script, so a DHCP lease renewal will overwrite the edit; on CentOS 7 set DNS1=192.168.3.3 (or PEERDNS=no) in the interface's ifcfg file so the change survives.

    [root@vm192-168-8-27 zhangmingda]# cat /etc/resolv.conf 
    ; generated by /usr/sbin/dhclient-script
    nameserver 192.168.3.3
    nameserver 198.18.254.31
    [root@vm192-168-8-27 zhangmingda]# 

    Edit /etc/hosts and add the DC's IP and FQDN. With DNS pointed at the DC this entry is redundant, but it keeps name resolution of the DC working if the resolver entry is lost.

    [root@vm192-168-8-27 zhangmingda]# cat /etc/hosts
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.3.3 WIN-3PLKM2PLE6E.zhihu.test.com
    [root@vm192-168-8-27 zhangmingda]# 

    Join the Linux machine to the domain. `realm join` accepts either the domain name or, as here, a specific DC; -U names the AD account used for the join, which must be allowed to create the computer object:

    # realm join WIN-3PLKM2PLE6E.zhihu.test.com -U kingsoft
    Password for kingsoft: 

    The join succeeded: `realm list` now shows the domain with the host configured as a kerberos-member. Note login-policy: allow-realm-logins, meaning at this point every account in the domain may log in.

    [root@vm192-168-8-27 zhangmingda]# realm list
    zhihu.test.com
      type: kerberos
      realm-name: ZHIHU.TEST.COM
      domain-name: zhihu.test.com
      configured: kerberos-member
      server-software: active-directory
      client-software: sssd
      required-package: oddjob
      required-package: oddjob-mkhomedir
      required-package: sssd
      required-package: adcli
      required-package: samba-common-tools
      login-formats: %U
      login-policy: allow-realm-logins
    [root@vm192-168-8-27 zhangmingda]# 
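    Before repeating the join on another host, it is worth checking the three things this procedure set up by hand: the DC is the first resolver, the domain's SRV records resolve to a DC that is reachable on the Kerberos and LDAP ports, and the clock is within Kerberos' 300-second skew tolerance. The script below is an added example, not part of the original post or of realmd. It assumes dig (bind-utils), bash and chronyc are available on the host; the domain and DC address in the usage line are the post's own.

```shell
#!/bin/sh
# Pre-join checks for a realmd/sssd AD join. Added example, not from the original post.
# Assumes: dig (bind-utils) and bash are installed; chronyc is optional.

# Reduce `dig +short SRV` output ("prio weight port target.") to "port target",
# lowest priority first, trailing dot stripped. Lines of any other shape are ignored.
srv_targets() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $3, $4 }' | sort -n | cut -d' ' -f2,3
}

# 0 if the first nameserver in FILE is DC_IP, 1 otherwise. The post's resolv.conf
# was written by dhclient-script, so a lease renewal can silently undo the edit.
dc_is_first_resolver() {
    first=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first" = "$2" ]
}

# SRV records a DC registers and realmd/adcli query during discovery.
srv_record_names() {
    printf '%s\n' "_ldap._tcp.dc._msdcs.$1" "_kerberos._tcp.dc._msdcs.$1" "_kerberos._udp.$1"
}

# TCP reachability without depending on a particular nc flavour (uses bash's /dev/tcp).
tcp_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Live check: prints one line per finding, returns 1 if anything failed.
preflight_join() {
    domain="$1"; dc_ip="$2"; rc=0
    dc_is_first_resolver /etc/resolv.conf "$dc_ip" ||
        { echo "FAIL: $dc_ip is not the first nameserver in /etc/resolv.conf"; rc=1; }
    for name in $(srv_record_names "$domain"); do
        targets=$(dig +short SRV "$name" | srv_targets)
        if [ -z "$targets" ]; then
            echo "FAIL: no SRV record for $name (is the resolver the DC, and does the DC run DNS?)"
            rc=1; continue
        fi
        # The while loop runs in a subshell, so a failure is reported through its exit status.
        echo "$targets" | while read -r port host; do
            if tcp_open "$host" "$port"; then
                echo "ok:   $name -> $host:$port reachable"
            else
                echo "FAIL: $name -> $host:$port not reachable"; exit 1
            fi
        done || rc=1
    done
    # Kerberos rejects requests once clock skew exceeds 300 s; show chrony's view of the offset.
    if command -v chronyc >/dev/null 2>&1; then
        chronyc tracking | grep -E 'System time|Leap status'
    else
        echo "warn: chronyc not found, verify NTP sync another way (Kerberos skew limit is 300 s)"
    fi
    return $rc
}

# Usage when run as a script: sh preflight.sh zhihu.test.com 192.168.3.3
if [ $# -eq 2 ]; then
    preflight_join "$1" "$2"
fi
```

    Run it as root on the host about to be joined; a FAIL on the SRV lookup almost always means the resolver edit did not take, which is also the most common reason `realm join` reports that it cannot discover the domain.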

    Permit the dev group to log in. `realm permit` does not add the group to the domain; it switches sssd's access policy to an allow list (access_provider = simple with simple_allow_groups), after which accounts not listed are denied:

    [root@vm192-168-8-27 zhangmingda]# realm permit -g dev@zhihu.test.com
    [root@vm192-168-8-27 zhangmingda]# 

    Domain accounts now resolve through NSS; the post checks several, including the kingsoft and zhangmingda accounts set up above. The large UIDs and GIDs come from ldap_id_mapping = True: sssd derives them deterministically from the objects' SIDs, so hosts with the same idmap settings agree on them, but they will not match any uidNumber attribute maintained in AD.

    [root@vm192-168-8-27 zhangmingda]# id zhangmingda@zhihu.test.com
    uid=1724201104(zhangmingda) gid=1724200513(domain users) groups=1724200513(domain users)
    [root@vm192-168-8-27 zhangmingda]# id zhudong@zhihu.test.com
    uid=1724201108(zhudong) gid=1724200513(domain users) groups=1724200513(domain users)
    [root@vm192-168-8-27 zhangmingda]# id kingsoft@zhihu.test.com
    uid=1724201000(kingsoft) gid=1724200513(domain users) groups=1724200513(domain users)
    [root@vm192-168-8-27 zhangmingda]# id administrator@zhihu.test.com
    uid=1724200500(administrator) gid=1724200513(domain users) groups=1724200513(domain users),1724200520(group policy creator owners),1724200519(enterprise admins),1724200512(domain admins),1724200572(denied rodc password replication group),1724200518(schema admins)
    [root@vm192-168-8-27 zhangmingda]#

    To resolve users without the domain suffix, edit /etc/sssd/sssd.conf and change use_fully_qualified_names from True to False. The file as shown also lists ops@zhihu.test.com in simple_allow_groups next to the dev group permitted above. Two caveats before making this change: a domain account that shares a name with a local account becomes ambiguous (with the usual `passwd: files sss` order the local entry wins), and if the host ever serves a forest with several domains, short names can collide across them.

    [root@vm192-168-8-27 zhangmingda]# cat /etc/sssd/sssd.conf 
    
    [sssd]
    domains = zhihu.test.com
    config_file_version = 2
    services = nss, pam
    
    [domain/zhihu.test.com]
    ad_server = win-3plkm2ple6e.zhihu.test.com
    ad_domain = zhihu.test.com
    krb5_realm = ZHIHU.TEST.COM
    realmd_tags = manages-system joined-with-adcli 
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = False 
    fallback_homedir = /home/%u@%d
    access_provider = simple
    simple_allow_groups = dev@zhihu.test.com, ops@zhihu.test.com
    [root@vm192-168-8-27 zhangmingda]# 

    Restart sssd and list the realm again. login-policy has changed to allow-permitted-logins, and the permitted groups are shown:

    [root@vm192-168-8-27 zhangmingda]# systemctl restart sssd
    [root@vm192-168-8-27 zhangmingda]# realm list
    zhihu.test.com
      type: kerberos
      realm-name: ZHIHU.TEST.COM
      domain-name: zhihu.test.com
      configured: kerberos-member
      server-software: active-directory
      client-software: sssd
      required-package: oddjob
      required-package: oddjob-mkhomedir
      required-package: sssd
      required-package: adcli
      required-package: samba-common-tools
      login-formats: %U
      login-policy: allow-permitted-logins
      permitted-logins: 
      permitted-groups: dev@zhihu.test.com, ops@zhihu.test.com
    [root@vm192-168-8-27 zhangmingda]#
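    The access_provider and simple_allow_groups lines are what actually restrict who may log in: sssd's default access_provider is permit, and a simple provider with no allow list admits everyone, while use_fully_qualified_names = False has the collision side effect described above. The checker below is an added example, not code from the post or from the sssd project. It reads an sssd.conf with awk and sh only and flags the weak combinations; the sample it is exercised against is the post's own configuration.

```shell
#!/bin/sh
# Audit an sssd.conf for permissive login settings. Added example, not from the post.
# Assumes an ini-style file as realmd writes it; only [domain/...] sections are examined.

# awk helper shared by the parsers below: strip leading/trailing blanks
_AWK_TRIM='function trim(x) { gsub(/^[ \t]+/, "", x); gsub(/[ \t]+$/, "", x); return x }'

# Print the value of KEY in [SECTION] of FILE, empty if absent. Accepts "k=v" and "k = v".
ini_get() {
    awk -v s="[$2]" -v k="$3" "$_AWK_TRIM"'
        /^[ \t]*\[/ { insec = (trim($0) == s); next }
        insec && index($0, "=") {
            n = index($0, "=")
            if (trim(substr($0, 1, n - 1)) == k) { print trim(substr($0, n + 1)); exit }
        }' "$1"
}

# List the domain sections of FILE, e.g. "domain/zhihu.test.com".
ini_domains() {
    awk "$_AWK_TRIM"'
        /^[ \t]*\[domain\// { t = trim($0); print substr(t, 2, length(t) - 2) }' "$1"
}

# Return 0 if every domain restricts logins, 1 if any domain lets all of AD in.
audit_sssd_conf() {
    file="$1"; rc=0
    doms=$(ini_domains "$file")
    [ -n "$doms" ] || { echo "FAIL: no [domain/...] section in $file"; return 1; }
    for dom in $doms; do
        ap=$(ini_get "$file" "$dom" access_provider)
        case "${ap:-permit}" in
            permit)
                echo "FAIL [$dom]: access_provider=${ap:-unset (defaults to permit)}: every AD account may log in"
                rc=1 ;;
            simple)
                groups=$(ini_get "$file" "$dom" simple_allow_groups)
                users=$(ini_get "$file" "$dom" simple_allow_users)
                if [ -z "$groups$users" ]; then
                    echo "FAIL [$dom]: access_provider=simple with no allow list admits everyone"; rc=1
                else
                    echo "ok   [$dom]: logins limited to groups='$groups' users='$users'"
                fi ;;
            ad)
                echo "ok   [$dom]: access_provider=ad (disabled, expired and locked AD accounts are rejected; GPO logon rights depend on ad_gpo_access_control)" ;;
            *)
                echo "info [$dom]: access_provider=$ap, review its policy by hand" ;;
        esac
        case "$(ini_get "$file" "$dom" use_fully_qualified_names)" in
            [Ff]alse)
                echo "warn [$dom]: use_fully_qualified_names=False: a domain account named like a local one is ambiguous (the local entry wins under 'passwd: files sss')" ;;
        esac
    done
    return $rc
}

# Usage: sh audit_sssd.sh /etc/sssd/sssd.conf
if [ $# -eq 1 ]; then
    audit_sssd_conf "$1"
fi
```

    On the configuration above it reports the domain as ok (limited to dev and ops) and warns about the short names; on a host where someone later deleted the simple_allow_groups line to "fix" a login problem, it fails, which is the case worth catching in a periodic host check.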

    Domain users are now resolved without the domain suffix:

    [root@vm192-168-8-27 zhangmingda]# id zhangmingda
    uid=1724201104(zhangmingda) gid=1724200513(domain users) groups=1724200513(domain users)
    [root@vm192-168-8-27 zhangmingda]#

    Log in over SSH as a domain user. The login works and the home directory exists (oddjob-mkhomedir creates it on first login, at the path given by fallback_homedir), but sudo is refused because the account is not in sudoers:

    [root@vm192-168-8-27 zhangmingda]# ssh zhangmingda@192.168.8.27
    zhangmingda@192.168.8.27's password: 
    Last login: Tue Nov 17 13:07:03 2020 from 192.168.8.27
    [zhangmingda@vm192-168-8-27 ~]$ ls
    [zhangmingda@vm192-168-8-27 ~]$  sudo su - root  
    
    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:
    
        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.
    
    [sudo] password for zhangmingda: 
    zhangmingda is not in the sudoers file.  This incident will be reported.
    [zhangmingda@vm192-168-8-27 ~]$

    Edit /etc/sudoers.d/waagent and add the users who need root. That file is the one the Azure Linux Agent manages (the ltsstone entry was already there); a dedicated drop-in created with `visudo -f /etc/sudoers.d/<name>` is safer, and granting the right to an AD group instead of listing users one by one keeps the policy in AD:

    [zhangmingda@vm192-168-8-27 ~]$ sudo cat /etc/sudoers.d/waagent
    ltsstone ALL=(ALL) ALL
    zhangmingda ALL=(ALL) ALL
    [zhangmingda@vm192-168-8-27 ~]$
    [zhangmingda@vm192-168-8-27 ~]$ sudo su - root
    Last login: Tue Nov 17 14:28:41 CST 2020 on pts/1
    [root@vm192-168-8-27 ~]# 
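    A group-based alternative to editing the agent's file by hand, as an added example that is not part of the post: the helper writes a `%group` rule for an AD group, escapes the spaces that AD group names such as domain users contain, sets the 0440 mode sudo expects, and runs visudo's syntax check before the file lands in /etc/sudoers.d (visudo also verifies ownership, so the check is only attempted as root). The group name dev is the post's; the drop-in file name ad-dev is an assumption, and the rule relies on the short group names that use_fully_qualified_names = False provides.

```shell
#!/bin/sh
# Grant sudo to an AD group through a /etc/sudoers.d drop-in. Added example, not from the post.
# Assumes sssd resolves the group by its short name (use_fully_qualified_names = False), as the
# post configured; with fully qualified names the rule would read %dev@zhihu.test.com instead.

# Emit one sudoers line for GROUP. Spaces in AD group names ("domain users") must be
# backslash-escaped, otherwise sudoers treats the space as the end of the user list.
sudoers_group_rule() {
    escaped=$(printf '%s' "$1" | sed 's/ /\\ /g')
    printf '%%%s ALL=(ALL) ALL\n' "$escaped"
}

# Write the rule for GROUP to TARGET (e.g. /etc/sudoers.d/ad-dev), atomically and only
# after visudo accepts it: one syntax error in a drop-in breaks sudo for every user.
install_sudoers_dropin() {
    group="$1"; target="$2"
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    sudoers_group_rule "$group" > "$tmp"
    chmod 0440 "$tmp"
    # visudo -c also checks owner and mode, which only root can satisfy for this path.
    if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
        if ! visudo -c -f "$tmp" >/dev/null; then
            echo "refusing to install $target: visudo rejected the rule" >&2
            rm -f "$tmp"; return 1
        fi
    fi
    mv "$tmp" "$target"
}

# Usage: sh ad_sudo.sh dev /etc/sudoers.d/ad-dev   (assumed file name)
if [ $# -eq 2 ]; then
    install_sudoers_dropin "$1" "$2"
fi
```

    After installing the drop-in, `sudo -l -U zhangmingda` shows the rule only while zhangmingda is a member of dev in AD; removing the user from the group in AD revokes root on every joined host without touching any of them.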
  Original post: https://www.cnblogs.com/zhangmingda/p/13994027.html