티스토리 뷰
반응형
1. pkg install
# yum install realmd oddjob oddjob-mkhomedir sssd adcli openldap-clients policycoreutils-python samba-common samba-common-tools krb5-workstation
2. realm list check
realm list
3. doamin discovery
# realm discover ad.example.com
ad.example.com
type: kerberos
realm-name: AD.EXAMPLE.COM
domain-name: ad.example.com
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
4. join domain
# realm join ad.example.com
Password for Administrator:
realm: Joined ad.example.com domain
5. /etc/krb5.conf
# cat /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default = DOMAIN.EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc=true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = DOMAIN.EXAMPLE.COM
[realms]
AD.EXAMPLE.COM = {
}
[domain_realm]
.domain.example.com = DOMAIN.EXAMPLE.COM
domain.example.com = DOMAIN.EXAMPLE.COM
6. Verify /etc/sssd/sssd.conf to have below entries.
# cat /etc/sssd/sssd.conf
[sssd]
domains = domain.example.com
config_file_version = 2
services = nss, pam
[domain/domain.example.com]
ad_domain = domain.example.com
krb5_realm = DOMAIN.EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = Fales
fallback_homedir = /home/%u # %u%d 설정으로 변경하면 도메인까지 폴더명으로 생성된다.
access_provider = ad
7. Assign appropriate permission to sssd.conf.
# chown root:root /etc/sssd/sssd.conf
# chmod 0600 /etc/sssd/sssd.conf
# restorecon /etc/sssd/sssd.conf
# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
# systemctl start sssd
8. user check
id user@domain.example.com
uid=1348601103(user@domain.example.com) gid=1348600513(domain users@domain.example.com) groups=1348600513(domain users@domain.example.com)
9. login check
# ssh user@domain.example.com@127.0.0.1
user@domain.example.com@127.0.0.1's password:
Creating home directory for user@domain.example.com.
$ pwd
/home/ad.example.com/user10. issue check
10-1 move computers Active Directory
10-2 인증 체크
Linux 서버가 Active Directory 도메인의 구성원이므로 몇 가지 테스트를 수행할 수 있습니다. 기본적으로 도메인의 사용자를 지정하려면 도메인 이름을 지정해야 합니다. 예를 들어 아래의 'id' 명령을 사용하면 'user'에 대해 아무 것도 반환되지 않지만 ' user@domain.example.com'은 계정의 UID와 Active Directory 도메인에서 계정이 구성원인 모든 그룹을 표시합니다.
[root@centos7 ~]# id user
id: administrator: no such user
[root@centos7 ~]# id user@example.com
uid=1829600500(user@domain.example.com) gid=1829600513(domain users@domain.example.com) groups=1829600513(domain users@domain.example.com),1829600512(domain admins@domain.example.com),1829600572(denied rodc password replication group@domain.example.com),1829600519(enterprise admins@domain.example.com),1829600518(schema admins@domain.example.com),1829600520(group policy creator owners@domain.example.com)
* We can change this behaviour by modifying the /etc/sssd/sssd.conf file, the following lines need to change
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d* To the below, which does not require the fully qualified domain name (FQDN) to be specified. This also modifies the user directory in /home from having the FQDN specified after the username.
use_fully_qualified_names = False
fallback_homedir = /home/%u* To apply these changes, restart sssd.
[root@centos7 ~]# systemctl restart sssdNow we should be able to find user accounts without specifying the domain, as shown below this now works where it did not previously.
[root@centos7 ~]# id administrator
uid=1829600500(administrator) gid=1829600513(domain users) groups=1829600513(domain users),1829600512(domain admins),1829600572(denied rodc password replication group),1829600520(group policy creator owners),1829600519(enterprise admins),1829600518(schema admins)반응형
'linux' 카테고리의 다른 글
| 날짜 이름의 파일 생성하는 방법 (0) | 2021.10.21 |
|---|---|
| Allow domain group ssh access & sudoers set (0) | 2021.10.15 |
| Disabling NUMA (0) | 2021.09.03 |
| jmeter 설치 및 사용법 (0) | 2021.08.19 |
| centos 7 cgroup limit 해제 (0) | 2021.08.19 |
공지사항
최근에 올라온 글
최근에 달린 댓글
- Total
- Today
- Yesterday
TAG
- dl20
- 윈도우 cmd 계정 관리
- DL20 GEN9 장비에 CentOS 7
- ansible network
- oracle linux8 kernel
- ipmi
- 윈도우서버 계정 관려
- cmd로 계정 생성
- chrony
- ios ansible
- 특정 문구 치환
- ansible ios
- ISCSI 볼륨 RAC
- shell connmad log
- ILO
- windows.old 강제삭제
- nutanix rac
- cisco ansible
- 리눅스 커맨드 로그남기기
- cmd로 윈도우 계정 관리
- dl20 centos7
- kernel 변경
- linux command log
- dl20 g9 centos7 설치
- nxos ansible
- cgroup
- vm rac
- centos7 ntp
- CentOS 7 GUI
- 특정 라인삭제
| 일 | 월 | 화 | 수 | 목 | 금 | 토 |
|---|---|---|---|---|---|---|
| 1 | 2 | |||||
| 3 | 4 | 5 | 6 | 7 | 8 | 9 |
| 10 | 11 | 12 | 13 | 14 | 15 | 16 |
| 17 | 18 | 19 | 20 | 21 | 22 | 23 |
| 24 | 25 | 26 | 27 | 28 | 29 | 30 |
글 보관함