Windows AD 認證
登入 RedHat 系統時,可使用 Windows AD 帳號。
RedHat 7/8 (不加入網域)
這個方式需要先建立相同名稱的本機帳號,通常這個會違反資安規範。
安裝需要的套件
yum install sssd sssd-tools krb5-workstation krb5-libs
新增本地帳號與 AD 帳號同名
useradd AD_user
編輯 /etc/nsswitch.conf
# Add 'sss' for AD authentication
passwd: files sss systemd
shadow: files sss
group: files sss systemd
編輯 /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# Change this as required
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# Change this as required
EXAMPLE.COM = {
kdc = ad.example.com
dmin_server = ad.example.com
}
[domain_realm]
# Change this as required
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
新增 /etc/sssd/sssd.conf
[sssd]
services = nss, pam
domains = EXAMPLE.COM
[domain/EXAMPLE.COM]
id_provider = files
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = ad.example.com
設定檔權限
chmod 0600 /etc/sssd/sssd.conf
啟動 sssd 服務
systemctl start sssd
systemctl enable sssd
編輯 /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
# AD Authentication
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
# AD Authentication
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type$
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
# AD Authentication
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
# AD Authentication
session optional pam_sss.so
編輯 /etc/pam.d/password-auth
,內容與上述的一樣。
驗證AD登入
本機驗證
#> kinit AD_user
Password for AD_user@EXAMPLE.COM:
#> klist
Ticket cache: KEYRING:persistent:0:0
Default principal: AD_user@EXAMPLE.COM
Valid starting Expires Service principal
11/02/20 04:16:38 11/02/20 14:16:38 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 18/02/20 04:16:34
遠端 SSH 驗證
遠端使用 AD_user ( 不需加 @example.com
)登入 SSH。
其他指令
Displaying user authorization details
sssctl user-checks -a acct -s sshd AD_user
Display a list of available domains
sssctl domain-list
RedHat 7/8 (加入網域)
- How to join a Linux system to an Active Directory domain | Enable Sysadmin (redhat.com)
- Windows Integration Guide Red Hat Enterprise Linux 7 | Red Hat Customer Portal
安裝需要套件
yum install sssd realmd oddjob oddjob-mkhomedir adcli \
samba-common samba-common-tools krb5-workstation \
openldap-clients policycoreutils-python
使用 realmd 將 Linux 主機加入 AD 網域
NOTE: 建議先將 /etc/krb5.conf 恢復成初始值,如果曾經修改過。還有將 /etc/sssd/sssd.conf 移除。
加入 AD 網域時,需要有 AD 管理員或有足夠權限的 AD 帳號 例如 adm1。
一旦加入網域成功,系統會自動修改或建立這兩個檔案。
realm discover ad.example.com
realm join ad.example.com -U adm1
realm list
自動生成 /etc/sssd/sssd.conf
, /etc/krb5.conf
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
[domain/example.com]
ad_server = ad.example.com
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = EXAMPLE.COM
[realms]
EXAMPLE.COM = {
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
Optional: 主機退出 AD 網域
# 預設需要 AD 的 Administrator 密碼
realm leave ad.example.com
# 或者使用指定的帳密
realm leave ad.example.com -U 'EXAMPLE.COM\user'
登入存取控制
預設,網域所有帳號都可以登入主機;要限制可以存取主機的 AD 帳號或 AD 群組,需要修改 /etc/sssd/sssd.conf。
編輯 /etc/sssd/sssd.conf
# ACL for AD Login
#access_provider = ad
access_provider = simple
#simple_allow_users = ad-user1, ad-user2
simple_allow_groups = ad-group
重啟 sssd 服務
systemctl restart sssd
realm list
No Comments