Skip to main content

Windows AD 認證

登入 RedHat 系統時,使用 Windows AD 帳號。

RedHat 7/8 (不加入網域)

安裝需要的套件

yum install sssd krb5-workstation krb5-libs

新增本地帳號與 AD 帳號同名

useradd AD_user

編輯 /etc/nsswitch.conf

# Add 'sss' for AD authentication
passwd:     files sss systemd
shadow:     files sss
group:      files sss systemd

編輯 /etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# Change this as required
 default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
# Change this as required
EXAMPLE.COM = {
    kdc = ad.example.com
    dmin_server = ad.example.com
}

[domain_realm]
# Change this as required
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

新增 /etc/sssd/sssd.conf

[sssd]
    services = nss, pam
    domains = EXAMPLE.COM

[domain/EXAMPLE.COM]
    id_provider = files
    auth_provider = krb5
    krb5_realm = EXAMPLE.COM
    krb5_server = ad.example.com

設定設定檔權限

chmod 0600 /etc/sssd/sssd.conf

啟動 sssd 服務

systemctl start sssd
systemctl enable sssd

編輯 /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
# AD Authentication
auth        sufficient    pam_sss.so forward_pass

auth        required      pam_deny.so


account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
# AD Authentication
account     [default=bad success=ok user_unknown=ignore] pam_sss.so

account     required      pam_permit.so


password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type$
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
# AD Authentication
password    sufficient    pam_sss.so use_authtok

password    required      pam_deny.so


session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
# AD Authentication
session     optional      pam_sss.so

編輯 /etc/pam.d/password-auth ,內容與上述的一樣。

驗證AD登入

本機驗證

#> kinit AD_user
Password for AD_user@EXAMPLE.COM:

#> klist
Ticket cache: KEYRING:persistent:0:0
Default principal: AD_user@EXAMPLE.COM

Valid starting     Expires            Service principal
11/02/20 04:16:38  11/02/20 14:16:38  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 18/02/20 04:16:34

遠端 SSH 驗證

遠端使用 AD_user ( 不需加 @example.com )登入 SSH。