Windows AD 認證
登入 RedHat 系統時,可使用 Windows AD 帳號。
RedHat 7/8 (不加入網域)
這個方式需要先建立相同名稱的本機帳號,通常這個會違反資安規範。
安裝需要的套件
yum install sssd sssd-tools krb5-workstation krb5-libs
新增本地帳號與 AD 帳號同名
useradd AD_user
編輯 /etc/nsswitch.conf
# Add 'sss' for AD authentication
passwd: files sss systemd
shadow: files sss
group: files sss systemd
編輯 /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# Change this as required
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
# Change this as required
EXAMPLE.COM = {
kdc = ad.example.com
dmin_server = ad.example.com
}
[domain_realm]
# Change this as required
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
新增 /etc/sssd/sssd.conf
[sssd]
services = nss, pam
domains = EXAMPLE.COM
[domain/EXAMPLE.COM]
id_provider = files
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = ad.example.com
設定檔權限
chmod 0600 /etc/sssd/sssd.conf
啟動 sssd 服務
systemctl start sssd
systemctl enable sssd
編輯 /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
# AD Authentication
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
# AD Authentication
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type$
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
# AD Authentication
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
# AD Authentication
session optional pam_sss.so
編輯 /etc/pam.d/password-auth
,內容與上述的一樣。
驗證AD登入
本機驗證
#> kinit AD_user
Password for AD_user@EXAMPLE.COM:
#> klist
Ticket cache: KEYRING:persistent:0:0
Default principal: AD_user@EXAMPLE.COM
Valid starting Expires Service principal
11/02/20 04:16:38 11/02/20 14:16:38 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 18/02/20 04:16:34
遠端 SSH 驗證
遠端使用 AD_user ( 不需加 @example.com
)登入 SSH。
其他指令
Displaying user authorization details
sssctl user-checks -a acct -s sshd AD_user
Display a list of available domains
sssctl domain-list
RedHat 7/8 (加入網域)
- How to join a Linux system to an Active Directory domain | Enable Sysadmin (redhat.com)
- Windows Integration Guide Red Hat Enterprise Linux 7 | Red Hat Customer Portal
安裝需要套件
yum install sssd realmd oddjob oddjob-mkhomedir adcli \
samba-common samba-common-tools krb5-workstation \
openldap-clients policycoreutils-python
使用 realmd 將 Linux 主機加入 AD 網域
realm discover ad.example.com
realm join ad.example.com -U user
realm list
編輯 /etc/sssd/sssd.conf
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
simple_allow_users =
simple_allow_groups = IT
Optional: 主機退出 AD 網域
# 預設需要 AD 的 Administrator 密碼
realm leave ad.example.com
# 或者使用指定的帳密
realm leave ad.example.com -U 'EXAMPLE.COM\user'
登入存取控制
預設,網域所有帳號都可以登入主機
realm list
realm deny --all
realm permit user@example.com
realm permit --groups IT
reaalm permit 'EXAMPLE.COM\user'