General

How do I join a laptop running Ubuntu 17.04 to a Windows domain? I'm looking for the simplest way, since my knowledge of Ubuntu is limited. We are looking at it as a Windows replacement for desktop PCs. What I need is a how-to (screenshots would help), because I have 30 laptops to set up, then 30 workstations and the IT suite (if the laptops work out).

Answer 1

General

Since you mention integrating a large number of hosts, I suggest you use some kind of configuration management tool. I use Ansible for this sort of thing. Try it by hand once and, when everything works, automate it.

Since you mention doing this in a corporate environment, I would suggest Ubuntu 16.04 rather than 17.04, because 17.04 is not a long-term support release and is therefore only supported until January 2018.

Also, this question seems a good fit for Server Fault.

How-to

The official documentation is a good starting point: https://help.ubuntu.com/lts/serverguide/sssd-ad.html. I also found this tutorial very useful (and it has lots of screenshots): http://www.wolffhaven45.com/blog/linux/join_ubuntu_workstation_windows_domain/

Ansible playbook

Based on the how-to above (and many others), I created an Ansible role that automates the process. The directory structure is as follows:

ansible/
├── adIntegration.yaml
└── roles
    └── ad-integration
        ├── handlers
        │   └── main.yaml
        ├── tasks
        │   └── main.yaml
        └── templates
            ├── etc
            │   ├── krb5.conf.jinja2
            │   ├── realmd.conf.jinja2
            │   └── sssd
            │       └── sssd.conf.jinja2
            └── usr
                └── share
                    └── lightdm
                        └── lightdm.conf.d
                            └── 50-ubuntu.conf.jinja2

(I like to keep the files in a directory structure that mirrors the target structure)

Below are the files; adapt them to your needs:

adIntegration.yaml

---
# execute like:
# ansible-playbook ~/ansible/adIntegration.yaml --inventory ~/ansible/production.hosts
# or
# ansible-playbook ~/ansible/adIntegration.yaml -i ~/ansible/production.hosts
- hosts: "ad-integration"
  remote_user: "admin" # change to whatever user you have with sudo rights
  become: yes
  vars_prompt: # the vars are later used for the join
    - name: "ad_admin_name"
      prompt: "username for AD join"
      private: no
    - name: "ad_admin_password"
      prompt: "password for AD"
      private: yes
      confirm: yes
  roles:
    - role: "ad-integration"
...

main.yaml (handlers)

---
- name: "restart sssd"
  service:
    name: "sssd"
    state: "restarted"
  listen: "sssd needs restart"
...

main.yaml (tasks)

---
- name: "install needed packages"
  apt:
    name: "{{ item }}"
    state: "present"
  with_items:
    - "adcli"
    - "krb5-user"
    - "libnss-sss"
    - "libpam-sss"
    - "libwbclient-sssd"
    - "realmd"
    - "sssd"
    - "sssd-tools"
    - "samba-common"
# copy this from a working one
- name: "template krb5.conf"
  template:
    src: "etc/krb5.conf.jinja2"
    dest: "/etc/krb5.conf"
    owner: "root"
    group: "root"
    mode: "0644"
    backup: yes
- name: "template realmd.conf"
  template:
    src: "etc/realmd.conf.jinja2"
    dest: "/etc/realmd.conf"
    owner: "root"
    group: "root"
    mode: "0644"
    backup: yes
# the password is fed to realm on stdin rather than on the command line (where
# `echo '<password>' | realm join` would expose it in `ps` for the duration of the
# join), and no_log keeps it out of Ansible's own output
- name: "join domain"
  command: "realm join COMPANY.COM -U '{{ ad_admin_name }}' --install=/ -v" # --install=/ needed because of realm bug in package detection
  args:
    stdin: "{{ ad_admin_password }}"
  no_log: true
  register: "realm_join"
  changed_when: "'Successfully enrolled machine in realm' in realm_join.stderr"
  failed_when: "'Couldn\\'t join realm' in realm_join.stderr"
- name: "template sssd.conf"
  template:
    src: "etc/sssd/sssd.conf.jinja2"
    dest: "/etc/sssd/sssd.conf"
    owner: "root"
    group: "root"
    mode: "0600"
    backup: yes
  notify: "sssd needs restart"
- name: "activate automatic creation of home directories"
  lineinfile:
    dest: "/etc/pam.d/common-session"
    line: "session  optional            pam_mkhomedir.so "
    state: "present"
    insertbefore: "# end of pam-auth-update config"
    backup: yes
- name: "create lightdm directories"
  file:
    path: "/usr/share/lightdm/lightdm.conf.d/"
    state: "directory"
    owner: "root"
    group: "root"
    mode: "0755"
# the important part here is to add greeter-show-manual-login=true under [SeatDefaults]
- name: "activate username on login window"
  template:
    src: "usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf.jinja2"
    dest: "/usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf"
    owner: "root"
    group: "root"
    mode: "0644"
    backup: yes
...

realmd.conf.jinja2

[active-directory]
default-client = sssd
os-name = {{ ansible_distribution }}
os-version = {{ ansible_distribution_version }}

[service]
automatic-install = no

[users]
default-home = /home/%D/%U
default-shell = /bin/bash

[company.com]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = no
enumerate = yes

sssd.conf.jinja2

[sssd]
domains = company.com
config_file_version = 2
services = nss, pam

[domain/company.com]
realmd_tags = manages-system joined-with-adcli
ad_domain = company.com
krb5_realm = COMPANY.COM

id_provider = ad
cache_credentials = True
krb5_store_password_if_offline = True
enumerate = True
use_fully_qualified_names = False

fallback_homedir = /home/%d/%u
default_shell = /bin/bash

# maybe needed for older AD schemas (Services for UNIX / msSFU30 attributes)
#ldap_id_mapping = False
#ldap_schema = ad
#ldap_user_object_class = person
#ldap_user_name = msSFU30Name
#ldap_user_uid_number = msSFU30UidNumber
#ldap_user_gid_number = msSFU30GidNumber
#ldap_user_home_directory = msSFU30HomeDirectory
#ldap_user_shell = msSFU30LoginShell
#ldap_user_gecos = displayName
#ldap_group_object_class = group
#ldap_group_name = msSFU30Name
#ldap_group_gid_number = msSFU30GidNumber
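
Added example, not part of the answer above: before rolling a rendered sssd.conf out to 30 laptops, it is worth linting it for the settings that commonly break the join or weaken it (file mode, realm casing, enumeration, plain-text bind passwords, cached credentials). The script below parses a config of the shape shown above; SAMPLE_SSSD_CONF is the template from the answer with its Jinja values filled in, and the check names and messages are this example's own choices, not anything sssd or realmd produce.

```python
"""Lint an sssd.conf of the shape shown above before deploying it to a fleet.

Example code, not from the original answer. The sample config below is the
answer's template rendered for company.com; the checks are the author's own.
"""
import configparser

# Constructed sample: the sssd.conf template above, rendered for company.com.
SAMPLE_SSSD_CONF = """
[sssd]
domains = company.com
config_file_version = 2
services = nss, pam

[domain/company.com]
realmd_tags = manages-system joined-with-adcli
ad_domain = company.com
krb5_realm = COMPANY.COM

id_provider = ad
cache_credentials = True
krb5_store_password_if_offline = True
enumerate = True
use_fully_qualified_names = False

fallback_homedir = /home/%d/%u
default_shell = /bin/bash
"""


def parse_sssd_conf(text):
    """Parse sssd.conf (INI syntax, '#' comments, no '%' interpolation)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def lint_sssd_conf(text, file_mode=0o600):
    """Return (level, message) findings; no ERROR findings means deployable.

    file_mode is the intended mode of /etc/sssd/sssd.conf (the Ansible task
    above uses 0600); sssd refuses to start if anyone but root can read it.
    """
    findings = []
    if file_mode & 0o077:
        findings.append(("ERROR", "sssd.conf must be mode 0600 and owned by root, got %o" % file_mode))

    cp = parse_sssd_conf(text)
    if not cp.has_section("sssd"):
        return findings + [("ERROR", "missing [sssd] section")]
    if cp.get("sssd", "config_file_version", fallback=None) != "2":
        findings.append(("ERROR", "config_file_version must be 2"))

    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not domains:
        findings.append(("ERROR", "no domains listed in [sssd]"))

    for dom in domains:
        sec = "domain/" + dom
        if not cp.has_section(sec):
            findings.append(("ERROR", "domain %s listed but [%s] section missing" % (dom, sec)))
            continue
        ad_domain = cp.get(sec, "ad_domain", fallback=dom)
        realm = cp.get(sec, "krb5_realm", fallback=None)
        # Kerberos realm names are case sensitive; an AD realm is the DNS domain in upper case.
        if realm is None:
            findings.append(("ERROR", "%s: krb5_realm not set" % sec))
        elif realm != ad_domain.upper():
            findings.append(("WARN", "%s: krb5_realm %r is not ad_domain %r in upper case" % (sec, realm, ad_domain)))
        # enumerate = True pulls the whole user and group list from the DCs on every refresh.
        if cp.getboolean(sec, "enumerate", fallback=False):
            findings.append(("WARN", "%s: enumerate = True downloads the entire directory; avoid on large domains" % sec))
        # A bind password in the config is a plain-text credential at rest on every laptop.
        if cp.has_option(sec, "ldap_default_authtok"):
            findings.append(("WARN", "%s: ldap_default_authtok is a plain-text bind password; use the machine keytab" % sec))
        # Offline login for laptops means cached password hashes live in /var/lib/sss/db.
        if cp.getboolean(sec, "cache_credentials", fallback=False):
            findings.append(("INFO", "%s: cached credentials allow offline login; protect the disk (full-disk encryption)" % sec))
        # Short names across several domains can collide (sssd's own default is False).
        if len(domains) > 1 and not cp.getboolean(sec, "use_fully_qualified_names", fallback=False):
            findings.append(("WARN", "%s: short user names with several domains can collide" % sec))
    return findings


def errors(findings):
    """Only the findings that should block a rollout."""
    return [msg for level, msg in findings if level == "ERROR"]


if __name__ == "__main__":
    for level, msg in lint_sssd_conf(SAMPLE_SSSD_CONF):
        print(level, msg)
```

Run it against the file Ansible renders (for example in a pre-deploy check or a CI step on the role); the sample above passes with warnings only, while a config that would make sssd refuse to start (world-readable file, missing domain section) is reported as an error.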
