我有两个域名:一个用于开发,一个用于公司。
由于可传递林信任,我可以将 Windows 计算机加入开发域并以公司用户身份登录。我可以将 Linux 计算机加入开发域(使用 realm join 或 adcli join),但我无法使用公司用户帐户通过 ssh 或控制台登录。有解决方案吗无需加入(使用 realm/adcli)corp 领域?他们不希望在公司广告服务器上有开发计算机对象。
echo "password" | realm join --user=user --computer-ou='OU=Linux_Servers,DC=dev,DC=domain,DC=com' --os-name='Linux' dev.domain.com
krb5
[libdefaults]
default_realm = DEV.DOMAIN.COM # domain specific parameter (full domain name)
clockskew = 300
ticket_lifetime = 1d
forwardable = true
proxiable = true
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
DEV.DOMAIN.COM = {
kdc = adserver.domain.com # domain specific parameter (domain controller name)
admin_server = adserver.domain.com # domain specific parameter (domain controller name)
default_domain = DEV.DOMAIN.COM # domain specific parameter (full domain name)
}
CORP.DOMAIN.COM = {
kdc = corpadserver.domain.com # domain specific parameter (domain controller name)
admin_server = corpadserver.domain.com # domain specific parameter (domain controller name)
default_domain = CORP.DOMAIN.COM # domain specific parameter (full domain name)
}
[domain_realm]
.dev.domain.com = DEV.DOMAIN.COM # domain specific parameter (domain name for dns names)
dev.domain.com = DEV.DOMAIN.COM # domain specific parameter (domain name for dns names)
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
retain_after_close = false
minimum_uid = 0
debug = false
ssd 的
[sssd]
domains = dev.domain.com, corp.domain.com
config_file_version = 2
services = nss, pam
default_domain_suffix = example.com
[nss]
homedir_substring = /home
[pam]
[domain/dev.domain.com]
ad_domain = dev.domain.com
krb5_realm = DEV.DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
基尼特
[root@vm ~]# kinit [email protected]
Password for [email protected]:
kinit: KDC reply did not match expectations while getting initial credentials
[root@gbr7testvmjuly ~]# kinit localdevadmin
Password for [email protected]:
[root@gbr7testvmjuly ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting Expires Service principal
07/14/2023 10:44:11 07/14/2023 20:44:11 krbtgt/[email protected]
renew until 07/14/2023 20:44:11
答案1
编辑#1-Ubuntu 更新:
我最终让它在 CentOS、RedHat 和 Ubuntu 上工作。Ubuntu 类似,但在软件包名称和创建主目录方面有一些差异。
使用 samba、winbind 和 net ads 加入:
dnf install samba samba-client samba-winbind samba-winbind-clients oddjob oddjob-mkhomedir
/etc/samba/smb.conf:
[global]
workgroup = DEV
realm = DEV.DOMAIN.COM
security = ads
idmap config * : backend = autorid
idmap config * : range = 100000-19999999
idmap config * : rangesize = 1000000
template homedir = /home/%D/%U
template shell = /bin/bash
winbind use default domain = false
winbind offline logon = true
log file = /var/log/samba/log.%m
max log size = 50
log level = 0
加入和停止/启动 winbind:
systemctl stop winbind
net ads join -U domainAdmin
systemctl enable winbind --now
现在我可以以公司用户的身份通过 ssh 连接到开发机器,但我必须在登录时指定公司域,否则它会默认为本地用户并失败:
ssh -l [email protected] 10.1.100.100
[CORP\username@hostnametest ~]$ whoami
CORP\username
[CORP\username@hostnametest ~]$ pwd
/home/CORP/username
有没有办法在登录尝试时默认添加 corp 域,或者理想情况下,添加另一个 samba 或 ssh 配置设置来处理它?
编辑 #1:Ubuntu 基本一样
apt -y install winbind libpam-winbind libnss-winbind krb5-config samba-dsdb-modules samba-vfs-modules
相同的 smb.conf
此外,我在 /etc/nsswitch.conf 和 /etc/pam.d/common-session 中添加了这些编辑
/etc/nsswitch.conf:
passwd: files systemd winbind
group: files systemd winbind
/etc/pam.d/common-session:
session optional pam_mkhomedir.so skel=/etc/skel umask=077
加入并重新启动 winbind。
我不需要更新 netplan 中的 DNS 设置,因为它已经有正确的名称服务器。