Ubuntu Server Guide
SSSD and Active Directory
Download 1.23 Mb. Pdf ko'rish
|
ubuntu-server-guide (1)
- Bu sahifa navigatsiya:
- Prerequisites, Assumptions, and Requirements
- Software Installation Install the following packages: sudo apt i n s t a l l s s s d −ad s s s d −t o o l s realmd a d c l i Join the domain
|
SSSD and Active Directory
This section describes the use of sssd to authenticate user logins against an Active Directory via using sssd’s “ad” provider. At the end, Active Directory users will be able to login on the host using their AD credentials. Group membership will also be maintained. Prerequisites, Assumptions, and Requirements • This guide does not explain Active Directory, how it works, how to set one up, or how to maintain it. • This guide assumes that a working Active Directory domain is already configured and you have access to the credentials to join a machine to that domain. • The domain controller is acting as an authoritative DNS server for the domain. • The domain controller is the primary DNS resolver (check with systemd−resolve −−status) • System time is correct and in sync, maintained via a service like chrony or ntp • The domain used in this example is ad1.example.com . Software Installation Install the following packages: sudo apt i n s t a l l s s s d −ad s s s d −t o o l s realmd a d c l i Join the domain We will use the realm command, from the realmd package, to join the domain and create the sssd configu- ration. Let’s verify the domain is discoverable via DNS: $ sudo realm −v d i s c o v e r ad1 . example . com * R e s o l v i n g : _ldap . _tcp . ad1 . example . com * P e r f o r m i n g LDAP DSE lookup on : 1 0 . 5 1 . 0 . 5 * S u c c e s s f u l l y d i s c o v e r e d : ad1 . example . com ad1 . example . com type : k e r b e r o s realm−name : AD1 .EXAMPLE.COM domain−name : ad1 . example . com c o n f i g u r e d : no s e r v e r −s o f t w a r e : a c t i v e −d i r e c t o r y c l i e n t −s o f t w a r e : s s s d r e q u i r e d −package : s s s d −t o o l s r e q u i r e d −package : s s s d r e q u i r e d −package : l i b n s s −s s s r e q u i r e d −package : libpam−s s s r e q u i r e d −package : a d c l i r e q u i r e d −package : samba−common−b i n This performs several checks and determines the best software stack to use with sssd. sssd can install the missing packages via packagekit, but we installed them already previously. Now let’s join the domain: 225 $ sudo realm j o i n ad1 . example . com Password f o r A d m i n i s t r a t o r : That was quite uneventful. If you want to see what it was doing, pass the −v option: $ sudo realm j o i n −v ad1 . example . com * R e s o l v i n g : _ldap . _tcp . ad1 . example . com * P e r f o r m i n g LDAP DSE lookup on : 1 0 . 5 1 . 0 . 5 * S u c c e s s f u l l y d i s c o v e r e d : ad1 . example . com Password f o r A d m i n i s t r a t o r : * U n c o n d i t i o n a l l y c h e c k i n g p a c k a g e s * R e s o l v i n g r e q u i r e d p a c k a g e s * LANG=C / u s r / s b i n / a d c l i j o i n −−v e r b o s e −−domain ad1 . example . com −−domain− realm AD1 .EXAMPLE.COM −−domain−c o n t r o l l e r 1 0 . 5 1 . 0 . 5 −−l o g i n −type u s e r −− l o g i n −u s e r A d m i n i s t r a t o r −−s t d i n −password * Using domain name : ad1 . example . com * C a l c u l a t e d computer a c c o u n t name from fqdn : AD−CLIENT * Using domain realm : ad1 . example . com * Sending NetLogon p i n g t o domain c o n t r o l l e r : 1 0 . 5 1 . 0 . 5 * R e c e i v e d NetLogon i n f o from : SERVER1 . ad1 . example . com * Wrote out krb5 . c o n f s n i p p e t t o / var / c a c h e / realmd / a d c l i −krb5−hUfTUg/ krb5 . d/ a d c l i −krb5−conf −h v 2 k z i * A u t h e n t i c a t e d a s u s e r : Administrator@AD1 .EXAMPLE.COM * Looked up s h o r t domain name : AD1 * Looked up domain SID : S−1−5−21−2660147319−831819607−3409034899 * Using f u l l y q u a l i f i e d name : ad−c l i e n t . ad1 . example . com * Using domain name : ad1 . example . com * Using computer a c c o u n t name : AD−CLIENT * Using domain realm : ad1 . example . com * C a l c u l a t e d computer a c c o u n t name from fqdn : AD−CLIENT * Generated 120 c h a r a c t e r computer password * Using keytab : FILE : / e t c / krb5 . keytab * Found computer a c c o u n t f o r AD−CLIENT$ a t : CN=AD−CLIENT,CN=Computers ,DC=ad1 , DC=example ,DC=com * Sending NetLogon p i n g t o domain c o n t r o l l e r : 1 0 . 5 1 . 0 . 5 * R e c e i v e d NetLogon i n f o from : SERVER1 . ad1 . example . com * S e t computer password * R e t r i e v e d kvno ’ 3 ’ f o r computer a c c o u n t i n d i r e c t o r y : CN=AD−CLIENT,CN= Computers ,DC=ad1 ,DC=example ,DC=com * Checking R e s t r i c t e d K r b H o s t /ad−c l i e n t . ad1 . example . com * Added R e s t r i c t e d K r b H o s t /ad−c l i e n t . ad1 . example . com * Checking R e s t r i c t e d K r b H o s t /AD−CLIENT * Added R e s t r i c t e d K r b H o s t /AD−CLIENT * Checking h o s t /ad−c l i e n t . ad1 . example . com * Added h o s t /ad−c l i e n t . ad1 . example . com * Checking h o s t /AD−CLIENT * Added h o s t /AD−CLIENT * D i s c o v e r e d which keytab s a l t t o u s e * Added t h e e n t r i e s t o t h e keytab : AD−CLIENT$@AD1 .EXAMPLE.COM: FILE : / e t c / krb5 . keytab * Added t h e e n t r i e s t o t h e keytab : h o s t /AD−CLIENT@AD1 .EXAMPLE.COM: FILE : / e t c / krb5 . keytab * Added t h e e n t r i e s t o t h e keytab : h o s t /ad−c l i e n t . ad1 . example . com@AD1 .EXAMPLE .COM: FILE : / e t c / krb5 . keytab * Added t h e e n t r i e s t o t h e keytab : R e s t r i c t e d K r b H o s t /AD−CLIENT@AD1.EXAMPLE. 226 COM: FILE : / e t c / krb5 . keytab * Added t h e e n t r i e s t o t h e keytab : R e s t r i c t e d K r b H o s t /ad−c l i e n t . ad1 . example . com@AD1 .EXAMPLE.COM: FILE : / e t c / krb5 . keytab * / u s r / s b i n / update−r c . d s s s d e n a b l e * / u s r / s b i n / s e r v i c e s s s d r e s t a r t * S u c c e s s f u l l y e n r o l l e d machine i n realm By default, realm will use the Administrator account of the domain to request the join. If you need to use another account, pass it to the tool with the −U option. Another popular way of joining a domain is using an OTP, or One Time Password, token. For that, use the −−one−time−password option. Download 1.23 Mb. Do'stlaringiz bilan baham: 
|