Linux AD join | How to connect a Linux system to Active Directory (Ubuntu 20.04)



In this video, we talk about how to add an Ubuntu server to our existing Active Directory domain. This will allow the Linux machine to authenticate to the specified Kerberos realm from Active Directory. This allows us to SSH into our Ubuntu 20.04 server using credentials from the AD domain. We also discuss how to enable the creation of home directories on login, and sudo access defined by Active Directory groups.
Supporting article (not written by me): https://computingforgeeks.com/join-ubuntu-debian-to-active-directory-ad-domain/

Sources collected on this page:

  • Joining a Linux server to a Windows AD domain – Oops – IT (usheep91.tistory.com, 5/30/2021)
  • Join a Linux VM to a domain | Managed Microsoft AD documentation (cloud.google.com, 10/27/2022)
  • Join SQL Server on a Linux host to an Active Directory domain (docs.microsoft.com, 5/9/2022)
  • Joining CentOS to a Windows Active Directory domain – W' page (kanziw.com, 11/12/2021)
  • How to join a Linux system to an Active Directory domain (www.redhat.com, 7/19/2022)
  • [Linux] AD join (AD LDAP) setup using SMB (Samba) (louky0714.tistory.com, 9/20/2022)
  • Manually join a Linux instance – AWS Directory Service (docs.aws.amazon.com, 3/24/2021)
  • Linux SAMBA AD join – delmaster blog (www.delmaster.net, 5/7/2021)
  • Authenticating Linux clients with Active Directory (dataonair.or.kr, 11/4/2021)
  • [Linux] Create AD in linux system and join domain in different operating systems (viblo.asia, 3/12/2022)


Details of the video on this topic

  • Author: Conda
  • Views: 36,074
  • Likes: 493
  • Date Published: 2021. 1. 18.
  • Video URL: https://www.youtube.com/watch?v=3TPgxpjgYsU

Joining a Linux server to a Windows AD domain

** Cloud Platform: Azure

** OS: Windows Server 2016, Ubuntu 18.04

– A new AD server was set up with the domain uk.com.

– The accounts below were newly added.

– The Linux server used was a Zabbix server built on Azure with LDAP integration.

1. Install the Samba and Winbind packages

: For Ubuntu 12.04 and earlier, the likewise-open package can apparently be used instead.

# apt-get install samba krb5-config krb5-user winbind libpam-winbind libnss-winbind

: When the prompts for the Kerberos authentication settings appear, enter the following:

1. The AD domain name in uppercase (e.g. uk.com -> UK.COM)

2. The AD server hostname

3. The AD server hostname once more

2. Update the PAM configuration

# pam-auth-update

: Select "Create home directory on login" as shown in the figure below

: A home directory is then created automatically the first time an AD account logs in.

3. Edit the nsswitch.conf configuration file

# vim /etc/nsswitch.conf

: Modify as follows

passwd: compat winbind

group: compat winbind

shadow: compat

gshadow: files

4. Register the DNS server

# vim /etc/resolv.conf

nameserver [AD IP]

search [AD domain name]

** After registering as above and rebooting the server, resolv.conf was reset automatically

– Workaround

: Install the resolvconf package

: Enter the DNS information under resolvconf.d/head

nameserver [AD IP]

search [AD domain name]

# service resolvconf restart

# vim /etc/resolv.conf

: Check that the settings have been applied correctly

5. Edit the hosts file

# vim /etc/hosts

127.0.0.1 localhost

127.0.1.1 [hostname].[domain name (e.g. uk.com)] [hostname]

6. Edit the smb.conf file

# vim /etc/samba/smb.conf

: Add the following at the very bottom of the configuration

[global]

security = ads

realm = [domain name (e.g. uk.com)]

workgroup = [domain NetBIOS name (e.g. UK)]

idmap uid = 10000-20000

idmap gid = 10000-20000

winbind enum users = yes

winbind enum groups = yes

template homedir = /home/%D/%U

template shell = /bin/bash

client use spnego = yes

client ntlmv2 auth = yes

encrypt passwords = yes

winbind use default domain = yes

restrict anonymous = 2

kerberos method = secrets and keytab

winbind refresh tickets = true

7. Restart the smbd service

# service smbd restart

8. Edit the krb5.conf file

# vim /etc/krb5.conf

: Modify and add the following

[libdefaults]

default_realm = [domain name in uppercase (e.g. UK.COM)]

dns_lookup_realm = true

dns_lookup_kdc = true

[realms]

[domain name in uppercase (e.g. UK.COM)] = {

kdc = [AD server hostname]

admin_server = [AD server hostname]

}

[domain_realm]

.[domain name (e.g. uk.com)] = [domain name in uppercase (e.g. UK.COM)]

[domain name (e.g. uk.com)] = [domain name in uppercase (e.g. UK.COM)]

9. Join the AD domain

: Obtain a Kerberos ticket

# sudo kinit [AD admin-user]

: Enter the password

: If successful, nothing is printed

** Queries were being sent to Azure's default DNS first

– Workaround

: The order was changed as follows.

# vim /etc/hosts

127.0.1.1 [hostname].[domain name (e.g. uk.com)] [hostname]

127.0.0.1 localhost

: Confirm the ticket was issued

# klist

: If issued correctly, output like the following appears

: Create the keytab file and join AD

# net ads keytab create -U [AD admin-user]

# net ads join -U [AD admin-user]

10. Restart the Winbind service and verify login

# service winbind restart

: Verify login

: If the integration is working, you can log in with an AD account and a home directory is created.
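Before running net ads join, a practitioner would want to confirm that the three files edited above agree with each other: an uppercase realm in krb5.conf, a matching realm and a NetBIOS workgroup in smb.conf, and winbind in nsswitch.conf. The script below is an added example, not code from the original post; it reads the /etc paths under a ROOT directory, and the domain uk.com, the sample contents and the domain controller name dc01.uk.com are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-join sanity check for the
# files edited in steps 3, 6 and 8 above. ROOT, the domain uk.com and the sample
# contents are constructed; on a real host run "preflight / uk.com".

# Print the value of KEY in an ini-style FILE (case-insensitive key match).
ini_get() {  # ini_get FILE KEY
    awk -v key="$2" '
        /^[[:space:]]*[#;]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# krb5.conf: the realm must be the uppercase domain, declared under [realms],
# and the lowercase DNS domain must map to it under [domain_realm]. A
# lowercase realm is the usual cause of "KDC reply did not match expectations".
check_krb5() {  # check_krb5 FILE DOMAIN
    realm=$(ini_get "$1" default_realm)
    upper=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ "$realm" = "$upper" ] || { echo "krb5: default_realm is '$realm', expected $upper"; return 1; }
    grep -Eq "^[[:space:]]*$realm[[:space:]]*=[[:space:]]*[{]" "$1" \
        || { echo "krb5: no [realms] block for $realm"; return 1; }
    grep -Eq "^[[:space:]]*\.$2[[:space:]]*=[[:space:]]*$realm" "$1" \
        || { echo "krb5: [domain_realm] does not map .$2 to $realm"; return 1; }
}

# smb.conf: ADS security, a realm matching krb5.conf, and a NetBIOS-legal
# workgroup (no dots, at most 15 characters) rather than the DNS domain.
check_smb() {  # check_smb FILE DOMAIN
    upper=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ "$(ini_get "$1" security)" = "ads" ] || { echo "smb: security must be ads"; return 1; }
    [ "$(ini_get "$1" realm)" = "$upper" ] || { echo "smb: realm must be $upper"; return 1; }
    wg=$(ini_get "$1" workgroup)
    case "$wg" in
        ''|*.*) echo "smb: workgroup must be the NetBIOS domain name, not a DNS name"; return 1 ;;
    esac
    [ "${#wg}" -le 15 ] || { echo "smb: workgroup '$wg' is longer than 15 characters"; return 1; }
}

# nsswitch.conf: the passwd and group databases must consult BACKEND.
check_nss() {  # check_nss FILE BACKEND
    for db in passwd group; do
        awk -v db="$db:" -v be="$2" '
            $1 == db { for (i = 2; i <= NF; i++) if ($i == be) ok = 1 }
            END { exit ok ? 0 : 1 }' "$1" \
            || { echo "nss: $db line does not include $2"; return 1; }
    done
}

# Run every check against the files under ROOT; non-zero on any failure.
preflight() {  # preflight ROOT DOMAIN
    rc=0
    check_krb5 "$1/etc/krb5.conf" "$2"        || rc=1
    check_smb  "$1/etc/samba/smb.conf" "$2"   || rc=1
    check_nss  "$1/etc/nsswitch.conf" winbind || rc=1
    return $rc
}

# Constructed sample tree mirroring the settings from the steps above
# (dc01.uk.com is an assumed domain controller name).
write_samples() {  # write_samples ROOT
    mkdir -p "$1/etc/samba"
    cat > "$1/etc/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = UK.COM
[realms]
    UK.COM = {
        kdc = dc01.uk.com
        admin_server = dc01.uk.com
    }
[domain_realm]
    .uk.com = UK.COM
    uk.com = UK.COM
EOF
    cat > "$1/etc/samba/smb.conf" <<'EOF'
[global]
    security = ads
    realm = UK.COM
    workgroup = UK
    kerberos method = secrets and keytab
EOF
    printf 'passwd: compat winbind\ngroup:  compat winbind\n' > "$1/etc/nsswitch.conf"
}

root=$(mktemp -d)
write_samples "$root"
if preflight "$root" uk.com; then echo "preflight OK"; else echo "preflight FAILED"; fi
rm -rf "$root"
```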

References

URL: docs.vmware.com/kr/VMware-Horizon-7/7.8/linux-desktops-setup/GUID-F8F0CFCF-C4D6-4784-85FF-E7C6DF575F49.html

URL: growingsaja.tistory.com/162

Quickstart: Join a Linux VM to a domain

Managed Microsoft AD interoperates with many Linux distributions and other connection tools. Learn about these open-source connection tools.

This topic shows how to join a Linux VM to a Managed Microsoft AD domain using SSSD (System Security Services Daemon) with the following Linux distributions.

Before you begin, make sure you have completed the following tasks:

Create an Active Directory domain as described in Quickstart: Create a domain.

In step 4 of Create a Linux VM, on the Public images tab, select the appropriate distribution: Ubuntu 16.04 LTS or Red Hat Enterprise Linux 8.

Install realmd on the VM. Learn about realm. To install realmd, run the following command.

Join the Linux VM to the domain

To join the Linux VM to the domain, complete the following steps. Both Ubuntu 16.04 LTS and RHEL 8.2 use realm.

Run the following command: realm join domain-name -U 'username@domain-name'. For verbose output, add the -v flag to the end of the command. At the prompt, enter the password for username@domain-name.

A message appears indicating that the domain join succeeded.

Specifying the account location with realm join

By default, the realm join command creates the machine account in the following location:

CN=account-name,OU=Computers,OU=Cloud,DC=machine,DC=mid-level,DC=extension

To specify where the account is created, pass the path to the realm join command with the --computer-ou flag.

The username@domain-name account must have the permissions required to create accounts in the specified OU. By default, members of the Cloud Service Domain Join Accounts group have this permission. Learn about the groups created in Managed Microsoft AD.

realm join domain-name --computer-ou="OU=org-unit,DC=machine,DC=mid-level,DC=extension" -U 'username@domain-name'

Removing the Linux VM from the domain

To remove the Linux VM from the domain-name domain, run the following command. Both Ubuntu 16.04 LTS and RHEL 8.2 use realm.

Join SQL Server on Linux to Active Directory – SQL Server

Join SQL Server on a Linux host to an Active Directory domain

Article, 10/05/2021

Applies to: SQL Server (all supported versions) – Linux

This article provides general guidance on how to join a SQL Server Linux host machine to an Active Directory (AD) domain. There are two methods: use a built-in SSSD package or use third-party Active Directory providers. Examples of third-party domain join products are PowerBroker Identity Services (PBIS), One Identity, and Centrify. This guide includes steps to check your Active Directory configuration. However, it is not intended to provide instructions on how to join a machine to a domain when using third-party utilities.

Prerequisites

Before you configure Active Directory authentication, you need to set up an Active Directory domain controller, Windows, on your network. Then join your SQL Server on Linux host to an Active Directory domain.

Important: The sample steps described in this article are for guidance only and refer to Ubuntu 16.04, Red Hat Enterprise Linux (RHEL) 7.x and SUSE Enterprise Linux (SLES) 12 operating systems. Actual steps may differ slightly in your environment depending on how your overall environment is configured and on the operating system version. For example, Ubuntu 18.04 uses netplan while Red Hat Enterprise Linux (RHEL) 8.x uses nmcli, among other tools, to manage and configure the network. It is recommended to engage your system and domain administrators for your environment for specific tooling, configuration, customization, and any required troubleshooting. For information on configuring Active Directory with newer versions of Ubuntu, RHEL, or SLES, see Configure Active Directory authentication with SQL Server on Linux using adutil.

Reverse DNS (RDNS)

When you set up a computer running Windows Server as a domain controller, you might not have a RDNS zone by default. Ensure that an applicable RDNS zone exists for both the domain controller and the IP address of the Linux machine that will be running SQL Server.

Also ensure that a PTR record that points to your domain controllers exists.

Check the connection to a domain controller

Check that you can contact the domain controller by using both the short and the fully qualified names of the domain, and by using the hostname of the domain controller. The IP of the domain controller also should resolve to the FQDN of the domain controller:

ping contoso
ping contoso.com
ping dc1.contoso.com
nslookup

Tip: This tutorial uses contoso.com and CONTOSO.COM as example domain and realm names, respectively. It also uses DC1.CONTOSO.COM as the example fully qualified domain name of the domain controller. You must replace these names with your own values.

If any of these name checks fail, update your domain search list. The following sections provide instructions for Ubuntu, Red Hat Enterprise Linux (RHEL), and SUSE Linux Enterprise Server (SLES) respectively.

Ubuntu 16.04

Edit the /etc/network/interfaces file, so that your Active Directory domain is in the domain search list:

# The primary network interface
auto eth0
iface eth0 inet dhcp
dns-nameservers ****
dns-search ****

Note: The network interface, eth0, might differ for different machines. To find out which one you're using, run ifconfig. Then copy the interface that has an IP address and transmitted and received bytes.

After editing this file, restart the network service:

sudo ifdown eth0 && sudo ifup eth0

Next, check that your /etc/resolv.conf file contains a line like the following example:

search contoso.com com
nameserver ****

Ubuntu 18.04

Edit the netplan configuration file (sudo vi /etc/netplan/******.yaml), so that your Active Directory domain is in the domain search list:

network:
  ethernets:
    eth0:
      dhcp4: true
      dhcp6: true
      nameservers:
        addresses: [****]
        search: [****]
  version: 2

Note: The network interface, eth0, might differ for different machines. To find out which one you're using, run ifconfig. Then copy the interface that has an IP address and transmitted and received bytes.

After editing this file, restart the network service:

sudo netplan apply

Next, check that your /etc/resolv.conf file contains a line like the following example:

search contoso.com com
nameserver ****

RHEL 7.x

Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file, so that your Active Directory domain is in the domain search list. Or edit another interface config file as appropriate:

PEERDNS=no
DNS1=****
DOMAIN="contoso.com com"

After editing this file, restart the network service:

sudo systemctl restart network

Now check that your /etc/resolv.conf file contains a line like the following example:

search contoso.com com
nameserver ****

If you still cannot ping the domain controller, find the fully qualified domain name and IP address of the domain controller. An example domain name is DC1.CONTOSO.COM. Add the following entry to /etc/hosts:

**** DC1.CONTOSO.COM CONTOSO.COM CONTOSO

SLES 12

Edit the /etc/sysconfig/network/config file, so that your Active Directory domain controller IP is used for DNS queries and your Active Directory domain is in the domain search list:

NETCONFIG_DNS_STATIC_SEARCHLIST=""
NETCONFIG_DNS_STATIC_SERVERS="****"

After editing this file, restart the network service:

sudo systemctl restart network

Next, check that your /etc/resolv.conf file contains a line like the following example:

search contoso.com com
nameserver ****

Join to the AD domain

After the basic configuration and connectivity with domain controller is verified, there are two options for joining a SQL Server Linux host machine with Active Directory domain controller:

Option 1: Use SSSD package to join AD domain

This method joins the SQL Server host to an AD domain using realmd and sssd packages.

Note: This is the preferred method of joining a Linux host to an AD domain controller.

Use the following steps to join a SQL Server host to an Active Directory domain:

Use realmd to join your host machine to your AD domain. You must first install both the realmd and Kerberos client packages on the SQL Server host machine using your Linux distribution's package manager:

RHEL:

sudo yum install realmd krb5-workstation

SLES 12 (these steps are specific to SLES 12, which is the only officially supported version of SUSE for Linux):

sudo zypper addrepo https://download.opensuse.org/repositories/network/SLE_12/network.repo
sudo zypper refresh
sudo zypper install realmd krb5-client sssd-ad

Ubuntu 16.04:

sudo apt-get install realmd krb5-user software-properties-common python-software-properties packagekit

Ubuntu 18.04:

sudo apt-get install realmd krb5-user software-properties-common python3-software-properties packagekit
sudo apt-get install adcli libpam-sss libnss-sss sssd sssd-tools

If the Kerberos client package installation prompts you for a realm name, enter your domain name in uppercase.

After you confirm that your DNS is configured properly, join the domain by running the following command. You must authenticate using an AD account that has sufficient privileges in AD to join a new machine to the domain. This command creates a new computer account in AD, creates the /etc/krb5.keytab host keytab file, configures the domain in /etc/sssd/sssd.conf, and updates /etc/krb5.conf.

Because of an issue with realmd, first set the machine hostname to the FQDN instead of to the machine name. Otherwise, realmd might not create all required SPNs for the machine and DNS entries won't automatically update, even if your domain controller supports dynamic DNS updates.

sudo hostname .contoso.com

After running the above command, your /etc/hostname file should contain .contoso.com.

sudo realm join contoso.com -U '[email protected]' -v

You should see the message, Successfully enrolled machine in realm .

The following table lists some error messages that you could receive and suggestions on resolving them:

Error message: Necessary packages are not installed
Recommendation: Install those packages using your Linux distribution's package manager before running the realm join command again.

Error message: Insufficient permissions to join the domain
Recommendation: Check with a domain administrator that you have sufficient permissions to join Linux machines to your domain.

Error message: KDC reply did not match expectations
Recommendation: You may not have specified the correct realm name for the user. Realm names are case-sensitive, usually uppercase, and can be identified with the command realm discover contoso.com.

SQL Server uses SSSD and NSS for mapping user accounts and groups to security identifiers (SIDs). SSSD must be configured and running for SQL Server to create AD logins successfully. realmd usually does this automatically as part of joining the domain, but in some cases, you must do this separately. For more information, see how to configure SSSD manually, and configure NSS to work with SSSD.

Verify that you can now gather information about a user from the domain, and that you can acquire a Kerberos ticket as that user. The following example uses the id, kinit, and klist commands for this.

id [email protected]
uid=1348601103([email protected]) gid=1348600513(domain [email protected]) groups=1348600513(domain [email protected])

kinit [email protected]
Password for [email protected]:

klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Note: If id [email protected] returns No such user, make sure that the SSSD service started successfully by running the command sudo systemctl status sssd. If the service is running and you still see the error, try enabling verbose logging for SSSD. For more information, see the Red Hat documentation for Troubleshooting SSSD.

If kinit [email protected] returns, KDC reply did not match expectations while getting initial credentials , make sure you specified the realm in uppercase.

For more information, see the Red Hat documentation for Discovering and Joining Identity Domains.

Option 2: Use third-party openldap provider utilities

You can use third-party utilities such as PBIS, VAS, or Centrify. This article does not cover steps for each individual utility. You must first use one of these utilities to join the Linux host for SQL Server to the domain before continuing forward.

SQL Server does not use third-party integrator’s code or library for any AD-related queries. SQL Server always queries AD using openldap library calls directly in this setup. The third-party integrators are only used to join the Linux host to AD domain, and SQL Server does not have any direct communication with these utilities.

Important: See the recommendations for using the mssql-conf network.disablesssd configuration option in the Additional configuration options section of the article Use Active Directory authentication with SQL Server on Linux.

Verify that your /etc/krb5.conf is configured correctly. For most third-party Active Directory providers, this configuration is done automatically. However, check /etc/krb5.conf for the following values to prevent any future issues:

[libdefaults]
default_realm = CONTOSO.COM

[realms]
CONTOSO.COM = {
}

[domain_realm]
contoso.com = CONTOSO.COM
.contoso.com = CONTOSO.COM

Check that the reverse DNS is properly configured

The following command should return the fully qualified domain name (FQDN) of the host that runs SQL Server. An example is SqlHost.contoso.com.

host ****

The output of this command should be similar to ****.in-addr.arpa domain name pointer SqlHost.contoso.com . If this command does not return your host’s FQDN, or if the FQDN is incorrect, add a reverse DNS entry for your SQL Server on Linux host to your DNS server.
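As an added example (not part of the Microsoft article), the script below checks the two prerequisites above that most often go wrong, the FQDN hostname and the AD domain in the resolv.conf search list, and then inspects saved klist -k output for the host principals realmd should have created, requiring the realm to be uppercase. The host sqlhost.contoso.com, the nameserver 10.0.0.10 and both sample files are constructed.

```shell
#!/bin/sh
# Added example, not part of the Microsoft article: checks for the join
# prerequisites above (FQDN hostname, AD domain in the resolv.conf search list)
# and, after "realm join", for the host principals realmd should have put in
# /etc/krb5.keytab. Hostnames, addresses and the sample files are constructed.

# realmd needs the FQDN as hostname, or SPNs and dynamic DNS updates may be
# incomplete (see the note above). The comparison is case-insensitive.
check_hostname_fqdn() {  # check_hostname_fqdn HOSTNAME DOMAIN
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    dom=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$host" in
        *."$dom") return 0 ;;
        *.*)      echo "hostname '$1' is not in domain $2"; return 1 ;;
        *)        echo "hostname '$1' is a short name; set it to <name>.$2"; return 1 ;;
    esac
}

# resolv.conf must carry the AD domain in "search"/"domain" and at least one
# nameserver line, which is what the "search contoso.com ..." check verifies.
check_resolv() {  # check_resolv RESOLV_FILE DOMAIN
    awk -v dom="$2" '
        $1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) if (tolower($i) == tolower(dom)) s = 1
        }
        $1 == "nameserver" && NF >= 2 { n = 1 }
        END { exit (s && n) ? 0 : 1 }' "$1" \
        || { echo "$1: needs 'search $2' and a nameserver entry"; return 1; }
}

# Parse saved "klist -k" output and confirm host/<fqdn>@REALM and
# host/<SHORT>@REALM exist, with the realm in uppercase (a lowercase realm
# is what triggers "KDC reply did not match expectations").
check_keytab_principals() {  # check_keytab_principals KLIST_FILE FQDN
    short=${2%%.*}
    realm=$(printf '%s' "${2#*.}" | tr '[:lower:]' '[:upper:]')
    for name in "host/$2" "host/$short"; do
        awk -v n="$name" -v r="$realm" '
            $1 ~ /^[0-9]+$/ && index($2, "@") {
                at = index($2, "@")
                if (tolower(substr($2, 1, at - 1)) == tolower(n) && substr($2, at + 1) == r) ok = 1
            }
            END { exit ok ? 0 : 1 }' "$1" \
            || { echo "keytab: no entry for $name@$realm (check SPNs and realm case)"; return 1; }
    done
}

# Constructed sample inputs: a resolv.conf and the "klist -k" output of a
# successfully joined host sqlhost.contoso.com (10.0.0.10 is an assumed DC).
write_samples() {  # write_samples DIR
    printf 'search contoso.com\nnameserver 10.0.0.10\n' > "$1/resolv.conf"
    cat > "$1/klist.txt" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/sqlhost.contoso.com@CONTOSO.COM
   2 host/SQLHOST@CONTOSO.COM
   2 SQLHOST$@CONTOSO.COM
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
check_hostname_fqdn sqlhost.contoso.com contoso.com \
    && check_resolv "$dir/resolv.conf" contoso.com \
    && check_keytab_principals "$dir/klist.txt" sqlhost.contoso.com \
    && echo "all checks passed"
rm -rf "$dir"
```

On a real host, feed it the live values: check_hostname_fqdn "$(hostname)" contoso.com, check_resolv /etc/resolv.conf contoso.com, and klist -k saved to a file.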

Next steps

This article covers the prerequisite of how to configure a SQL Server on a Linux host machine with Active Directory Authentication. To finish configuring SQL Server on Linux to support Active Directory accounts, follow the instructions at Use Active Directory authentication with SQL Server on Linux.

W' page :: Joining CentOS to a Windows Active Directory domain

Sources:

http://social.technet.microsoft.com/wiki/contents/articles/25944.how-to-join-unix-linux-to-active-directory.aspx

http://in-transit.me/data-center/ubuntu/active-directory-login/

http://arstechnica.com/civis/viewtopic.php?f=16&t=1187287

Add Ubuntu 14.04 LTS Server to a Windows Active Directory Domain – Fullest Integration

http://www.golinuxhub.com/2014/05/how-to-configure-linux-client-to-join.html

http://serverfault.com/questions/630746/pbis-open-ad-authentication-stops-working-on-ubuntu-with-errors-user-accout-ha

0. Preparation

Install and prepare CentOS 7 minimal

Configure the network; in particular, point DNS at the AD server

# nmcli c modify eth0 ipv4.dns 10.0.0.100

If you want a specific name for the machine, edit the file below to change the hostname.

# vi /etc/hostname

cli.kanziw.com

Install and update the required packages

# yum install -y ntp wget; yum update -y

# systemctl enable ntpd; systemctl start ntpd

1. Disable the firewall and SELinux

# systemctl stop firewalld

# systemctl disable firewalld

# vi /etc/sysconfig/selinux

SELINUX=disabled

SELinux is only turned off after a restart.

# reboot

2. Download the program

http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True

Visit the page above, copy the download URL of the program matching your OS and kernel, and download it on the Linux machine

# wget http://download.beyondtrust.com/PBISO/8.2.1/linux.rpm.x64/pbis-open-8.2.1.2979.linux.x86_64.rpm.sh

Give the downloaded file execute permission

# chmod +x pbis-open-8.2.1.2979.linux.x86_64.rpm.sh

3. Install

Run the script that was given execute permission

# ./pbis-open-8.2.1.2979.linux.x86_64.rpm.sh

Creating directory pbis-open-8.2.1.2979.linux.x86_64.rpm

Verifying archive integrity… All good.

Uncompressing pbis-open-8.2.1.2979.linux.x86_64.rpm…………

Would you like to install package for legacy links? (i.e. /opt/likewise/bin/lw-find-user-by-name -> /opt/pbis/bin/find-user-by-name) (yes/no) yes

Would you like to install now? (yes/no) yes

Installing packages and old packages will be removed

. . .

Installing Packages was successful

New libraries and configurations have been installed for PAM and NSS.

Please reboot so that all processes pick up the new versions.

As root, run domainjoin-gui or domainjoin-cli to join a domain so you can log on

with Active Directory credentials. Example:

domainjoin-cli join MYDOMAIN.COM MyJoinAccount

4. Join

Join by passing the AD domain and the account to use for the join as arguments

# domainjoin-cli join kanziw.com administrator

Joining to AD Domain: kanziw.com

With Computer DNS Name: cli.kanziw.com

[email protected]’s password:

Warning: System restart required

Your system has been configured to authenticate to Active Directory for the

first time. It is recommended that you restart your system to ensure that all

applications recognize the new settings.

SUCCESS

Change the default shell for the accounts to /bin/bash

# /opt/pbis/bin/config LoginShellTemplate /bin/bash

Make the Active Directory accounts the default domain for CentOS

# /opt/pbis/bin/config AssumeDefaultDomain true

Allow the Active Directory accounts to use the sudo command

If you want to restrict this to a group, create a separate group in AD and replace the bold part with that group name.

# echo "%domain^admins ALL=(ALL) ALL" >> /etc/sudoers

Reboot and you're done. You can now log in with an AD account!

# reboot

login as: administrator

Using keyboard-interactive authentication.

Password:

[administrator@cent7 ~]$

Now it seems the way to go is to delete all local accounts on the Linux side, keep only the AD accounts,

and apply per-account policies such as whether login is allowed and restrictions on which commands each account may run on Linux.
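Appending to /etc/sudoers with echo bypasses the syntax check that visudo performs, and one bad line there breaks sudo for every account. The added example below (not part of the original post) writes the same rule as a /etc/sudoers.d fragment instead, created at mode 0440 and verified with visudo -c before it is kept. The temporary directory stands in for /etc/sudoers.d, and the group name linux^sudoers is a constructed placeholder for the AD group you would create.

```shell
#!/bin/sh
# Added example, not part of the original post: grant sudo to one AD group
# through a validated /etc/sudoers.d fragment instead of appending to
# /etc/sudoers with echo. The target directory and group names are constructed;
# on a real host pass /etc/sudoers.d as DIR and run as root so visudo can check.

# Write "%GROUP ALL=(ALL) ALL" to DIR/ad-<group> with mode 0440 and have visudo
# verify it; a syntax error in a fragment would otherwise break sudo for everyone.
write_sudoers_fragment() {  # write_sudoers_fragment DIR GROUP -> prints the path
    case "$2" in
        ''|*[!A-Za-z0-9^._-]*) echo "refusing group name '$2'" >&2; return 1 ;;
    esac
    # sudo skips sudoers.d files whose name contains a dot, so map '.' and '^'.
    f="$1/ad-$(printf '%s' "$2" | tr '.^' '__')"
    # Create the file already at 0440 rather than tightening it afterwards.
    ( umask 0337 && printf '%%%s ALL=(ALL) ALL\n' "$2" > "$f" ) || return 1
    chmod 0440 "$f"
    # visudo -c also checks owner and mode, so only run it as root.
    if [ "$(id -u)" = 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$f" || { rm -f "$f"; echo "syntax error, fragment removed" >&2; return 1; }
    fi
    printf '%s\n' "$f"
}

dir=$(mktemp -d)   # stand-in for /etc/sudoers.d (constructed)
if path=$(write_sudoers_fragment "$dir" 'linux^sudoers'); then
    cat "$path"     # prints: %linux^sudoers ALL=(ALL) ALL
fi
rm -rf "$dir"
```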

[Tips]

1) domain^admins : the Active Directory administrators group

2) domain^users : the Active Directory ordinary users group

3) Groups added in AD are reflected on Linux as well.

4) If you want Linux local accounts and AD accounts to be displayed distinct from each other again, use the following command.

# /opt/pbis/bin/config UserDomainPrefix domain_name

AD accounts and groups must then be referred to as domain_name\user_name.

5) Check AD account information

# /opt/pbis/bin/find-user-by-name domain_name\user_name

6) View the configuration commands for advanced users

# /opt/pbis/bin/config --dump

7) Check information about the AD integration (LSA server)

# /opt/pbis/bin/get-status

8) Other information

# /opt/pbis/bin/find-objects --help

e.g. # /opt/pbis/bin/find-objects --user USERNAME

# vi /etc/pbis/pbis-krb5-ad.conf

[Shortcomings]

1) Login is impossible while the connection to AD is down: if all local accounts have been deleted and SSH login as root blocked, the Linux machine cannot be used remotely.

2) I do not know well which mechanism the account login security uses. Perhaps it uses Kerberos..?

At login it shows "Using keyboard-interactive authentication."; what that means also needs to be looked into.

3) GPO, one of AD's most powerful features, is almost useless here. Linux cannot be managed with GPO from the server.

Of course, the paid program is said to support these improvements.. haha

How to join a Linux system to an Active Directory domain

Microsoft’s Active Directory (AD) is the go-to directory service for many organizations. If you and your team are responsible for a mixed Windows and Linux environment, then you probably would like to centralize authentication for both platforms. I’ll cover how to add Linux computers to an Active Directory domain.

Active Directory and the need for centralized access management

Microsoft’s Active Directory, more popularly known as AD, has held the lion’s share of the market for enterprise access management for many years now. It is used by institutions and individuals the world over to centrally control access to resources belonging to the organization. It gives you the ability to manage users, passwords, resources such as computers, and dictate who has access to what. For some of you reading this write-up, especially those who work in large institutions, you have interacted with AD before. Usually, the interaction is using one set of login credentials to log in to any workstation in the organization. That is just the tip of a large iceberg.

Imagine a collection of 40 computer systems and 70 users in a firm. Some employees run shifts while others work regular hours. Some have access to printing; others don’t. The traditional way of working is to create local user accounts on each computer a user needs to access. Imagine the workload on the end-user support team. When a user changes his password for any reason, that user has to change the password on all computers he previously had access to, to keep things in sync. In no time, there will be mayhem. Now, imagine two members of the staff resign. I do not need to tell you the monotonous work that has to be repeated any time there’s a change to the staffing or any workstations. For IT teams, this is a nightmare. Time that could be used for innovative tasks is now spent reinventing the wheel. I have not even spoken about managing access to the printers.

This is where a directory service such as Active Directory thrives. It can literally be a lifesaver. With Active Directory, each user is uniquely created as an object in a central database, with a single set of credentials. Each computer system is also created as an object. Automatically, every user can access every workstation with that same set of credentials. Any account changes that need to be made are made once at the central database. Members of staff can access the printers using the same set of credentials. The printers’ authentication mechanism can be coupled with AD to achieve that. Happy users, happy IT team.

Using groups and organizational units, access to various resources can be tailored and maintained. It gets even better. This directory can store staff phone numbers, email addresses, and can be extended to store other information. What if someone resigns? No problem. Just disable the user’s account. That person’s access to all resources is nullified on the spot. The bigger the organization, the greater the need for centralized management. It saves time; it saves emotions.

At its heart, a directory service is just an organized way of itemizing all the resources in an organization while facilitating easy access to those resources. Basically, AD is a kind of distributed database, which is accessed remotely via the Lightweight Directory Access Protocol (LDAP). LDAP is an open protocol for remotely accessing directory services over a connection-oriented medium such as TCP/IP.

AD is not the only directory service based on the X.500 standard, or that can be accessed using LDAP. Other directory services include OpenLDAP and FreeIPA. However, AD is a mature Windows-based service that comes incorporated with Windows Server systems. In other words, it's going to be the automatic winner when your organization has many Windows systems. This is one of the reasons for its ubiquity. Directory services such as FreeIPA are Linux-based and provide an excellent service for a Linux stable. When the rubber hits the road, the choice boils down to which of the two you can set up quickly, given your current environment and your team's skill set.


But what happens when you choose AD, and you have a few CentOS servers, and you do not want to maintain a separate set of credentials for your Linux users? That overhead is entirely avoidable. What you need to do is join the Linux servers to the AD domain, like you would a Windows server.

If that is what you need to do, then read on to find out just how to do it. It is possible to join a Windows system to a FreeIPA domain, but that is outside the scope of this article.

Prerequisites

This article presupposes that you have at least some introductory-level experience with Active Directory, especially around user and computer account management. Aside from that, the following obvious requirements need to be met:

An account in AD that has the privileges necessary to join a system to the domain.

A Linux server (a CentOS 7 server was used for this demonstration).

A Domain Controller.

Ensure your Linux server knows how to find the domain controller via DNS.

To make this article easier on everyone, here's a list of key details. This is how the lab I used for this write-up is set up, so you should modify accordingly.

AD Domain Name: Hope.net

User account for joining the domain: fkorea (Fullname – Fiifi Korea)

Linux server hostname: centy2

Packages to install

For this configuration, the essential package to install is realmd . Aside from realmd , there are a host of packages that need to be installed to make this work.

# yum install sssd realmd oddjob oddjob-mkhomedir adcli samba-common samba-common-tools krb5-workstation openldap-clients policycoreutils-python

Realmd provides a simplified way to discover and interact with Active Directory domains. It employs sssd to do the actual lookups required for remote authentication and other heavy work of interacting with the domain. In the interest of brevity, I won’t dwell on the other packages in the list.

However, for those interested in the details, a quick Google search should be of great help.

Realmd (interacting with the domain)

Now that all packages have been installed, the first thing to do is to join the CentOS system to the Active Directory domain. We use the realm application for that. The realm client is installed at the same time as realmd . It is used to join, remove, control access, and accomplish many other tasks. Here is the expected syntax for a simple domain join:

realm join --user=[domain user account] [domain name]

The space between the user account and the domain account is not a typo. By inserting the corresponding details, we get the following command:

# realm join --user=fkorea hope.net

Supply the password when the prompt appears and wait for the process to end.

[Image: realm join prompting for the password and returning without output]

Don’t let the short absence of output deceive you. There are a number of operations that go on as part of the process. You can tack on the -v switch for more verbose output. However, the best way to check if the computer is now a member of the domain is by running the realm list command. The command attempts to display the current state of the server with regard to the domain. It is a quick and dirty way to know which groups or users can access the server.

Have a look at its output:

[Image: realm list output for hope.net]

It is also quite trivial to place the newly-created AD computer object in a specific Organizational Unit (OU) from the onset. I'll leave that for further reading, but, as a tip, you can consult the man page. Using the realm client, you can grant or revoke access to domain users and groups. A deep dive on using realmd in a more fine-grained way is enough to make another article. However, it would not be out of order to pick out a few parameters for your attention, namely client-software and server-software. By now, you should understand why we had to install so many packages.

To leave the domain altogether, you need two words: realm leave
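The join above depends on DNS finding a domain controller, and the article recommends realm list to confirm the join and see who may log in. The script below is an added example, not code from the article: it lists the SRV records a member looks up before a join (queried with host only when a domain is passed on the command line), and parses a realm list report to answer "joined?" and "who can log in?". The report text is a constructed sample shaped like realm's output for the article's lab domain hope.net; the permitted user and groups in it are made up.

```shell
#!/bin/sh
# Added example (not from the original article): DNS preflight for a domain
# join and a small parser for `realm list` output.

# dc_srv_records DOMAIN -> the SRV names a member resolves to find a DC and a KDC.
# If none of these resolve, `realm join` cannot locate the domain.
dc_srv_records() {
    printf '%s\n' "_ldap._tcp.dc._msdcs.$1" "_kerberos._tcp.$1" "_ldap._tcp.$1"
}

# preflight_dns DOMAIN -> queries each SRV name with host(1); returns 1 if any fails
preflight_dns() {
    rc=0
    for rr in $(dc_srv_records "$1"); do
        if host -t SRV "$rr" >/dev/null 2>&1; then
            echo "ok   $rr"
        else
            echo "FAIL $rr (resolv.conf must point at a DC or an AD-aware DNS server)"; rc=1
        fi
    done
    return $rc
}

# realm_field REPORT KEY -> value of the "  KEY: value" line in a realm list report
realm_field() {
    printf '%s\n' "$1" | awk -v k="$2" '
        { l = $0; sub(/^[ \t]+/, "", l)
          if (index(l, k ":") == 1) { sub(/^[^:]*:[ \t]*/, "", l); print l; exit } }'
}

# realm_is_joined REPORT -> true when the realm is configured as a Kerberos member
realm_is_joined() {
    [ "$(realm_field "$1" configured)" = "kerberos-member" ]
}

# realm_login_summary REPORT -> one line describing who may log in, from login-policy
realm_login_summary() {
    case "$(realm_field "$1" login-policy)" in
        allow-any-login|allow-realm-logins)
            echo "any account in $(realm_field "$1" domain-name) may log in" ;;
        allow-permitted-logins)
            echo "restricted: users [$(realm_field "$1" permitted-logins)] groups [$(realm_field "$1" permitted-groups)]" ;;
        deny-any-login) echo "all realm logins denied" ;;
        *) echo "not joined or no login-policy reported" ;;
    esac
}

# Constructed sample of `realm list` for a joined member (users/groups made up).
REALM_LIST_SAMPLE='hope.net
  type: kerberos
  realm-name: HOPE.NET
  domain-name: hope.net
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U@hope.net
  login-policy: allow-permitted-logins
  permitted-logins: fkorea@hope.net
  permitted-groups: linux-admins@hope.net, linux-ops@hope.net'

# Constructed sample for a realm that was discovered but never joined.
REALM_LIST_UNJOINED='hope.net
  type: kerberos
  realm-name: HOPE.NET
  domain-name: hope.net
  configured: no
  server-software: active-directory
  client-software: sssd'

if [ $# -gt 0 ]; then
    preflight_dns "$1"          # live DNS check, only when a domain is given
fi
realm_is_joined "$REALM_LIST_SAMPLE" && echo "sample: joined"
realm_login_summary "$REALM_LIST_SAMPLE"
realm_login_summary "$REALM_LIST_UNJOINED"
```

Run it as `sh check-join.sh hope.net` on a real host to see the SRV preflight; `realm list | realm_login_summary "$(cat)"` style use works once the functions are sourced.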

Further configuration

So now that the Linux server is part of the AD domain, domain users can access the server with their usual credentials. We are done, right? Wrong. “What’s the problem?” I hear you say.


Well, for starters, this is the barebones configuration to get you up and running. But the experience is clunky, to say the least. We need to configure the service further to give it a true AD feel. It should be just like logging on to a domain-joined Windows 10 workstation.

Secondly, there is the big elephant in the room for sysadmins called Dynamic DNS Updates (DynDNS). If it is not set up correctly, we create extra overhead by having to maintain DNS records manually. For an environment that relies heavily on DNS, that could be a problem. For Windows systems, joining a system to the domain means two entries are automatically managed and maintained on the DNS server. When IP addresses change, the change is automatically reflected in DNS. This means you can change the IPs of systems without incurring the cost of manual maintenance. This will only make sense to people who already take advantage of DNS in their environments. Aside from the noticeable productivity gains of automation, it helps to have both Windows and Linux environments working the same way.

The third issue is DNS Scavenging. In an Active Directory domain, DNS is usually provided by the Domain Controllers. Every system joined to the domain has an automatic DNS entry with a corresponding IP address. This is super convenient. Automatically, at a specified interval, stale DNS records are deleted to prevent misdirected packets and also take care of deleted computer objects. This is known as scavenging, and it is not turned on by default in AD. However, if it is turned on, we need to configure it. Typically, the scavenging interval is seven days. If, after that period, there has been no update to the record, it is deleted, unless it is a static record. For Windows systems, the Dynamic Updates feature is automatically set up. However, with Linux servers, a few modifications need to be made. Without doing that, we will have services going down after a while because their records are deleted from DNS, and no one knows how to reach their component parts.

Now that we know some of the potential issues we need to address, let’s take a look at some of the things we can tweak to deliver a more seamless experience to the end-user and the sysadmin.

SSSD (easier logins and dynamic updates)

sssd on a Linux system is responsible for enabling the system to access authentication services from a remote source such as Active Directory. In other words, it is the primary interface between the directory service and the module requesting authentication services, realmd. Its main configuration file is located at /etc/sssd/sssd.conf. As a matter of fact, this is the main configuration file we will modify.

Let’s have a look at its contents before configuration. Once you join the domain, it is immediately modified to contain the minimum information required for a successful logon. My file looked like this:

[Image: sssd.conf as written by the domain join]

In order to solve all three of the problems I mentioned earlier, edit your file to look like the one below:

[Image: sssd.conf after editing]

Most of the options are self-explanatory, and you can modify yours accordingly while we step through what some of the key options represent. More information on all the options can be obtained by checking the man page. I think it is well written. Just type man 5 sssd.conf at the command line. You can also view the man page for sssd_ad for further information.

First and foremost, the configuration file is separated into two sections. The global section, under [sssd] and the domain-specific options section, [domain/[domain name]].

The global section contains options that affect the general behavior of sssd , such as the version information and related services. One key parameter under this section is shown below:

default_domain_suffix – Set this to the domain name if you do not want to have to type the full user account name when logging in. Instead of having to type fkorea@hope.net every time, you can just type fkorea and the password. This helps a lot when you have a long domain name.

The domain-specific section contains parameters that are specific to the domain you have joined. Key parameters are:

access_provider – Allows you to select a provider optimized and used for interacting with AD servers for authentication purposes. It should be set to ad. Other values that can be used here are ldap and ipa, assuming you use those directory services.

id_provider – Allows you to select a provider optimized and used for interacting with AD servers for identification purposes. It should be set to ad.

ad_hostname – This should be the fully qualified hostname of the server. It should be set if the system's hostname is anything other than the fully qualified domain name. If this is not set and sssd does not have access to the fully qualified hostname, dynamic updates will fail.

ad_domain – This should be the full domain name (hope.net in this case).

cache_credentials – This enables AD users to log in when the domain controller is offline. When this is set to true, credentials are cached for a period such that authentication does not fail when the back end is offline. The period of storage is also configurable.

fallback_homedir – This helps you set a home directory for AD users who do not have a home directory attribute in AD. This is different from the override_home parameter, which applies when a home directory is set in AD for users.

dyndns_update – This enables dynamic DNS updates and accepts either true or false as a value. When dynamic updates are enabled, updates occur primarily under three conditions: when the Linux server restarts, when the provider comes online, and when the refresh interval is due.

dyndns_refresh_interval – This value is in seconds with a practical minimum of 60 seconds. It accepts integer values and has a default of 24 hours (86400s). In this example, we set it to 12 hours. If nothing else triggers an update, one is performed regularly at this interval.

dyndns_update_ptr – A boolean value that specifies whether the associated PTR record is to be updated in every update cycle. PTR records are used for reverse lookups, and unless there is a good reason, this should be set to true.

dyndns_auth – Specifies whether the dynamic updates should be done securely or not. The setting depends on the mode accepted by AD. If AD is set to Accept Secure Updates Only, this value should be set to GSS-TSIG. If not, and you do not care for the security benefits of secure dynamic updates (despite the strong warning in AD), this value can be set to none.
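The screenshots of the finished sssd.conf did not survive, so here is an added example (not the article's own file or code) that puts the options just described into a constructed sssd.conf for the article's lab (domain hope.net, host centy2) and audits it: the FQDN requirement on ad_hostname, dyndns_update/dyndns_auth/dyndns_refresh_interval, cache_credentials, fallback_homedir and default_domain_suffix. It goes slightly beyond the text by also noting when no ad_access_filter is set, since access_provider = ad then admits every AD account; the filter group linux-admins in the sample is made up. A second, deliberately weak file shows what the audit reports.

```shell
#!/bin/sh
# Added example, not code from the original article: audit an sssd.conf for the
# options discussed above. Both files written below are constructed samples.

# ini_get FILE SECTION KEY -> value of KEY in [SECTION] (case-insensitive
# names, trailing "# comment" stripped), or nothing if absent.
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                      in_sec = (tolower(s) == tolower(want_sec)); next }
        in_sec && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); sub(/[ \t]+[#;].*$/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(want_key)) { print v; exit }
        }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }
upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }
flag()  { echo "$1"; n=$((n + 1)); }       # record one finding (n is global)

# audit_sssd_conf FILE DOMAIN -> one finding per line, or OK if none; always returns 0
audit_sssd_conf() {
    f=$1; dom=$2; sec="domain/$dom"; n=0
    [ "$(ini_get "$f" sssd default_domain_suffix)" = "$dom" ] ||
        flag "default_domain_suffix: not $dom (users must type user@$dom to log in)"
    for key in access_provider id_provider; do
        [ "$(ini_get "$f" "$sec" "$key")" = "ad" ] || flag "$key: expected ad"
    done
    adhost=$(ini_get "$f" "$sec" ad_hostname)
    case "$adhost" in
        *.$dom) ;;
        *) flag "ad_hostname: '$adhost' is not a FQDN under $dom (dynamic DNS updates will fail)" ;;
    esac
    [ "$(lower "$(ini_get "$f" "$sec" dyndns_update)")" = "true" ] ||
        flag "dyndns_update: not true (records go stale and scavenging removes them)"
    auth=$(upper "$(ini_get "$f" "$sec" dyndns_auth)")
    [ "$auth" = "GSS-TSIG" ] || flag "dyndns_auth: '$auth' (AD secure-updates-only zones need GSS-TSIG)"
    iv=$(ini_get "$f" "$sec" dyndns_refresh_interval)
    case "$iv" in
        ''|*[!0-9]*) flag "dyndns_refresh_interval: not set or not an integer" ;;
        *) [ "$iv" -ge 60 ] || flag "dyndns_refresh_interval: $iv is below the 60s practical minimum" ;;
    esac
    [ "$(lower "$(ini_get "$f" "$sec" cache_credentials)")" = "true" ] ||
        flag "cache_credentials: not true (logins fail while the DC is unreachable)"
    [ -n "$(ini_get "$f" "$sec" fallback_homedir)" ] ||
        flag "fallback_homedir: unset (AD users without a home attribute get no home directory)"
    [ -n "$(ini_get "$f" "$sec" ad_access_filter)" ] ||
        flag "ad_access_filter: unset (every AD account may log in)"
    [ "$n" -eq 0 ] && echo OK
    return 0
}

SAMPLE_DIR=$(mktemp -d)
GOOD=$SAMPLE_DIR/sssd-good.conf
WEAK=$SAMPLE_DIR/sssd-weak.conf
cat > "$GOOD" <<'EOF'
[sssd]
domains = hope.net
config_file_version = 2
services = nss, pam
default_domain_suffix = hope.net

[domain/hope.net]
ad_domain = hope.net
ad_hostname = centy2.hope.net
krb5_realm = HOPE.NET
cache_credentials = True
id_provider = ad
access_provider = ad
ad_access_filter = (memberOf=cn=linux-admins,ou=Groups,dc=hope,dc=net)
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
dyndns_update = True
dyndns_refresh_interval = 43200
dyndns_update_ptr = True
dyndns_auth = GSS-TSIG
EOF
cat > "$WEAK" <<'EOF'
[sssd]
domains = hope.net
config_file_version = 2
services = nss, pam

[domain/hope.net]
ad_domain = hope.net
ad_hostname = centy2
id_provider = ad
access_provider = ad
cache_credentials = True
fallback_homedir = /home/%u@%d
dyndns_update = True
dyndns_refresh_interval = 30
dyndns_auth = none
EOF

echo "== good sample =="; audit_sssd_conf "$GOOD" hope.net
echo "== weak sample =="; audit_sssd_conf "$WEAK" hope.net
```

Point audit_sssd_conf at /etc/sssd/sssd.conf and your domain to check a real host; the file is root-readable only, so run it with sudo.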

Once the configuration is complete, restart sssd to apply settings immediately.

# systemctl restart sssd

At this point, we are set. We can now log in like we would at a Windows workstation or server.

[Image: SSH login to the server with an AD account]

Visudo (granting admin privileges)

Users that are granted access have unprivileged access to the Linux server. For all intents and purposes, all Active Directory accounts are now accessible to the Linux system, in the same way natively-created local accounts are accessible to the system. You can now do the regular sysadmin tasks of adding them to groups, making them owners of resources, and configuring other needed settings. If the user tries any activity that requires sudo access, the familiar error is presented. As can be seen in the inset, our user is not in the sudoers file.

[Image: sudo reporting that the AD user is not in the sudoers file]

In that light, we can edit the sudoers file directly to grant them superuser privileges. This is not an article on granting superuser privileges, but we can use the visudo tool to interact safely with the sudoers file.

[Image: editing the sudoers file with visudo and retrying the sudo command]

Alternatively, we could have just added the user to the wheel group. The point is the user account is now available to be used by the system.


Wrap up

Try this out in your organization or lab environment. It is obvious I just scratched the surface on this topic, but this will get you pretty far into the process. Check out the respective documentation if you want to explore options not covered in this article.

Joining a Linux system to an Active Directory domain allows you to get the best of both worlds. The process is very simple and can be scripted using Bash or automated using Ansible, especially during the system’s initial setup. If you are still managing a group of more than five systems without a directory service and a good reason, please do yourself a favor and get one set up. You can thank me later.

[Linux] AD join (AD LDAP) setup using SMB (SAMBA)

Environment

- OS : Centos 7.8

- Kernel : 3.10.0-1127.13.1.el7.x86_64

There is a way to integrate with AD LDAP using sssd, but LDAP integration through SAMBA is also possible.

Package installation

[root@TEST ~]# yum install -y authconfig samba-winbind samba-client samba-winbind-clients

Add the domain to join to resolv.conf

[root@test ~]# echo "domain adserver.test.net" >> /etc/resolv.conf

[root@test ~]# vi /etc/nsswitch.conf
~(omitted)
passwd:     files sss winbind
shadow:     files sss winbind
(save)

[root@test ~]# vi /etc/krb5.conf
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# change dns_lookup_realm to true if it is set to false
 dns_lookup_realm = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = false
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = TEST.NET

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }
# the realm entry must carry the same name as default_realm above
 TEST.NET = {
  kdc = adserver.test.net
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

samba configuration

[root@test ~]# vi /etc/samba/smb.conf
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
#--authconfig--start-line--

# Generated by authconfig on 2020/08/04 14:32:59
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

   workgroup = test
   password server = adserver.test.net
   realm = TEST.NET
   security = ads
   idmap config * : range = 16777216-33554431
   template shell = /bin/bash
## home directory created when an AD account logs in for the first time
   template homedir = /home/test.net/%U
   kerberos method = secrets only
   winbind use default domain = false
   winbind offline logon = false

#--authconfig--end-line--
;       workgroup = SAMBA
;       security = user

        passdb backend = tdbsam

        printing = cups
        printcap name = cups
        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @printadmin root
        force group = @printadmin
        create mask = 0664
        directory mask = 0775

The setup is not difficult.

Setup 1. Configuration with authconfig-tui

[root@TEST ~]# authconfig-tui

Entering authconfig-tui brings up a rather old-fashioned screen.

A. Screen before configuration

Check "Use Winbind authentication" on the right. Move with the arrow keys and press the space bar to select it.

A. Screen after configuration

Press the Tab key to select Next.

Enter the information for the AD server you are joining via LDAP.

B. Before entering the AD information

B. After entering the AD information (example)

Security model: select ads.
Domain: enter the domain name; for test.net, enter only test.
Domain controllers: enter the domain controller address including its hostname: adserver.test.net.
ADS realm: enter the domain name without the subdomain part.
Template shell: select the shell the joined accounts will use; since you have to log in with those accounts, choose /bin/bash.

When the join succeeds:

[/usr/bin/net join -w TEST -S adserver.test.net -U strator]
Enter strator's password:<...>
Using short domain name -- TEST
Joined 'test' to dns domain 'test.net'

<When the integration succeeds>

[root@IB-DEVWINGO ~]# authconfig-tui
You have new mail in /var/spool/mail/root

or

[root@IB-DEVWINGO ~]# authconfig-tui
[/usr/bin/net join -w TEST -S adserver.test.net -U strator]
Enter strator's password:<...>
Using short domain name -- TEST
Joined 'test' to dns domain 'test.net'
No DNS domain configured for test. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
You have new mail in /var/spool/mail/root

<When the integration fails>

[root@TEST ~]# authconfig-tui
Job for winbind.service failed because the control process exited with error code. See "systemctl status winbind.service" and "journalctl -xe" for details.
getsebool: SELinux is disabled
getsebool: SELinux is disabled
You have new mail in /var/spool/mail/root

# vi /etc/samba/smb.conf
~(omitted)
# change both from false to true
   winbind use default domain = true
   winbind offline logon = true

To create a local home directory the first time an AD account logs on, run the command below.

[root@test ~]# authconfig --enablemkhomedir --update

Restart the service daemon

Here only the winbind daemon needs to be restarted.

[root@test ~]# systemctl restart winbind
You have new mail in /var/spool/mail/root

If the AD join succeeded, the commands below print the group and user information from AD.

Manually join a Linux instance

This is a machine translation. If the translated content conflicts with the original English, the English version takes precedence.

In addition to Amazon EC2 Windows instances, you can also join certain Amazon EC2 Linux instances to AWS Directory Service for Microsoft Active Directory. The following Linux instance distributions and versions are supported:

Amazon Linux AMI 2018.03.0

Amazon Linux 2 (64-bit x86)

Red Hat Enterprise Linux 8 (HVM) (64-bit x86)

Ubuntu Server 18.04 LTS and Ubuntu Server 16.04 LTS

CentOS 7 x86-64

SUSE Linux Enterprise Server 15 SP1

Note: Other Linux distributions and versions might work but have not been tested.

Join an instance to your directory

To join an Amazon Linux, CentOS, Red Hat, or Ubuntu instance to your directory, the instance must first be launched as specified in Seamlessly join a Windows EC2 instance.

Important: Some of the procedures below can, if not performed correctly, make the instance unreachable or unusable. Therefore, it is strongly recommended that you make a backup or take a snapshot of the instance before performing these procedures.

To join a Linux instance to your directory

Use one of the following tabs to follow the steps for your specific Linux instance.

Restrict account login access

Because all accounts are defined in Active Directory, by default every user in the directory can log in to the instance. You can allow only specific users to log in to the instance with ad_access_filter in sssd.conf. For example:

ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)

memberOf – Indicates that users are allowed access to the instance only if they are members of a specific group.
cn – The common name of the group that should have access. In this example, the group name is admins.
ou – The organizational unit in which the above group is located. In this example, the OU is Testou.
dc – The domain component of your domain. In this example, example.
dc – An additional domain component. In this example, com.

You must add ad_access_filter to /etc/sssd/sssd.conf manually.

Open the /etc/sssd/sssd.conf file in a text editor.

sudo vi /etc/sssd/sssd.conf

After you add it, your sssd.conf might look like the following:

[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)

Restart the sssd service for the configuration to take effect:

sudo systemctl restart sssd.service

Or you can use:

sudo service sssd restart

Connect to the instance

When you connect to the instance with an SSH client, you are prompted for the user name. The user can enter the user name in either the username@example.com or the EXAMPLE\username format. The response appears similar to the following, depending on the Linux distribution you are using:

Amazon Linux, Red Hat Enterprise Linux, CentOS Linux

login as: [email protected]
[email protected]'s password:
Last login: Thu Jun 25 16:26:28 2015 from XX.XX.XX.XX

SUSE Linux

SUSE Linux Enterprise Server 15 SP1 x86_64 (64-bit)

As "root" (sudo or sudo -i) use the:
  - zypper command for package management
  - yast command for configuration management

Management and Config: https://www.suse.com/suse-in-the-cloud-basics
Documentation: https://www.suse.com/documentation/sles-15/
Forum: https://forums.suse.com/forumdisplay.php?93-SUSE-Public-Cloud

Have a lot of fun...

Ubuntu Linux

Linux SAMBA AD join

[winbind]

* yum install samba-winbind

* Setup (domain name: delmaster.vm, IP address: 192.168.100.101)

* DNS settings (add and modify)

* vi /etc/resolv.conf

* domain delmaster.vm (add)

* nameserver 192.168.100.101

* Authentication settings

* vi /etc/nsswitch.conf

* passwd: files winbind (modify)

* shadow: files winbind (modify)

* group: files winbind (modify)

* vi /etc/krb5.conf

[libdefaults]
 default_realm = DELMASTER.VM    (modify; Kerberos realm names are case-sensitive and AD realms are upper case)
 dns_lookup_realm = true         (modify)
 dns_lookup_kdc = true           (modify)
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true              (modify)

* vi /etc/samba/smb.conf

[global]
        workgroup = delmaster
        server string = Samba Server Version %v
        security = ads
        realm = delmaster.vm
        domain master = no
        local master = no
        preferred master = no
        idmap backend = hash
        idmap uid = 100000000-999999999
        idmap gid = 100000000-999999999
        idmap config delmaster.vm : backend = hash
        idmap config delmaster.vm : range = 100000000-999999999
        inherit acls = Yes
        inherit permissions = Yes
        map acl inherit = Yes
        winbind separator = .
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind nested groups = yes
        winbind refresh tickets = yes
        template homedir = /smb/%D/%U
        template shell = /bin/bash
        restrict anonymous = 2
# Domain member options. These belong under [global]; a bracketed
# "[Domain Members Options]" line would open a share section, where
# security, realm and password server are not valid.
        security = ads
        realm = delmaster.vm
        password server = 192.168.100.101
        winbind expand groups = 4
        vfs objects = acl_xattr
        ea support = yes
        log file = /var/log/samba/log.%m
        #log level = all:10
        max log size = 50
        store dos attributes = yes

[homes]
        comment = Home Directories
        valid users = %S
        read only = no
        browseable = no

[Share_group1]
        comment = Test share
        path = /smb/Test share
        read only = no
        valid users = @"delmaster.G-linux"
;       force group = "Domain Users.G1"
        directory mode = 0770
        force directory mode = 0770
        create mode = 0660
        force create mode = 0660
        access based share enum = yes
        hide unreadable = yes
        vfs objects = acl_xattr
        acl group control = yes
        write list = @"delmaster.G-linux"

[Share]
        comment = Test share
        path = /smb/share
        read only = no
        valid users = @"delmaster.Domain Users"
        force group = "Domain Users"
        directory mode = 0770
        force directory mode = 0770
        create mode = 0660
        force create mode = 0660
        access based share enum = yes
        hide unreadable = yes
        vfs objects = acl_xattr
        acl group control = yes
        write list = @"delmaster.Domain Users"
        browseable = yes

* AD JOIN

* net ads join -U administrator

* Restart the services

* service smb restart

* service nmb restart

* service winbind restart

* Verify the join

* wbinfo -u : lists the AD users
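Both winbind write-ups above keep the realm in two places (krb5.conf and smb.conf) and hand-type idmap keys, which is where joins quietly break: the first post's krb5.conf carried a [realms] entry under a different name than its default_realm, listed twice, and the second post's smb.conf spelled "range" as "rang". The script below is an added example, not code from either post: it cross-checks a krb5.conf/smb.conf pair for realm agreement, security = ads, the NetBIOS workgroup, a matching [realms] entry, duplicate realm entries and a usable idmap range. The four files it writes are constructed samples: a consistent pair for TEST.NET, and a pair reproducing the slips just described.

```shell
#!/bin/sh
# Added example, not from either post above: consistency check for the
# krb5.conf and smb.conf of a "security = ads" (winbind) domain member.

# conf_get FILE SECTION KEY -> value of KEY in [SECTION]. Whitespace inside the
# key is ignored, so "idmap config TEST.NET : range" matches however it is spaced.
conf_get() {
    awk -v S="$2" -v K="$3" '
        BEGIN { gsub(/[ \t]+/, "", K); K = tolower(K); S = tolower("[" S "]") }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ { l = $0; gsub(/[ \t]/, "", l); in_s = (tolower(l) == S); next }
        in_s && (i = index($0, "=")) > 0 {
            k = substr($0, 1, i - 1); gsub(/[ \t]+/, "", k)
            v = substr($0, i + 1); sub(/[ \t]+[#;].*$/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == K) { print v; exit }
        }' "$1"
}

# krb5_realms FILE -> names of the realms defined in [realms], one per line
krb5_realms() {
    awk '/^[ \t]*[#;]/ { next }
         /^[ \t]*\[/ { in_r = ($0 ~ /^[ \t]*\[realms\]/); next }
         in_r && /^[ \t]*[A-Za-z0-9.-]+[ \t]*=[ \t]*[{]/ { r = $1; sub(/=.*/, "", r); print r }' "$1"
}

upper() { printf '%s' "$1" | tr 'a-z' 'A-Z'; }
flag()  { echo "$1"; n=$((n + 1)); }       # record one finding (n is global)

# check_ad_configs KRB5_CONF SMB_CONF -> one finding per line, or OK; always returns 0
check_ad_configs() {
    krb=$1; smb=$2; n=0
    realm=$(upper "$(conf_get "$smb" global realm)")
    krb_realm=$(upper "$(conf_get "$krb" libdefaults default_realm)")
    short=${realm%%.*}                          # NetBIOS name = first label of the realm
    [ -n "$realm" ] || flag "smb.conf: realm is not set"
    [ "$realm" = "$krb_realm" ] || flag "realm mismatch: smb.conf '$realm' vs krb5.conf default_realm '$krb_realm'"
    [ "$(upper "$(conf_get "$smb" global security)")" = "ADS" ] || flag "smb.conf: security must be ads for a domain member"
    [ "$(upper "$(conf_get "$smb" global workgroup)")" = "$short" ] || flag "smb.conf: workgroup should be the realm's NetBIOS name '$short'"
    realms=$(krb5_realms "$krb")
    if [ -n "$realms" ] && ! printf '%s\n' "$realms" | grep -qixF "$krb_realm"; then
        flag "krb5.conf: [realms] defines $(printf '%s' "$realms" | tr '\n' ' ') but not default_realm $krb_realm"
    fi
    dups=$(printf '%s\n' "$realms" | sort | uniq -d)
    [ -z "$dups" ] || flag "krb5.conf: duplicate [realms] entry: $dups"
    range=$(conf_get "$smb" global "idmap config $realm : range")
    [ -n "$range" ] || range=$(conf_get "$smb" global "idmap config * : range")
    case "$range" in
        *[0-9]-[0-9]*) [ "${range%-*}" -lt "${range#*-}" ] || flag "smb.conf: idmap range '$range' is not low-high" ;;
        *) flag "smb.conf: no 'idmap config $realm : range' or '* : range' (look for typos such as 'rang')" ;;
    esac
    [ "$n" -eq 0 ] && echo OK
    return 0
}

D=$(mktemp -d)
cat > "$D/krb5-good.conf" <<'EOF'
[libdefaults]
 default_realm = TEST.NET
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
[realms]
 TEST.NET = {
  kdc = adserver.test.net
 }
[domain_realm]
 .test.net = TEST.NET
 test.net = TEST.NET
EOF
cat > "$D/smb-good.conf" <<'EOF'
[global]
 workgroup = TEST
 realm = TEST.NET
 security = ads
 password server = adserver.test.net
 idmap config * : backend = tdb
 idmap config * : range = 16777216-33554431
 template shell = /bin/bash
 template homedir = /home/test.net/%U
 winbind use default domain = true
EOF
cat > "$D/krb5-bad.conf" <<'EOF'
[libdefaults]
 default_realm = TEST.NET
 dns_lookup_realm = true
[realms]
 INFOBANK.NET = {
  kdc = adserver.test.net
 }
 INFOBANK.NET = {
  kdc = adserver.test.net
 }
EOF
cat > "$D/smb-bad.conf" <<'EOF'
[global]
 workgroup = delmaster
 security = ads
 realm = delmaster.vm
 idmap config delmaster.vm : backend = hash
 idmap config delmaster.vm : rang = 100000000-999999999
EOF

echo "== consistent pair =="; check_ad_configs "$D/krb5-good.conf" "$D/smb-good.conf"
echo "== broken pair ==";     check_ad_configs "$D/krb5-bad.conf"  "$D/smb-bad.conf"
```

On a real member run `check_ad_configs /etc/krb5.conf /etc/samba/smb.conf` before `net ads join`; `testparm -s` remains the authoritative parser for smb.conf, this script only catches the cross-file disagreements testparm cannot see.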

[Linux] Create an AD on a Linux system and join the domain from different operating systems

As we know, Active Directory is the directory management service that Microsoft developed for Windows networks. It covers most services, such as user management, DNS management, domain name management and policy, and is used mainly with the Windows operating system, with Windows Server as the managing server. Active Directory is the service every administrator wants for central management of the company network. But the cost of Microsoft licensing is not something every small or medium-sized company can afford. That is why many companies have been moving to the corresponding open-source services, and today I will introduce the Samba 4 service.

Samba is known as a Domain Controller that is easy to install and use on Linux. Since version 4.0, Samba has also been compatible with Microsoft Active Directory.

1. Installing Samba 4

To install Samba 4, you first have to register an account on the site https://portal.enterprisesamba.com/

After registering and logging in, you will see USERNAME:ACCESSKEY. This is the key you set in the repo file in the next step.

Set up the repo file. If you use CentOS 7, the repo file looks like this:

# vi /etc/yum.repos.d/sernet-samba-4.1.repo

#change to your username and accesskey
[sernet-samba-4.1]
name=SerNet Samba 4.1 Packages (centos-7)
type=rpm-md
baseurl=https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/centos/7/
gpgcheck=1
gpgkey=https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/centos/7/repodata/repomd.xml.key
enabled=1

If you use CentOS 6:

# vi /etc/yum.repos.d/sernet-samba-4.1.repo

# change to your username and accesskey
[sernet-samba-4.1]
name=SerNet Samba 4.1 Packages (centos-6)
type=rpm-md
baseurl=https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/centos/6/
gpgcheck=1
gpgkey=https://USERNAME:ACCESSKEY@download.sernet.de/packages/samba/4.1/centos/6/repodata/repomd.xml.key
enabled=1

Install Samba via yum:

# yum -y install sernet-samba sernet-samba-ad

2. Configuring Samba

After the installation is complete, configure the Samba AD DC:

# samba-tool domain provision --use-rfc2307 --interactive

Where:

--use-rfc2307: enables the NIS extensions, which let you manage users and computers easily with the Windows Active Directory tools

--interactive: uses the default value (shown in square brackets) if nothing is entered

Realm: the Kerberos realm. It is automatically used as the Active Directory DNS domain name

Domain: the NT4/NetBIOS domain name (maximum 15 characters)

Server role: 'dc' for a Domain Controller

DNS backend: use the internal DNS or BIND9 as the DNS backend (the default is the internal DNS)

DNS forwarder IP address: only offered if the DNS backend is the internal DNS (points to the internal DNS server)

Administrator password: make sure the password is strong:

At least 8 characters

Contains 3 of the 4 character classes: upper case, lower case, digits or special characters

Set samba4 to start in ad mode:

# vi /etc/default/sernet-samba

Change line 7: SAMBA_START_MODE="ad"

OK. Now start samba4 and enable the service at server boot:

# /etc/init.d/sernet-samba-ad start

Starting SAMBA AD services : [ OK ]

# chkconfig sernet-samba-ad on

# chkconfig sernet-samba-smbd off

# chkconfig sernet-samba-nmbd off

# chkconfig sernet-samba-winbindd off

Raise the domain level to 2008R2:

# samba-tool domain level raise --domain-level 2008_R2 --forest-level 2008_R2

Domain function level changed!

Forest function level changed!

All changes applied successfully!

Check the domain level:

# samba-tool domain level show

Domain and forest function level for domain 'DC=demo,DC=net'

Forest function level: (Windows) 2008 R2

Domain function level: (Windows) 2008 R2

Lowest function level of a DC: (Windows) 2008 R2

3. Joining the domain from different operating systems

On Windows

You can join the Linux domain from Windows just as you would join a Windows Server domain, with a few simple steps.

Right-click Computer -> Properties -> Change settings. In the Computer name window choose Change -> switch to the corresponding Domain -> enter the administrator user and password set above -> Done!

On Ubuntu

We will use likewise-open, which provides an authentication method that lets *nix systems join AD simply. First, edit resolv.conf to point at the DNS server so the domain can be found:

# vi /etc/resolv.conf

nameserver 192.168.0.2

search demo.net

Download likewise:

# wget http://launchpadlibrarian.net/153427240/likewise-open_6.1.0.406-0ubuntu10_amd64.deb

Install likewise:

# dpkg -i likewise-open* libglade2-0_2.6.4*

Selecting previously unselected package likewise-open.

(Reading database … 56915 files and directories currently installed.)

Preparing to unpack likewise-open_6.1.0.406-0ubuntu10_amd64.deb …

Unpacking likewise-open (6.1.0.406-0ubuntu10) …

Selecting previously unselected package libglade2-0:amd64.

Preparing to unpack libglade2-0_2.6.4-2_amd64.deb …

Unpacking libglade2-0:amd64 (1:2.6.4-2) …

Setting up likewise-open (6.1.0.406-0ubuntu10) …

Importing registry…

To give domain users root rights:

# echo -e '%demo\\\domain^users ALL=(ALL) ALL' >> /etc/sudoers

Join the domain:

# domainjoin-cli join demo.net Administrator

Joining to AD Domain: demo.net

With Computer DNS Name: ubuntu.demo.net

SUCCESS

You should reboot this system before attempting GUI logins as a domain user.

Done. Now we can log in with the domain account: demo

On macOS, we use the utility built into the Mac.

Open Users & Groups:

Enable the change of login options

Click Join to join the domain

Type the domain, the client computer name, and the AD admin name and password

And when the join succeeds:

Unlike Windows and Ubuntu, where a network connection to the domain is required only at the first login and later logins to the domain account work even without a network, on macOS you always need a network connection (Wi-Fi or LAN) to log in to the domain account.

Another difference when logging in with a domain account on macOS is that the domain name prefix is not needed as it is on Windows or Ubuntu.

Example: if the domain account is tran.van.cuong, you log in on Windows and Ubuntu as *demo\tran.van.cuong*

On macOS you only enter the account tran.van.cuong, and macOS finds the user locally and in the domain by itself.

In the next article we will look at managing users, groups, computers and policy on Samba4.
