[Linux] Joining a CentOS 8 machine to an Active Directory domain

OS version: CentOS 8.0.1905
Original article published on: 10 November 2019

Updated on:

Not really any change compared to CentOS 7.

 

Some information

Domain name: izero.fr
Active Directory server name: srv-ad.izero.fr
CentOS 8 client machine name: test-centos8
Windows Server version: 2012 R2
AD user name: bef
AD group name: it

 

Install the following packages:

$ sudo yum install chrony epel-release bash-completion bash-completion-extras vim

 

Configure the NTP server

Kerberos tolerates only a small clock skew between client and domain controller, so edit chrony.conf to point at the internal NTP server(s) (the AD domain controllers).

$ sudo vim /etc/chrony.conf
server 192.168.3.100 iburst
server 192.168.3.101 iburst

Restart the daemon

$ sudo systemctl restart chronyd

 

Install the packages required for AD integration

$ sudo yum install sssd realmd oddjob oddjob-mkhomedir sssd samba-common-tools

 

Join the machine to AD (realm prompts for the password of an AD account allowed to create computer objects; the output below uses Administrator)

$ sudo realm join --verbose srv-ad.izero.fr
* Resolving: _ldap._tcp.srv-ad.izero.fr
 * Resolving: srv-ad.izero.fr
 * Performing LDAP DSE lookup on: 192.168.3.100
 * Successfully discovered: izero.fr
Password for Administrator:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain izero.fr --domain-realm IZERO.FR --domain-controller 192.168.3.100 --login-type user --login-user Administrator --stdin-password
 * Using domain name: izero.fr
 * Calculated computer account name from fqdn: TEST-CENTOS8
 * Using domain realm: izero.fr
 * Sending netlogon pings to domain controller: cldap://192.168.3.100
 * Received NetLogon info from: srv-ad.izero.fr
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-rrPy24/krb5.d/adcli-krb5-conf-yaQJbu
 * Authenticated as user: Administrator@IZERO.FR
 * Looked up short domain name: IZERO
 * Looked up domain SID: S-1-5-21-274564476-3214569226-337574350
 * Using fully qualified name: test-centos8.izero.fr
 * Using domain name: izero.fr
 * Using computer account name: TEST-CENTOS8
 * Using domain realm: izero.fr
 * Calculated computer account name from fqdn: TEST-CENTOS8
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for TEST-CENTOS8$ does not exist
 * Found well known computer container at: CN=Computers,DC=izero,DC=fr
 * Calculated computer account: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr
 * Created computer account: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr
 * Sending netlogon pings to domain controller: cldap://192.168.3.100
 * Received NetLogon info from: srv-ad.izero.fr
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr
 * Discovered which keytab salt to use
 * Added the entries to the keytab: TEST-CENTOS8$@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/TEST-CENTOS8@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/test-centos8.izero.fr@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/TEST-CENTOS8@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/test-centos8.izero.fr@IZERO.FR: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Sauvegarde stockée à /var/lib/authselect/backups/2019-11-09-22-54-39.yEqFAG
Le profil "sssd" a été sélectionné.
Les mappages nsswitch suivants ont été remplacés par le profil :
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service
Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
 * Successfully enrolled machine in realm
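As an added check that is not part of the original post, the script below verifies the keytab the join wrote: it parses "klist -k" output and confirms that the host/ and RestrictedKrbHost/ principals for both the FQDN and the short computer name are present and that all entries share one kvno (a kvno mismatch after a machine password rotation is a classic cause of Kerberos host authentication failures). The klist output embedded here is a constructed sample built from the principals listed above; on a real host, pipe "sudo klist -k /etc/krb5.keytab" into check_keytab instead.

```shell
#!/bin/sh
# Added example, not part of the original post: verify the keytab written by
# "realm join" against the principals expected for this host.
set -eu

# Constructed "klist -k" output, modelled on the entries the join above added.
# Real use:  sudo klist -k /etc/krb5.keytab | check_keytab test-centos8.izero.fr IZERO.FR
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 TEST-CENTOS8$@IZERO.FR
   2 host/TEST-CENTOS8@IZERO.FR
   2 host/test-centos8.izero.fr@IZERO.FR
   2 RestrictedKrbHost/TEST-CENTOS8@IZERO.FR
   2 RestrictedKrbHost/test-centos8.izero.fr@IZERO.FR'

# keytab_principals: read klist -k output on stdin, print "kvno principal" pairs
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $1, $2 }'
}

# check_keytab FQDN REALM < klist-output
# Returns 0 when the machine account and the host/ and RestrictedKrbHost/
# principals (FQDN and short name) are present and all entries share one kvno;
# otherwise prints what is missing and returns 1.
check_keytab() {
    fqdn=$1; realm=$2
    short=$(printf '%s' "$fqdn" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    entries=$(keytab_principals)
    status=0
    for p in "host/$fqdn@$realm" "host/$short@$realm" \
             "RestrictedKrbHost/$fqdn@$realm" "RestrictedKrbHost/$short@$realm" \
             "$short\$@$realm"; do
        printf '%s\n' "$entries" | awk -v p="$p" '$2 == p { found = 1 } END { exit !found }' \
            || { echo "missing principal: $p"; status=1; }
    done
    kvnos=$(printf '%s\n' "$entries" | awk '{ print $1 }' | sort -u | awk 'END { print NR }')
    if [ "$kvnos" -ne 1 ]; then
        echo "warning: keytab holds entries with $kvnos different kvno values"
        status=1
    fi
    return $status
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_KLIST" | check_keytab test-centos8.izero.fr IZERO.FR && echo "keytab OK"
```

The short name is derived by upper-casing the first DNS label, which matches how adcli calculated TEST-CENTOS8 from the FQDN in the output above.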

 

Edit sssd.conf so that the AD domain name is no longer appended to user names, by changing use_fully_qualified_names from True to False.
Also fix the home directory (fallback_homedir).

$ sudo vim /etc/sssd/sssd.conf
[sssd]
domains = izero.fr
config_file_version = 2
services = nss, pam

[domain/izero.fr]
ad_server = srv-ad.izero.fr
ad_domain = izero.fr
krb5_realm = IZERO.FR
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad

Restart the sssd daemon:

$ sudo systemctl restart sssd
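The two edits above can be scripted so they are repeatable on every joined host. The script below is an added example, not code from the original post: it rewrites a key inside a given section of an INI-style file (or appends it if absent), applies the use_fully_qualified_names and fallback_homedir changes to the [domain/izero.fr] section, and leaves the file at mode 0600, which SSSD requires for its configuration. The sssd.conf it operates on is a constructed copy of what realmd writes (the pre-edit values True and /home/%u@%d are the assumed realmd defaults); on a real host call fix_sssd_conf on /etc/sssd/sssd.conf as root and then restart sssd.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently apply the sssd.conf
# changes described above and keep the file root-only (0600).
set -eu

# set_ini_option FILE SECTION KEY VALUE
# Rewrites "KEY = VALUE" inside [SECTION]; appends it to that section if absent.
# A duplicate KEY line in the same section is dropped so only one remains.
set_ini_option() {
    file=$1; section=$2; key=$3; value=$4
    tmp=$(mktemp)
    awk -v sec="$section" -v key="$key" -v val="$value" '
        function flush() { if (insec && !done) { print key " = " val; done = 1 } }
        /^\[/              { flush(); insec = ($0 == "[" sec "]") }
        insec && $1 == key { flush(); next }     # replace the existing line
        { print }
        END { flush(); if (!done) { print "[" sec "]"; print key " = " val } }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write in place so ownership and mode are preserved
    rm -f "$tmp"
}

# get_ini_option FILE SECTION KEY -> prints the value, empty if unset
get_ini_option() {
    awk -v sec="$2" -v key="$3" '
        /^\[/ { insec = ($0 == "[" sec "]") }
        insec && $1 == key { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# fix_sssd_conf FILE DOMAIN: the edits the post describes, plus permission hardening
fix_sssd_conf() {
    set_ini_option "$1" "domain/$2" use_fully_qualified_names False
    set_ini_option "$1" "domain/$2" fallback_homedir '/home/%u'
    chmod 0600 "$1"
}

# Constructed copy of the sssd.conf realmd writes after the join (domain values
# from the post; the two pre-edit values are the assumed realmd defaults).
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[sssd]
domains = izero.fr
config_file_version = 2
services = nss, pam

[domain/izero.fr]
ad_server = srv-ad.izero.fr
ad_domain = izero.fr
krb5_realm = IZERO.FR
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: fix a sample copy and show the result
CONF=$(make_sample_conf)
fix_sssd_conf "$CONF" izero.fr
cat "$CONF"
```

Writing the new contents into the existing file rather than renaming a temporary file over it keeps root ownership and the 0600 mode intact; SSSD refuses to start when sssd.conf is readable by other users.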

 

Restrict login permissions (SSH included) to the IT group, of which the user is a member. realm permit writes this rule into the access-provider settings of sssd.conf, so SSSD enforces it for every PAM login it handles, not only SSH.

$ sudo realm deny --all
$ sudo realm permit -g it

 

Add the IT group to sudoers

$ sudo visudo
%it     ALL=(ALL)       ALL

 

All that is left is to test the login

$ ssh bef@192.168.3.59
bef@192.168.3.59's password:

[bef@test-centos8 ~]$
[bef@test-centos8 ~]$ sudo -i
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for bef:
[root@test-centos8 ~]#

 

Check with the id utility that the user's rights are resolved correctly

$ id bef
uid=1340201108(bef) gid=1340200513(utilisateurs du domaine) groups=1340200513(utilisateurs du domaine),1340201107(it)

 

Check the logs, which should return information like the following

$ sudo tail -f /var/log/secure
Nov 10 01:00:53 test-centos8 sshd[7739]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.7 user=bef
Nov 10 01:00:53 test-centos8 sshd[7739]: Accepted password for bef from 192.168.3.7 port 61967 ssh2
Nov 10 01:00:53 test-centos8 systemd[7747]: pam_unix(systemd-user:session): session opened for user bef by (uid=0)
Nov 10 01:00:53 test-centos8 sshd[7739]: pam_unix(sshd:session): session opened for user bef by (uid=0)

Nov 10 01:01:20 test-centos8 sudo[7798]: pam_sss(sudo-i:auth): authentication success; logname=bef uid=1340201108 euid=0 tty=/dev/pts/1 ruser=bef rhost= user=bef
Nov 10 01:01:20 test-centos8 sudo[7798]: bef : TTY=pts/1 ; PWD=/home/bef ; USER=root ; COMMAND=/bin/bash
Nov 10 01:01:20 test-centos8 sudo[7798]: pam_systemd(sudo-i:session): Cannot create session: Already running in a session or user slice
Nov 10 01:01:20 test-centos8 sudo[7798]: pam_unix(sudo-i:session): session opened for user root by bef(uid=0)
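Beyond eyeballing tail -f, the same pam_sss lines can be summarised per service, user and outcome, and sources producing repeated failures can be flagged. The script below is an added example, not part of the original post. Its sample log is constructed: the success lines follow the output shown above, while the failure lines (and the source 192.168.3.77) are invented for illustration. On a real host, replace the printf with "sudo cat /var/log/secure".

```shell
#!/bin/sh
# Added example, not part of the original post: summarise pam_sss authentication
# results from /var/log/secure and flag source hosts with repeated failures.
set -eu

# Constructed sample log: successes from the post, failures invented.
SAMPLE_LOG='Nov 10 01:00:53 test-centos8 sshd[7739]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.7 user=bef
Nov 10 01:00:53 test-centos8 sshd[7739]: Accepted password for bef from 192.168.3.7 port 61967 ssh2
Nov 10 01:01:20 test-centos8 sudo[7798]: pam_sss(sudo-i:auth): authentication success; logname=bef uid=1340201108 euid=0 tty=/dev/pts/1 ruser=bef rhost= user=bef
Nov 10 01:05:02 test-centos8 sshd[7901]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.77 user=bef
Nov 10 01:05:02 test-centos8 sshd[7901]: pam_sss(sshd:auth): received for user bef: 7 (Authentication failure)
Nov 10 01:05:09 test-centos8 sshd[7901]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.77 user=bef
Nov 10 01:05:15 test-centos8 sshd[7901]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.77 user=bef
Nov 10 01:05:15 test-centos8 sshd[7901]: Failed password for bef from 192.168.3.77 port 50122 ssh2'

# pam_sss_summary: read log lines on stdin, print "service user outcome count", sorted
pam_sss_summary() {
    awk '
        match($0, /pam_sss\([^)]*:auth\): authentication (success|failure)/) {
            line = substr($0, RSTART, RLENGTH)
            svc = line; sub(/^pam_sss\(/, "", svc); sub(/:auth.*/, "", svc)
            outcome = (line ~ /success$/) ? "success" : "failure"
            user = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^user=/) user = substr($i, 6)
            n[svc " " user " " outcome]++
        }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# failing_hosts THRESHOLD: print "rhost count" for sources with at least
# THRESHOLD pam_sss authentication failures (empty rhost, e.g. sudo, is skipped)
failing_hosts() {
    awk -v limit="$1" '
        /pam_sss\([^)]*:auth\): authentication failure/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^rhost=./) f[substr($i, 7)]++
        }
        END { for (h in f) if (f[h] >= limit) print h, f[h] }
    ' | sort
}

# Stand-alone run over the constructed sample
printf '%s\n' "$SAMPLE_LOG" | pam_sss_summary
printf '%s\n' "$SAMPLE_LOG" | failing_hosts 3
```

Only the "authentication success/failure" lines are counted; the "received for user ... (Authentication failure)" line that pam_sss logs alongside a failure is deliberately ignored so each attempt is counted once.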

 

 
