[Linux] Joindre une machine Centos 8 sur un domaine Active Directory - iZero

Joindre une machine Centos 8 sur un domaine Active Directory

Version de l’OS

Centos 8.0.1905

Article original Publié le : 10 novembre 2019

Mise a jour le : –

Pas réellement de changement par rapport a Centos 7

Quelques infos

Nom de domaine: izero.fr
Nom du serveur Active Directory: srv-ad.izero.fr
Nom de la machine client Centos 8: test-centos8
Version de Windows serveur : 2012 R2
Nom de l’utilisateur AD: bef
Nom du groupe AD: it

Installer les paquets suivants:

$ sudo yum install chrony epel-release bash-completion bash-completion-extras vim

1	$ sudo yum install chrony epel-release bash-completion bash-completion-extras vim

Configurer le serveur NTP

Éditer le fichier chrony.conf pour définir le(s) serveur(s) NTP interne (AD).

$ sudo vim /etc/chrony.conf

1	$ sudo vim /etc/chrony.conf

server 192.168.3.100 iburst
server 192.168.3.101 iburst

1 2	server 192.168.3.100 iburst server 192.168.3.101 iburst

Redémarrer le démon

$ sudo systemctl restart chronyd

1	$ sudo systemctl restart chronyd

Installer les paquets nécessaires à l’intégration AD

$ sudo yum install sssd realmd oddjob oddjob-mkhomedir sssd samba-common-tools

1	$ sudo yum install sssd realmd oddjob oddjob-mkhomedir sssd samba-common-tools

Joindre la machine a l’AD

$ sudo realm join --verbose srv-ad.izero.fr

1	$ sudo realm join --verbose srv-ad.izero.fr

* Resolving: _ldap._tcp.srv-ad.izero.fr
 * Resolving: srv-ad.izero.fr
 * Performing LDAP DSE lookup on: 192.168.3.100
 * Successfully discovered: izero.fr
Password for Administrator:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain izero.fr --domain-realm IZERO.FR --domain-controller 192.168.3.100 --login-type user --login-user Administrator --stdin-password
 * Using domain name: izero.fr
 * Calculated computer account name from fqdn: TEST-CENTOS8
 * Using domain realm: izero.fr
 * Sending netlogon pings to domain controller: cldap://192.168.3.100
 * Received NetLogon info from: srv-ad.izero.fr
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-rrPy24/krb5.d/adcli-krb5-conf-yaQJbu
 * Authenticated as user: Administrator@IZERO.FR
 * Looked up short domain name: IZERO
 * Looked up domain SID: S-1-5-21-274564476-3214569226-337574350
 * Using fully qualified name: test-centos8.izero.fr
 * Using domain name: izero.fr
 * Using computer account name: TEST-CENTOS8
 * Using domain realm: izero.fr
 * Calculated computer account name from fqdn: TEST-CENTOS8
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for TEST-CENTOS8$ does not exist
 * Found well known computer container at: CN=Computers,DC=izero,DC=fr
 * Calculated computer account: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr
 * Created computer account: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr
 * Sending netlogon pings to domain controller: cldap://192.168.3.100
 * Received NetLogon info from: srv-ad.izero.fr
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr
 * Discovered which keytab salt to use
 * Added the entries to the keytab: TEST-CENTOS8$@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/TEST-CENTOS8@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/test-centos8.izero.fr@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/TEST-CENTOS8@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/test-centos8.izero.fr@IZERO.FR: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Sauvegarde stock?e ? /var/lib/authselect/backups/2019-11-09-22-54-39.yEqFAG
Le profil "sssd" a ?t? s?lectionn?.
Les mappages nsswitch suivants ont ?t? remplac?s par le profil?:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service
Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service ? /usr/lib/systemd/system/oddjobd.service.
 * Successfully enrolled machine in realm

* Resolving: _ldap._tcp.srv-ad.izero.fr

* Resolving: srv-ad.izero.fr

* Performing LDAP DSE lookup on: 192.168.3.100

* Successfully discovered: izero.fr

Password for Administrator:

* Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli

* LANG=C /usr/sbin/adcli join --verbose --domain izero.fr --domain-realm IZERO.FR --domain-controller 192.168.3.100 --login-type user --login-user Administrator --stdin-password

* Using domain name: izero.fr

* Calculated computer account name from fqdn: TEST-CENTOS8

* Using domain realm: izero.fr

* Sending netlogon pings to domain controller: cldap://192.168.3.100

* Received NetLogon info from: srv-ad.izero.fr

* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-rrPy24/krb5.d/adcli-krb5-conf-yaQJbu

* Authenticated as user: Administrator@IZERO.FR

* Looked up short domain name: IZERO

* Looked up domain SID: S-1-5-21-274564476-3214569226-337574350

* Using fully qualified name: test-centos8.izero.fr

* Using domain name: izero.fr

* Using computer account name: TEST-CENTOS8

* Using domain realm: izero.fr

* Calculated computer account name from fqdn: TEST-CENTOS8

* Generated 120 character computer password

* Using keytab: FILE:/etc/krb5.keytab

* Computer account for TEST-CENTOS8$ does not exist

* Found well known computer container at: CN=Computers,DC=izero,DC=fr

* Calculated computer account: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr

* Created computer account: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr

* Sending netlogon pings to domain controller: cldap://192.168.3.100

* Received NetLogon info from: srv-ad.izero.fr

* Set computer password

* Retrieved kvno '2' for computer account in directory: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr

* Discovered which keytab salt to use

* Added the entries to the keytab: TEST-CENTOS8$@IZERO.FR: FILE:/etc/krb5.keytab

* Added the entries to the keytab: host/TEST-CENTOS8@IZERO.FR: FILE:/etc/krb5.keytab

* Added the entries to the keytab: host/test-centos8.izero.fr@IZERO.FR: FILE:/etc/krb5.keytab

* Added the entries to the keytab: RestrictedKrbHost/TEST-CENTOS8@IZERO.FR: FILE:/etc/krb5.keytab

* Added the entries to the keytab: RestrictedKrbHost/test-centos8.izero.fr@IZERO.FR: FILE:/etc/krb5.keytab

* /usr/bin/systemctl enable sssd.service

* /usr/bin/systemctl restart sssd.service

* /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service

Sauvegarde stock?e ? /var/lib/authselect/backups/2019-11-09-22-54-39.yEqFAG

Le profil "sssd" a ?t? s?lectionn?.

Les mappages nsswitch suivants ont ?t? remplac?s par le profil?:

- passwd

- group

- netgroup

- automount

- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module

is present and oddjobd service is enabled

- systemctl enable oddjobd.service

- systemctl start oddjobd.service

Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service ? /usr/lib/systemd/system/oddjobd.service.

* Successfully enrolled machine in realm

Modifier le fichier sssd.conf pour ne pas ajouter le nom de domaine de l’utilisateur AD en passant la valeur de True a False.
Corriger également le homedir.

$ sudo vim /etc/sssd/sssd.conf

1	$ sudo vim /etc/sssd/sssd.conf

[sssd]
domains = izero.fr
config_file_version = 2
services = nss, pam

[domain/izero.fr]
ad_server = srv-ad.izero.fr
ad_domain = izero.fr
krb5_realm = IZERO.FR
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = <span style="color: #ff0000;">False</span>
fallback_homedir = <span style="color: #ff0000;">/home/%u</span>
access_provider = ad

[sssd]

domains = izero.fr

config_file_version = 2

services = nss, pam

[domain/izero.fr]

ad_server = srv-ad.izero.fr

ad_domain = izero.fr

krb5_realm = IZERO.FR

realmd_tags = manages-system joined-with-adcli

cache_credentials = True

id_provider = ad

krb5_store_password_if_offline = True

default_shell = /bin/bash

ldap_id_mapping = True

use_fully_qualified_names = <span style="color: #ff0000;">False</span>

fallback_homedir = <span style="color: #ff0000;">/home/%u</span>

access_provider = ad

Redémarrer le démon sssd :

$ sudo systemctl restart sssd

1	$ sudo systemctl restart sssd

Restreindre les autorisations de connexion en SSH au groupe IT (dont l’utilisateur fait parti)

$ sudo realm deny --all

1	$ sudo realm deny --all

$ sudo realm permit -g it

1	$ sudo realm permit -g it

Ajouter le groupe IT au sudoers

$ sudo visudo

1	$ sudo visudo

%it     ALL=(ALL)       ALL

1	%it ALL=(ALL) ALL

Reste plus qu’a tester la connexion

$ ssh bef@192.168.3.59
bef@192.168.3.59's password:

[bef@test-centos8 ~]$
[bef@test-centos8 ~]$ sudo -i
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for bef:
[root@test-centos8 ~]#

$ ssh bef@192.168.3.59

bef@192.168.3.59's password:

[bef@test-centos8 ~]$

[bef@test-centos8 ~]$ sudo -i

We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.

#2) Think before you type.

#3) With great power comes great responsibility.

[sudo] password for bef:

[root@test-centos8 ~]#

Vérifier avec l’utilitaire id que l’on remonte bien les droits de l’utilisateur

$ id bef

$ id bef

uid=1340201108(bef) gid=1340200513(utilisateurs du domaine) groups=1340200513(utilisateurs du domaine),1340201107(it)

1	uid=1340201108(bef) gid=1340200513(utilisateurs du domaine) groups=1340200513(utilisateurs du domaine),1340201107(it)

Check des logs qui devrait renvoyer les informations comme ci dessous

$ sudo tail -f /var/log/secure

1	$ sudo tail -f /var/log/secure

Nov 10 01:00:53 test-centos8 sshd[7739]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.7 user=bef
Nov 10 01:00:53 test-centos8 sshd[7739]: Accepted password for bef from 192.168.3.7 port 61967 ssh2
Nov 10 01:00:53 test-centos8 systemd[7747]: pam_unix(systemd-user:session): session opened for user bef by (uid=0)
Nov 10 01:00:53 test-centos8 sshd[7739]: pam_unix(sshd:session): session opened for user bef by (uid=0)

Nov 10 01:01:20 test-centos8 sudo[7798]: pam_sss(sudo-i:auth): authentication success; logname=bef uid=1340201108 euid=0 tty=/dev/pts/1 ruser=bef rhost= user=bef
Nov 10 01:01:20 test-centos8 sudo[7798]: bef : TTY=pts/1 ; PWD=/home/bef ; USER=root ; COMMAND=/bin/bash
Nov 10 01:01:20 test-centos8 sudo[7798]: pam_systemd(sudo-i:session): Cannot create session: Already running in a session or user slice
Nov 10 01:01:20 test-centos8 sudo[7798]: pam_unix(sudo-i:session): session opened for user root by bef(uid=0)

Nov 10 01:00:53 test-centos8 sshd[7739]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.7 user=bef

Nov 10 01:00:53 test-centos8 sshd[7739]: Accepted password for bef from 192.168.3.7 port 61967 ssh2

Nov 10 01:00:53 test-centos8 systemd[7747]: pam_unix(systemd-user:session): session opened for user bef by (uid=0)

Nov 10 01:00:53 test-centos8 sshd[7739]: pam_unix(sshd:session): session opened for user bef by (uid=0)

Nov 10 01:01:20 test-centos8 sudo[7798]: pam_sss(sudo-i:auth): authentication success; logname=bef uid=1340201108 euid=0 tty=/dev/pts/1 ruser=bef rhost= user=bef

Nov 10 01:01:20 test-centos8 sudo[7798]: bef : TTY=pts/1 ; PWD=/home/bef ; USER=root ; COMMAND=/bin/bash

Nov 10 01:01:20 test-centos8 sudo[7798]: pam_systemd(sudo-i:session): Cannot create session: Already running in a session or user slice

Nov 10 01:01:20 test-centos8 sudo[7798]: pam_unix(sudo-i:session): session opened for user root by bef(uid=0)

Articles lus : 3 940

Rating: 5.0/5. From 2 votes.

Please wait...

Voting is currently disabled, data maintenance in progress.

Laisser un commentaire Annuler la réponse