Joining a CentOS 8 machine to an Active Directory domain
OS version: CentOS 8.0.1905
Original article published on: 10 November 2019
Updated on: –
Not much really changes compared to CentOS 7.
Some details
Domain name: izero.fr
Active Directory server name: srv-ad.izero.fr
CentOS 8 client machine name: test-centos8
Windows Server version: 2012 R2
AD user name: bef
AD group name: it
Install the following packages:
$ sudo yum install chrony epel-release bash-completion bash-completion-extras vim
Configure the NTP server
Edit chrony.conf to set the internal NTP server(s), i.e. the AD domain controllers.
$ sudo vim /etc/chrony.conf
server 192.168.3.100 iburst
server 192.168.3.101 iburst
Restart the daemon
$ sudo systemctl restart chronyd
Install the packages required for AD integration
$ sudo yum install sssd realmd oddjob oddjob-mkhomedir sssd samba-common-tools
Join the machine to the AD
$ sudo realm join --verbose srv-ad.izero.fr
 * Resolving: _ldap._tcp.srv-ad.izero.fr
 * Resolving: srv-ad.izero.fr
 * Performing LDAP DSE lookup on: 192.168.3.100
 * Successfully discovered: izero.fr
Password for Administrator: 
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain izero.fr --domain-realm IZERO.FR --domain-controller 192.168.3.100 --login-type user --login-user Administrator --stdin-password
 * Using domain name: izero.fr
 * Calculated computer account name from fqdn: TEST-CENTOS8
 * Using domain realm: izero.fr
 * Sending netlogon pings to domain controller: cldap://192.168.3.100
 * Received NetLogon info from: srv-ad.izero.fr
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-rrPy24/krb5.d/adcli-krb5-conf-yaQJbu
 * Authenticated as user: Administrator@IZERO.FR
 * Looked up short domain name: IZERO
 * Looked up domain SID: S-1-5-21-274564476-3214569226-337574350
 * Using fully qualified name: test-centos8.izero.fr
 * Using domain name: izero.fr
 * Using computer account name: TEST-CENTOS8
 * Using domain realm: izero.fr
 * Calculated computer account name from fqdn: TEST-CENTOS8
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for TEST-CENTOS8$ does not exist
 * Found well known computer container at: CN=Computers,DC=izero,DC=fr
 * Calculated computer account: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr
 * Created computer account: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr
 * Sending netlogon pings to domain controller: cldap://192.168.3.100
 * Received NetLogon info from: srv-ad.izero.fr
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr
 * Discovered which keytab salt to use
 * Added the entries to the keytab: TEST-CENTOS8$@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/TEST-CENTOS8@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/test-centos8.izero.fr@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/TEST-CENTOS8@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/test-centos8.izero.fr@IZERO.FR: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Sauvegarde stockée à /var/lib/authselect/backups/2019-11-09-22-54-39.yEqFAG
Le profil "sssd" a été sélectionné.
Les mappages nsswitch suivants ont été remplacés par le profil :
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module is present
  and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service

Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
 * Successfully enrolled machine in realm
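Two things are worth confirming right after the join, before touching sssd.conf: that the clock is within Kerberos tolerance of the domain controllers (a skewed clock is the classic cause of a join that "worked" but logins that fail), and that the keytab really holds the five entries adcli reported above. The script below is an added example written for this article, not output or code from the article itself or from realmd/adcli; it assumes the names used above (test-centos8, realm IZERO.FR) as defaults, and the chronyc and klist calls only make sense on the joined host.

```shell
#!/bin/sh
# Added example (not the article's own commands): post-join sanity checks.
# Assumes the host and realm names from the article as defaults.

set -u

# Kerberos rejects tickets when the clock differs from the KDC by more than
# a few minutes ("clock skew too great"). Return 0 if |offset| < max seconds.
skew_within() {
    awk -v o="$1" -v m="$2" 'BEGIN { if (o < 0) o = -o; exit !(o < m) }'
}

# Read the current offset to the selected NTP source from chrony
# ("Last offset : -0.000123 seconds") and compare it to the limit.
clock_skew_ok() {
    max="${1:-60}"
    offset=$(chronyc tracking 2>/dev/null | awk '/^Last offset/ { print $4 }')
    [ -n "$offset" ] || return 1
    skew_within "$offset" "$max"
}

# The principals adcli writes to /etc/krb5.keytab, as listed in the join
# output: the machine account plus host/ and RestrictedKrbHost/ for both the
# upper-cased short name and the lower-cased fully-qualified name.
# Usage: expected_principals <fqdn> <REALM>
expected_principals() {
    short=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
    fqdn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    realm="$2"
    printf '%s$@%s\n' "$short" "$realm"
    for svc in host RestrictedKrbHost; do
        printf '%s/%s@%s\n' "$svc" "$short" "$realm"
        printf '%s/%s@%s\n' "$svc" "$fqdn" "$realm"
    done
}

# Compare the expected list with what klist sees in the keytab
# (reading /etc/krb5.keytab needs root). Returns 1 on the first missing entry.
keytab_complete() {
    host="${1:-$(hostname -f)}"
    realm="${2:-IZERO.FR}"
    # klist -k prints two header lines and a separator before "KVNO Principal" rows
    have=$(klist -k /etc/krb5.keytab 2>/dev/null | awk 'NR > 3 { print $2 }' | sort -u)
    expected_principals "$host" "$realm" | while read -r p; do
        printf '%s\n' "$have" | grep -qxF "$p" || {
            echo "missing keytab entry: $p" >&2
            exit 1
        }
    done
}

# Usage on the joined host, as root:
#   . ./postjoin.sh && clock_skew_ok && keytab_complete && echo "join looks good"
```

If `keytab_complete` reports a missing `host/` entry, SSH logins with GSSAPI and SSSD's own ticket refresh will misbehave even though password logins may still work; re-running `realm join` regenerates the keytab.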
Edit sssd.conf so that the AD user's domain name is no longer appended to the username, by changing use_fully_qualified_names from True to False.
Also fix the home directory (fallback_homedir).
$ sudo vim /etc/sssd/sssd.conf
[sssd]
domains = izero.fr
config_file_version = 2
services = nss, pam

[domain/izero.fr]
ad_server = srv-ad.izero.fr
ad_domain = izero.fr
krb5_realm = IZERO.FR
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
Restart the sssd daemon:
$ sudo systemctl restart sssd
Restrict SSH login permissions to the IT group (which the user belongs to)
$ sudo realm deny --all
$ sudo realm permit -g it
Add the IT group to the sudoers
$ sudo visudo
%it ALL=(ALL) ALL
All that's left is to test the connection
$ ssh bef@192.168.3.59
bef@192.168.3.59's password: 
[bef@test-centos8 ~]$ 
[bef@test-centos8 ~]$ sudo -i

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for bef: 
[root@test-centos8 ~]#
Check with the id utility that the user's rights are correctly returned
$ id bef
uid=1340201108(bef) gid=1340200513(utilisateurs du domaine) groups=1340200513(utilisateurs du domaine),1340201107(it)
Check the logs, which should show information like the following
$ sudo tail -f /var/log/secure
Nov 10 01:00:53 test-centos8 sshd[7739]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.7 user=bef
Nov 10 01:00:53 test-centos8 sshd[7739]: Accepted password for bef from 192.168.3.7 port 61967 ssh2
Nov 10 01:00:53 test-centos8 systemd[7747]: pam_unix(systemd-user:session): session opened for user bef by (uid=0)
Nov 10 01:00:53 test-centos8 sshd[7739]: pam_unix(sshd:session): session opened for user bef by (uid=0)
Nov 10 01:01:20 test-centos8 sudo[7798]: pam_sss(sudo-i:auth): authentication success; logname=bef uid=1340201108 euid=0 tty=/dev/pts/1 ruser=bef rhost= user=bef
Nov 10 01:01:20 test-centos8 sudo[7798]: bef : TTY=pts/1 ; PWD=/home/bef ; USER=root ; COMMAND=/bin/bash
Nov 10 01:01:20 test-centos8 sudo[7798]: pam_systemd(sudo-i:session): Cannot create session: Already running in a session or user slice
Nov 10 01:01:20 test-centos8 sudo[7798]: pam_unix(sudo-i:session): session opened for user root by bef(uid=0)
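Those pam_sss and sudo lines are also what you want to watch once the box is in production: successful and failed AD authentications per user, accounts refused at the account stage (which is what a user outside the permitted group gets after the realm permit step above), and which AD users escalate through sudo. The script below is an added example for this article, not code from the article or from SSSD; the sample log it embeds is constructed from the format of the lines above plus a failed login and a denied user, and on a real host you would feed it /var/log/secure instead.

```shell
#!/bin/sh
# Added example (not the article's own code): summarise AD logins, failures,
# access denials and sudo use from /var/log/secure-style lines.

set -u

# Constructed sample: the successful ssh login and sudo from the article,
# plus one failed password and one user refused at the account stage.
sample_secure_log() {
    cat <<'EOF'
Nov 10 01:00:53 test-centos8 sshd[7739]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.7 user=bef
Nov 10 01:00:53 test-centos8 sshd[7739]: Accepted password for bef from 192.168.3.7 port 61967 ssh2
Nov 10 01:01:20 test-centos8 sudo[7798]: pam_sss(sudo-i:auth): authentication success; logname=bef uid=1340201108 euid=0 tty=/dev/pts/1 ruser=bef rhost= user=bef
Nov 10 01:01:20 test-centos8 sudo[7798]: bef : TTY=pts/1 ; PWD=/home/bef ; USER=root ; COMMAND=/bin/bash
Nov 10 01:05:02 test-centos8 sshd[7810]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.7 user=bef
Nov 10 01:05:02 test-centos8 sshd[7810]: pam_sss(sshd:auth): received for user bef: 7 (Authentication failure)
Nov 10 01:06:40 test-centos8 sshd[7822]: pam_sss(sshd:account): Access denied for user alice: 6 (Permission denied)
EOF
}

# Count events per user. Reads files given as arguments, or stdin.
# Output lines: "<user> <event> <count>", events being auth_ok, auth_fail,
# access_denied and sudo. The " user=" anchor (with a leading space) avoids
# matching the "ruser=" field that precedes it on pam lines.
summarize_secure() {
    awk '
        /pam_sss\([a-z-]+:auth\): authentication success/ {
            if (match($0, / user=[^ ]+/)) ev[substr($0, RSTART + 6, RLENGTH - 6) " auth_ok"]++
        }
        /pam_sss\([a-z-]+:auth\): authentication failure/ {
            if (match($0, / user=[^ ]+/)) ev[substr($0, RSTART + 6, RLENGTH - 6) " auth_fail"]++
        }
        /pam_sss\([a-z-]+:account\): Access denied for user/ {
            u = $0; sub(/.*Access denied for user /, "", u); sub(/:.*/, "", u)
            ev[u " access_denied"]++
        }
        # "sudo[PID]: <user> : TTY=..." -- the invoking user is field 6
        / sudo\[[0-9]+\]: [^ ]+ : TTY=/ { ev[$6 " sudo"]++ }
        END { for (k in ev) print k, ev[k] }' "$@" | sort
}

# Count for one <user> <event> pair from stdin, 0 if absent.
secure_count() {
    summarize_secure | awk -v k="$1 $2" '
        ($1 " " $2) == k { print $3; f = 1 }
        END { if (!f) print 0 }'
}

# Users with at least <n> authentication failures (stdin), one per line.
auth_fail_over() {
    summarize_secure | awk -v n="$1" '$2 == "auth_fail" && $3 >= n { print $1 }'
}

# Usage on a joined host:
#   sudo cat /var/log/secure | summarize_secure
#   sudo cat /var/log/secure | auth_fail_over 5
```

Note that the same user shows two `auth_ok` events in the sample: one from sshd and one from `sudo -i`, because pam_sss logs the sudo password check with the `sudo-i:auth` service name. If you only want interactive logins, restrict the first pattern to `sshd:auth`.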