Joining a CentOS 8 machine to an Active Directory domain
OS version: CentOS 8.0.1905
Original article published on: 10 November 2019
Updated on: –
There is no real change compared with CentOS 7.
Some information
Domain name: izero.fr
Active Directory server name: srv-ad.izero.fr
CentOS 8 client machine name: test-centos8
Windows Server version: 2012 R2
AD user name: bef
AD group name: it
Install the following packages (on CentOS 8, yum is an alias for dnf):

```shell
$ sudo yum install chrony epel-release bash-completion bash-completion-extras vim
```
Configure the NTP server

Edit chrony.conf to point at the internal NTP server(s), i.e. the domain controllers. Kerberos rejects tickets when the client clock drifts from the DC by more than the permitted skew (5 minutes by default), so time synchronisation has to be working before the join.

```shell
$ sudo vim /etc/chrony.conf
```

```text
server 192.168.3.100 iburst
server 192.168.3.101 iburst
```

Restart the daemon:

```shell
$ sudo systemctl restart chronyd
```
Install the packages required for AD integration:

```shell
$ sudo yum install sssd realmd oddjob oddjob-mkhomedir samba-common-tools
```
Join the machine to AD

realm discovers the domain (izero.fr) from the DC name given on the command line. Without -U, realm authenticates as Administrator (see the password prompt below); prefer `-U <account>` with a dedicated join account that is only delegated the right to create computer objects in the target OU. The join creates the computer account TEST-CENTOS8$ with a generated 120-character password and writes its Kerberos keys to /etc/krb5.keytab; that file is the machine's credential and must stay readable by root only.

```shell
$ sudo realm join --verbose srv-ad.izero.fr
```

```text
 * Resolving: _ldap._tcp.srv-ad.izero.fr
 * Resolving: srv-ad.izero.fr
 * Performing LDAP DSE lookup on: 192.168.3.100
 * Successfully discovered: izero.fr
Password for Administrator:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain izero.fr --domain-realm IZERO.FR --domain-controller 192.168.3.100 --login-type user --login-user Administrator --stdin-password
 * Using domain name: izero.fr
 * Calculated computer account name from fqdn: TEST-CENTOS8
 * Using domain realm: izero.fr
 * Sending netlogon pings to domain controller: cldap://192.168.3.100
 * Received NetLogon info from: srv-ad.izero.fr
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-rrPy24/krb5.d/adcli-krb5-conf-yaQJbu
 * Authenticated as user: Administrator@IZERO.FR
 * Looked up short domain name: IZERO
 * Looked up domain SID: S-1-5-21-274564476-3214569226-337574350
 * Using fully qualified name: test-centos8.izero.fr
 * Using domain name: izero.fr
 * Using computer account name: TEST-CENTOS8
 * Using domain realm: izero.fr
 * Calculated computer account name from fqdn: TEST-CENTOS8
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for TEST-CENTOS8$ does not exist
 * Found well known computer container at: CN=Computers,DC=izero,DC=fr
 * Calculated computer account: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr
 * Created computer account: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr
 * Sending netlogon pings to domain controller: cldap://192.168.3.100
 * Received NetLogon info from: srv-ad.izero.fr
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=TEST-CENTOS8,CN=Computers,DC=izero,DC=fr
 * Discovered which keytab salt to use
 * Added the entries to the keytab: TEST-CENTOS8$@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/TEST-CENTOS8@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/test-centos8.izero.fr@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/TEST-CENTOS8@IZERO.FR: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/test-centos8.izero.fr@IZERO.FR: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Backup stored at /var/lib/authselect/backups/2019-11-09-22-54-39.yEqFAG
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled
  - systemctl enable oddjobd.service
  - systemctl start oddjobd.service
Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service -> /usr/lib/systemd/system/oddjobd.service.
 * Successfully enrolled machine in realm
```
Edit sssd.conf so that AD user names are not suffixed with the domain name (use_fully_qualified_names, True to False) and fix the home directory (fallback_homedir, which realmd sets to /home/%u@%d by default). Those two lines are the only changes to the generated file. Keep the file owned by root with mode 0600, otherwise sssd refuses to start. Note that /home/%u makes an AD user share a home directory with a local account of the same name; /home/%u@%d avoids that at the cost of longer paths.

```shell
$ sudo vim /etc/sssd/sssd.conf
```

```ini
[sssd]
domains = izero.fr
config_file_version = 2
services = nss, pam

[domain/izero.fr]
ad_server = srv-ad.izero.fr
ad_domain = izero.fr
krb5_realm = IZERO.FR
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
```
Restart the sssd daemon:

```shell
$ sudo systemctl restart sssd
```
Restrict SSH logins to the IT group (of which the user is a member). realm deny --all removes every existing allow entry, then realm permit -g it allows the group; realmd implements this by switching the domain in sssd.conf to access_provider = simple with simple_allow_groups = it. The restriction is enforced in the PAM account phase by pam_sss, so it applies to every service that authenticates through sssd, not only sshd.

```shell
$ sudo realm deny --all
```

```shell
$ sudo realm permit -g it
```
Add the IT group to sudoers (visudo checks the syntax before saving). The short group name only matches because use_fully_qualified_names is False; with fully qualified names the entry would have to be %it@izero.fr.

```shell
$ sudo visudo
```

```text
%it ALL=(ALL) ALL
```
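The sssd.conf edits, the realm permit step and the sudoers entry have to agree with each other. The following audit script is an added example, not part of the original article: it reads the [domain/izero.fr] section of an sssd.conf and checks the file mode, the access provider and its allow list, and the name qualification the sudoers line depends on. The group name it, the domain izero.fr and both sample configurations below are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sssd.conf for the end
# state this procedure aims at: host access limited to one AD group and short
# user names so that "%it" in sudoers matches. Domain, group and sample files
# are assumptions / constructed for illustration.

# Print the value of <key> in section [domain/<domain>] of <file>; empty if absent.
sssd_get() {
    awk -v sect="[domain/$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == sect); next }
        insec && match($0, "^[ \t]*" key "[ \t]*=") {
            v = substr($0, RLENGTH + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
        }' "$1"
}

# Audit <file> for domain <domain>, expecting <group> to be the only group allowed
# to log in. Prints findings; returns 0 when every check passes, 1 otherwise.
sssd_audit() {
    local f=$1 dom=$2 grp=$3 rc=0 perms ap allow ufqn
    # sssd refuses to start unless sssd.conf is mode 0600 (and owned by root).
    perms=$(ls -ld "$f" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "WARN: $f has mode $perms, expected -rw-------"; rc=1; }

    # "realm permit -g <group>" switches the domain to the simple access provider
    # with an allow list; a bare "access_provider = ad" admits any domain user.
    ap=$(sssd_get "$f" "$dom" access_provider)
    case "$ap" in
        simple)
            allow=$(sssd_get "$f" "$dom" simple_allow_groups)
            echo "$allow" | tr ',' '\n' | sed 's/^[ \t]*//; s/[ \t]*$//' | grep -qxF "$grp" \
                || { echo "WARN: simple_allow_groups='$allow' does not list '$grp'"; rc=1; }
            ;;
        ad) echo "WARN: access_provider=ad: every domain user may log in unless AD restricts it"; rc=1 ;;
        *)  echo "WARN: access_provider='$ap': no host-level access restriction"; rc=1 ;;
    esac

    # "%it ALL=(ALL) ALL" only matches unqualified names; with
    # use_fully_qualified_names = True the group resolves as it@<domain>.
    ufqn=$(sssd_get "$f" "$dom" use_fully_qualified_names)
    case "$ufqn" in
        [Ff]alse) ;;
        *) echo "WARN: use_fully_qualified_names='$ufqn': sudoers would need %$grp@$dom"; rc=1 ;;
    esac

    # Informational: /home/%u shares a home directory with a local user of the same name.
    case "$(sssd_get "$f" "$dom" fallback_homedir)" in
        */%u) echo "INFO: fallback_homedir=/home/%u collides with local accounts of the same name" ;;
    esac
    return $rc
}

# Constructed sample 1: roughly what realm join leaves by default (no group restriction).
write_sample_before() {
    cat > "$1" <<'EOF'
[sssd]
domains = izero.fr
config_file_version = 2
services = nss, pam

[domain/izero.fr]
id_provider = ad
ad_domain = izero.fr
krb5_realm = IZERO.FR
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
EOF
}

# Constructed sample 2: the edits above plus "realm deny --all; realm permit -g it".
write_sample_after() {
    cat > "$1" <<'EOF'
[sssd]
domains = izero.fr
config_file_version = 2
services = nss, pam

[domain/izero.fr]
id_provider = ad
ad_domain = izero.fr
krb5_realm = IZERO.FR
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = simple
simple_allow_groups = it
EOF
}

# Stand-alone run: sample 1 fails the audit, sample 2 passes it.
d=$(mktemp -d)
write_sample_before "$d/before.conf"; write_sample_after "$d/after.conf"
chmod 600 "$d/before.conf" "$d/after.conf"
sssd_audit "$d/before.conf" izero.fr it; echo "before: rc=$?"
sssd_audit "$d/after.conf"  izero.fr it; echo "after: rc=$?"
rm -rf "$d"
```

On the real machine run `sudo sh -c '. ./sssd_audit.sh; sssd_audit /etc/sssd/sssd.conf izero.fr it'` after the realm permit step; a non-zero return means one of the three settings the rest of the procedure relies on is not in place.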
All that is left is to test the login:

```text
$ ssh bef@192.168.3.59
bef@192.168.3.59's password:
[bef@test-centos8 ~]$
[bef@test-centos8 ~]$ sudo -i

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for bef:
[root@test-centos8 ~]#
```
Check with the id utility that the user's groups are resolved correctly (the UID/GIDs are derived from the domain SID and RID by ldap_id_mapping; "utilisateurs du domaine" is the French name of the Domain Users group):

```shell
$ id bef
```

```text
uid=1340201108(bef) gid=1340200513(utilisateurs du domaine) groups=1340200513(utilisateurs du domaine),1340201107(it)
```
Check the logs, which should show entries like the ones below. Authentication goes through pam_sss for both sshd and sudo; the pam_systemd "Cannot create session" line is harmless, sudo -i is simply running inside the existing SSH session.

```shell
$ sudo tail -f /var/log/secure
```

```text
Nov 10 01:00:53 test-centos8 sshd[7739]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.7 user=bef
Nov 10 01:00:53 test-centos8 sshd[7739]: Accepted password for bef from 192.168.3.7 port 61967 ssh2
Nov 10 01:00:53 test-centos8 systemd[7747]: pam_unix(systemd-user:session): session opened for user bef by (uid=0)
Nov 10 01:00:53 test-centos8 sshd[7739]: pam_unix(sshd:session): session opened for user bef by (uid=0)
Nov 10 01:01:20 test-centos8 sudo[7798]: pam_sss(sudo-i:auth): authentication success; logname=bef uid=1340201108 euid=0 tty=/dev/pts/1 ruser=bef rhost= user=bef
Nov 10 01:01:20 test-centos8 sudo[7798]: bef : TTY=pts/1 ; PWD=/home/bef ; USER=root ; COMMAND=/bin/bash
Nov 10 01:01:20 test-centos8 sudo[7798]: pam_systemd(sudo-i:session): Cannot create session: Already running in a session or user slice
Nov 10 01:01:20 test-centos8 sudo[7798]: pam_unix(sudo-i:session): session opened for user root by bef(uid=0)
```
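Reading /var/log/secure by eye works for one login; the report below is an added example, not part of the original article, that summarises the same pam_sss and sudo lines: who authenticated from which address, who was refused by the access provider after a correct password (the effect of realm permit), which source addresses fail repeatedly, and what was run through sudo. The sample log is constructed: the successful lines mirror the ones above, while the failures from 203.0.113.5, the user alice and her denial are invented.

```shell
#!/bin/sh
# Added example (not from the original article): summarise pam_sss / sudo events
# from a /var/log/secure extract. The sample log is constructed for illustration.

# Usage: secure_report <file> [fail_threshold]   (default threshold: 3)
# Prints one line per finding: auth_ok, auth_fail, denied, alert, sudo.
secure_report() {
    awk -v thr="${2:-3}" '
    # value of the key=value token on the current line, "" if absent
    function kv(key,   i) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
        return ""
    }
    /pam_sss\(sshd:auth\): authentication success/ { ok[kv("user") " " kv("rhost")]++ }
    /pam_sss\(sshd:auth\): authentication failure/ {
        fail[kv("user") " " kv("rhost")]++; byhost[kv("rhost")]++
    }
    # account phase: password was right but the access provider refused the user
    /pam_sss\(sshd:account\): Access denied for user/ {
        u = $0; sub(/.*Access denied for user /, "", u); sub(/:.*/, "", u); denied[u]++
    }
    # sudo audit line: "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
    / sudo\[[0-9]+\]: / && /COMMAND=/ {
        u = $0; sub(/.* sudo\[[0-9]+\]: /, "", u); sub(/ :.*/, "", u)
        c = $0; sub(/.*COMMAND=/, "", c)
        print "sudo user=" u " command=" c
    }
    END {
        for (k in ok)     { split(k, p, " "); print "auth_ok user=" p[1] " rhost=" p[2] " count=" ok[k] }
        for (k in fail)   { split(k, p, " "); print "auth_fail user=" p[1] " rhost=" p[2] " count=" fail[k] }
        for (u in denied) print "denied user=" u " count=" denied[u]
        for (h in byhost) if (byhost[h] >= thr) print "alert rhost=" h " failures=" byhost[h]
    }' "$1"
}

# Constructed sample: three failed guesses from 203.0.113.5, a user outside the
# permitted group (alice) refused at the account phase, then the real login.
write_sample_secure() {
    cat > "$1" <<'EOF'
Nov 10 00:58:11 test-centos8 sshd[7701]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=bef
Nov 10 00:58:11 test-centos8 sshd[7701]: Failed password for bef from 203.0.113.5 port 50122 ssh2
Nov 10 00:58:19 test-centos8 sshd[7704]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=bef
Nov 10 00:58:19 test-centos8 sshd[7704]: Failed password for bef from 203.0.113.5 port 50131 ssh2
Nov 10 00:58:27 test-centos8 sshd[7709]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=bef
Nov 10 00:58:27 test-centos8 sshd[7709]: Failed password for bef from 203.0.113.5 port 50140 ssh2
Nov 10 00:59:40 test-centos8 sshd[7720]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.7 user=alice
Nov 10 00:59:40 test-centos8 sshd[7720]: pam_sss(sshd:account): Access denied for user alice: 6 (Permission denied)
Nov 10 01:00:53 test-centos8 sshd[7739]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.3.7 user=bef
Nov 10 01:00:53 test-centos8 sshd[7739]: Accepted password for bef from 192.168.3.7 port 61967 ssh2
Nov 10 01:00:53 test-centos8 sshd[7739]: pam_unix(sshd:session): session opened for user bef by (uid=0)
Nov 10 01:01:20 test-centos8 sudo[7798]: pam_sss(sudo-i:auth): authentication success; logname=bef uid=1340201108 euid=0 tty=/dev/pts/1 ruser=bef rhost= user=bef
Nov 10 01:01:20 test-centos8 sudo[7798]: bef : TTY=pts/1 ; PWD=/home/bef ; USER=root ; COMMAND=/bin/bash
Nov 10 01:01:20 test-centos8 sudo[7798]: pam_unix(sudo-i:session): session opened for user root by bef(uid=0)
EOF
}

# Stand-alone run over the constructed sample.
f=$(mktemp)
write_sample_secure "$f"
secure_report "$f" 3
rm -f "$f"
```

On the joined machine, `sudo sh -c '. ./secure_report.sh; secure_report /var/log/secure 5'` gives the same summary for the real log; a "denied" line for a user who typed the right password is what a working realm permit restriction looks like, and an "alert" line is a source address worth blocking before the DC starts locking the account out.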