Integrate Ubuntu into Samba4 AD DC with SSSD and Realm - Part 15


This tutorial will guide you on how to join an Ubuntu Desktop machine into a Samba4 Active Directory domain with the SSSD and Realmd services, in order to authenticate users against the Active Directory.

1. Create an Active Directory Infrastructure with Samba4 on Ubuntu

Step 1: Initial Configurations

1. Before starting to join Ubuntu into the Active Directory, make sure the hostname is properly configured. Use the hostnamectl command to set the machine name, or manually edit the /etc/hostname file.

$ sudo hostnamectl set-hostname your_machine_short_hostname
$ cat /etc/hostname
$ hostnamectl

2. In the next step, edit the machine's network interface settings and add the proper IP configuration and the correct DNS server IP addresses, pointing to the Samba AD domain controllers, as illustrated in the screenshot below.

If you have configured a DHCP server on your premises to automatically assign IP settings to your LAN machines, including the proper AD DNS addresses, then you can skip this step and move forward.

In the screenshot above, 192.168.1.254 and 192.168.1.253 represent the IP addresses of the Samba4 Domain Controllers.

3. Restart the network services to apply the changes, either from the GUI or from the command line, and issue a ping command against your domain name to test whether DNS resolution is working as expected. Also use the host command to test DNS resolution.

$ sudo systemctl restart networking.service
$ host your_domain.tld
$ ping -c2 your_domain_name
$ ping -c2 adc1
$ ping -c2 adc2

4. Finally, make sure that the machine time is in sync with the Samba4 AD. Install the ntpdate package and sync the time with the AD by issuing the commands below.

$ sudo apt-get install ntpdate
$ sudo ntpdate your_domain_name

Step 2: Install Required Packages

5. In this step, install the software and the required dependencies in order to join Ubuntu into the Samba4 AD DC: the Realmd and SSSD services.

$ sudo apt install adcli realmd krb5-user samba-common-bin samba-libs samba-dsdb-modules sssd sssd-tools libnss-sss libpam-sss packagekit policykit-1

6. Enter the name of the default realm in uppercase and press the Enter key to continue the installation.

7. Next, create the SSSD configuration file with the following content.

$ sudo nano /etc/sssd/sssd.conf

Add the following lines to the sssd.conf file.

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sssd]
domains = tecmint.lan
config_file_version = 2
services = nss, pam
default_domain_suffix = TECMINT.LAN

[domain/tecmint.lan]
ad_domain = tecmint.lan
krb5_realm = TECMINT.LAN
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

Make sure you replace the domain name in the following parameters accordingly:

domains = tecmint.lan
default_domain_suffix = TECMINT.LAN
[domain/tecmint.lan]
ad_domain = tecmint.lan
krb5_realm = TECMINT.LAN

8. Next, set the proper permissions on the SSSD file by issuing the command below:

$ sudo chmod 700 /etc/sssd/sssd.conf
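Before restarting SSSD it is worth checking the file you just wrote. The script below is an added example, not part of the original guide: it verifies that sssd.conf is readable by its owner only (sssd.conf(5) requires a root-owned file that only root can read, since it may hold cached credentials), that no key is defined twice within a section, and that the domain name is spelled consistently across the parameters listed above. It assumes POSIX sh, awk and GNU stat(1), and "key = value" lines with spaces around the equals sign as in the excerpt above; the two sample files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check an sssd.conf.
# Assumes POSIX sh, awk, GNU stat(1) and "key = value" lines as in the guide.

ini_get() {  # ini_get FILE SECTION KEY -> prints the value of the first match
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec && $1 == key && $2 == "=" { print $3; exit }' "$1"
}

expect() {  # expect LABEL ACTUAL WANTED -> 0 if equal, else report and return 1
    [ "$2" = "$3" ] && return 0
    echo "  $1: got '$2', expected '$3'" >&2; return 1
}

check_sssd_conf() {  # check_sssd_conf FILE DOMAIN -> 0 when every check passes
    f=$1; dom=$2; realm=$(printf '%s' "$dom" | tr '[:lower:]' '[:upper:]'); rc=0
    # 1. Group/other permission bits must be zero: the file may hold credentials.
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|700) ;;
        *) echo "  mode is $mode, expected 600 (owner-only access)" >&2; rc=1 ;;
    esac
    # 2. The same key twice in one section (e.g. two access_provider lines) is a mistake.
    dups=$(awk '/^\[/ { sec = $0 } $2 == "=" { if (seen[sec, $1]++) print sec " " $1 }' "$f")
    [ -z "$dups" ] || { echo "  duplicate keys: $dups" >&2; rc=1; }
    # 3. The domain must be spelled the same way in [sssd] and [domain/DOMAIN].
    expect "[sssd] domains"               "$(ini_get "$f" sssd domains)"               "$dom"   || rc=1
    expect "[sssd] default_domain_suffix" "$(ini_get "$f" sssd default_domain_suffix)" "$realm" || rc=1
    expect "[domain/$dom] ad_domain"      "$(ini_get "$f" "domain/$dom" ad_domain)"    "$dom"   || rc=1
    expect "[domain/$dom] krb5_realm"     "$(ini_get "$f" "domain/$dom" krb5_realm)"   "$realm" || rc=1
    return $rc
}

# Constructed samples: one consistent file, one with the three mistakes above
# (world-readable, duplicate key, realm suffix not updated).
TMP=$(mktemp -d)
GOOD=$TMP/good.conf; BAD=$TMP/bad.conf
printf '[sssd]\ndomains = tecmint.lan\ndefault_domain_suffix = TECMINT.LAN\n\n[domain/tecmint.lan]\nad_domain = tecmint.lan\nkrb5_realm = TECMINT.LAN\naccess_provider = ad\n' > "$GOOD"
printf '[sssd]\ndomains = tecmint.lan\ndefault_domain_suffix = EXAMPLE.COM\n\n[domain/tecmint.lan]\nad_domain = tecmint.lan\nkrb5_realm = TECMINT.LAN\naccess_provider = ad\naccess_provider = ad\n' > "$BAD"
chmod 600 "$GOOD"; chmod 644 "$BAD"
for c in "$GOOD" "$BAD"; do
    if check_sssd_conf "$c" tecmint.lan; then echo "$c: OK"; else echo "$c: FAILED"; fi
done
```

Run it against the real file with `check_sssd_conf /etc/sssd/sssd.conf your_domain.tld` as root; a non-zero exit status means one of the three checks printed a reason on stderr.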

9. Now, open and edit the Realmd configuration file and add the following lines.

$ sudo nano /etc/realmd.conf

realmd.conf file excerpt:

[active-directory]
os-name = Linux Ubuntu
os-version = 17.04

[service]
automatic-install = yes

[users]
default-home = /home/%d/%u
default-shell = /bin/bash

[tecmint.lan]
user-principal = yes
fully-qualified-names = no

10. The last file you need to modify belongs to the Samba daemon. Open the /etc/samba/smb.conf file for editing and add the following block at the beginning of the file, right after the [global] section header, as illustrated in the image below.

   workgroup = TECMINT
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   realm = TECMINT.LAN
   security = ads

Make sure you replace the domain name value, and especially the realm value, to match your domain name, then run the testparm command to check that the configuration file contains no errors.

$ sudo testparm

11. After you have made all the required changes, test Kerberos authentication using an AD administrative account and list the ticket by issuing the commands below.

$ sudo kinit [email 
$ sudo klist

Step 3: Join Ubuntu to the Samba4 Realm

12. To join the Ubuntu machine to the Samba4 Active Directory realm, issue the following series of commands as illustrated below. Use the name of an AD DC account with administrator privileges so that the binding to the realm works as expected, and replace the domain name value accordingly.

$ sudo realm discover -v DOMAIN.TLD
$ sudo realm list
$ sudo realm join TECMINT.LAN -U ad_admin_user -v
$ sudo net ads join -k

13. After the binding to the realm has occurred, run the command below to ensure that all domain accounts are permitted to authenticate on the machine.

$ sudo realm permit --all

Then, you can allow or deny access for a domain user account or a group by using the realm command as presented in the examples below.

$ sudo realm deny -a
$ realm permit --groups 'domain.tld\Linux Admins'
$ realm permit [email 
$ realm permit DOMAIN\\User2

14. From a Windows machine with the RSAT tools installed, you can open AD UC (Active Directory Users and Computers), navigate to the Computers container and check whether a computer object with the name of your machine has been created.

Step 4: Configure AD Accounts Authentication

15. In order to authenticate on the Ubuntu machine with domain accounts, you need to run the pam-auth-update command with root privileges and enable all PAM profiles, including the option to automatically create home directories for each domain account at first login.

Check all entries by pressing the [space] key and hit OK to apply the configuration.

$ sudo pam-auth-update

16. Alternatively, manually edit the /etc/pam.d/common-account file and add the following line in order to automatically create home directories for authenticated domain users.

session    required    pam_mkhomedir.so    skel=/etc/skel/    umask=0022

17. If Active Directory users cannot change their password from the command line in Linux, open the /etc/pam.d/common-password file and remove the use_authtok statement from the password line, so that it finally looks like the excerpt below.

password       [success=1 default=ignore]      pam_winbind.so try_first_pass

18. Finally, restart and enable the Realmd and SSSD services to apply the changes by issuing the commands below:

$ sudo systemctl restart realmd sssd
$ sudo systemctl enable realmd sssd

19. To test whether the Ubuntu machine was successfully integrated into the realm, install the winbind package and run the wbinfo command to list domain accounts and groups as illustrated below.

$ sudo apt-get install winbind
$ wbinfo -u
$ wbinfo -g

20. Also, check the Winbind nsswitch module by issuing the getent command against a specific domain user or group.

$ sudo getent passwd your_domain_user
$ sudo getent group 'domain admins'

21. You can also use the Linux id command to get information about an AD account, as illustrated in the command below.

$ id tecmint_user

22. To authenticate on the Ubuntu host with a Samba4 AD account, use the domain username as the parameter after the su - command. Run the id command to get extra information about the AD account.

$ su - your_ad_user

Use the pwd command to see your current directory, and the passwd command if you want to change the password.

23. To use a domain account with root privileges on your Ubuntu machine, you need to add the AD username to the sudo system group by issuing the command below:

$ sudo usermod -aG sudo [email 

Log in to Ubuntu with the domain account and update your system by running the appropriate update command, to check that the root privileges work.

24. To add root privileges for a domain group, open and edit the /etc/sudoers file using the visudo command and add the following line as illustrated.

%domain\ [email        		 ALL=(ALL:ALL) ALL

25. To use domain account authentication for Ubuntu Desktop, modify the LightDM display manager by editing the /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf file, add the following two lines, and restart the lightdm service or reboot the machine to apply the changes.

greeter-show-manual-login=true
greeter-hide-users=true

Log in to Ubuntu Desktop with a domain account by using either the your_domain_username or the [email protected]_domain.tld syntax.

26. To use the short name format for Samba AD accounts, edit the /etc/sssd/sssd.conf file and add the following line in the [sssd] block as illustrated below.

full_name_format = %1$s

and restart the SSSD daemon to apply the changes.

$ sudo systemctl restart sssd

You will notice that the bash prompt changes to the short name of the AD user, without the domain name appended.

27. In case you cannot log in due to the enumerate = true argument set in sssd.conf, you must clear the sssd cache database by issuing the command below:

$ sudo rm /var/lib/sss/db/cache_tecmint.lan.ldb

That's all! Although this guide is mainly focused on integration with a Samba4 Active Directory, the same steps described here can be applied to integrate Ubuntu, with the Realmd and SSSD services, into a Microsoft Windows Active Directory.