linux通过ad域ldap拉用户 linux ad域管理

https://www.jianshu.com/p/ecfc5a8c4237 AD1.xxx.corp: 是贵司Windows AD上xxx.corp这个域的全局主域控制器
LoginNO: 是贵司AD域xxx.corp中一个组
admin.win: 是贵司AD域xxx.corp中的一个具有管理员权限的用户
Daha.Ma: 是贵司AD域xxx.corp中的一个普通用户
SudoNO: 是贵司AD域xxx.corp中一个组
xxx.corp: 是贵司Windows AD上的主域名

组名：　linux_group@ecwise.local

192.168.3.81
1. centos7:
yum -y install realmd sssd oddjob \
 oddjob-mkhomedir adcli samba-common;realm join ad1.xxx.corp -U admin.win; # 这里需要输入admin.win的密码
 realm permit -g LoginNO@xxx.corp; #这里以允许LoginNO组为例visudo
添加这么一句：
%SudoNO@xxx.corp ALL=(ALL) ALL
sssd.conf
vim /etc/sssd/sssd.conf
修改两句如下：
use_fully_qualified_names = False
 fallback_homedir = /home/%u重启服务
systemctl restart sssd;
1. centos6:
yum -y install sssd oddjob oddjob-mkhomedir adcli samba-common authconfig;
 adcli join ecwise.local -U sql01_admin; # 这里需要输入密码authconfig --enablesssd --enablesssdauth --enablemkhomedir --enablekrb5 --update;
 yum install pam_krb5service messagebus start;
 chkconfig messagebus on;
 service oddjobd start;
 chkconfig oddjob on; # addjob用来自动建立用户的家目录krb5.conf
vim /etc/krb5.conf
使得看起来像这样：
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log[libdefaults]
 default_realm = xxx.corp
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true[realms]
 xxx.corp = {
 kdc = AD1.xxx.corp
 admin_server = AD1.xxx.corp
 }[domain_realm]
 .example.com = xxx.corp
 example.com = xxx.corpsssd.conf
vim /etc/sssd/sssd.conf
修改内容如下：
[sssd]
 services = nss, pam, ssh, autofs
 config_file_version = 2
 domains = xxx.corp[domain/xxx.corp]
 id_provider = ad
 fallback_homedir = /home/%u
 shell_fallback = /bin/bash
 override_shell = /bin/bash
 default_shell = /bin/bash
 access_provider = simple
 simple_allow_groups = LoginNO
 simple_allow_users = Daha.Machmod 600 sssd.conf
 sudoervisudo
添加这么一句：
%SudoNO@xxx.corp ALL=(ALL) ALL
现在的情况将是：
除了LoginNO组和Daha.Ma以外其他域账号不能登录
SudoNO组可以不用密码通过sudo执行任何命令
重启服务
systemctl restart sssd;
维护命令
id Daha.Ma@xxx.corp; # 从AD中获取域用户信息
 id Daha.Ma; # 在/etc/sssh/sssd.conf中设置了use_fully_qualified_names为False的可以直接用
 adcli delete-computer --domain=xxx.corp -U admin.win ; # 退出AD域常见问题:
不能加入域
1.当前面adcli join xxxxxx时如果出错：
adcli: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
的话，请尝试修改/etc/krb5.conf，在[libdefaults]这个区块下加一句：
rdns = false
然后重新再试，即可。
1. 使用id查不到用户，那么在此加下域：
 adcli join ecwise.local -U sql01_admin; # 这里需要输入密码2. 验证不通过：
 Key version number for principal in key table is incorrect[root@CDDevLnxVM03 etc]# klist -k 
 Keytab name: FILE:/etc/krb5.keytab
 KVNO Principal2 CDDEVLNXVM03$@ECWISE.LOCAL
 2 CDDEVLNXVM03$@ECWISE.LOCAL
 2 CDDEVLNXVM03$@ECWISE.LOCAL
 2 CDDEVLNXVM03$@ECWISE.LOCAL
 2 CDDEVLNXVM03$@ECWISE.LOCAL
 2 CDDEVLNXVM03$@ECWISE.LOCAL
 2 host/CDDEVLNXVM03@ECWISE.LOCAL
 2 host/CDDEVLNXVM03@ECWISE.LOCAL
 2 host/CDDEVLNXVM03@ECWISE.LOCAL
 2 host/CDDEVLNXVM03@ECWISE.LOCAL
 2 host/CDDEVLNXVM03@ECWISE.LOCAL
 2 host/CDDEVLNXVM03@ECWISE.LOCAL
 2 host/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
 2 host/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
 2 host/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
 2 host/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
 2 host/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
 2 host/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
 2 RestrictedKrbHost/CDDEVLNXVM03@ECWISE.LOCAL
 2 RestrictedKrbHost/CDDEVLNXVM03@ECWISE.LOCAL
 2 RestrictedKrbHost/CDDEVLNXVM03@ECWISE.LOCAL
 2 RestrictedKrbHost/CDDEVLNXVM03@ECWISE.LOCAL
 2 RestrictedKrbHost/CDDEVLNXVM03@ECWISE.LOCAL
 2 RestrictedKrbHost/CDDEVLNXVM03@ECWISE.LOCAL
 2 RestrictedKrbHost/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
 2 RestrictedKrbHost/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
 2 RestrictedKrbHost/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
 2 RestrictedKrbHost/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
 2 RestrictedKrbHost/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
 2 RestrictedKrbHost/CDDevLnxVM03.ecwise.local@ECWISE.LOCAL
 在次加域，然后仍然输入密码无法登陆，这次提示如下：
 Access denied for user zdchen by PAM account configuration
 然后注释掉这两个文件 system-auth/password-auth-ac的pam_krb5.so模块认证即可