Integrate Ubuntu to Samba4 AD DC with SSSD and Realm - Part 15


This tutorial will guide you on how to join an Ubuntu Desktop machine into a Samba4 Active Directory domain with the SSSD and Realmd services in order to authenticate users against the Active Directory.

  1. Create an Active Directory Infrastructure with Samba4 on Ubuntu

Step 1: Initial Configuration

1. Before starting to join Ubuntu into an Active Directory, make sure the hostname is properly configured. Use the hostnamectl command to set the machine name or manually edit the /etc/hostname file.

$ sudo hostnamectl set-hostname your_machine_short_hostname
$ cat /etc/hostname
$ hostnamectl

2. On the next step, edit the machine network settings and add the proper IP configuration and the correct DNS IP addresses, pointing to the Samba AD domain controllers, as illustrated in the screenshot below.

If you have configured a DHCP server at your premises to automatically assign IP settings for your LAN machines with the proper AD DNS IP addresses, then you can skip this step and move forward.

On the above screenshot, 192.168.1.254 and 192.168.1.253 represent the IP addresses of the Samba4 Domain Controllers.

3. Restart the network service to apply the changes, using the GUI or the command line, and issue a series of ping commands against your domain name in order to test whether DNS resolution is working as expected. Also, use the host command to test DNS resolution.

$ sudo systemctl restart networking.service
$ host your_domain.tld
$ ping -c2 your_domain_name
$ ping -c2 adc1
$ ping -c2 adc2

4. Finally, make sure the machine time is in sync with the Samba4 AD. Install the ntpdate package and sync the time with the AD by issuing the below commands.

$ sudo apt-get install ntpdate
$ sudo ntpdate your_domain_name

Step 2: Install Required Packages

5. On this step, install the software and dependencies required to join Ubuntu to the Samba4 AD DC: the Realmd and SSSD services.

$ sudo apt install adcli realmd krb5-user samba-common-bin samba-libs samba-dsdb-modules sssd sssd-tools libnss-sss libpam-sss packagekit policykit-1 

6. Enter the name of the default realm in uppercase and press the Enter key to continue the installation.

7. Next, create the SSSD configuration file with the following content.

$ sudo nano /etc/sssd/sssd.conf

Add the following lines to the sssd.conf file.

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sssd]
domains = tecmint.lan
config_file_version = 2
services = nss, pam
default_domain_suffix = TECMINT.LAN

[domain/tecmint.lan]
ad_domain = tecmint.lan
krb5_realm = TECMINT.LAN
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
auth_provider = ad
chpass_provider = ad
ldap_schema = ad
dyndns_update = true
dyndns_refresh_interval = 43200
dyndns_update_ptr = true
dyndns_ttl = 3600

Make sure you replace the domain name in the following parameters accordingly:

domains = tecmint.lan
default_domain_suffix = TECMINT.LAN
[domain/tecmint.lan]
ad_domain = tecmint.lan
krb5_realm = TECMINT.LAN

8. Next, set the proper permissions on the SSSD file by issuing the below command:

$ sudo chmod 700 /etc/sssd/sssd.conf
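Before restarting SSSD it is worth checking steps 7 and 8 mechanically: a domain name left unreplaced in one of the five places listed above, a realm not in upper case, or a key pasted twice into a section are the usual reasons the daemon fails to start or silently ignores a setting. The script below is an added example, not part of the original article; it assumes GNU awk and find (as shipped on Ubuntu), and its tecmint.lan sample file is constructed for a dry run.

```shell
# Added example, not from the original article: sanity-check an sssd.conf
# before restarting SSSD. Checks that the step 7 domain appears consistently
# in all five places the tutorial lists (realm values upper-case), that no
# key repeats inside a section, and (step 8) that the file is root-only.
# Assumes GNU awk and find, as on Ubuntu; the tecmint.lan sample is constructed.
# Print the value of key $3 in section $2 of file $1 (first match only).
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { in_sec = 1; next }
        /^[ \t]*\[/ { in_sec = 0 }
        in_sec { k = $0; sub(/^[ \t]+/, "", k); sub(/[ \t]*=.*/, "", k)
                 if (k == key) { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
                                 print; exit } }' "$1"
}

# Return 0 when the domain substitutions are consistent, 1 otherwise.
check_sssd_conf() {
    f="$1"; rc=0
    dom=$(conf_get "$f" sssd domains)
    [ -n "$dom" ] || { echo "no 'domains' in [sssd]"; return 1; }
    upper=$(printf '%s' "$dom" | tr '[:lower:]' '[:upper:]')
    grep -qxF "[domain/$dom]" "$f" || { echo "missing [domain/$dom]"; rc=1; }
    [ "$(conf_get "$f" "domain/$dom" ad_domain)" = "$dom" ] \
        || { echo "ad_domain is not $dom"; rc=1; }
    [ "$(conf_get "$f" "domain/$dom" krb5_realm)" = "$upper" ] \
        || { echo "krb5_realm is not $upper"; rc=1; }
    [ "$(conf_get "$f" sssd default_domain_suffix)" = "$upper" ] \
        || { echo "default_domain_suffix is not $upper"; rc=1; }
    dups=$(awk '/^[ \t]*\[/ { s = $0 }
        /^[ \t]*[A-Za-z0-9_]+[ \t]*=/ { k = $0; sub(/^[ \t]+/, "", k)
            sub(/[ \t]*=.*/, "", k); print s, k }' "$f" | sort | uniq -d)
    [ -z "$dups" ] || { echo "duplicate keys:"; echo "$dups"; rc=1; }
    return $rc
}

# Return 0 when the file is owned by root and has no group/other bits set.
check_sssd_conf_perms() {
    [ -n "$(find "$1" -maxdepth 0 -user root ! -perm /077 2>/dev/null)" ]
}

# Constructed sample with the tutorial's tecmint.lan values, for a dry run.
write_sample_conf() {
    printf '%s\n' '[sssd]' 'domains = tecmint.lan' 'services = nss, pam' \
        'default_domain_suffix = TECMINT.LAN' '' '[domain/tecmint.lan]' \
        'ad_domain = tecmint.lan' 'krb5_realm = TECMINT.LAN' 'id_provider = ad' > "$1"
}

if [ "$#" -eq 1 ]; then   # stand-alone: check the live file (needs root)
    check_sssd_conf "$1" && check_sssd_conf_perms "$1" && echo "$1: OK"
fi
```

Run it as `sudo sh check_sssd.sh /etc/sssd/sssd.conf`; each mismatch is printed and the exit status is non-zero until all five values agree.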

9. Now, open and edit the Realmd configuration file and add the following lines.

$ sudo nano /etc/realmd.conf

Realmd.conf file:

[active-directory]
os-name = Linux Ubuntu
os-version = 17.04

[service]
automatic-install = yes

[users]
default-home = /home/%d/%u
default-shell = /bin/bash

[tecmint.lan]
user-principal = yes
fully-qualified-names = no

10. The last file you need to modify belongs to the Samba daemon. Open the /etc/samba/smb.conf file for editing and add the following block of configuration at the beginning of the file, after the [global] section, as illustrated in the screenshot below.

   workgroup = TECMINT
   client signing = yes
   client use spnego = yes
   kerberos method = secrets and keytab
   realm = TECMINT.LAN
   security = ads

Make sure you replace the domain name value, especially the realm value, to match your domain name, and run the testparm command to check that the configuration file contains no errors.

$ sudo testparm

11. After you have made all the required changes, test Kerberos authentication using an AD administrative account and list the ticket by issuing the below commands.

$ sudo kinit [email 
$ sudo klist

Step 3: Join Ubuntu to Samba4 Realm

12. To join the Ubuntu machine to the Samba4 Active Directory, issue the following series of commands as illustrated below. Use the name of an AD DC account with administrator privileges in order for the binding to the realm to work as expected, and replace the domain name value accordingly.

$ sudo realm discover -v DOMAIN.TLD
$ sudo realm list
$ sudo realm join TECMINT.LAN -U ad_admin_user -v
$ sudo net ads join -k

13. After the domain binding takes place, run the below command to ensure that all domain accounts are permitted to authenticate on the machine.

$ sudo realm permit --all

Afterwards, you can allow or deny access for a domain user account or group using the realm command, as shown in the examples below.

$ sudo realm deny -a
$ realm permit --groups 'domain.tld\Linux Admins'
$ realm permit [email 
$ realm permit DOMAIN\\User2

14. From a Windows machine with the RSAT tools installed, you can open AD UC, navigate to the Computers container and check whether an account with the name of your machine has been created.

Step 4: Configure AD Account Authentication

15. In order to authenticate on the Ubuntu machine with domain accounts, you need to run the pam-auth-update command with root privileges and enable all PAM profiles, including the option to automatically create home directories for each domain account at first login.

Check all entries by pressing the [space] key and hit Ok to apply the configuration.

$ sudo pam-auth-update

16. Alternatively, manually edit the /etc/pam.d/common-account file and add the following line in order to automatically create home directories for authenticated domain users.

session    required    pam_mkhomedir.so    skel=/etc/skel/    umask=0022

17. If Active Directory users cannot change their password from the command line in Linux, open the /etc/pam.d/common-password file and remove the use_authtok statement from the password line so that it finally looks like the excerpt below.

password       [success=1 default=ignore]      pam_winbind.so try_first_pass

18. Finally, restart and enable the Realmd and SSSD services to apply the changes by issuing the below commands:

$ sudo systemctl restart realmd sssd
$ sudo systemctl enable realmd sssd

19. To test whether the Ubuntu machine was successfully integrated into the realm, install the winbind package and run the wbinfo command to list domain accounts and groups as illustrated below.

$ sudo apt-get install winbind
$ wbinfo -u
$ wbinfo -g

20. Also, check the Winbind nsswitch module by issuing the getent command for a specific domain user or group.

$ sudo getent passwd your_domain_user
$ sudo getent group 'domain admins'

21. You can also use the Linux id command to get information about an AD account, as illustrated by the command below.

$ id tecmint_user

22. To authenticate on the Ubuntu host with a Samba4 AD account, use the domain username parameter after the su - command. Run the id command to get extra information about the AD account.

$ su - your_ad_user

Use the pwd command to see your current domain user directory and the passwd command if you want to change the password.

23. To use a domain account with root privileges on your Ubuntu machine, you need to add the AD username to the sudo system group by issuing the below command:

$ sudo usermod -aG sudo [email 

Log in to Ubuntu with the domain account and update your system by running the apt-get update command to check the root privileges.

24. To add root privileges to a domain group, open and edit the /etc/sudoers file using the visudo command and add the following line as illustrated.

%domain\ [email        		 ALL=(ALL:ALL) ALL

25. To use domain account authentication for Ubuntu Desktop, modify the LightDM display manager by editing the /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf file, add the following two lines and restart the lightdm service or reboot the machine to apply the changes.

greeter-show-manual-login=true
greeter-hide-users=true

Log in to Ubuntu Desktop with a domain account using either the your_domain_username or the [email _domain.tld syntax.

26. To use the short name for Samba AD accounts, edit the /etc/sssd/sssd.conf file and add the following line in the [sssd] block as illustrated below.

full_name_format = %1$s

and restart the SSSD daemon to apply the changes.

$ sudo systemctl restart sssd

You will notice that the bash prompt changes to the short name of the AD user, without the domain name appended.

27. In case you cannot log in because of the enumerate=true argument set in sssd.conf, you must clear the SSSD cached database by issuing the below command:

$ rm /var/lib/sss/db/cache_tecmint.lan.ldb

That's all! Although this guide is mainly focused on integration with a Samba4 Active Directory, the same steps can be applied to integrate Ubuntu with the Realmd and SSSD services into a Microsoft Windows Server Active Directory.