linux_faq:ubuntu1804_join_ad_using_winbind_samba [2019/12/03 20:23] – [Проверка] admin | linux_faq:ubuntu1804_join_ad_using_winbind_samba [2019/12/03 20:24] (current) – [Скрипт для быстрого присоединения Ubuntu к домену Active Directory] admin | ||
Line 1: | Line 1: | ||
+ | Тут я описываю как присоединить **Ubuntu 18.04 Server** к домену **Active Directory** с помощью **Kerberos** и **Winbind** | ||
+ | ====== Задаем статический адрес - Network Static IP====== | ||
+ | Если хост свежий, | ||
+ | < | ||
+ | network: | ||
+ | | ||
+ | | ||
+ | eth0: | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | </ | ||
+ | Применяем конфиг: | ||
+ | sudo ip address flush eth0 | ||
+ | sudo ip address flush eth1 | ||
+ | sudo netplan apply | ||
+ | ====== Устанавливаем софт - Software needed to join AD ====== | ||
+ | Некоторые нужные пакеты (например - **krb5-user**) отсуствуют в **main**, но находятся в репозитории **universe**. Поэтому, | ||
+ | sudo apt-add-repository universe | ||
+ | И потом устанавливаем софт: | ||
+ | < | ||
+ | sudo apt-get -y purge cloud-init && sudo rm -rf /etc/cloud | ||
+ | sudo apt-get -y install nano curl openssl libnss3-tools \ | ||
+ | chrony krb5-config krb5-locales krb5-user libpam-krb5 \ | ||
+ | samba smbclient winbind libpam-winbind libnss-winbind gss-ntlmssp \ | ||
+ | ldap-utils cifs-utils libsasl2-modules-gssapi-mit | ||
+ | </ | ||
+ | Если при установке скрипт будет спрашивать **Kerberos default REALM** - ничего не вводим и жмем **enter**. | ||
+ | ====== Настраиваем софт - Setup chrony, kerberos, samba, nsswitch, pam ====== | ||
+ | Этот скрипт конфигурирует **Ubuntu 18.04** для присоединения к домену AD. В начале скрипта есть список переменных, | ||
+ | < | ||
+ | #! /bin/bash | ||
+ | NEW_HOSTNAME=somehostname | ||
+ | NEW_DOMAINNAME=domaniname.com | ||
+ | DNS_SERVERS=' | ||
+ | DOMAIN_CONTROLLERS=' | ||
+ | DEFAULT_REALM=" | ||
+ | NETBIOS_DOMAIN_NAME=$(echo $DEFAULT_REALM | sed '1,$ s/ | ||
+ | |||
+ | ######################################### | ||
+ | ### Setup NTP servers | ||
+ | ######################################### | ||
+ | sed -i "/ | ||
+ | sed -i "/ | ||
+ | |||
+ | for dc in $DOMAIN_CONTROLLERS; | ||
+ | do | ||
+ | echo " | ||
+ | done | ||
+ | |||
+ | ######################################### | ||
+ | ### Setup Kerberos / | ||
+ | ######################################### | ||
+ | LIBDEFAULTS=$(cat <<EOF | ||
+ | [libdefaults] | ||
+ | dns_lookup_kdc = true | ||
+ | dns_lookup_realm = false | ||
+ | default_realm = $DEFAULT_REALM | ||
+ | clockskew = 300 | ||
+ | default_ccache_name = FILE:/ | ||
+ | EOF | ||
+ | ) | ||
+ | |||
+ | REALMS_KDC=$(for i in $DOMAIN_CONTROLLERS; | ||
+ | |||
+ | REALMS=$(cat <<EOF | ||
+ | |||
+ | [realms] | ||
+ | $DEFAULT_REALM = { | ||
+ | $REALMS_KDC | ||
+ | default_domain = $DEFAULT_REALM | ||
+ | } | ||
+ | EOF | ||
+ | ) | ||
+ | |||
+ | DOMAIN_REALM=$(cat <<EOF | ||
+ | |||
+ | [domain_realm] | ||
+ | .$NEW_DOMAINNAME = $DEFAULT_REALM | ||
+ | $NEW_DOMAINNAME = $DEFAULT_REALM | ||
+ | |||
+ | [appdefaults] | ||
+ | pam = { | ||
+ | ticket_lifetime = 1d | ||
+ | renew_lifetime = 1d | ||
+ | forwardable = true | ||
+ | proxiable = false | ||
+ | minimum_uid = 1 | ||
+ | } | ||
+ | EOF | ||
+ | ) | ||
+ | |||
+ | echo " | ||
+ | echo " | ||
+ | echo " | ||
+ | |||
+ | ######################################## | ||
+ | #### Configure / | ||
+ | ######################################## | ||
+ | SMB_CONF=$(cat <<EOF | ||
+ | # smb.conf is the main Samba configuration file. You find a full commented | ||
+ | # version at / | ||
+ | # samba-doc package is installed. | ||
+ | [global] | ||
+ | workgroup = $NETBIOS_DOMAIN_NAME | ||
+ | passdb backend = tdbsam | ||
+ | map to guest = Bad User | ||
+ | include = / | ||
+ | usershare allow guests = No | ||
+ | idmap gid = 10000-20000 | ||
+ | idmap uid = 10000-20000 | ||
+ | realm = $DEFAULT_REALM | ||
+ | security = ADS | ||
+ | template homedir = /home/%D/%U | ||
+ | template shell = /bin/bash | ||
+ | usershare max shares = 100 | ||
+ | encrypt passwords = yes | ||
+ | kerberos method = secrets and keytab | ||
+ | winbind nested groups = yes | ||
+ | winbind offline logon = yes | ||
+ | winbind refresh tickets = yes | ||
+ | winbind use default domain = yes | ||
+ | dns proxy = no | ||
+ | domain master = no | ||
+ | local master = no | ||
+ | preferred master = no | ||
+ | load printers = no | ||
+ | show add printer wizard = no | ||
+ | printcap name = /dev/null | ||
+ | disable spoolss = yes | ||
+ | client use spnego = yes | ||
+ | client ntlmv2 auth = yes | ||
+ | EOF | ||
+ | ) | ||
+ | |||
+ | mv / | ||
+ | echo " | ||
+ | |||
+ | ######################################## | ||
+ | #### Configure / | ||
+ | ######################################## | ||
+ | sed -i '/ | ||
+ | sed -i '/ | ||
+ | sed -i '/ | ||
+ | |||
+ | ########################################## | ||
+ | #### Configure PAM | ||
+ | ########################################## | ||
+ | sed -i "/ | ||
+ | sed -i '/ | ||
+ | pam-auth-update --package | ||
+ | |||
+ | ############################################### | ||
+ | ### Setup Services | ||
+ | ############################################### | ||
+ | systemctl enable ssh | ||
+ | systemctl enable nmbd.service | ||
+ | systemctl enable smbd.service | ||
+ | systemctl enable winbind.service | ||
+ | |||
+ | ############################################### | ||
+ | ### Setting HOSTNAME, DOMAINNAME | ||
+ | ############################################### | ||
+ | sed -i '/ | ||
+ | echo " | ||
+ | echo " | ||
+ | sed -i "/ | ||
+ | hostname $NEW_HOSTNAME | ||
+ | domainname $NEW_DOMAINNAME | ||
+ | echo $NEW_HOSTNAME.$NEW_DOMAINNAME | sudo tee / | ||
+ | echo $NEW_HOSTNAME.$NEW_DOMAINNAME | sudo tee / | ||
+ | |||
+ | </ | ||
+ | |||
+ | ====== Собственно присоединение к AD - Join AD ====== | ||
+ | < | ||
+ | sudo net ads join -U domainadmin | ||
+ | </ | ||
+ | |||
+ | ====== Права sudo для доменных пользователей - AD users sudoers ====== | ||
+ | После присоединения можно добавить доменных пользователей в группу **sudo** для того, чтобы дать права: | ||
+ | sudo usermod -aG sudo domain_user_name | ||
+ | Для добавления групп - редактируем **/ | ||
+ | sudo visudo | ||
+ | Группы добавляются с помощью строк, начинающихся с **%**, пробелы в названиях групп заменяются на **^**, а слеш экранируется **\\**. | ||
+ | Для добавления доменных админов нужно добавить строку: | ||
+ | %DOMAIN\\domain^admins | ||
+ | или без домена (в зависимости от настроек): | ||
+ | %domain^admins | ||
+ | В любом случае - проверить, | ||
+ | sudo -u domainusername groups | ||
+ | ====== Проверка ====== | ||
+ | Убедиться, | ||
+ | | ||
+ | В выводе должны быть все пользователи домена.\\ | ||
+ | Также можно увидеть доступные группы: | ||
+ | wbinfo -g | ||
+ | Пробуем залогиниться доменным пользователем: | ||
+ | su -l domain.user | ||
+ | |||
+ | ====== Скрипт для быстрого присоединения Ubuntu к домену Active Directory ====== | ||
+ | Данный скрипт я использую для быстрой настройки и присоединения к домену машин (и контейнеров) без специальных требований. Просто для аутентификации пользователей из AD. Проверено на **Ubuntu 16.04, 18.04, 19.04, 19.10**. | ||
+ | < | ||
+ | |||
+ | #################################### | ||
+ | #### Set needed Variables | ||
+ | #################################### | ||
+ | NEW_DOMAINNAME=" | ||
+ | DNS_SERVERS=" | ||
+ | DNS_STATIC_SEARCHLIST=" | ||
+ | DOMAIN_CONTROLLERS=`host -t srv _ldap._tcp.$NEW_DOMAINNAME | awk {' | ||
+ | DEFAULT_REALM=" | ||
+ | NETBIOS_DOMAIN_NAME=$(echo $DEFAULT_REALM | sed '1,$ s/ | ||
+ | |||
+ | # check root | ||
+ | if [ "$(id -u)" != " | ||
+ | echo "You do not have the appropriate privileges..." | ||
+ | exit 1 | ||
+ | fi | ||
+ | |||
+ | ############################################## | ||
+ | ### Setting up NameServers | ||
+ | ############################################## | ||
+ | echo " | ||
+ | echo -ne > / | ||
+ | for nameserver in $DNS_SERVERS; | ||
+ | resolvconf -u | ||
+ | |||
+ | #################################### | ||
+ | #### Setup Software | ||
+ | #################################### | ||
+ | apt-get update | ||
+ | apt-get -y upgrade | ||
+ | apt-get -y install nano curl openssl libnss3-tools software-properties-common \ | ||
+ | chrony krb5-config krb5-locales krb5-user libpam-krb5 \ | ||
+ | samba smbclient winbind libpam-winbind libnss-winbind gss-ntlmssp \ | ||
+ | ldap-utils cifs-utils libsasl2-modules-gssapi-mit | ||
+ | |||
+ | ############################################### | ||
+ | ### Setup Services | ||
+ | ############################################### | ||
+ | systemctl enable ssh | ||
+ | systemctl enable nmbd.service | ||
+ | systemctl enable samba.service | ||
+ | systemctl enable winbind.service | ||
+ | |||
+ | ######################################### | ||
+ | ### Setup NTP servers | ||
+ | ######################################### | ||
+ | sed -i "/ | ||
+ | sed -i "/ | ||
+ | |||
+ | for dc in $DOMAIN_CONTROLLERS; | ||
+ | do | ||
+ | echo " | ||
+ | done | ||
+ | |||
+ | ######################################### | ||
+ | ### Setup Kerberos / | ||
+ | ######################################### | ||
+ | LIBDEFAULTS=$(cat <<EOF | ||
+ | [libdefaults] | ||
+ | dns_lookup_kdc = true | ||
+ | dns_lookup_realm = false | ||
+ | default_realm = $DEFAULT_REALM | ||
+ | clockskew = 300 | ||
+ | default_ccache_name = FILE:/ | ||
+ | EOF | ||
+ | ) | ||
+ | |||
+ | REALMS_KDC=$(for i in $DOMAIN_CONTROLLERS; | ||
+ | |||
+ | REALMS=$(cat <<EOF | ||
+ | |||
+ | [realms] | ||
+ | $DEFAULT_REALM = { | ||
+ | $REALMS_KDC | ||
+ | default_domain = $DEFAULT_REALM | ||
+ | } | ||
+ | EOF | ||
+ | ) | ||
+ | |||
+ | DOMAIN_REALM=$(cat <<EOF | ||
+ | |||
+ | [domain_realm] | ||
+ | .$NEW_DOMAINNAME = $DEFAULT_REALM | ||
+ | $NEW_DOMAINNAME = $DEFAULT_REALM | ||
+ | |||
+ | [appdefaults] | ||
+ | pam = { | ||
+ | ticket_lifetime = 1d | ||
+ | renew_lifetime = 1d | ||
+ | forwardable = true | ||
+ | proxiable = false | ||
+ | minimum_uid = 1 | ||
+ | } | ||
+ | EOF | ||
+ | ) | ||
+ | |||
+ | echo " | ||
+ | echo " | ||
+ | echo " | ||
+ | |||
+ | ######################################## | ||
+ | #### Configure / | ||
+ | ######################################## | ||
+ | SMB_CONF=$(cat <<EOF | ||
+ | # smb.conf is the main Samba configuration file. You find a full commented | ||
+ | # version at / | ||
+ | # samba-doc package is installed. | ||
+ | [global] | ||
+ | realm = $DEFAULT_REALM | ||
+ | security = ADS | ||
+ | workgroup = $NETBIOS_DOMAIN_NAME | ||
+ | passdb backend = tdbsam | ||
+ | map to guest = Bad User | ||
+ | include = / | ||
+ | usershare allow guests = No | ||
+ | idmap gid = 10000-20000 | ||
+ | idmap uid = 10000-20000 | ||
+ | template homedir = /home/%D/%U | ||
+ | template shell = /bin/bash | ||
+ | usershare max shares = 100 | ||
+ | encrypt passwords = yes | ||
+ | kerberos method = secrets and keytab | ||
+ | winbind nested groups = yes | ||
+ | winbind offline logon = yes | ||
+ | winbind refresh tickets = yes | ||
+ | winbind use default domain = yes | ||
+ | dns proxy = no | ||
+ | domain master = no | ||
+ | local master = no | ||
+ | preferred master = no | ||
+ | load printers = no | ||
+ | show add printer wizard = no | ||
+ | printcap name = /dev/null | ||
+ | disable spoolss = yes | ||
+ | client use spnego = yes | ||
+ | client ntlmv2 auth = yes | ||
+ | client max protocol = SMB2 | ||
+ | client min protocol = SMB2 | ||
+ | EOF | ||
+ | ) | ||
+ | |||
+ | mv / | ||
+ | echo " | ||
+ | |||
+ | ######################################## | ||
+ | #### Configure / | ||
+ | ######################################## | ||
+ | sed -i '/ | ||
+ | sed -i '/ | ||
+ | sed -i '/ | ||
+ | |||
+ | ########################################## | ||
+ | #### Configure PAM | ||
+ | ########################################## | ||
+ | sed -i "/ | ||
+ | sed -i '/ | ||
+ | pam-auth-update --package | ||
+ | </ | ||
+ | Для присоединения: | ||
+ | net ads joun -U domain_admin_loginname |
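Review bot: The quick-join script's final command on the last line, `net ads joun -U domain_admin_loginname`, misspells the subcommand and will fail; it should read `net ads join -U domain_admin_loginname`. Both smb.conf templates (the one in the first script and the one in the quick-join script) also set `map to guest = Bad User`, which maps any logon with an unknown user name to the guest account. For a member server that exists only to authenticate AD users, the Samba default `map to guest = Never` is the safer setting unless guest-accessible shares are deliberately intended. The `idmap uid`/`idmap gid` parameters appear to be the legacy form; the `idmap config * : range` syntax is presumably what current Samba releases expect, so this is worth confirming against the installed version. The `sed -i` and `echo ... >` lines are cut off in this rendering, so their exact edits to krb5.conf, nsswitch.conf, resolv.conf and the PAM files could not be reviewed here.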