1、安装软件包
tt@demopc:~$ sudo apt install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit -y
2、确保DNS能够正确解析域名
tt@demopc:~$ ping alphabook.cn
PING alphabook.cn (192.168.11.10) 56(84) bytes of data.
64 bytes from 192.168.11.10 (192.168.11.10): icmp_seq=1 ttl=128 time=0.146 ms
64 bytes from 192.168.11.10 (192.168.11.10): icmp_seq=2 ttl=128 time=1.01 ms
64 bytes from 192.168.11.10 (192.168.11.10): icmp_seq=3 ttl=128 time=1.09 ms
64 bytes from 192.168.11.10 (192.168.11.10): icmp_seq=4 ttl=128 time=1.54 ms
3、运行realm discover
tt@demopc:~$ realm discover alphabook.cn
alphabook.cn
type: kerberos
realm-name: ALPHABOOK.CN
domain-name: alphabook.cn
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
4、加域,输入域管理员administrator的密码
tt@demopc:~$ sudo realm join alphabook.cn
Password for Administrator
5、可能遇到加域失败,报错信息:Insufficient permissions to join the domain,虽然使用的是域管理员账户administrator
根据提示,可查看更多报错信息如下:
Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
adcli: couldn't connect to streamcomputing.com domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configurationfile does not specify default realm)
Insufficient permissions to join the domain
该问题与DNS(反向DNS解析)有关,临时解决方法:创建/etc/krb5.conf(如果没有),并确保如下配置:
[libdefaults]
default_realm = alphabook.cn
rdns = false
6、加域成功后,可以查询Windows域账户信息
tt@demopc:~$ id administrator@alphabook.cn
uid=76800500(administrator@alphabook.cn) gid=76800513(domain users@alphabook.cn) groups=76800513(domain users@alphabook.cn),76801104(organization management@alphabook.cn),76800572(denied rodc password replication group@alphabook.cn),76800512(domain admins@alphabook.cn),76800519(enterprise admins@alphabook.cn),76800520(group policy creator owners@alphabook.cn),76800518(schema admins@alphabook.cn
7、修改sssd.conf配置(可选)
tt@demopc:~$ sudo vi /etc/sssd/sssd.conf
下面设置默认为True,可以修改为False,这样登陆系统时可以使用SamAccountName形式登录,例如administrator
use_fully_qualified_names = False
下面设置默认为/home/%u@%d,可以修改为/home/%u
fallback_homedir = /home/%u
8、解决Home目录创建问题(或者登录时闪退,根本问题是Home目录创建)
tt@demopc:~$ sudo vi /etc/pam.d/common-sessio
在这一行(session required pam_unix.so)下一行添加下面内容
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
9、重启系统,使用域用户登录
login as: administrator
administrator@192.168.11.207's password:
administrator@demopc:~$ id
uid=76800500(administrator) gid=76800513(domain users) groups=76800513(domain users),76800512(domain admins),76800518(schema admins),76800519(enterprise admins),76800520(group policy creator owners),76800572(denied rodc password replication group),76801104(organization management)
administrator@demopc:~$ whoami
administrator
administrator@demopc:~$ pwd
/home/administrator
