Joining CentOS 7 to AD
I. Base environment
## CentOS 7 machine environment
# uname -r
3.10.0-957.1.3.el7.x86_64
## Windows Server AD environment
Windows Server 2016 Datacenter
192.168.85.7
II. Configure CentOS 7
1. Configure DNS
# echo "nameserver 10.2.48.84" >> /etc/resolv.conf
2. Install the required packages
# yum install -y krb5-workstation realmd sssd samba-common adcli oddjob oddjob-mkhomedir samba samba-common-tools
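## SSSD is a daemon newly introduced in Red Hat Enterprise Linux 6. It can be used to access a variety of authentication servers, such as LDAP and Kerberos, and it provides authorization.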
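III. Join CentOS 7 to the AD domain
# Discover the AD domain
realm discover -v ad.ll-all.com
# Join the AD domain
realm join -v ad.ll-all.com
# List the joined domains
realm list
# The user in the domain is test; either of the following two forms can be used to log in
su - test@sumoning.com
su - sumoning\\test
# Leave the AD domain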
realm leave ad.ll-all.com
IV. Modify the sssd configuration so that switching users does not require entering the domain name
# cat /etc/sssd/sssd.conf
[sssd]
domains = ad.ll-all.com
config_file_version = 2
services = nss, pam

[domain/ad.ll-all.com]
ad_domain = ad.ll-all.com
krb5_realm = AD.LL-ALL.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#use_fully_qualified_names = True
# Change True to False on the next line
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
Note: once the use_fully_qualified_names line in the configuration file has been changed as shown above, switching users no longer requires entering the domain name.
As follows:
[root@centos7-all liulei]# id administrator
uid=1838600500(administrator) gid=1838600513(domain users) groups=1838600513(domain users),1838600520(group policy creator owners),1838600519(enterprise admins),1838600512(domain admins),1838600518(schema admins),1838600572(denied rodc password replication group)
[root@centos7-all liulei]# su administrator
[administrator@centos7-all liulei]$ id
uid=1838600500(administrator) gid=1838600513(domain users) groups=1838600513(domain users),1838600512(domain admins),1838600518(schema admins),1838600519(enterprise admins),1838600520(group policy creator owners),1838600572(denied rodc password replication group)
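The edit from section IV, scripted as an added example that is not part of the original post: it changes use_fully_qualified_names only inside the [domain/...] section, writes a clean line without an inline remark, and keeps the file at mode 0600. The helper name set_sssd_option and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. set_sssd_option is a hypothetical
# helper: it sets KEY = VALUE inside [SECTION] only, drops any inline "# ..."
# remark on that line (sssd.conf does not support inline comments), and keeps
# the file at mode 0600, which SSSD on CentOS 7 expects.
set_sssd_option() {
    file=$1; section=$2; key=$3; value=$4
    tmp=$(mktemp "$file.XXXXXX") || return 1      # mktemp creates it 0600
    awk -v sec="[$section]" -v key="$key" -v val="$value" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*\[.*\][ \t]*$/ {                  # a section header
            if (insec && !done) { print key " = " val; done = 1 }
            insec = (trim($0) == sec); print; next
        }
        insec && !/^[ \t]*[#;]/ {                 # live line in target section
            split($0, kv, "=")
            if (trim(kv[1]) == key) {
                if (!done) { print key " = " val; done = 1 }
                next                              # replace; drop duplicates
            }
        }
        { print }
        END { if (insec && !done) print key " = " val }
    ' "$file" > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$file" && return 0
    rm -f "$tmp"; return 1
}

# Constructed sample file (keys taken from the listing above), in a temp dir.
demo_dir=$(mktemp -d)
demo_conf=$demo_dir/sssd.conf
cat > "$demo_conf" <<'EOF'
[sssd]
domains = ad.ll-all.com
services = nss, pam

[domain/ad.ll-all.com]
id_provider = ad
#use_fully_qualified_names = True
use_fully_qualified_names = True # inline remark
fallback_homedir = /home/%u@%d
EOF
set_sssd_option "$demo_conf" "domain/ad.ll-all.com" use_fully_qualified_names False
cat "$demo_conf"
# On a real host: run it as root against /etc/sssd/sssd.conf, then
# "systemctl restart sssd" so the new setting is loaded.
```

With short names enabled, an AD account whose name matches a local account in /etc/passwd resolves to the local account when nsswitch.conf lists files before sss, so check for name overlaps before switching.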
This article is from cnblogs (博客园). Author: Star-Hitian. When reposting, please cite the original link: https://www.cnblogs.com/Star-Haitian/articles/10283718.html