Joining Rocky Linux 8.7 to a Windows AD domain with realmd
Environment:

| Hostname | IP | Role |
|---|---|---|
| AD-Server | 192.168.61.237 | AD server |
| Labs | 192.168.61.111 | AD server |

Domain: iyou.com
Steps:

Install the required packages:

```shell
[root@Labs ~]# yum install -y krb5-workstation realmd sssd samba-common adcli oddjob oddjob-mkhomedir samba samba-common-tools
```

Edit /etc/resolv.conf so that DNS points at the DC:

```shell
cat >>/etc/resolv.conf <<EOF
nameserver 192.168.61.237
EOF
```

Edit /etc/hosts to add the mapping between the DC's IP and its name in the domain:

```shell
cat >>/etc/hosts <<EOF
192.168.61.237 ad-server.iyou.com
EOF
```

Join the Linux machine to the domain:

```shell
realm join ad-server.iyou.com -U Administrator
realm list
```
The sssd.conf file is generated automatically when the machine joins the domain; after changing use_fully_qualified_names, users can log in without appending the domain name.

```shell
[root@Labs ~]# vi /etc/sssd/sssd.conf
```

```ini
[sssd]
domains = iyou.com
config_file_version = 2
services = nss, pam

[domain/iyou.com]
ad_server = ad-server.iyou.com
ad_domain = iyou.com
krb5_realm = IYOU.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
# default value is True; SSSD only recognises comments at the start of a line
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
access_provider = ad
```

```shell
[root@Labs ~]# systemctl restart sssd
```
Notes:

- "KDC has no support for encryption type": CentOS 8 drops RC4 encryption by default. Edit /etc/krb5.conf.d/crypto-policies, append rc4-hmac at the end, then rejoin the domain.
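As an added example (not from the original post), a small Python check over the two files the post edits: it flags an `access_provider` other than `ad`, a boolean option that carries a trailing comment (SSSD recognises comments only at the start of a line, so the comment becomes part of the value), and `rc4-hmac` left enabled in the Kerberos crypto policy. The sample file contents are constructed here, mirroring the post's values.

```python
import configparser

# Constructed sample mirroring the generated sssd.conf above, with a
# trailing comment on use_fully_qualified_names: SSSD recognises comments
# only at the start of a line, so "False #..." becomes the whole value.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = iyou.com
[domain/iyou.com]
ad_server = ad-server.iyou.com
ad_domain = iyou.com
krb5_realm = IYOU.COM
id_provider = ad
use_fully_qualified_names = False #default value True
fallback_homedir = /home/%u@%d
access_provider = ad
"""

# Constructed, abridged /etc/krb5.conf.d/crypto-policies after the RC4
# workaround from the note above has been applied.
SAMPLE_CRYPTO_POLICY = """\
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 rc4-hmac
"""

BOOL_KEYS = ("use_fully_qualified_names", "cache_credentials", "ldap_id_mapping")


def check_sssd_conf(text):
    """Return a list of findings for an sssd.conf; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %u@%d literal
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        # access_provider = ad enforces the account's disabled/expired/logon-
        # hours state in AD; anything else lets every resolvable account in.
        if dom.get("access_provider", "").lower() != "ad":
            findings.append(f"{section}: access_provider is not 'ad'")
        for key in BOOL_KEYS:
            val = dom.get(key)
            if val is not None and val.strip().lower() not in ("true", "false"):
                findings.append(f"{section}: {key} = {val!r} is not a boolean (trailing comment?)")
    return findings


def check_crypto_policy(text):
    """Flag RC4 in the Kerberos enctype list; rc4-hmac is a broken cipher."""
    return ["rc4-hmac is enabled in the krb5 crypto policy"] if "rc4-hmac" in text else []
```

Run the checks against the real files with `check_sssd_conf(open("/etc/sssd/sssd.conf").read())` and `check_crypto_policy(open("/etc/krb5.conf.d/crypto-policies").read())` after the join.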
Common usage:

```shell
realm discover [realm-name]
realm join [-U user] [realm-name]
realm leave [-U user] [realm-name]
realm list
realm permit [-ax] [-R realm] {user@domain...}
realm deny -a [-R realm]
```

```shell
$ realm permit --all
$ realm permit user@example.com
$ realm permit DOMAIN\User2
$ realm permit --withdraw user@example.com
```
Author: 一毛
All articles on this blog are for learning, research and exchange only; non-commercial reposting is welcome.