1. Install the packages

    tt@demopc:~$ sudo apt install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit -y
2. Make sure DNS resolves the domain name correctly

    tt@demopc:~$ ping alphabook.cn
    PING alphabook.cn (192.168.11.10) 56(84) bytes of data.
    64 bytes from 192.168.11.10 (192.168.11.10): icmp_seq=1 ttl=128 time=0.146 ms
    64 bytes from 192.168.11.10 (192.168.11.10): icmp_seq=2 ttl=128 time=1.01 ms
    64 bytes from 192.168.11.10 (192.168.11.10): icmp_seq=3 ttl=128 time=1.09 ms
    64 bytes from 192.168.11.10 (192.168.11.10): icmp_seq=4 ttl=128 time=1.54 ms
3. Run realm discover

    tt@demopc:~$ realm discover alphabook.cn
    alphabook.cn
      type: kerberos
      realm-name: ALPHABOOK.CN
      domain-name: alphabook.cn
      configured: no
      server-software: active-directory
      client-software: sssd
      required-package: sssd-tools
      required-package: sssd
      required-package: libnss-sss
      required-package: libpam-sss
      required-package: adcli
      required-package: samba-common-bin
4. Join the domain; enter the password of the domain administrator account (administrator)

    tt@demopc:~$ sudo realm join alphabook.cn
    Password for Administrator:
5. The join may fail with the message "Insufficient permissions to join the domain", even though the account used is the domain administrator administrator. Following the hint in the output, the more detailed error reads:

    Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
    adcli: couldn't connect to streamcomputing.com domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Configuration file does not specify default realm)
    Insufficient permissions to join the domain

This problem is related to DNS (reverse DNS resolution). Temporary workaround: create /etc/krb5.conf (if it does not exist yet) and make sure it contains the following:

    [libdefaults]
    default_realm = alphabook.cn
    rdns = false
6. Once the join has succeeded, Windows domain account information can be looked up

    tt@demopc:~$ id administrator@alphabook.cn
    uid=76800500(administrator@alphabook.cn) gid=76800513(domain users@alphabook.cn) groups=76800513(domain users@alphabook.cn),76801104(organization management@alphabook.cn),76800572(denied rodc password replication group@alphabook.cn),76800512(domain admins@alphabook.cn),76800519(enterprise admins@alphabook.cn),76800520(group policy creator owners@alphabook.cn),76800518(schema admins@alphabook.cn)
7. Adjust sssd.conf (optional)

    tt@demopc:~$ sudo vi /etc/sssd/sssd.conf

The following setting defaults to True; change it to False so that users can log in with the SamAccountName form, for example administrator:

    use_fully_qualified_names = False

The following setting defaults to /home/%u@%d; it can be changed to /home/%u:

    fallback_homedir = /home/%u
8. Fix home directory creation (this is also the cause of a login that immediately drops back to the login prompt; the root problem is that the home directory is not created)

    tt@demopc:~$ sudo vi /etc/pam.d/common-session

Directly below the line `session required pam_unix.so`, add the following:

    session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
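As an added example (not part of the original post, and not code from the realmd or SSSD projects), the POSIX shell script below audits the three files touched in steps 5, 7 and 8 before the reboot in step 9: it reads `default_realm` and `rdns` from krb5.conf, `use_fully_qualified_names` and `fallback_homedir` from the domain section of sssd.conf, and the `pam_mkhomedir.so` session line with its `umask` from common-session. The function names, the default file paths and the constructed sample configurations are assumptions modelled on the post's values (realm alphabook.cn). It flags the two blocking conditions the post ran into (a missing default realm, and a missing pam_mkhomedir line) as failures, and reports the weaker choices as warnings.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the files edited in
# steps 5, 7 and 8 before rebooting. Paths, values and the sample configs
# below are assumptions modelled on the post (realm alphabook.cn).
# Usage: sh audit_ad_join.sh /etc/krb5.conf /etc/sssd/sssd.conf /etc/pam.d/common-session
#        (with no arguments it audits the constructed samples)

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION]; print nothing if absent.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); insec = (s == sec); next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }' "$1"
}

# pam_mkhomedir_umask FILE: print the umask= argument of the pam_mkhomedir.so session
# line, "none" if that line carries no umask, nothing if the module is not configured.
pam_mkhomedir_umask() {
    awk '/^[ \t]*session[ \t].*pam_mkhomedir\.so/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^umask=/) { sub(/^umask=/, "", $i); print $i; exit }
            print "none"; exit
        }' "$1"
}

# audit_join_config KRB5 SSSD PAM: print one finding per line; return 1 on a blocking problem.
audit_join_config() {
    rc=0
    realm=$(ini_get "$1" libdefaults default_realm)
    if [ -z "$realm" ]; then
        echo "FAIL: $1 sets no default_realm (adcli: 'Configuration file does not specify default realm')"
        rc=1
    elif [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "WARN: default_realm '$realm' is not upper-case; Kerberos realm names are case-sensitive (realm discover prints the canonical form)"
    fi
    if [ "$(ini_get "$1" libdefaults rdns)" != false ]; then
        echo "INFO: rdns is not false, so the join depends on a correct PTR record for the domain controller"
    fi

    # realmd puts the per-domain options under [domain/<name>], named by 'domains' in [sssd]
    sec="domain/$(ini_get "$2" sssd domains)"
    case "$(ini_get "$2" "$sec" use_fully_qualified_names)" in
        [Ff]alse) echo "INFO: short logins enabled; a local account with the same short name wins (files before sss in nsswitch.conf)" ;;
    esac
    if [ -z "$(ini_get "$2" "$sec" fallback_homedir)" ]; then
        echo "INFO: fallback_homedir unset; home directories default to /home/%u@%d"
    fi

    umask_val=$(pam_mkhomedir_umask "$3")
    case "$umask_val" in
        "")       echo "FAIL: $3 has no pam_mkhomedir.so session line; first login fails for lack of a home directory"; rc=1 ;;
        none)     echo "WARN: pam_mkhomedir has no umask=; the module default 0022 leaves home directories world-readable" ;;
        0077|077) echo "OK: pam_mkhomedir umask=$umask_val keeps home directories private" ;;
        *)        echo "WARN: pam_mkhomedir umask=$umask_val leaves new home directories readable by other users; prefer umask=0077" ;;
    esac
    return $rc
}

# write_sample_configs DIR: constructed samples reproducing the post's settings (steps 5, 7, 8).
write_sample_configs() {
    cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
default_realm = alphabook.cn
rdns = false
EOF
    cat > "$1/sssd.conf" <<'EOF'
[sssd]
domains = alphabook.cn
config_file_version = 2
services = nss, pam

[domain/alphabook.cn]
default_shell = /bin/bash
use_fully_qualified_names = False
fallback_homedir = /home/%u
EOF
    cat > "$1/common-session" <<'EOF'
session required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_sss.so
EOF
}

if [ "$#" -eq 3 ]; then
    audit_join_config "$1" "$2" "$3"
else
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    audit_join_config "$tmp/krb5.conf" "$tmp/sssd.conf" "$tmp/common-session" || true
    rm -rf "$tmp"
fi
```

Run against the post's own values it reports two warnings: `umask=0022` in step 8 gives every new home directory mode 0755, so any domain user on the machine can read another user's files, while `umask=0077` keeps them private; and the lower-case `default_realm` works only because the MIT Kerberos client also canonicalises the realm from DNS. On Ubuntu, `sudo pam-auth-update --enable mkhomedir` installs the same session line through the pam-configs mechanism, which is safer than editing the managed block of common-session by hand, since a later pam-auth-update run can overwrite hand-added lines there.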
9. Reboot and log in with a domain user

    login as: administrator@alphabook.cn
    administrator@alphabook.cn's password:
    administrator@demopc:~$ id
    uid=76800500(administrator) gid=76800513(domain users) groups=76800513(domain users),76800512(domain admins),76800518(schema admins),76800519(enterprise admins),76800520(group policy creator owners),76800572(denied rodc password replication group),76801104(organization management)
    administrator@demopc:~$ whoami
    administrator
    administrator@demopc:~$ pwd
    /home/administrator