# Connecting SUMA to AD

## Windows AD environment

> Win2019 server
> IP address: 192.168.11.81

## SUMA setup

1. Configure name resolution

   ```
   suma:~ # vim /etc/hosts
   ......
   192.168.11.81 example.com dc
   ```

2. Point DNS at the AD server

   ```
   # AD is itself a DNS server, so it can handle name resolution
   suma:~ # yast lan
   DNS address: 192.168.11.81
   ```

3. Test DNS

   ```
   suma:~ # nslookup example.com
   Server:    192.168.11.81
   Address:   192.168.11.81#53

   Name:      example.com
   Address:   192.168.11.81
   ```

4. Install packages

   ```
   suma:~ # zypper in bind-utils acl yast2-samba-client
   ```

5. Join the Windows domain with the yast tool
   - yast -> Network Services -> Windows Domain Membership

6. Configure as shown in the figure below and click OK at the bottom right

7. You may be prompted to install some rpm packages; choose OK to continue

8. Enter the AD domain Administrator password and click OK

## Configure SUMA and enable PAM

1. Create the `/etc/pam.d/susemanager` configuration file. The file name must be lowercase, and the file must be readable by the tomcat user.

   ```
   suma:~ # vim /etc/pam.d/susemanager
   #%PAM-1.0
   auth     include common-auth
   account  include common-account
   password include common-password
   session  include common-session
   ```

2. Install the sss PAM module on SUSE Manager (requires root)

   ```
   suma:~ # zypper in sssd
   ```

3. Add pam_sss.so to the `/etc/pam.d/common-auth` configuration file with this command

   ```
   suma:~ # pam-config -a --sss
   ```

   * Check the setting

   ```
   suma:~ # cat /etc/pam.d/common-auth|grep -v ^#|grep -v ^$
   auth required   pam_env.so
   auth sufficient pam_unix.so try_first_pass
   auth sufficient pam_sss.so use_first_pass      # added
   auth required   pam_winbind.so use_first_pass
   ```

4. Add this line to `/etc/rhn/rhn.conf`; appending it as the last line is fine

   ```
   suma:~ # vim /etc/rhn/rhn.conf
   ......
   pam_auth_service = susemanager
   ```

5. Restart spacewalk-service

   ```
   suma:~ # spacewalk-service restart
   ```

6. Create the account in AD

   > Account: suma
   > Password: one uppercase, two lowercase, three uppercase, two exclamation marks

7. Create the same user in the SUMA Web Console; the password may be empty or differ from the one set in AD.
   - Users -> Create User

   > `example` is your AD domain name; set it according to your own AD

8. Log in to SUMA with the AD account/password

## Troubleshooting

* If SUMA is fully configured but AD login still fails, try the following:
* Delete the following lines from `/etc/samba/smb.conf`

```
idmap config : backend = rid
idmap config : range = 20001-99999
```

```
suma:~ # cat /etc/samba/smb.conf
# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
        passdb backend = tdbsam
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        idmap config * : backend = tdb
        idmap config * : range = 10000-20000
        security = ADS
        idmap config example : backend = rid
        idmap config example : range = 20001-99999
        kerberos method = secrets and keytab
......
```
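The following check script is an added example, not part of the original page: it verifies the PAM steps above (lowercase `/etc/pam.d/susemanager` readable by tomcat, `pam_sss.so` in `common-auth`, `pam_auth_service = susemanager` in `rhn.conf`) and flags the `idmap config :` lines with an empty domain name from the troubleshooting section. It takes an optional root directory so it can run against a staging copy; "readable by tomcat" is approximated as world-readable, which is an assumption.

```shell
#!/bin/sh
# Added verification helper (not from the original page): checks the PAM/AD
# wiring described above under ROOT (default: the live system at /), so it
# can also be run against a staging copy of /etc. The "readable by tomcat"
# requirement is approximated as world-readable (assumption), which is how
# pam.d files are normally installed (0644).
check_suma_pam_config() {
    root="${1:-}"
    fails=0
    pamfile="$root/etc/pam.d/susemanager"

    # 1. /etc/pam.d/susemanager must exist under exactly that lowercase name
    if [ ! -f "$pamfile" ]; then
        echo "FAIL: $pamfile missing (name must be lowercase)"; fails=$((fails+1))
    else
        # other-readable bit set => the tomcat user can read it
        case "$(stat -c %a "$pamfile")" in
            *[4567]) ;;
            *) echo "FAIL: $pamfile not readable by tomcat"; fails=$((fails+1)) ;;
        esac
        # the four include lines from the page must all be present
        for t in auth account password session; do
            grep -Eq "^$t[[:space:]]+include[[:space:]]+common-$t\$" "$pamfile" \
                || { echo "FAIL: $pamfile lacks '$t include common-$t'"; fails=$((fails+1)); }
        done
    fi

    # 2. pam_sss.so must be in the auth stack (what 'pam-config -a --sss' adds)
    grep -Eq '^auth[[:space:]].*pam_sss\.so' "$root/etc/pam.d/common-auth" 2>/dev/null \
        || { echo "FAIL: pam_sss.so missing from common-auth"; fails=$((fails+1)); }

    # 3. rhn.conf must name the PAM service; a commented-out line does not count
    grep -Eq '^[[:space:]]*pam_auth_service[[:space:]]*=[[:space:]]*susemanager[[:space:]]*$' \
        "$root/etc/rhn/rhn.conf" 2>/dev/null \
        || { echo "FAIL: 'pam_auth_service = susemanager' missing from rhn.conf"; fails=$((fails+1)); }

    # 4. troubleshooting item: 'idmap config :' with an empty domain name
    #    (nothing between 'config' and ':') is the line the page says to delete
    if [ -f "$root/etc/samba/smb.conf" ] && \
       grep -Eq '^[[:space:]]*idmap config[[:space:]]*:' "$root/etc/samba/smb.conf"; then
        echo "FAIL: smb.conf has 'idmap config :' lines without a domain; remove them"
        fails=$((fails+1))
    fi

    if [ "$fails" -eq 0 ]; then echo "OK: SUMA PAM/AD configuration is consistent"; fi
    return "$fails"
}
```

Source the file and run `check_suma_pam_config` on the SUMA host (or `check_suma_pam_config /path/to/staging` against a copied tree); it exits non-zero with one FAIL line per problem found.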