


There seem to be several ways to authenticate users on Ubuntu 20 against Windows Active Directory; this time I tried Centrify Express.
ActiveDirectoryHowto
https://help.ubuntu.com/community/ActiveDirectoryHowto
There are several ways to use AD for authentication, you can use Centrify Express, Likewise Open, pam_krb5, LDAP or winbind. For Centrify Express see [DirectControl]. Centrify Express can be used to integrate servers or desktops with Active Directory. Likewise Open is also a solution for Linux workstations to authenticate to an Active Directory domain. For Likewise Open see [LikewiseOpen] or Likewise Open. For Winbind see [ActiveDirectoryWinbindHowto].
DirectControl
https://help.ubuntu.com/community/DirectControl
Centrify DirectControl Express can quickly and easily join an Ubuntu server or desktop to Active Directory and supports authentication using your Active Directory username and password or SSO using Kerberos.
I had expected a simple install from the http://archive.canonical.com/ repository, but has distribution been discontinued? I could not find the package there.
http://archive.canonical.com/pool/partner/c/centrifydc/
So I downloaded it from the vendor and installed it that way instead.
CENTRIFY EXPRESS FOR LINUX – Free Active Directory Authentication for Linux
https://www.centrify.com/express/linux/download/
Centrify Express for Linux is a comprehensive suite of free Active Directory-based integration solutions for authentication, single sign-on, remote access and file-sharing for heterogeneous systems. It is the quickest and most proven solution for integrating Linux systems with Windows, and delivers more functionality and more to upgrade to when compared to other free offerings.
CENTRIFY EXPRESS FOR LINUX – Reasons to Upgrade
https://www.centrify.com/express/linux/reasons-to-upgrade/
The free edition only provides Active Directory authentication, but it can apparently be used for up to 100 clients.
Environment (client)
・Ubuntu 20.04.3 LTS
・Kernel 5.11.0-43-generic
Environment (Active Directory)
・Windows Server 2019 (evaluation edition), version 1809, build 17763.2366
・Domain: example.jp
- Download Centrify Express for Linux
- Extract the archive
- Configure DNS
- Install
- Domain join details
Fill in the required details on the site below and download the archive.
https://www.centrify.com/express/server-suite-form/
Builds for CentOS, Debian, SUSE, Oracle and Red Hat are available.
Since this is Ubuntu, I downloaded the Debian build (centrify-server-suite-2021-deb9-x86_64.tgz).
```
rootlinks@Ubuntu20:~$ mkdir centrify
rootlinks@Ubuntu20:~$ cd centrify/
rootlinks@Ubuntu20:~/centrify$ tar xvfz ../centrify-server-suite-2021-deb9-x86_64.tgz
./adcheck-deb9-x86_64
./centrifyda-5.8.0-135-deb9-x86_64.deb
./centrifyda-5.8.0-deb9-x86_64.deb
./centrifydc-5.8.0-188-deb9-x86_64.deb
./centrifydc-5.8.0-deb9-x86_64.deb
./centrifydc-cifsidmap-5.8.0-188-deb9-x86_64.deb
./centrifydc-cifsidmap-5.8.0-deb9-x86_64.deb
./centrifydc-curl-5.8.0-188-deb9-x86_64.deb
./centrifydc-curl-5.8.0-deb9-x86_64.deb
./centrifydc-install.cfg
./centrifydc-ldapproxy-5.8.0-188-deb9-x86_64.deb
./centrifydc-ldapproxy-5.8.0-deb9-x86_64.deb
./centrifydc-nis-5.8.0-188-deb9-x86_64.deb
./centrifydc-nis-5.8.0-deb9-x86_64.deb
./centrifydc-openldap-5.8.0-188-deb9-x86_64.deb
./centrifydc-openldap-5.8.0-deb9-x86_64.deb
./centrifydc-openssh-8.6p1-5.8.0-184-deb9-x86_64.deb
./centrifydc-openssh-8.6p1-5.8.0-deb9-x86_64.deb
./centrifydc-openssl-5.8.0-188-deb9-x86_64.deb
./centrifydc-openssl-5.8.0-deb9-x86_64.deb
./centrify-suite.cfg
./install-express.sh
./install.sh
rootlinks@Ubuntu20:~/centrify$ ls -l
合計 40648
-r-xr-xr-x 1 rootlinks rootlinks 12604696  5月 29  2021 adcheck-deb9-x86_64
-rw-rw-r-- 1 rootlinks rootlinks    55094 11月  6  2020 centrify-suite.cfg
-r--r--r-- 1 rootlinks rootlinks  5506794  5月 18  2021 centrifyda-5.8.0-135-deb9-x86_64.deb
lrwxrwxrwx 1 rootlinks rootlinks       36  5月 29  2021 centrifyda-5.8.0-deb9-x86_64.deb -> centrifyda-5.8.0-135-deb9-x86_64.deb
-r--r--r-- 1 rootlinks rootlinks 17763978  5月 29  2021 centrifydc-5.8.0-188-deb9-x86_64.deb
lrwxrwxrwx 1 rootlinks rootlinks       36  5月 29  2021 centrifydc-5.8.0-deb9-x86_64.deb -> centrifydc-5.8.0-188-deb9-x86_64.deb
-r--r--r-- 1 rootlinks rootlinks     6504  5月 29  2021 centrifydc-cifsidmap-5.8.0-188-deb9-x86_64.deb
lrwxrwxrwx 1 rootlinks rootlinks       46  5月 29  2021 centrifydc-cifsidmap-5.8.0-deb9-x86_64.deb -> centrifydc-cifsidmap-5.8.0-188-deb9-x86_64.deb
-r--r--r-- 1 rootlinks rootlinks   321484  5月 29  2021 centrifydc-curl-5.8.0-188-deb9-x86_64.deb
lrwxrwxrwx 1 rootlinks rootlinks       41  5月 29  2021 centrifydc-curl-5.8.0-deb9-x86_64.deb -> centrifydc-curl-5.8.0-188-deb9-x86_64.deb
-rw-rw-r-- 1 rootlinks rootlinks     1364 11月  6  2020 centrifydc-install.cfg
-r--r--r-- 1 rootlinks rootlinks   632546  5月 29  2021 centrifydc-ldapproxy-5.8.0-188-deb9-x86_64.deb
lrwxrwxrwx 1 rootlinks rootlinks       46  5月 29  2021 centrifydc-ldapproxy-5.8.0-deb9-x86_64.deb -> centrifydc-ldapproxy-5.8.0-188-deb9-x86_64.deb
-r--r--r-- 1 rootlinks rootlinks   228354  5月 29  2021 centrifydc-nis-5.8.0-188-deb9-x86_64.deb
lrwxrwxrwx 1 rootlinks rootlinks       40  5月 29  2021 centrifydc-nis-5.8.0-deb9-x86_64.deb -> centrifydc-nis-5.8.0-188-deb9-x86_64.deb
-r--r--r-- 1 rootlinks rootlinks   602600  5月 29  2021 centrifydc-openldap-5.8.0-188-deb9-x86_64.deb
lrwxrwxrwx 1 rootlinks rootlinks       45  5月 29  2021 centrifydc-openldap-5.8.0-deb9-x86_64.deb -> centrifydc-openldap-5.8.0-188-deb9-x86_64.deb
-r--r--r-- 1 rootlinks rootlinks   952400  5月 14  2021 centrifydc-openssh-8.6p1-5.8.0-184-deb9-x86_64.deb
lrwxrwxrwx 1 rootlinks rootlinks       50  5月 29  2021 centrifydc-openssh-8.6p1-5.8.0-deb9-x86_64.deb -> centrifydc-openssh-8.6p1-5.8.0-184-deb9-x86_64.deb
-r--r--r-- 1 rootlinks rootlinks  2508034  5月 29  2021 centrifydc-openssl-5.8.0-188-deb9-x86_64.deb
lrwxrwxrwx 1 rootlinks rootlinks       44  5月 29  2021 centrifydc-openssl-5.8.0-deb9-x86_64.deb -> centrifydc-openssl-5.8.0-188-deb9-x86_64.deb
lrwxrwxrwx 1 rootlinks rootlinks       10  5月 29  2021 install-express.sh -> install.sh
-r-xr-xr-- 1 rootlinks rootlinks   411439  5月 29  2021 install.sh
```
When I simply ran the installer, the DNS check failed. The installer checks the environment before it does anything, which is helpful.
Change the client's DNS settings to point at the Active Directory DNS server before continuing.
```
rootlinks@Ubuntu20:~/centrify$ sudo ./install.sh
***** ***** *****
WELCOME to the Centrify Server Suite installer!
***** ***** *****

Detecting local platform ...
Running ./adcheck-deb9-x86_64 ...
OSCHK    : Verify that this is a supported OS                          : Pass
PATCH    : Linux patch check                                           : Pass
PORTMAP  : Verify that portmap or rpcbind is installed                 : Pass
PERL     : Verify perl is present and is a good version                : Pass
SAMBA    : Inspecting Samba installation                               : Pass
NSCD     : Check if Name Service Caching Daemon is running             : Warning
         : Name Service Caching Daemon is not running
SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
HOSTNAME : Verify hostname setting                                     : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
DNSPROBE : Probe DNS server 192.168.1.99                               : Warning
         : This DNS server does not respond to requests. This is a serious problem
DNSCHECK : Analyze basic health of DNS servers                         : Failed
         : No good DNS servers were found.
         : You must fix this issue before continuing.
         : Check the IP addresses in /etc/resolv.conf
         : Alternatively you can use the -s <server> option and
         : place all required system names in /etc/hosts,
         : but this is not recommended.
         :
         : The following table lists the state of all configured
         : DNS servers.
         :     192.168.1.99 (unknown): dead

1 serious issue was encountered during check. This must be fixed before proceeding
2 warnings were encountered during check. We recommend checking these before proceeding

WARNING: Centrify adcheck exited with error(s).
Do you want to continue installation? (Q|Y|N) [Y]:q
Installation terminated.
Exiting ...
```
With DNS fixed, the installer also joined the domain as part of the installation.
```
rootlinks@Ubuntu20:~/centrify$ sudo ./install.sh
***** ***** *****
WELCOME to the Centrify Server Suite installer!
***** ***** *****

Detecting local platform ...
Running ./adcheck-deb9-x86_64 ...
OSCHK    : Verify that this is a supported OS                          : Pass
PATCH    : Linux patch check                                           : Pass
PORTMAP  : Verify that portmap or rpcbind is installed                 : Pass
PERL     : Verify perl is present and is a good version                : Pass
SAMBA    : Inspecting Samba installation                               : Pass
NSCD     : Check if Name Service Caching Daemon is running             : Warning
         : Name Service Caching Daemon is not running
SPACECHK : Check if there is enough disk space in /var /usr /tmp       : Pass
HOSTNAME : Verify hostname setting                                     : Pass
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
DNSPROBE : Probe DNS server 192.168.1.1                                : Pass
DNSCHECK : Analyze basic health of DNS servers                         : Warning
         : Only one DNS server was found in /etc/resolv.conf.
         : At least one backup DNS server is recommended for
         : enterprise installations.
         : Only one good DNS server was found
         : You might be able to continue but it is likely that you
         : will have problems.
         : Add more good DNS servers into /etc/resolv.conf.
WHATSSH  : Is this an SSH that Centrify DirectControl Agent works well with: Pass
SSH      : SSHD version and configuration                              : Warning
         : You are running OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f 31 Mar 2020.
         :
         : This version of OpenSSH does not seem to be configured for PAM,
         : ChallengeResponse and Kerberos/GSSAPI support.
         : To get Active Directory users to successfully login,
         : you need to configure your OpenSSH with the following options:
         : (display the ones we identified were not set)
         : ChallengeResponseAuthentication yes
         : UsePAM Yes
         :
         : Centrify provides a version of OpenSSH that's configured properly
         : to allow AD users to login and provides Kerberos GSSAPI support.

3 warnings were encountered during check. We recommend checking these before proceeding

WARNING: Centrify adcheck exited with warning(s).

This installation script provides installation of the following services
in Centrify Server Suite on UNIX and Linux:
- Centrify Authentication Service
- Centrify Privilege Elevation Service
- Centrify Auditing & Monitoring Service

The Centrify Authentication Service and Centrify Privilege Elevation Service
are contained in the CentrifyDC (Centrify DirectControl) packages,
and the Centrify Auditing & Monitoring Service is in the CentrifyDA
(Centrify DirectAudit) packages.

With this script, you can perform the following tasks:
- Install (update) CentrifyDC & CentrifyDA packages (License required) [E]
- Install (update) CentrifyDC only packages (License required) [S]
- Install (update) CentrifyDC Express packages [X]
- Custom install (update) of individual packages [C]

You can type Q at any prompt to quit the installation and exit the script
without making any changes to your environment.

How do you want to proceed? (E|S|X|C|Q) [E]: X

The Express mode license allows you to install a total of 200 agents.
The Express mode license does not allow the use of licensed features for
advanced authentication, access control, auditing, and centralized management.
This includes, but is not limited to, features such as SmartCard authentication,
Privilege Elevation, Auditing, Group Policy, Login User Filtering, and NSS overrides.

Do you want to continue to install in Express mode? (C|Y|Q|N) [Y]:Y

Do you want to run Centrify adcheck to verify your AD environment? (Q|Y|N) [Y]:Y
Please enter the Active Directory domain to check [company.com]: example.jp

Join an Active Directory domain? (Q|Y|N) [Y]:Y
Enter the Active Directory domain to join [example.jp]:
Enter the Active Directory authorized user [administrator]:
Enter the password for the Active Directory user:
Enter the computer name [Ubuntu20]:
Enter the container DN [Computers]:
Enter the name of the domain controller [auto detect]:

Reboot the computer after installation? (Q|Y|N) [Y]:N

You entered the following:
    Install CentrifyDC 5.8.0 package                 : Y
    Install CentrifyDC-openssl 5.8.0 package         : Y
    Install CentrifyDC-openldap 5.8.0 package        : Y
    Install CentrifyDC-curl 5.8.0 package            : Y
    Install CentrifyDC-ldapproxy 5.8.0 package       : N
    Install CentrifyDC-nis 5.8.0 package             : N
    Install CentrifyDC-cifsidmap 5.8.0 package       : N
    Install CentrifyDC-openssh 5.8.0 package         : N
    Install CentrifyDA 5.8.0 package                 : N
    Run Centrify adcheck                             : Y
    Join an Active Directory domain                  : Y
    Active Directory domain to join                  : example.jp
    Active Directory authorized user                 : administrator
    computer name                                    : Ubuntu20
    container DN                                     : Computers
    domain controller name                           : auto detect
    Reboot computer                                  : N

If this information is correct and you want to proceed, type "Y".
To change any information, type "N" and enter new information.
Do you want to continue (Y) or re-enter information? (Q|Y|N) [Y]:Y

Running ./adcheck-deb9-x86_64 ...
NSHOSTS  : Check hosts line in /etc/nsswitch.conf                      : Pass
DNSPROBE : Probe DNS server 192.168.1.1                                : Pass
DNSCHECK : Analyze basic health of DNS servers                         : Warning
         : Only one DNS server was found in /etc/resolv.conf.
         : At least one backup DNS server is recommended for
         : enterprise installations.
         : Only one good DNS server was found
         : You might be able to continue but it is likely that you
         : will have problems.
         : Add more good DNS servers into /etc/resolv.conf.
WHATSSH  : Is this an SSH that Centrify DirectControl Agent works well with: Pass
SSH      : SSHD version and configuration                              : Warning
         : You are running OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f 31 Mar 2020.
         :
         : This version of OpenSSH does not seem to be configured for PAM,
         : ChallengeResponse and Kerberos/GSSAPI support.
         : To get Active Directory users to successfully login,
         : you need to configure your OpenSSH with the following options:
         : (display the ones we identified were not set)
         : ChallengeResponseAuthentication yes
         : UsePAM Yes
         :
         : Centrify provides a version of OpenSSH that's configured properly
         : to allow AD users to login and provides Kerberos GSSAPI support.
DOMNAME  : Check that the domain name is reasonable                    : Pass
ADDC     : Find domain controllers in DNS                              : Pass
ADDNS    : DNS lookup of DC win2019sv.example.jp                       : Pass
ADPORT   : Port scan of DC win2019sv.example.jp 192.168.1.1            : Pass
ADDC     : Check Domain Controllers                                    : Pass
ADDNS    : DNS lookup of DC win2019sv.example.jp                       : Pass
GCPORT   : Port scan of GC win2019sv.example.jp 192.168.1.1            : Pass
ADGC     : Check Global Catalog servers                                : Pass
DCUP     : Check for operational DCs in example.jp                     : Pass
SITEUP   : Check DCs for example.jp in our site                        : Pass
DNSSYM   : Check DNS server symmetry                                   : Pass
ADSITE   : Check that this machine's subnet is in a site known by AD   : Pass
GSITE    : See if we think this is the correct site                    : Pass
TIME     : Check clock synchronization                                 : Pass
ADSYNC   : Check domains all synchronized                              : Pass

2 warnings were encountered during check. We recommend checking these before proceeding

WARNING: Centrify adcheck exited with warning(s).

Selecting previously unselected package centrifydc-openssl.
(Reading database ... 182198 files and directories currently installed.)
Preparing to unpack .../centrifydc-openssl-5.8.0-deb9-x86_64.deb ...
Unpacking centrifydc-openssl (5.8.0-188) ...
Selecting previously unselected package centrifydc-openldap.
Preparing to unpack .../centrifydc-openldap-5.8.0-deb9-x86_64.deb ...
Unpacking centrifydc-openldap (5.8.0-188) ...
Selecting previously unselected package centrifydc-curl.
Preparing to unpack .../centrifydc-curl-5.8.0-deb9-x86_64.deb ...
Unpacking centrifydc-curl (5.8.0-188) ...
Selecting previously unselected package centrifydc.
Preparing to unpack .../centrifydc-5.8.0-deb9-x86_64.deb ...
Unpacking centrifydc (5.8.0-188) ...
Setting up centrifydc-openssl (5.8.0-188) ...
Setting up centrifydc-openldap (5.8.0-188) ...
Setting up centrifydc-curl (5.8.0-188) ...
Setting up centrifydc (5.8.0-188) ...
Processing triggers for libc-bin (2.31-0ubuntu9.2) ...
Processing triggers for systemd (245.4-4ubuntu3.13) ...
Processing triggers for man-db (2.9.1-1) ...

Joining the Active Directory domain example.jp ...
Using domain controller: win2019sv.example.jp writable=true
Using GC server: win2019sv.example.jp
Join to domain:example.jp, zone:Auto Zone successful

Centrify DirectControl started.
Loading domains and trusts information
Initializing cache
.
You have successfully joined the Active Directory domain: example.jp
in the Centrify DirectControl zone: Auto Zone

You may need to restart other services that rely upon PAM and NSS or simply
reboot the computer for proper operation. Failure to do so may result in
login problems for AD users.

Install.sh completed successfully.
```
Right after the client booted, it was not yet connected to the domain.
```
rootlinks@Ubuntu20:~$ sudo adinfo
Local host name:   ubuntu20
Joined to domain:  example.jp
Joined as:         ubuntu20.example.jp
Pre-win2K name:    ubuntu20
Current DC:        <unavailable>
Preferred site:    Default-First-Site-Name
Zone:              Auto Zone
CentrifyDC mode:   disconnected
Licensed Features: Disabled
```
After a little while it reached the connected state.
```
rootlinks@Ubuntu20:~$ sudo adinfo
Local host name:   ubuntu20
Joined to domain:  example.jp
Joined as:         ubuntu20.example.jp
Pre-win2K name:    ubuntu20
Current DC:        win2019sv.example.jp
Preferred site:    Default-First-Site-Name
Zone:              Auto Zone
Last password set: 2021-12-25 15:23:02 JST
CentrifyDC mode:   connected
Licensed Features: Disabled
```
The computer account ubuntu20 was also registered in Active Directory.
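As an added example (not from the original post or from Centrify), two shell checks for the items the output above turns on: whether the agent has actually reached "connected" in adinfo, and whether sshd_config has the UsePAM and ChallengeResponseAuthentication settings that adcheck warned were missing. The function names, the sample adinfo output and the sshd_config fragment are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post. Function names and the
# sample inputs below are constructed.

# Constructed: adinfo output as seen right after boot, before the agent
# had reconnected to a domain controller.
SAMPLE_ADINFO='Local host name:   ubuntu20
Joined to domain:  example.jp
Joined as:         ubuntu20.example.jp
Pre-win2K name:    ubuntu20
Current DC:        <unavailable>
CentrifyDC mode:   disconnected
Licensed Features: Disabled'

# adinfo_mode: read `adinfo` output on stdin, print the "CentrifyDC mode"
# value and succeed only when the agent is connected. Handy as a readiness
# probe, since AD logins fail while the mode is still "disconnected".
adinfo_mode() {
    mode=$(sed -n 's/^CentrifyDC mode:[[:space:]]*//p')
    printf '%s\n' "${mode:-unknown}"
    [ "$mode" = "connected" ]
}

# sshd_missing_options: print the sshd_config keywords adcheck flagged
# (UsePAM, ChallengeResponseAuthentication) whose effective value is not
# "yes". sshd honours the first uncommented occurrence of a keyword, so
# that is the one we read; commented lines start with '#' and never match.
sshd_missing_options() {
    cfg=$1
    missing=""
    for key in UsePAM ChallengeResponseAuthentication; do
        have=$(awk -v k="$key" \
            'tolower($1)==tolower(k) && !f {v=$2; f=1} END {print v}' "$cfg")
        case "$(printf '%s' "$have" | tr 'A-Z' 'a-z')" in
            yes) ;;
            *) missing="$missing $key" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Demo against the constructed adinfo sample and a constructed sshd_config.
printf '%s\n' "$SAMPLE_ADINFO" | adinfo_mode || echo "agent not connected yet; re-run adinfo later"
demo_cfg=$(mktemp)
printf 'Port 22\n#UsePAM yes\nChallengeResponseAuthentication no\n' > "$demo_cfg"
echo "sshd options still to set: $(sshd_missing_options "$demo_cfg")"
rm -f "$demo_cfg"
```

On a real client, replace the sample with `sudo adinfo | adinfo_mode` and point `sshd_missing_options` at /etc/ssh/sshd_config.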