I installed Centrify Express on Ubuntu 20 so that users can authenticate against Windows Active Directory.
- Creating users in Active Directory
- /etc/nsswitch.conf
- Configuration files
- adjoin
- adflush
- adpasswd
- addns
- adfinddomain
- adleave
- adquery
- adreload
- adsmb
I created two new IDs, guest01 and guest02, and tried logging in from Ubuntu.
guest02 could log in, but guest01 could not: a message said that a local user already exists (^^;
I had completely forgotten that I had already created guest01.
```
guest02@Ubuntu20:~$ id
uid=343934033(guest02) gid=343934033(guest02) groups=343934033(guest02),343933441(domain_users)
guest02@Ubuntu20:~$ pwd
/home/guest02
guest02@Ubuntu20:~$ ls -ld /home/guest02
drwx------ 15 guest02 guest02 4096 12月 21 15:53 /home/guest02
```
Let's check /etc/nsswitch.conf.
centrifydc had been added, and the order was centrifydc files, so AD lookups are consulted before the local files.
```
rootlinks@Ubuntu20:~$ sudo cat /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         centrifydc files systemd
group:          centrifydc files systemd
shadow:         centrifydc files
gshadow:        files

hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
```
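As an added example (not part of the original post and not a Centrify tool), the POSIX shell script below performs the two checks behind the guest01 failure and the nsswitch.conf ordering above: whether an AD account name already exists in the local passwd file, and whether the passwd: line lists centrifydc before files. It runs against constructed sample files written to a temp directory; on a real host the functions would be pointed at /etc/passwd and /etc/nsswitch.conf instead.

```shell
#!/bin/sh
# Added example, not from the original post or from Centrify itself.
# Two offline checks for the situation described above:
#  1) an AD user name that already exists in the local passwd file (the
#     guest01 case), which the login refused;
#  2) the nsswitch.conf passwd: source order (centrifydc before files).
# Sample files are constructed here; on a real host point the functions at
# /etc/passwd and /etc/nsswitch.conf instead.

# Return 0 if, on the "passwd:" line, centrifydc is listed before files.
centrify_before_files() {
    awk '$1 == "passwd:" {
             for (i = 2; i <= NF; i++) {
                 if ($i == "files") break
                 if ($i == "centrifydc") ok = 1
             }
         }
         END { exit (ok ? 0 : 1) }' "$1"
}

# Return 0 if the user name is present in the given passwd file.
local_user_exists() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit (found ? 0 : 1) }' "$1"
}

# For each AD user name given, print "name:collision" or "name:ok".
check_ad_collisions() {
    passwd_file=$1
    shift
    for u in "$@"; do
        if local_user_exists "$passwd_file" "$u"; then
            echo "$u:collision"
        else
            echo "$u:ok"
        fi
    done
}

# Write constructed sample files into a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    # Constructed local passwd: guest01 was created locally earlier, guest02 was not.
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/passwd"
    printf 'guest01:x:1001:1001::/home/guest01:/bin/bash\n' >> "$d/passwd"
    # The nsswitch order from the post, and a reversed order for comparison.
    printf 'passwd: centrifydc files systemd\n' > "$d/nsswitch.conf"
    printf 'passwd: files centrifydc systemd\n' > "$d/nsswitch.bad"
    echo "$d"
}

# Stand-alone run over the constructed samples.
samples=$(make_samples)
check_ad_collisions "$samples/passwd" guest01 guest02
centrify_before_files "$samples/nsswitch.conf" && echo "passwd: centrifydc precedes files"
```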
```
rootlinks@Ubuntu20:~$ ls -la /etc/centrifydc/
total 416
drwxr-xr-x   7 root root   4096 Dec 29 15:46 .
drwxr-xr-x 136 root root  12288 Jan  2 19:40 ..
-rw-r--r--   1 root root   5437 May 29  2021 adobfuscate.conf
-rw-r--r--   1 root root    522 May 29  2021 centrifydc
-rw-r--r--   1 root root 171001 May 29  2021 centrifydc.conf
-rw-r--r--   1 root root 171001 May 29  2021 defaults.conf
-rw-r--r--   1 root root    246 Dec 29 15:46 gid.ignore
-rw-r--r--   1 root root    525 May 29  2021 group.ignore
-rw-r--r--   1 root root   1020 May 29  2021 group.ovr.sample
drwxr-xr-x   2 root root   4096 Dec 29 15:22 old
drwxr-xr-x   2 root root   4096 Dec 29 15:23 openldap
-rw-r--r--   1 root root   2074 May 29  2021 passwd.ovr.sample
drwxr-xr-x   3 root root   4096 Dec 29 15:22 scripts
drwxr-xr-x   2 root root   4096 Jan  2 19:40 share
drwxr-xr-x   2 root root   4096 Dec 29 15:22 ssl
-rw-r--r--   1 root root    184 Dec 29 15:46 uid.ignore
-rw-r--r--   1 root root   4790 May 29  2021 upgradeconf.conf
-rw-r--r--   1 root root    386 May 29  2021 user.ignore
```
This time I joined the domain during installation, but when joining the domain after installation, this command appears to be the one to use.
```
rootlinks@Ubuntu20:~$ adjoin -h
usage: adjoin [options] domain
options:
  -u, --user user[@domain]       user name
  -p, --password pw              user password, may prompt if absent
  -I, --noprompt                 do not prompt for user credential if no credentials found
  -c, --container dn             subtree to create below or move to. LDAP is used to create computer object, if computer object does not exist.
  -n, --name comp                computer account name
  -N, --prewin2k name            pre-windows 2000 computer account name must be 19 characters or less
  -D, --dnsname name             optional parameter to override the dNSHostName attribute in the computer object
  -f, --force                    overwrite existing joined computer
  -F, --forceDeleteObj           clean up the existing computer object and extension object
  -d, --forceDeleteObjWithDupSpn delete the existing object with duplicate SPN
  -O, --forceDeleteExistingComputerZone
                                 use with --createComputerZone, when specify, clean up the existing computer zone if exists.
  -a, --alias alias              add an alias computer account name
  -C, --noconf                   do not update PAM or NSS config
  -z, --zone zone                zone to join
  -o, --createComputerZone       create computer zone for the joined machine
  -R, --computerrole name        the computer role currently joined machine will be added to
  -s, --server ds                domain server for join operations
  -Z, --zoneserver ds            domain server for zone operations useful if zone is in another domain
  -g, --gc ds                    domain server for global catalog searches
  -U, --upn upn                  user principal name for the account
  -T, --trust                    trust computer for delegation, requires administrator permission
  -k, --des                      use DES key only
  -P, --precreate                precreate computer and extension object
  -m, --compat                   make computer and extension object compatible with DirectControl 2.x.
  -e --enableAppleIDGenScheme    enable Apple scheme for generating ID for AD user or group when machine join to AutoZone.
                                 The settings once set will stay even after adleave. It can be used only when join an Auto Zone.
                                 It cannot be used together with --precreate.
  -S, --selfserve                use reset computer account credentials to perform a self-service join
  -r, --useConf <list>           use the settings in centrifydc.conf when perform self-service join.
                                 the settings can be a comma separated list of:
                                 spn: use the setting of adclient.krb5.service.principals
                                 enctype: use the setting of adclient.krb5.permitted.encryption.types
  -w, --workstation              join computer to Auto Zone
  -l, --ldap                     use LDAP method to create the computer object
  -L, --linefeed                 print error/warning message without linefeed in paragraph
  -x, --extramap mapname         add named nss map to nss configuration. Can be repeated
  -i, --noinit                   skip cache preload
  -E, --prestage dir             use pre-staged cache. Cache files will be copied from dir.
  -A, --attempt                  attempt to grant authenticated users read permissions to PSO objects so that the computer account
                                 can read fine grain password security policies in the current domain. Note that the administrator(s)
                                 may also need to grant authenticated users read permissions to PSO objects in trusted domains and
                                 forests as well for more accurate password expiration times for cross domain and cross forests users.
  -v, --version                  print version information
  -t, --licensetype <type>       specify license type to use. Valid values are "server" or "workstation"
  -V, --verbose                  print debug information for each operation
  -G, --loadgroups               preload zone groups and group members
  -y, --notime                   do not update computer time
  -h, --help                     print this help information and exit.
```
I suppose this clears the cache and rebuilds it.
```
rootlinks@Ubuntu20:~$ sudo adflush -h
usage: adflush [options]
  Without option, default is to expire in the DC and GC cache, and schedule a rebuild of DZ cache
options:
  -f, --force       Remove adclient cache, and force adclient to fetch everything from Active Directory.
  -y, --intended    a flag working with --force, use it if you intended to flush cache when adclient is not running or or disconnected
  -a, --auth        flush cached authorization data
  -d, --dns         flush the adclient dns cache and DC locator cache
  -e, --expire      expire everything in the DC and GC object cache
  -o, --objects     flush only the DC and GC object cache
  -t, --trusts      rediscover the trusted domains
  -b, --bindings    force adclient to refresh its connections to domain controllers in the trusted domains
                    in order to find more efficient ones or potentially to redistribute the connection load per server.
  -c, --connectors  force adclient to refresh the Centrify Connector information
  -H, --health      flush system health history
  -v, --version     print version information
  -V, --verbose     print debugging information
  -h, --help        print this help information and exit.
```
It also looks like AD user passwords can be changed from Ubuntu.
Or so I thought, but domain administrator rights are required, so its use is limited.
```
guest02@Ubuntu20:~$ adpasswd
(current) password:
Enter new password:
Confirm new password:
Error: Access denied (5)
You do not have permission to change this users password.
Please contact your system administrator.
Password change failed for user guest02
```
```
rootlinks@Ubuntu20:~$ adpasswd -h
usage: adpasswd [options] [user[@domain]]
options:
  -a, --adminuser user[@domain]  administrator account
  -p, --adminpass pw             administrator password
  -V, --validate                 validate user password
  -o, --oldpass pw               current user password
  -n, --newpass pw               new user password
  -v, --version                  print version information
  -h, --help                     print this help information and exit.
```
A command for registering dynamic records in AD-based DNS.
```
rootlinks@Ubuntu20:~$ addns -h
addns: Implements secure and nonsecure dynamic DNS updates.
Usage: addns -U [-u <user> -p <pwd>] [-d <dom>] [-s <svr>] [-n <host>] [(-i <ip>)+] [(-e <interface>)+]
   Or: addns -D [-u <user> -p <pwd>] [-d <dom>] [-s <svr>] [-n <host>]
   Or: addns -A [-u <user> -p <pwd>] [-d <dom>] [-s <svr>] [-n <host>] [(-i <ip>)+] [(-e <interface>)+]
   Or: addns -L [-d <dom>] [-s <svr>] [-n <host>] [(-i <ip>)+] [(-e <interface>)+]
With:
  -U, --update        create or update host's DNS records
  -D, --delete        delete host's DNS records
  -A, --add           just add host's DNS records
  -L, --list          lists DNS record details
  -N, --nocreds       no credential is to be supplied or prompted for
                      (only works when the DNS server is configured for non-secured updates)
  -m, --machine       Use machine credentials (must be root)
  -u, --user un       AD user name
  -p, --password pwd  password string, prompts if absent
  -s, --server svr    DNS server to contact. Legal formats include: host<@REALM>, host.domain.com<@REALM>
  -d, --domain dmn    DNS domain name
  -n, --name hst      Host Name. This option cannot be used if the -e option is specified.
  -i, --ipaddr ipa    IP address
  -e, --interface     local network interface name (such as eth0 for the first Ethernet interface).
                      This option cannot be used if the -n option is specified.
  -f, --force         force update DNS records even if they have not changed
  -r, --refresh       updates unchanged records to refresh TTL
  -t, --ttl val       specify a time to live value in seconds
  -S, --secure        Use a secure transaction (only supported for --update)
  -I, --ignoreptrerr  continue to update host record even if there is an error from deleting reverse record PTR
  -v, --version       print version information and exit
  -V, --verbose       print debug information for each operation
  -h, --help          print this help information and exit
Examples:
  addns -U
  addns -D
  addns -U -d acme.com -s dnssvr@ACME_REALM.COM -n myhost -i 192.168.1.155
  addns -U -d acme.com -s dnssvr@ACME_REALM.COM -e eth0
  addns -L
```
Displaying the domain controller the machine is joined to.
```
usage: adfinddomain [options] [domain]
options:
  -f, --format name|ldap|ip  format for the server output
  -p, --port                 include port number
  -w, --writable             return a writable DC
  -V, --verify               verify the server is up
  -v, --version              print version information
  -h ,--help                 print this help information and exit.
rootlinks@Ubuntu20:~$ adfinddomain
win2019sv.example.jp
rootlinks@Ubuntu20:~$ adfinddomain -f ip
192.168.1.1
```
Leaving the domain.
```
rootlinks@Ubuntu20:~$ adleave -h
usage: adleave [options]
options:
  -u, --user user[@domain]  user name, default is administrator
  -p, --password pw         user password, may prompt if absent
  -I, --noprompt            do not prompt for user credential if no credentials found
  -s, --server ds           domain server for leave operations
  -Z, --zoneserver ds       domain server for zone operations useful if zone is in another domain
  -C, --noconf              do not restore PAM or NSS config
  -G, --nogp                do not restore Group Policy
  -f, --force               force local leave, no network activity
  -v, --version             print version information
  -V, --verbose             print debug information for each operation
  -r, --remove              remove computer account from Active Directory
  -k, --removekeytab        remove the keytab file. adleave only cleans up keytab entries without this option.
  -o, --removecomputerzone  remove computer zone from Active Directory
  -O, --removemachinescope  remove Direct Authorize scope from Active Directory
  -R, --restore             restore system configuration files without leaving the domain
  -t, --reset               using the machine credentials, reset computer to pre-created/unjoined state.
  -h, --help                print this help information and exit.
```
Querying AD information.
```
rootlinks@Ubuntu20:~$ adquery -h
usage: adquery <user|group> [options] [username|groupname]
Query Active Directory and Direct Control zone information.

1) to query a user:
   adquery user [options] [username]
   -h, --home                Print the user's home directory
   -b, --attribute <name>    Show the value of the named LDAP or Centrify user attribute. May be repeated for multiple attributes
   -g, --group               Print the user's primary group id
   -G, --groups              List the user's primary group and any UNIX-enabled groups the user is a member of
   -a, --adgroups            List all the Active Directory groups the user is a member of. The groups are listed in canonical name format.
   -s, --shell               List the user's shell
   -u, --uid                 List the user's unix id number
   -p, --display             List the user's display name
   -o, --gecos               Show the user's GECOS field
   -n, --unixname            List the user's unix login name
   -M, --samname             List the user's Active Directory name
   -i, --sid                 List the user's Active Directory security identifier
   -P, --principal           Print the kerberos user principal name
   -S, --service             Print the kerberos service principal name
   -C, --canonical           Print the user's canonical name
   -H, --hash                Print the Unix password hash for this user (root only)
   -x, --acct-expire         Print the date the account expires
   -y, --pwd-expired         Print whether the AD user account's password is expired
   -w, --pwd-expire          Print the date the password expires
   -Q, --time-to-pwd-expire  Print the number of day before password expires
   -c, --pwd-nextchange      Print the soonest date the password can be changed
   -l, --pwd-lastchange      Print the date the password last changed
   -k, --locked              Print whether the Active Directory account is locked or not due to login failure
   -d, --disabled            Print whether the Active Directory account has been disabled
   -e, --enabled             Print whether this user is enabled in the zone or not
   -D, --dn                  Print the user distingished name
   -W, --userWorkstations    Print the user's userWorkstations attribute.
   -B, --guid                Print the user's guid in MSString format.
   -t, --audit               Print the effective audit information of a user
   -I, --altsecid            Print the Alt-Security-Identities of a user
   -A, --all                 Print all of the above information
   -j, --dump                Dump all the object's raw attribute names and values.
   -F, --cache-first         Prefer data from the cache. Avoid reading from Active Directory when possible.
   -r, --separator           Specify the separator string. Default ':'
   -R, --list-separator      Specify the list separator string. Default ','
   -f, --prefix              Prefix a single value by the user's unix name. This is the default for multiple values
   -m, --mfa                 Print whether this user requires multi-factor authentication for login
   -z, --zap-groups          Force user's group membership to expire and trigger update of user's sysright
   -X, --extattr             Print a user's extended attribute. Specify the keyword "help" to display supported extended attributes.
   username                  Print the specified information for the user. Multiple usernames can be specified.
                             If no username is specified, all zone enabled users will be listed.

2) to query a group:
   adquery group [options] [groupname]
   -m, --members             Print the group's unix members
   -a, --admembers           Print the group's Active Directory members (canonical)
   -b, --attribute <name>    Show the value of the named LDAP or Centrify group attribute. May be repeated for multiple attributes
   -s, --sammembers          Print the group's Active Directory members (samAccount@domain.name)
   -g, --gid                 Print the unix group id number
   -n, --unixname            Print the group's unix name
   -M, --samname             Print the group's Active Directory name
   -i, --sid                 Print the group's Active Directory security identifier
   -q, --required            Print the group required status
   -C, --canonical           Print the group's canonical name
   -D, --dn                  Print the group's distingished name
   -t, --type                Print the Active Directory group type: global, local or universal
   -A, --all                 Print all of the above information
   -j, --dump                Dump all the object's raw attribute names and values.
   -F, --cache-first         Prefer data from the cache. Avoid reading from Active Directory when possible.
   -r, --separator           Specify the separator string. Default ':'
   -R, --list-separator      Specify the list separator string. Default ','
   -f, --prefix              Prefix a single value by the group's unix name. This is the default for multiple values
   -X, --extattr             Print a group's extended attribute. Specify the keyword "help" to display supported extended attributes.
   groupname                 Print the specified information for this group. Multiple groupname can be specified.
                             If no group is specified, all zone enabled groups will be listed.

3) other uses:
   adquery -h, --help                  Print this help page
   adquery -h, --help (-X, --extattr)  Print list of extended attributes
   adquery -v, --version               Print version information
```
Reloading the configuration file.
```
rootlinks@Ubuntu20:~$ sudo adreload -h
Force adclient to reload the centrifydc.conf properties file, reload module, or update CentrifyDC managed configuration files
usage: adreload
  -c, --config  Force adclient to reload the centrifydc.conf properties file
  -m, --module  Force adclient to reload module
  -u, --update  Force adclient to update CentrifyDC managed configuration files
  -h, --help    Print this help information and exit
```
Working with shared folders.
```
rootlinks@Ubuntu20:~$ adsmb -h
adsmb: CentrifyDC 5.8.0-188
Usage: adsmb <action> [-c credentials] [-d domain] [-h host] -s share [-r file] [-l file ] [-n pattern] [-CmTV]
  action = get, getnew, getmod, put, putnew, print, dir, mkdir, rename, rmdir, delete
  -c credentials = credentials to use
  -h host = host to connect to. If not given it is the 'best' domain controller
  -d domain = domain to connect to. If not given it is using current joined domain or the domain part from the host
  -s share = share name
  -r file = the remote file or remote directory to dir
  -n pattern= pattern to list when listing directory, default is *
  -l file = the local file
  -C = convert CRLF to LF
  -m = use machine credentials. Requires access to krb5.keytab, typically root
  -T = Machine-readable timestamps
  -V = print debug message
Examples:
  adsmb get -h myserver -s test -r files\\my.txt -l foo.txt
  adsmb dir -s sysvol -mT
  adsmb dir -s homedrive -mT -r krusty\library -n *
  adsmb print -h myserver -s sharedPrinterName -l <-|foo.txt>
```
There seem to be a few more, but that's it for now.
It looks usable in a production environment even with the Free edition.