
Join a Red Hat Enterprise Linux virtual machine to an Azure AD Domain Services managed domain

To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to an Azure Active Directory Domain Services (AD DS) managed domain. When you join a VM to an Azure AD DS managed domain, user accounts and credentials from the domain can be used to sign in to and manage servers. Group memberships from the Azure AD DS managed domain are also applied, letting you control access to files or services on the VM.

This article shows you how to join a Red Hat Enterprise Linux (RHEL) VM to an Azure AD DS managed domain.

Prerequisites

To complete this tutorial, you need the following resources and privileges:

Create and connect to a RHEL Linux VM

If you have an existing RHEL Linux VM in Azure, connect to it using SSH, then continue to the next step to start configuring the VM.

If you need to create a RHEL Linux VM, or want to create a test VM for use with this article, you can use one of the following methods:

When you create the VM, pay attention to the virtual network settings to make sure that the VM can communicate with the Azure AD DS managed domain:

  • Deploy the VM into the same, or a peered, virtual network in which you have enabled Azure AD Domain Services.
  • Deploy the VM into a different subnet than your Azure AD Domain Services instance.

Once the VM is deployed, follow the steps to connect to the VM using SSH.

Configure the hosts file

To make sure that the VM host name is correctly configured for the managed domain, edit the /etc/hosts file and set the hostname:

sudo vi /etc/hosts

In the hosts file, update the localhost address. In the following example:

  • contoso.com is the DNS domain name of your Azure AD DS managed domain.
  • rhel is the hostname of the RHEL VM that you're joining to the managed domain.

Update these names with your own values:

127.0.0.1 rhel rhel.contoso.com

When done, save and exit the hosts file using the editor's :wq command.

Install required packages

The VM needs some additional packages to join the Azure AD DS managed domain. To install and configure these packages, update and install the domain-join tools using yum:

RHEL 7

sudo yum install realmd sssd krb5-workstation krb5-libs oddjob oddjob-mkhomedir samba-common-tools

RHEL 6

sudo yum install adcli sssd authconfig krb5-workstation

Join the VM to the managed domain

Now that the required packages are installed on the VM, join the VM to the Azure AD DS managed domain.

RHEL 7

  1. Use the realm discover command to discover the Azure AD DS managed domain. The following example discovers the realm CONTOSO.COM. Specify your own Azure AD DS managed domain name in ALL UPPERCASE:

    sudo realm discover CONTOSO.COM
    

    If the realm discover command can't find your Azure AD DS managed domain, review the following troubleshooting steps:

    • Make sure that the domain is reachable from the VM. Try ping contoso.com to see if a positive reply is returned.
    • Check that the VM is deployed to the same, or a peered, virtual network in which the Azure AD DS managed domain is available.
    • Confirm that the DNS server settings for the virtual network have been updated to point to the domain controllers of the Azure AD DS managed domain.
  2. Now initialize Kerberos using the kinit command. Specify a user that belongs to the AAD DC Administrators group. If needed, add a user account to a group in Azure AD.

    Again, the Azure AD DS managed domain name must be entered in ALL UPPERCASE. In the following example, the account named contosoadmin@contoso.com is used to initialize Kerberos. Enter your own user account that's a member of the AAD DC Administrators group:

    kinit contosoadmin@CONTOSO.COM
    
  3. Finally, join the machine to the Azure AD DS managed domain using the realm join command. Use the same user account that's a member of the AAD DC Administrators group that you specified in the previous kinit command, such as contosoadmin@CONTOSO.COM:

    sudo realm join --verbose CONTOSO.COM -U 'contosoadmin@CONTOSO.COM'
    

It takes a few moments to join the VM to the Azure AD DS managed domain. The following example output shows that the VM has successfully joined the Azure AD DS managed domain:

Successfully enrolled machine in realm

RHEL 6

  1. Use the adcli info command to discover the Azure AD DS managed domain. The following example discovers the realm CONTOSO.COM. Specify your own Azure AD DS managed domain name in ALL UPPERCASE:

    sudo adcli info contoso.com
    

    If the adcli info command can't find your Azure AD DS managed domain, review the following troubleshooting steps:

    • Make sure that the domain is reachable from the VM. Try ping contoso.com to see if a positive reply is returned.
    • Check that the VM is deployed to the same, or a peered, virtual network in which the Azure AD DS managed domain is available.
    • Confirm that the DNS server settings for the virtual network have been updated to point to the domain controllers of the Azure AD DS managed domain.
  2. First, join the domain using the adcli join command; this command also creates the keytab used to authenticate the machine. Use a user account that's a member of the AAD DC Administrators group.

    sudo adcli join contoso.com -U contosoadmin
    
  3. Now configure /etc/krb5.conf and create the /etc/sssd/sssd.conf file to use the contoso.com Active Directory domain. Make sure that CONTOSO.COM is replaced by your own domain name:

    Open the /etc/krb5.conf file with an editor:

    sudo vi /etc/krb5.conf
    

    Update the krb5.conf file to match the following sample:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     default_realm = CONTOSO.COM
     dns_lookup_realm = true
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
    
    [realms]
     CONTOSO.COM = {
     kdc = CONTOSO.COM
     admin_server = CONTOSO.COM
     }
    
    [domain_realm]
     .CONTOSO.COM = CONTOSO.COM
     CONTOSO.COM = CONTOSO.COM
    

    Create the /etc/sssd/sssd.conf file:

    sudo vi /etc/sssd/sssd.conf
    

    Update the sssd.conf file to match the following sample:

    [sssd]
     services = nss, pam, ssh, autofs
     config_file_version = 2
     domains = CONTOSO.COM
    
    [domain/CONTOSO.COM]
    
     id_provider = ad
    
  4. Make sure that /etc/sssd/sssd.conf has permissions 600 and is owned by the root user:

    sudo chmod 600 /etc/sssd/sssd.conf
    sudo chown root:root /etc/sssd/sssd.conf
    
  5. Use authconfig to enable SSSD for identity lookup and authentication on the VM:

    sudo authconfig --enablesssd --enablesssdauth --update
    
  6. Start and enable the sssd service:

    sudo service sssd start
    sudo chkconfig sssd on
    

If your VM can't successfully complete the domain-join process, make sure that the VM's network security group allows outbound Kerberos traffic on TCP and UDP port 464 to the virtual network subnet for your Azure AD DS managed domain.

Now check that you can query user information from AD using getent:

sudo getent passwd contosoadmin

Allow password authentication for SSH

By default, users can only sign in to a VM using SSH public key-based authentication; password-based authentication fails. When you join the VM to an Azure AD DS managed domain, domain accounts need to use password-based authentication. Update the SSH configuration to allow password-based authentication as follows.

  1. Open the sshd_config file with an editor:

    sudo vi /etc/ssh/sshd_config
    
  2. Update the PasswordAuthentication line to yes:

    PasswordAuthentication yes
    

    When done, save and exit the sshd_config file using the editor's :wq command.

  3. To apply the changes and let users sign in using a password, restart the SSH service:

    RHEL 7

    sudo systemctl restart sshd
    

    RHEL 6

    sudo service sshd restart
    

Grant the 'AAD DC Administrators' group sudo privileges

To grant members of the AAD DC Administrators group administrative privileges on the RHEL VM, add an entry to /etc/sudoers. Once added, members of the AAD DC Administrators group can use the sudo command on the RHEL VM.

  1. Open the sudoers file for editing:

    sudo visudo
    
  2. Add the following entry to the end of the /etc/sudoers file. The AAD DC Administrators group name contains whitespace, so include the backslash escape character in the group name. Add your own domain name, such as contoso.com:

    # Add 'AAD DC Administrators' group members as admins.
    %AAD\ DC\ Administrators@contoso.com ALL=(ALL) NOPASSWD:ALL
    

    When done, save and exit the editor using the :wq command.

Sign in to the VM using a domain account

To verify that the VM has been successfully joined to the Azure AD DS managed domain, start a new SSH connection using a domain user account. Confirm that a home directory has been created and that group membership from the domain is applied.

  1. Create a new SSH connection from your console. Use the ssh -l command with a domain account that belongs to the managed domain, such as contosoadmin@contoso.com, and then enter the address of your VM, such as rhel.contoso.com. If you use the Azure Cloud Shell, use the public IP address of the VM rather than the internal DNS name.

    ssh -l contosoadmin@CONTOSO.com rhel.contoso.com
    
  2. When you've successfully connected to the VM, verify that the home directory was initialized correctly:

    pwd
    

    You should be in the /home directory, in your own directory that matches the user account.

  3. Now check that the group memberships are being resolved correctly:

    id
    

    You should see your group memberships from the Azure AD DS managed domain.

  4. If you signed in to the VM as a member of the AAD DC Administrators group, check that you can correctly use the sudo command:

    sudo yum update
    
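As an added example that is not part of the original article, the following POSIX shell script checks the four files edited in the steps above (hosts, sssd.conf, sshd_config and sudoers) for the settings those steps require, running first against constructed sample files; the function names, the sample directory and the rhel/contoso.com values are assumptions for illustration, and the expected owner of sssd.conf defaults to root as the article requires.

```shell
#!/bin/sh
# Post-join sanity checks for the files edited in this article.
# Every function returns 0 when the file matches what the article asks for
# and 1 otherwise; paths are parameters so the checks run against the
# constructed samples below as well as against the live /etc files.

# /etc/hosts: the 127.0.0.1 entry must carry both the short hostname and the FQDN.
check_hosts() {  # $1=hosts file  $2=hostname  $3=domain
    awk -v h="$2" -v f="$2.$3" '
        $1 == "127.0.0.1" { for (i = 2; i <= NF; i++) { if ($i == h) s = 1; if ($i == f) q = 1 } }
        END { exit !(s && q) }' "$1"
}

# sssd.conf: mode exactly 0600, expected owner (root on the VM), id_provider = ad.
check_sssd_conf() {  # $1=sssd.conf  $2=expected owner (defaults to root)
    [ -n "$(find "$1" -maxdepth 0 -perm 0600 -user "${2:-root}" 2>/dev/null)" ] || return 1
    grep -Eq '^[[:space:]]*id_provider[[:space:]]*=[[:space:]]*ad[[:space:]]*$' "$1"
}

# sshd_config: sshd honours the first uncommented PasswordAuthentication line;
# an absent line is reported as not configured (1), not as sshd's default.
check_sshd_password_auth() {  # $1=sshd_config
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1" | grep -qx yes
}

# sudoers: fixed-string match on the backslash-escaped group entry the article adds.
check_sudoers() {  # $1=sudoers file  $2=domain
    grep -Fq "%AAD\\ DC\\ Administrators@$2 ALL=(ALL) NOPASSWD:ALL" "$1"
}

# Constructed sample files (not taken from a real VM) for a stand-alone run.
SAMPLE_DIR=$(mktemp -d)
printf '127.0.0.1 rhel rhel.contoso.com\n' > "$SAMPLE_DIR/hosts"
printf '[sssd]\ndomains = CONTOSO.COM\n[domain/CONTOSO.COM]\nid_provider = ad\n' > "$SAMPLE_DIR/sssd.conf"
chmod 600 "$SAMPLE_DIR/sssd.conf"
cp "$SAMPLE_DIR/sssd.conf" "$SAMPLE_DIR/sssd-loose.conf" && chmod 644 "$SAMPLE_DIR/sssd-loose.conf"
printf '#PasswordAuthentication no\nPasswordAuthentication yes\n' > "$SAMPLE_DIR/sshd_config"
printf '%%AAD\\ DC\\ Administrators@contoso.com ALL=(ALL) NOPASSWD:ALL\n' > "$SAMPLE_DIR/sudoers"

# On a joined VM use the real paths: /etc/hosts /etc/sssd/sssd.conf /etc/ssh/sshd_config /etc/sudoers
# (samples are owned by the current user, so that user is passed as the expected owner here).
for c in "check_hosts $SAMPLE_DIR/hosts rhel contoso.com" \
         "check_sssd_conf $SAMPLE_DIR/sssd.conf $(id -un)" \
         "check_sshd_password_auth $SAMPLE_DIR/sshd_config" \
         "check_sudoers $SAMPLE_DIR/sudoers contoso.com"; do
    if $c; then echo "ok   $c"; else echo "FAIL $c"; fi
done
```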

Next steps

If you have problems connecting the VM to the Azure AD DS managed domain or signing in with a domain account, see Troubleshooting domain join issues.