Join an Ubuntu Linux virtual machine to an Azure Active Directory Domain Services managed domain

To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to an Azure Active Directory Domain Services (Azure AD DS) managed domain. When you join a VM to an Azure AD DS managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM.

This article shows you how to join an Ubuntu Linux VM to a managed domain.

Prerequisites

To complete this tutorial, you need the following resources and privileges:

Create and connect to an Ubuntu Linux VM

If you have an existing Ubuntu Linux VM in Azure, connect to it using SSH, then continue on to the next step to start configuring the VM.

If you need to create an Ubuntu Linux VM, or want to create a test VM for use with this article, you can use one of the following methods:

When you create the VM, pay attention to the virtual network settings to make sure that the VM can communicate with the managed domain:

  • Deploy the VM into the same, or a peered, virtual network in which you have enabled Azure AD Domain Services.
  • Deploy the VM into a different subnet than your Azure AD Domain Services managed domain.

Once the VM is deployed, follow the steps to connect to the VM using SSH.

Configure the hosts file

To make sure that the VM host name is correctly configured for the managed domain, edit the /etc/hosts file and set the hostname:

sudo vi /etc/hosts

In the hosts file, update the localhost address. In the following example:

  • aaddscontoso.com is the DNS domain name of your managed domain.
  • ubuntu is the hostname of your Ubuntu VM that you're joining to the managed domain.

Update these names with your own values:

127.0.0.1 ubuntu.aaddscontoso.com ubuntu

When done, save and exit the hosts file using the :wq command of the editor.

Install required packages

The VM needs some additional packages to join the managed domain. To install and configure these packages, update the package index and install the domain-join tools using apt-get.

During the Kerberos installation, the krb5-user package prompts for the realm name in ALL UPPERCASE. For example, if the name of your managed domain is aaddscontoso.com, enter AADDSCONTOSO.COM as the realm. The installation writes the [realm] and [domain_realm] sections in the /etc/krb5.conf configuration file. Make sure that you specify the realm in ALL UPPERCASE:

sudo apt-get update
sudo apt-get install krb5-user samba sssd sssd-tools libnss-sss libpam-sss ntp ntpdate realmd adcli

Configure Network Time Protocol (NTP)

For domain communication to work correctly, the date and time of your Ubuntu VM must synchronize with the managed domain. Add your managed domain's NTP hostname to the /etc/ntp.conf file.

  1. Open the ntp.conf file with an editor:

    sudo vi /etc/ntp.conf
    
  2. In the ntp.conf file, create a line to add your managed domain's DNS name. In the following example, an entry for aaddscontoso.com is added. Use your own DNS name:

    server aaddscontoso.com
    

    When done, save and exit the ntp.conf file using the :wq command of the editor.

  3. To make sure that the VM is synchronized with the managed domain, the following steps are needed:

    • Stop the NTP server
    • Update the date and time from the managed domain
    • Start the NTP service

    Run the following commands to complete these steps. Use your own DNS name with the ntpdate command:

    sudo systemctl stop ntp
    sudo ntpdate aaddscontoso.com
    sudo systemctl start ntp
    

Join the VM to the managed domain

Now that the required packages are installed on the VM and NTP is configured, join the VM to the managed domain.

  1. Use the realm discover command to discover the managed domain. The following example discovers the realm AADDSCONTOSO.COM. Specify your own managed domain name in ALL UPPERCASE:

    sudo realm discover AADDSCONTOSO.COM
    

    If the realm discover command can't find your managed domain, review the following troubleshooting steps:

    • Make sure that the domain is reachable from the VM. Try ping aaddscontoso.com to see if a positive reply is returned.
    • Check that the VM is deployed to the same, or a peered, virtual network in which the managed domain is available.
    • Confirm that the DNS server settings for the virtual network have been updated to point to the domain controllers of the managed domain.
  2. Now initialize Kerberos using the kinit command. Specify a user that's a part of the managed domain. If needed, add a user account to a group in Azure AD.

    Again, the managed domain name must be entered in ALL UPPERCASE. In the following example, the account named contosoadmin@aaddscontoso.com is used to initialize Kerberos. Enter your own user account that's a part of the managed domain:

    kinit contosoadmin@AADDSCONTOSO.COM
    
  3. Finally, join the machine to the managed domain using the realm join command. Use the same user account that's a part of the managed domain that you specified in the previous kinit command, such as contosoadmin@AADDSCONTOSO.COM:

    sudo realm join --verbose AADDSCONTOSO.COM -U 'contosoadmin@AADDSCONTOSO.COM' --install=/
    

It takes a few moments to join the VM to the managed domain. The following example output shows that the VM has successfully joined the managed domain:

Successfully enrolled machine in realm

If your VM can't successfully complete the domain-join process, make sure that the VM's network security group allows outbound Kerberos traffic on TCP + UDP port 464 to the virtual network subnet for your managed domain.

If you receive the error Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database), open the file /etc/krb5.conf, add the following line to the [libdefaults] section, and try again:

rdns=false
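As an added example (not part of the original article), two shell helpers for the Kerberos steps above: one derives the uppercase realm name from the managed domain's DNS name, the other adds rdns = false to the [libdefaults] section of a krb5.conf file, the fix described for the Server not found in Kerberos database error. The function names, and the practice of running them against a copy before touching /etc/krb5.conf, are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Helpers for the Kerberos
# part of the join; both take their input as arguments so they can be
# tried on a copy before the real /etc/krb5.conf is edited.

# Derive the Kerberos realm from the managed domain's DNS name. The
# krb5-user prompt, kinit and realm join all expect it in UPPERCASE.
to_realm() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Return 0 if "rdns = false" (or "rdns=false") is set inside the
# [libdefaults] section of the given krb5.conf, 1 otherwise.
has_rdns_false() {
    awk '
        /^\[/ { in_section = ($0 ~ /^\[libdefaults\]/) }
        in_section {
            line = $0; gsub(/=/, " = ", line); n = split(line, f)
            if (n >= 3 && f[1] == "rdns" && f[3] == "false") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Add "rdns = false" under [libdefaults], creating the section if the
# file has none. Idempotent: a file that already has it is left alone.
ensure_rdns_false() {
    conf="$1"
    if has_rdns_false "$conf"; then
        return 0
    fi
    grep -q '^\[libdefaults\]' "$conf" || printf '[libdefaults]\n' >> "$conf"
    tmp=$(mktemp)
    awk '
        { print }
        /^\[libdefaults\]/ && !added { print "    rdns = false"; added = 1 }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}
```

Run it as, for example, `cp /etc/krb5.conf /tmp/krb5.conf && ensure_rdns_false /tmp/krb5.conf && diff /etc/krb5.conf /tmp/krb5.conf` to review the change before applying it to the real file.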

Update the SSSD configuration

One of the packages installed in a previous step was for System Security Services Daemon (SSSD). When a user tries to sign in to a VM using domain credentials, SSSD relays the request to an authentication provider. In this scenario, SSSD uses Azure AD DS to authenticate the request.

  1. Open the sssd.conf file with an editor:

    sudo vi /etc/sssd/sssd.conf
    
  2. Comment out the line for use_fully_qualified_names as follows:

    # use_fully_qualified_names = True
    

    When done, save and exit the sssd.conf file using the :wq command of the editor.

  3. To apply the change, restart the SSSD service:

    sudo service sssd restart
    

Configure user account and group settings

With the VM joined to the managed domain and configured for authentication, there are a few user configuration options to complete. These configuration changes include allowing password-based authentication, and automatically creating home directories on the local VM when domain users first sign in.

Allow password authentication for SSH

By default, users can only sign in to a VM using SSH public key-based authentication. Password-based authentication fails. When you join the VM to a managed domain, those domain accounts need to use password-based authentication. Update the SSH configuration to allow password-based authentication as follows.

  1. Open the sshd_config file with an editor:

    sudo vi /etc/ssh/sshd_config
    
  2. Update the line for PasswordAuthentication to yes:

    PasswordAuthentication yes
    

    When done, save and exit the sshd_config file using the :wq command of the editor.

  3. To apply the changes and let users sign in using a password, restart the SSH service:

    sudo systemctl restart ssh
    

Configure automatic home directory creation

To enable automatic creation of the home directory when a user first signs in, complete the following steps:

  1. Open the /etc/pam.d/common-session file in an editor:

    sudo vi /etc/pam.d/common-session
    
  2. Add the following line in this file below the line session optional pam_sss.so:

    session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
    

    When done, save and exit the common-session file using the :wq command of the editor.

Grant the 'AAD DC Administrators' group sudo privileges

To grant members of the AAD DC Administrators group administrative privileges on the Ubuntu VM, you add an entry to /etc/sudoers. Once added, members of the AAD DC Administrators group can use the sudo command on the Ubuntu VM.

  1. Open the sudoers file for editing:

    sudo visudo
    
  2. Add the following entry to the end of the /etc/sudoers file:

    # Add 'AAD DC Administrators' group members as admins.
    %AAD\ DC\ Administrators ALL=(ALL) NOPASSWD:ALL
    

    When done, save and exit the editor using the Ctrl-X command.
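As an added example (not part of the original article), a shell script that verifies the sshd_config, sssd.conf, common-session and sudoers edits made in the preceding sections. The file paths are passed as arguments so it can run against the live files or against test copies; the check_* function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Each check takes a file
# path, e.g. check_sshd /etc/ssh/sshd_config, and returns 0 on success.

# sshd_config: the effective PasswordAuthentication value is the first
# uncommented occurrence; it must be "yes" for domain accounts to log in.
check_sshd() {
    awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$1" \
        | grep -qx yes
}

# sssd.conf: use_fully_qualified_names must not be active (commented out
# or absent), otherwise users have to log in as user@domain.
check_sssd() {
    ! grep -Eq '^[[:space:]]*use_fully_qualified_names[[:space:]]*=' "$1"
}

# common-session: pam_mkhomedir must come after pam_sss so the home
# directory is created for domain users on first login; umask=0077 keeps
# a new home directory readable only by its owner.
check_pam() {
    awk '
        $1 == "session" && $3 == "pam_sss.so" { sss = NR }
        $1 == "session" && $3 == "pam_mkhomedir.so" && /umask=0077/ { mk = NR }
        END { exit (sss && mk && mk > sss) ? 0 : 1 }
    ' "$1"
}

# sudoers: the AAD DC Administrators entry from the article is present.
# That entry grants NOPASSWD; whether that is acceptable is a policy
# decision for your environment.
check_sudoers() {
    grep -Fxq '%AAD\ DC\ Administrators ALL=(ALL) NOPASSWD:ALL' "$1"
}

# Run all four checks, print one line per result, return 0 only if all pass.
check_all() {
    rc=0
    for pair in "sshd:$1" "sssd:$2" "pam:$3" "sudoers:$4"; do
        name=${pair%%:*}; file=${pair#*:}
        if "check_$name" "$file"; then echo "ok   $name ($file)"
        else echo "FAIL $name ($file)"; rc=1; fi
    done
    return $rc
}
```

On the VM itself, run `sudo sh -c '. ./check.sh; check_all /etc/ssh/sshd_config /etc/sssd/sssd.conf /etc/pam.d/common-session /etc/sudoers'` (sssd.conf and sudoers are root-readable only).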

Sign in to the VM using a domain account

To verify that the VM has been successfully joined to the managed domain, start a new SSH connection using a domain user account. Confirm that a home directory has been created, and that group membership from the domain is applied.

  1. Create a new SSH connection from your console. Use a domain account that belongs to the managed domain with the ssh -l command, such as contosoadmin@aaddscontoso.com, and then enter the address of your VM, such as ubuntu.aaddscontoso.com. If you use the Azure Cloud Shell, use the public IP address of the VM rather than the internal DNS name.

    ssh -l contosoadmin@AADDSCONTOSO.com ubuntu.aaddscontoso.com
    
  2. When you've successfully connected to the VM, verify that the home directory was initialized correctly:

    pwd
    

    You should be in the /home directory with your own directory that matches the user account.

  3. Now check that the group memberships are being resolved correctly:

    id
    

    You should see your group memberships from the managed domain.

  4. If you signed in to the VM as a member of the AAD DC Administrators group, check that you can correctly use the sudo command:

    sudo apt-get update
    

Next steps

If you have problems connecting the VM to the managed domain or signing in with a domain account, see Troubleshooting domain join issues.