realmd
I had been configuring sssd by hand, but realmd does the domain join for you, so I switched to it in order to mount CIFS with the computer account.
AUR
https://aur.archlinux.org/packages/realmd
The dependency on glib2-devel is missing for some reason, so install it with --asdeps.
The [commands] section is needed because no distro-specific configuration is bundled for Arch.
code:/etc/realmd.conf
 [users]
 default-home = /home/%U
 default-shell = /bin/bash
 [active-directory]
 default-client = sssd
 [ds.nkmi.me]
 fully-qualified-names = no
 [commands]
 sssd-enable-logins =
 sssd-disable-logins =
 sssd-enable-service = /usr/bin/systemctl enable sssd.service
 sssd-disable-service = /usr/bin/systemctl disable sssd.service
 sssd-restart-service = /usr/bin/systemctl restart sssd.service
 sssd-stop-service = /usr/bin/systemctl stop sssd.service
 sssd-caches-flush = /usr/sbin/sss_cache --users --groups --netgroups --services --autofs-maps
 name-caches-flush =
krb5.conf
code:/etc/krb5.conf
 [libdefaults]
 # ...
 default_ccache_name = KEYRING:persistent:%{uid}
Note that sssd stores the ccache name in sysdb.
This is needed in order to use, as-is, the ccache that sssd keeps refreshed.
join
code:a.log
 5:26 ~ (▰╹◡╹) sudo realm join --verbose --user sorah ds.nkmi.me
 sudo password for sorah:
 * Resolving: _ldap._tcp.ds.nkmi.me
 * Performing LDAP DSE lookup on: 10.4.16.162
 * Performing LDAP DSE lookup on: 2406:da14:cb3:c701:1a3a:71ae:9129:1ea5
 * Successfully discovered: ds.nkmi.me
 Password for sorah:
 * LANG=C /usr/sbin/adcli join --verbose --domain ds.nkmi.me --domain-realm DS.NKMI.ME --domain-controller 10.4.16.162 --login-type user --login-user sorah --stdin-password
 * Using domain name: ds.nkmi.me
 * Calculated computer account name from fqdn: MAFUYU
 * Using domain realm: ds.nkmi.me
 * Sending NetLogon ping to domain controller: 10.4.16.162
 * Received NetLogon info from: shigure.ds.nkmi.me
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-pVLIdC/krb5.d/adcli-krb5-conf-d8Jrvg
 * Authenticated as user: sorah@DS.NKMI.ME
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: nekomit
 * Looked up domain SID: S-1-5-21-4272676656-675539351-1770382533
 * Received NetLogon info from: shigure.ds.nkmi.me
 * Using fully qualified name: mafuyu
 * Using domain name: ds.nkmi.me
 * Using computer account name: MAFUYU
 * Using domain realm: ds.nkmi.me
 * Calculated computer account name from fqdn: MAFUYU
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * A computer account for MAFUYU$ does not exist
 * Found well known computer container at: CN=Computers,DC=ds,DC=nkmi,DC=me
 * Calculated computer account: CN=MAFUYU,CN=Computers,DC=ds,DC=nkmi,DC=me
 * Encryption type 3 not permitted.
 * Encryption type 1 not permitted.
 * Created computer account: CN=MAFUYU,CN=Computers,DC=ds,DC=nkmi,DC=me
 * Trying to set computer password with Kerberos
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=MAFUYU,CN=Computers,DC=ds,DC=nkmi,DC=me
 * Checking RestrictedKrbHost/MAFUYU
 * Added RestrictedKrbHost/MAFUYU
 * Checking host/MAFUYU
 * Added host/MAFUYU
 * Discovered which keytab salt to use
 * Added the entries to the keytab: MAFUYU$@DS.NKMI.ME: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/MAFUYU@DS.NKMI.ME: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/MAFUYU@DS.NKMI.ME: FILE:/etc/krb5.keytab
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * Successfully enrolled machine in realm
Add the fqdn to servicePrincipalName if needed.
sssd
Added roughly the following:
code:/etc/sssd/sssd.conf
 [sssd]
 debug_level = 0xFFF0
 #debug_level = 0
 config_file_version = 2
 services = nss, pam, ssh
 domains = ds.nkmi.me
 entry_negative_timeout = 1
 [pam]
 debug_level = 0
 entry_negative_timeout = 1
 [nss]
 debug_level = 0
 entry_negative_timeout = 1
 [ssh]
 debug_level = 0
 entry_negative_timeout = 1
 [domain/ds.nkmi.me]
 # ...
 ldap_id_mapping = True
 ldap_user_object_class = user
 ldap_group_object_class = group
 ldap_user_name = sAMAccountName
 ldap_user_home_directory = homeDirectory
 ldap_user_principal = userPrincipalName
 ldap_user_fullname = cn
 ldap_user_certificate = userCertificate
 ldap_user_primary_group = primaryGroupID
 ldap_user_ssh_public_key = sshPublicKey
 ad_access_filter = FOREST:DS.NKMI.ME:(memberOf:1.2.840.113556.1.4.1941:=CN=penguin,OU=Groups,OU=Team,DC=ds,DC=nkmi,DC=me)
 ad_gpo_ignore_unreadable = True
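The OID `1.2.840.113556.1.4.1941` in the ad_access_filter above is LDAP_MATCHING_RULE_IN_CHAIN, so `memberOf:1.2.840.113556.1.4.1941:=<group>` matches users whose membership in penguin goes through nested groups, not only direct members; the `FOREST:DS.NKMI.ME:` prefix scopes the filter to that forest. As an added illustration (not code from the note), the following Python evaluates a plain memberOf test and the chained one over a constructed mini-directory. Only the penguin group DN comes from the sssd.conf above; the user and other group DNs are made up for the example.

```python
"""Added example: direct vs. in-chain (1.2.840.113556.1.4.1941) memberOf matching.

MEMBER_OF is a constructed mini-directory: each key is an object DN and each value
is that object's direct memberOf list. Only PENGUIN is taken from the note's config.
"""

PENGUIN = "CN=penguin,OU=Groups,OU=Team,DC=ds,DC=nkmi,DC=me"        # from sssd.conf above
INFRA = "CN=infra,OU=Groups,OU=Team,DC=ds,DC=nkmi,DC=me"            # constructed, nested in penguin
VISITORS = "CN=visitors,OU=Groups,OU=Team,DC=ds,DC=nkmi,DC=me"      # constructed, unrelated
LOOP = "CN=loop,OU=Groups,OU=Team,DC=ds,DC=nkmi,DC=me"              # constructed, forms a cycle

MEMBER_OF = {
    "CN=sorah,OU=Users,DC=ds,DC=nkmi,DC=me": [INFRA],     # in penguin only transitively
    "CN=alice,OU=Users,DC=ds,DC=nkmi,DC=me": [PENGUIN],   # direct member of penguin
    "CN=guest,OU=Users,DC=ds,DC=nkmi,DC=me": [VISITORS],  # never reaches penguin
    INFRA: [PENGUIN],
    PENGUIN: [],
    VISITORS: [LOOP],   # visitors <-> loop is a cycle: the chain walk must still terminate
    LOOP: [VISITORS],
}


def member_of_direct(dn, group):
    """Plain (memberOf=<group>): true only for direct members."""
    return group in MEMBER_OF.get(dn, [])


def member_of_in_chain(dn, group):
    """(memberOf:1.2.840.113556.1.4.1941:=<group>): follows nested groups, cycle-safe."""
    seen, stack = set(), list(MEMBER_OF.get(dn, []))
    while stack:
        g = stack.pop()
        if g == group:
            return True
        if g not in seen:
            seen.add(g)
            stack.extend(MEMBER_OF.get(g, []))
    return False


def allowed_by_filter(dn):
    """The access decision the ad_access_filter above expresses, on the mini-directory."""
    return member_of_in_chain(dn, PENGUIN)


if __name__ == "__main__":
    for user in ("sorah", "alice", "guest"):
        dn = f"CN={user},OU=Users,DC=ds,DC=nkmi,DC=me"
        print(f"{user}: direct={member_of_direct(dn, PENGUIN)} in_chain={allowed_by_filter(dn)}")
```

With a plain `memberOf=` filter sorah would be locked out as soon as the team group is reorganised into sub-groups; the chained rule is what makes "everyone under penguin" hold after such changes.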
code:/etc/systemd/system/sssd.service.d/network.conf
 [Unit]
 Wants=network-online.target
 After=network-online.target
ssh
code:/etc/ssh/sshd_config.d/99-sssd.conf
 AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
 AuthorizedKeysCommandUser nobody
pam
code:/etc/pam.d/system-auth
 #%PAM-1.0
 auth sufficient pam_sss.so forward_pass
 auth required pam_unix.so try_first_pass nullok
 auth optional pam_permit.so
 auth required pam_env.so
 account [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
 account required pam_unix.so
 account optional pam_permit.so
 account required pam_time.so
 password sufficient pam_sss.so use_authtok
 password required pam_unix.so try_first_pass nullok sha512 shadow
 password optional pam_permit.so
 session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
 session required pam_limits.so
 session required pam_unix.so
 session optional pam_sss.so
 session optional pam_permit.so
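As an added example (not from the note), here is a small Python evaluator for Linux-PAM control flags, run over the auth and account lines of the system-auth file above. It shows why pam_sss.so is `sufficient` in auth (a correct AD password ends the stack before pam_unix.so is consulted, while an unknown user falls through to the local password) and why the account line uses the bracketed form: `authinfo_unavail=ignore` lets the stack continue with the local checks when the DC is unreachable, whereas any other sssd denial, such as a user not matched by ad_access_filter, fails the login. Module return codes are supplied by the caller rather than computed, and the evaluator follows the semantics documented in pam.conf(5) in simplified form.

```python
"""Toy Linux-PAM stack evaluator (added example, not part of the original note).

The four keyword controls are expanded to the [retval=action] tables pam.conf(5)
says they are equivalent to, and the auth/account lines of the system-auth file
above are embedded as the stack under test. Module return codes are supplied by
the caller instead of being computed, so everything runs offline.
"""
import re

SIMPLE_CONTROLS = {
    "required":   {"success": "ok", "default": "bad"},
    "requisite":  {"success": "ok", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The auth and account lines of /etc/pam.d/system-auth above (other groups omitted).
SYSTEM_AUTH = """
auth     sufficient pam_sss.so forward_pass
auth     required   pam_unix.so try_first_pass nullok
auth     optional   pam_permit.so
auth     required   pam_env.so
account  [default=bad success=ok user_unknown=ignore authinfo_unavail=ignore] pam_sss.so
account  required   pam_unix.so
account  optional   pam_permit.so
account  required   pam_time.so
""".splitlines()

RULE_RE = re.compile(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)")


def parse_rule(line):
    """Return (type, action-table, module, args) for one pam.d line; None for blank/comment."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"cannot parse PAM line: {line!r}")
    kind, control, module, args = m.groups()
    if control.startswith("["):
        table = dict(kv.split("=", 1) for kv in control[1:-1].split())
    else:
        table = SIMPLE_CONTROLS[control]
    return kind, table, module, args.split()


def evaluate(stack_lines, kind, returns):
    """Evaluate one management group ('auth', 'account', ...) of a PAM stack.

    `returns` maps module name -> the return code it produces this time ('success',
    'auth_err', 'user_unknown', 'authinfo_unavail', 'perm_denied', ...); modules not
    listed succeed. Returns ('success' | 'failure', trace), where trace holds one
    (module, return code, action) tuple per module that was actually consulted.
    """
    status = None  # None: nothing decisive yet; 'ok' / 'bad': first decisive result
    trace = []
    for rule in filter(None, map(parse_rule, stack_lines)):
        rtype, table, module, _args = rule
        if rtype != kind:
            continue
        ret = returns.get(module, "success")
        action = table.get(ret, table["default"])
        trace.append((module, ret, action))
        if action == "ignore":
            continue
        if action in ("ok", "done") and status is None:
            status = "ok"
        if action in ("bad", "die") and status != "bad":
            status = "bad"  # the first failure decides the whole stack's result
        if action == "die":
            break  # requisite-style: stop immediately
        if action == "done" and status == "ok":
            break  # sufficient-style: succeed now, the remaining modules are skipped
    return ("success" if status == "ok" else "failure"), trace


def scenario(kind, returns):
    """Result of the embedded system-auth stack for one group and one set of return codes."""
    return evaluate(SYSTEM_AUTH, kind, returns)[0]


if __name__ == "__main__":
    cases = [
        ("auth", {"pam_sss.so": "success"}, "AD user, correct password"),
        ("auth", {"pam_sss.so": "user_unknown"}, "local user unknown to sssd"),
        ("auth", {"pam_sss.so": "auth_err", "pam_unix.so": "user_unknown"}, "AD user, wrong password"),
        ("account", {"pam_sss.so": "authinfo_unavail"}, "DC unreachable"),
        ("account", {"pam_sss.so": "perm_denied"}, "denied by ad_access_filter"),
    ]
    for kind, returns, label in cases:
        result, trace = evaluate(SYSTEM_AUTH, kind, returns)
        print(f"{kind:8} {label:28} -> {result:8} via {[m for m, _, _ in trace]}")
```

The last two scenarios are the ones to keep in mind when reading the account line: the bracketed control is what makes "sssd cannot be reached" and "sssd says no" behave differently.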
nss
code:/etc/nsswitch.conf
 passwd: files mymachines systemd sss
 shadow: files sss
 group: files mymachines systemd sss
 hosts: files mymachines myhostname resolve [!UNAVAIL=return] dns
 networks: files
 services: db files
 protocols: db files
 rpc: db files
 ethers: db files
 netmasks: files
 netgroup: files sss
 bootparam: files
 sudoers: files sss
 automount: files
 aliases: files
cifs
yay -S cifs-utils kstart autofs
https://superuser.com/questions/1657620/mount-cifs-any-way-to-mount-with-kerberos-using-the-machine-credentials
code:kstart.service
 [Unit]
 Description=ensure root krb tickets
 Wants=network-online.target
 After=network-online.target
 [Service]
 Type=forking
 ExecStart=/usr/bin/k5start -f /etc/krb5.keytab -U -b -K 60 -v -L
 [Install]
 WantedBy=multi-user.target
code:a.sh
 sudo mount -t cifs -o multiuser,cruid=root,sec=krb5,vers=2.0 //kanade.c.nkmi.me/sorah /mnt/win
autofs
code:a.sh
 echo '+dir:/etc/autofs/auto.master.d' | sudo tee /etc/autofs/auto.master
 echo '/mnt/w /etc/autofs/auto.w --timeout=600' | sudo tee /etc/autofs/auto.master.d/w.autofs
code:/etc/autofs/auto.w
 nvme2010 -fstype=cifs,multiuser,cruid=root,sec=krb5,vers=2.0 ://kanade.c.nkmi.me/nvme2010
 nvme2504b -fstype=cifs,multiuser,cruid=root,sec=krb5,vers=2.0 ://kanade.c.nkmi.me/nvme2504b
 magnetic2204 -fstype=cifs,multiuser,cruid=root,sec=krb5,vers=2.0 ://kanade.c.nkmi.me/magnetic2204
 magnetic2407 -fstype=cifs,multiuser,cruid=root,sec=krb5,vers=2.0 ://kanade.c.nkmi.me/magnetic2407
 home -fstype=cifs,multiuser,cruid=root,sec=krb5,vers=2.0 ://kanade.c.nkmi.me/Users/sorah
shell
code:a.sh
 sudo sss_override user-add sorah -s /bin/zsh
 sudo systemctl restart sssd