Join an Ubuntu Linux virtual machine to an Azure Active Directory Domain Services managed domain
To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to an Azure Active Directory Domain Services (Azure AD DS) managed domain. When you join a VM to an Azure AD DS managed domain, user accounts and credentials from the domain can be used to sign in to and manage servers. Group memberships from the managed domain are also applied, so you can use them to control access to files or services on the VM.
This article shows you how to join an Ubuntu Linux VM to a managed domain.
Prerequisites
To complete this tutorial, you need the following resources and privileges:
- An active Azure subscription.
- If you don't have an Azure subscription, create an account.
- An Azure Active Directory tenant associated with your subscription, either synchronized with an on-premises directory or a cloud-only directory.
- An Azure Active Directory Domain Services managed domain enabled and configured in your Azure AD tenant.
- If needed, the first tutorial creates and configures an Azure Active Directory Domain Services managed domain.
- A user account that's a part of the managed domain.
Create and connect to an Ubuntu Linux VM
If you have an existing Ubuntu Linux VM in Azure, connect to it using SSH, then continue on to the next step to start configuring the VM.
If you need to create an Ubuntu Linux VM, or want to create a test VM for use with this article, you can use one of the following methods:
When you create the VM, pay attention to the virtual network settings to make sure that the VM can communicate with the managed domain:
- Deploy the VM into the same, or a peered, virtual network in which you have enabled Azure AD Domain Services.
- Deploy the VM into a different subnet than your Azure AD Domain Services managed domain.
Once the VM is deployed, follow the steps to connect to the VM using SSH.
Configure the hosts file
To make sure that the VM host name is correctly configured for the managed domain, edit the /etc/hosts file and set the hostname:
sudo vi /etc/hosts
In the hosts file, update the localhost address. In the following example:
- aaddscontoso.com is the DNS domain name of your managed domain.
- ubuntu is the hostname of your Ubuntu VM that you're joining to the managed domain.
Update these names with your own values:
127.0.0.1 ubuntu.aaddscontoso.com ubuntu
When done, save and exit the hosts file using the :wq command of the editor. Keep the fully qualified name first on that line: the join uses the canonical host name for the computer account and its Kerberos service principal, so hostname -f should print ubuntu.aaddscontoso.com before you continue.
Install required packages
The VM needs some additional packages to join it to the managed domain. To install and configure these packages, update and install the domain-join tools using apt-get.
During the Kerberos installation, the krb5-user package prompts for the realm name in ALL UPPERCASE. For example, if the name of your managed domain is aaddscontoso.com, enter AADDSCONTOSO.COM as the realm. The installation writes the [realms] and [domain_realm] sections in the /etc/krb5.conf configuration file. Make sure that you specify the realm in ALL UPPERCASE:
sudo apt-get update
sudo apt-get install krb5-user samba sssd sssd-tools libnss-sss libpam-sss ntp ntpdate realmd adcli
Configure Network Time Protocol (NTP)
For domain communication to work correctly, the date and time of your Ubuntu VM must be synchronized with the managed domain: Kerberos rejects tickets once the clock skew exceeds five minutes. Add your managed domain's NTP hostname to the /etc/ntp.conf file.
Open the ntp.conf file with an editor:
sudo vi /etc/ntp.conf
In the ntp.conf file, create a line to add your managed domain's DNS name. In the following example, an entry for aaddscontoso.com is added. Use your own DNS name:
server aaddscontoso.com
When done, save and exit the ntp.conf file using the :wq command of the editor. To make sure that the VM is synchronized with the managed domain, the following steps are needed:
- Stop the NTP server
- Update the date and time from the managed domain
- Start the NTP service
Run the following commands to complete these steps. Use your own DNS name with the ntpdate command:
sudo systemctl stop ntp
sudo ntpdate aaddscontoso.com
sudo systemctl start ntp
Newer Ubuntu images ship chrony or systemd-timesyncd instead of the ntp package; whichever time service is in use, point it at the managed domain's DNS name and confirm with timedatectl that the system clock is reported as synchronized.
Join VM to the managed domain
Now that the required packages are installed on the VM and NTP is configured, join the VM to the managed domain.
Use the realm discover command to discover the managed domain. The following example discovers the realm AADDSCONTOSO.COM. Specify your own managed domain name in ALL UPPERCASE:
sudo realm discover AADDSCONTOSO.COM
If the realm discover command can't find your managed domain, review the following troubleshooting steps:
- Make sure that the domain is reachable from the VM. Try ping aaddscontoso.com to see if a positive reply is returned.
- Check that the VM is deployed to the same, or a peered, virtual network in which the managed domain is available.
- Confirm that the DNS server settings for the virtual network have been updated to point to the domain controllers of the managed domain.
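The troubleshooting steps above can be run from the VM as one script before you attempt the join. The following is an added example, not part of the article or of realmd; it assumes bash (for /dev/tcp) plus the getent and timeout utilities, takes the managed domain's DNS name as its argument, and aaddscontoso.com is the article's placeholder name.

```shell
#!/bin/sh
# Pre-join checks for an Azure AD DS managed domain (added example, not from the article).
# Assumes a Linux VM with getent, timeout and bash available; the domain name is a parameter.

# Kerberos realm names are the DNS domain name in upper case; krb5-user, kinit and
# realm join all expect this form.
realm_for() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# TCP ports the join has to reach on the managed domain's domain controllers:
# 53 DNS, 88 Kerberos, 389 LDAP, 464 kpasswd (realm join sets the computer
# account password through it). UDP is not probed here.
JOIN_PORTS="53 88 389 464"

# Return 0 if host:port accepts a TCP connection within 3 seconds (uses bash /dev/tcp).
tcp_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Does this VM resolve the domain name through the virtual network's DNS servers?
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Run every check, print one line per check, return non-zero if any failed.
preflight() {
    domain="$1"
    failed=0
    printf 'realm: %s\n' "$(realm_for "$domain")"
    if resolves "$domain"; then
        echo "dns: $domain resolves"
    else
        echo "dns: $domain does not resolve; check the virtual network DNS servers"
        failed=1
    fi
    for port in $JOIN_PORTS; do
        if tcp_open "$domain" "$port"; then
            echo "tcp/$port: open"
        else
            echo "tcp/$port: blocked; check the VM's network security group"
            failed=1
        fi
    done
    # Kerberos tolerates at most five minutes of skew; compare this with the domain's time.
    date -u '+clock: %Y-%m-%dT%H:%M:%SZ'
    return "$failed"
}

# Usage: sh preflight.sh aaddscontoso.com
if [ $# -gt 0 ]; then
    preflight "$1"
fi
```

A non-zero exit from preflight means at least one check failed; the printed line names the Azure-side setting (DNS servers on the virtual network, or the network security group) to look at.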
Now initialize Kerberos using the kinit command. Specify a user that's a part of the managed domain. If needed, add a user account to a group in Azure AD. Again, the managed domain name must be entered in ALL UPPERCASE. In the following example, the account named contosoadmin@aaddscontoso.com is used to initialize Kerberos. Enter your own user account that's a part of the managed domain:
kinit -V contosoadmin@AADDSCONTOSO.COM
Finally, join the VM to the managed domain using the realm join command. Use the same user account that's a part of the managed domain that you specified in the previous kinit command, such as contosoadmin@AADDSCONTOSO.COM:
sudo realm join --verbose AADDSCONTOSO.COM -U 'contosoadmin@AADDSCONTOSO.COM' --install=/
It takes a few moments to join the VM to the managed domain. The following example output shows the VM has successfully joined to the managed domain:
Successfully enrolled machine in realm
By default the join permits every user in the managed domain to sign in to the VM; use realm permit (with -g and a group name) if only specific groups should be able to log in.
If your VM can't successfully complete the domain-join process, make sure that the VM's network security group allows outbound Kerberos traffic on TCP + UDP port 464 to the virtual network subnet for your managed domain. Port 464 is the Kerberos password-change (kpasswd) port, which realm join uses to set the new computer account's password; the join also needs DNS (53), Kerberos (88) and LDAP (389) on the managed domain to be reachable.
If you receive the error Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database), open the file /etc/krb5.conf and add the following line in the [libdefaults] section, then try again. The error occurs when the Kerberos client canonicalizes the KDC address through reverse DNS and ends up requesting a ticket for a name that has no service principal; rdns=false disables that reverse lookup:
rdns=false
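For reference, a complete /etc/krb5.conf for this scenario, added here as an example rather than taken from the article or from what the krb5-user installer writes. AADDSCONTOSO.COM and aaddscontoso.com are the article's placeholder names, and the kdc and admin_server values assume that the managed domain's DNS name resolves to its domain controllers (which it does once the virtual network's DNS servers point at them); replace them with your own.

```ini
[libdefaults]
    default_realm = AADDSCONTOSO.COM
    # Find KDCs through the managed domain's DNS SRV records
    dns_lookup_kdc = true
    dns_lookup_realm = false
    # Do not canonicalize KDC names via reverse DNS; avoids "Server not found in Kerberos database"
    rdns = false

[realms]
    # Placeholder realm from the article; the installer writes this section from the debconf prompts
    AADDSCONTOSO.COM = {
        kdc = aaddscontoso.com
        admin_server = aaddscontoso.com
    }

[domain_realm]
    # Map the DNS domain (and any host in it) to the upper-case realm
    .aaddscontoso.com = AADDSCONTOSO.COM
    aaddscontoso.com = AADDSCONTOSO.COM
```

The realm name is the only place where case matters: keep it upper case in default_realm, in the [realms] key and on the right-hand side of [domain_realm], and lower case for the DNS names.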
Update the SSSD configuration
One of the packages installed in a previous step was for System Security Services Daemon (SSSD). When a user tries to sign in to a VM using domain credentials, SSSD relays the request to an authentication provider. In this scenario, SSSD uses Azure AD DS to authenticate the request.
Open the sssd.conf file with an editor:
sudo vi /etc/sssd/sssd.conf
Comment out the line for use_fully_qualified_names as follows:
# use_fully_qualified_names = True
With this setting off, domain users sign in with the bare account name (contosoadmin rather than contosoadmin@aaddscontoso.com), so make sure that no local account on the VM shares a name with a domain account; leave the line in place if you want the domain-qualified form to be required.
When done, save and exit the sssd.conf file using the :wq command of the editor. To apply the change, restart the SSSD service:
sudo systemctl restart sssd
Configure user account and group settings
With the VM joined to the managed domain and configured for authentication, there are a few user configuration options to complete. These configuration changes include allowing password-based authentication, and automatically creating home directories on the local VM when domain users first sign in.
Allow password authentication for SSH
By default, users can only sign in to a VM using SSH public key-based authentication. Password-based authentication fails. When you join the VM to a managed domain, those domain accounts need to use password-based authentication. Update the SSH configuration to allow password-based authentication as follows.
Open the sshd_config file with an editor:
sudo vi /etc/ssh/sshd_config
Update the line for PasswordAuthentication to yes:
PasswordAuthentication yes
sshd uses the first value it reads for a keyword, so on Ubuntu releases whose sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, a drop-in there that sets PasswordAuthentication no (cloud-init writes one when the VM is provisioned with key-only authentication) overrides your edit; check the effective value with sudo sshd -T | grep -i passwordauthentication. Enabling passwords globally also exposes local accounts to password guessing, so keep key-only authentication for local administrators by scoping the yes to domain accounts in a Match block.
When done, save and exit the sshd_config file using the :wq command of the editor. To apply the changes and let users sign in using a password, restart the SSH service:
sudo systemctl restart ssh
Configure automatic home directory creation
To enable automatic creation of the home directory when a user first signs in, complete the following steps:
Open the /etc/pam.d/common-session file in an editor:
sudo vi /etc/pam.d/common-session
Add the following line in this file below the line session optional pam_sss.so:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
When done, save and exit the common-session file using the :wq command of the editor. The umask=0077 keeps new home directories readable only by their owner. Note that pam-auth-update regenerates common-session and discards manual edits; sudo pam-auth-update --enable mkhomedir enables the same module through Ubuntu's PAM profile mechanism and survives package updates.
Grant the 'AAD DC Administrators' group sudo privileges
To grant members of the AAD DC Administrators group administrative privileges on the Ubuntu VM, add an entry to /etc/sudoers. Once added, members of the AAD DC Administrators group can use the sudo command on the Ubuntu VM.
Open the sudoers file for editing:
sudo visudo
Add the following entry to the end of the /etc/sudoers file:
# Add 'AAD DC Administrators' group members as admins.
%AAD\ DC\ Administrators ALL=(ALL) NOPASSWD:ALL
When done, save and exit the editor using the Ctrl-X command (visudo opens nano by default on Ubuntu and checks the syntax before writing the file). The group name contains spaces, so each one is escaped with a backslash. NOPASSWD:ALL gives every member root without presenting a credential again; dropping NOPASSWD makes sudo ask for the user's domain password, which SSSD verifies against the managed domain, and is the safer default for a group that maps to tenant-wide administrators.
Sign in to the VM using a domain account
To verify that the VM has been successfully joined to the managed domain, start a new SSH connection using a domain user account. Confirm that a home directory has been created, and that group membership from the domain is applied.
Create a new SSH connection from your console. Use a domain account that belongs to the managed domain with the ssh -l command, such as contosoadmin@aaddscontoso.com, and then enter the address of your VM, such as ubuntu.aaddscontoso.com:
ssh -l contosoadmin@AADDSCONTOSO.com ubuntu.aaddscontoso.com
When you've successfully connected to the VM, verify that the home directory was initialized correctly:
pwd
You should be in the /home directory with your own directory that matches the user account.
Now check that the group memberships are being resolved correctly:
id
You should see your group memberships from the managed domain.
If you signed in to the VM as a member of the AAD DC Administrators group, check that you can correctly use the sudo command:
sudo apt-get update
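The manual checks above (pwd, id, sudo) can be scripted so the same verification runs on every joined VM. The following is an added example, not from the article; it assumes a Linux host with getent, id and sudo, takes the account name as its argument, and uses the article's group name AAD DC Administrators.

```shell
#!/bin/sh
# Post-join checks for a domain account on the Ubuntu VM (added example, not from the article).
# Assumes Linux with getent, id and sudo; the account name is a parameter.

# Home directory recorded for an account, as NSS (files first, then SSSD) resolves it.
home_dir_of() {
    getent passwd "$1" | cut -d: -f6
}

# Return 0 if the account is a member of the named group. Membership is compared
# by numeric GID so group names containing spaces work; SSSD matches the name
# case-insensitively, so "AAD DC Administrators" finds the lowercased group too.
in_group() {
    gid=$(getent group "$2" | cut -d: -f3)
    [ -n "$gid" ] || return 1
    for g in $(id -G "$1" 2>/dev/null); do
        [ "$g" = "$gid" ] && return 0
    done
    return 1
}

# Full check for one account: it resolves through SSSD, pam_mkhomedir created its
# home, the administrators group is applied, and (for the signed-in user) sudo works.
verify_domain_user() {
    user="$1"
    failed=0
    if ! getent passwd "$user" >/dev/null 2>&1; then
        echo "nss: $user is unknown; check that sssd is running and the join succeeded"
        return 1
    fi
    home=$(home_dir_of "$user")
    if [ -n "$home" ] && [ -d "$home" ]; then
        echo "home: $home exists"
    else
        echo "home: $home missing; sign in once so pam_mkhomedir creates it"
        failed=1
    fi
    if in_group "$user" "AAD DC Administrators"; then
        echo "group: $user is a member of AAD DC Administrators"
        # Only meaningful for the signed-in user: -n never prompts, so this
        # succeeds only if the sudoers entry grants NOPASSWD access.
        if [ "$user" = "$(id -un)" ]; then
            if sudo -n true 2>/dev/null; then
                echo "sudo: passwordless sudo works"
            else
                echo "sudo: not granted; check the /etc/sudoers entry"
                failed=1
            fi
        fi
    else
        echo "group: $user is not a member of AAD DC Administrators"
    fi
    return "$failed"
}

# Usage: sh verify-join.sh contosoadmin
if [ $# -gt 0 ]; then
    verify_domain_user "$1"
fi
```

Run it as the domain user after the first SSH login; if the nss line fails while realm list shows the domain, restart sssd and check that the VM's DNS still points at the managed domain.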
Next steps
If you have problems connecting the VM to the managed domain or signing in with a domain account, see Troubleshooting domain join issues.