Този браузър вече не се поддържа.
Надстройте до Microsoft Edge, за да се възползвате от най-новите функции, актуализации на защитата и техническа поддръжка.
To let users sign in to virtual machines (VMs) in Azure using a single set of credentials, you can join VMs to a Microsoft Entra Domain Services managed domain. When you join a VM to a Domain Services managed domain, user accounts and credentials from the domain can be used to sign in and manage servers. Group memberships from the managed domain are also applied to let you control access to files or services on the VM.
This article shows you how to join a Red Hat Enterprise Linux (RHEL) VM to a managed domain.
To complete this tutorial, you need the following resources and privileges:
If you have an existing RHEL Linux VM in Azure, connect to it using SSH, then continue on to the next step to start configuring the VM.
If you need to create a RHEL Linux VM, or want to create a test VM for use with this article, you can use one of the following methods:
When you create the VM, pay attention to the virtual network settings to make sure that the VM can communicate with the managed domain:
Once the VM is deployed, follow the steps to connect to the VM using SSH.
To make sure that the VM host name is correctly configured for the managed domain, edit the /etc/hosts file and set the hostname:
sudo vi /etc/hosts
In the hosts file, update the localhost address. In the following example:
Update these names with your own values:
127.0.0.1 rhel rhel.aaddscontoso.com
When done, save and exit the hosts file using the :wq command of the editor.
Важно
Keep in consideration Red Hat Enterprise Linux 6.X and Oracle Linux 6.x is already EOL. RHEL 6.10 has available ELS support, which ended on 06/2024.
The VM needs some additional packages to join the VM to the managed domain. To install and configure these packages, update and install the domain-join tools using yum.
sudo yum install adcli sssd authconfig krb5-workstation
Now that the required packages are installed on the VM, join the VM to the managed domain.
Use the adcli info command to discover the managed domain. The following example discovers the realm ADDDSCONTOSO.COM. Specify your own managed domain name in ALL UPPERCASE:
sudo adcli info aaddscontoso.com
If the adcli info command can't find your managed domain, review the following troubleshooting steps:
ping aaddscontoso.com to see if a positive reply is returned.First, join the domain using the adcli join command. This command also creates the keytab to authenticate the machine. Use a user account that's a part of the managed domain.
sudo adcli join aaddscontoso.com -U contosoadmin
Now configure the /ect/krb5.conf and create the /etc/sssd/sssd.conf files to use the aaddscontoso.com Active Directory domain.
Make sure that AADDSCONTOSO.COM is replaced by your own domain name:
Open the /etc/krb5.conf file with an editor:
sudo vi /etc/krb5.conf
Update the krb5.conf file to match the following sample:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AADDSCONTOSO.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
AADDSCONTOSO.COM = {
kdc = AADDSCONTOSO.COM
admin_server = AADDSCONTOSO.COM
}
[domain_realm]
.AADDSCONTOSO.COM = AADDSCONTOSO.COM
AADDSCONTOSO.COM = AADDSCONTOSO.COM
Create the /etc/sssd/sssd.conf file:
sudo vi /etc/sssd/sssd.conf
Update the sssd.conf file to match the following sample:
[sssd]
services = nss, pam, ssh, autofs
config_file_version = 2
domains = AADDSCONTOSO.COM
[domain/AADDSCONTOSO.COM]
id_provider = ad
Make sure /etc/sssd/sssd.conf permissions are 600 and is owned by root user:
sudo chmod 600 /etc/sssd/sssd.conf
sudo chown root:root /etc/sssd/sssd.conf
Use authconfig to instruct the VM about the AD Linux integration:
sudo authconfig --enablesssd --enablesssd auth --update
Start and enable the sssd service:
sudo service sssd start
sudo chkconfig sssd on
If your VM can't successfully complete the domain-join process, make sure that the VM's network security group allows outbound Kerberos traffic on TCP + UDP port 464 to the virtual network subnet for your managed domain.
Now check if you can query user AD information using getent
sudo getent passwd contosoadmin
By default, users can only sign in to a VM using SSH public key-based authentication. Password-based authentication fails. When you join the VM to a managed domain, those domain accounts need to use password-based authentication. Update the SSH configuration to allow password-based authentication as follows.
Open the sshd_conf file with an editor:
sudo vi /etc/ssh/sshd_config
Update the line for PasswordAuthentication to yes:
PasswordAuthentication yes
When done, save and exit the sshd_conf file using the :wq command of the editor.
To apply the changes and let users sign in using a password, restart the SSH service for your RHEL distro version:
sudo service sshd restart
To grant members of the AAD DC Administrators group administrative privileges on the RHEL VM, you add an entry to the /etc/sudoers. Once added, members of the AAD DC Administrators group can use the sudo command on the RHEL VM.
Open the sudoers file for editing:
sudo visudo
Add the following entry to the end of /etc/sudoers file. The AAD DC Administrators group contains whitespace in the name, so include the backslash escape character in the group name. Add your own domain name, such as aaddscontoso.com:
# Add 'AAD DC Administrators' group members as admins.
%AAD\ DC\ Administrators@aaddscontoso.com ALL=(ALL) NOPASSWD:ALL
When done, save and exit the editor using the :wq command of the editor.
To verify that the VM successfully joined to the managed domain, start a new SSH connection using a domain user account. Confirm that a home directory is created, and that group membership from the domain is applied.
Create a new SSH connection from your console. Use a domain account that belongs to the managed domain using the ssh -l command, such as contosoadmin@aaddscontoso.com and then enter the address of your VM, such as rhel.aaddscontoso.com. If you use the Azure Cloud Shell, use the public IP address of the VM rather than the internal DNS name.
ssh -l contosoadmin@AADDSCONTOSO.com rhel.aaddscontoso.com
When you've successfully connected to the VM, verify that the home directory was initialized correctly:
pwd
You should be in the /home directory with your own directory that matches the user account.
Now check that the group memberships are being resolved correctly:
id
You should see your group memberships from the managed domain.
If you signed in to the VM as a member of the AAD DC Administrators group, check that you can correctly use the sudo command:
sudo yum update
If you have problems connecting the VM to the managed domain or signing in with a domain account, see Troubleshooting domain join issues.
Обучение
Модул
Manage users and groups - Training
This module introduces the management of users and groups using Active Directory, and compares the differences between Active Directory Services and Microsoft Entra ID.
Сертифициране
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.