
Wednesday, July 17, 2019

How to Join AWS EC2 Linux instance to an AWS hosted Domain Controller

Problem: We need to add an AWS EC2 Linux instance to the domain "lalit.org", which is running in the same VPC, and we want to authenticate to it with domain credentials instead of a key pair.

Solution: Before we move ahead with the solution, here are a few assumptions.

Assumptions:

1. An AD Domain Controller is already in place and working (in our case lalit.org).
2. A Linux EC2 instance has already been created, but it is accessible through a Key Pair only.
3. A DHCP Option Set is already in place at the VPC level that points to the Domain Controller machine for DNS / DHCP services.
4. The Linux EC2 instance is in the same VPC where the DC is running. (Clients from other VPCs can also be added, but that requires VPC peering to be in place.)

Steps: 

Please follow these steps to add a Linux EC2 instance to a domain running on another EC2 instance in an AWS VPC.

Step 1: Log on to the Linux EC2 instance (the one you want to join to the domain) with the default ec2-user and Key Pair through PuTTY or any other terminal software.

Step 2: Update the EC2 instance by running the following command:

sudo yum update -y

Step 3: Install the packages required for joining the Linux instance to a Windows AD domain by running the following command:

sudo yum -y install sssd realmd krb5-workstation samba-common-tools

Step 4: Once all these tools are installed on the Linux instance, run the following command to join this server to the domain (I am taking lalit.org as the domain name here):

sudo realm join -U admin@lalit.org lalit.org --verbose

If all goes fine, it will display a message saying: * Successfully enrolled machine in realm

Step 5: Now edit /etc/ssh/sshd_config to allow the machine to accept password authentication:

sudo vi /etc/ssh/sshd_config

Set PasswordAuthentication to yes. Amazon Linux ships this directive set to no, and sshd honours only the first occurrence of a directive, so change the active line rather than just uncommenting the example one.


Step 6: Restart the sshd service with following command: 

sudo systemctl restart sshd.service


Step 7: Now update the sudoers file to allow domain users of lalit.org who are members of the "AWS Delegated Administrators" group to run sudo on the EC2 instance.

Add the following lines at the bottom of the sudoers file (using visudo):

## Add the "AWS Delegated Administrators" group from the lalit.org domain.
%AWS\ Delegated\ Administrators@lalit.org ALL=(ALL:ALL) ALL


Step 8: We now need to add at least one domain user who has root/sudo access to the machine.

Add the admin@lalit.org user under the root entry in the sudoers file (visudo).


Step 9: Now, to ensure that all the changes have taken effect, restart the sshd service once again and log off from the terminal (PuTTY session).

Step 10: We now need to test whether we can log in to this EC2 Linux machine using our domain credentials.

Step 11: Put the public IP of this EC2 Linux instance in PuTTY and click Connect (no need to select a key file this time).

If all the steps have been configured correctly, you will get the "login as:" prompt in the PuTTY terminal.

Step 12: Enter the domain user name (username@domain), in my case admin@lalit.org, and then the domain password for that user. You should now be able to log in to the EC2 Linux machine using domain credentials. This confirms that your EC2 Linux machine has been added to the domain successfully and can authenticate via Active Directory.
You should also be able to use sudo with the same user, since it has been added to the sudoers file.
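Steps 3 to 9 as one idempotent script, added here as an example that is not part of the original post. The domain, admin user and group names are taken from the post; the sudoers drop-in path is an assumption, and the sshd edit is written so the directive becomes the first occurrence in the file, which is the one sshd honours.

```shell
#!/bin/sh
# Added example (not from the original post): scripted domain join with
# validation before each change that could lock an administrator out.
set -eu

DOMAIN="lalit.org"                      # from the post
ADMIN_USER="admin@$DOMAIN"              # from the post
SUDO_GROUP="AWS Delegated Administrators"
DROPIN="/etc/sudoers.d/domain-admins"   # assumed path for the sudo rules

# Set KEY VALUE in an sshd_config-style file. sshd uses the first occurrence
# of a directive, so every existing copy (commented out or not) is dropped
# and the new line is placed at the top, ahead of any Match block.
set_sshd_option() {
    file=$1 key=$2 value=$3 out="$1.tmp"
    { printf '%s %s\n' "$key" "$value"
      grep -Ev "^[#[:space:]]*$key([[:space:]]|\$)" "$file" || true; } > "$out"
    mv "$out" "$file"
}

# Print the sudoers rule for an AD group: spaces in the group name must be
# backslash-escaped, as in the post's "%AWS\ Delegated\ Administrators" line.
sudoers_group_line() {
    escaped=$(printf '%s' "$1" | sed 's/ /\\ /g')
    printf '%%%s@%s ALL=(ALL:ALL) ALL\n' "$escaped" "$2"
}

# Write the rules to a drop-in with the mode sudo expects, then let visudo
# check the syntax; a broken file is removed so sudo keeps working.
install_sudoers() {
    { sudoers_group_line "$SUDO_GROUP" "$DOMAIN"
      printf '%s ALL=(ALL:ALL) ALL\n' "$ADMIN_USER"; } > "$DROPIN"
    chmod 0440 "$DROPIN"
    visudo -cf "$DROPIN" || { rm -f "$DROPIN"; echo "bad sudoers, removed" >&2; exit 1; }
}

main() {
    yum -y install sssd realmd krb5-workstation samba-common-tools
    realm join -U "$ADMIN_USER" "$DOMAIN" --verbose
    realm list                                # confirm the enrolment
    id "$ADMIN_USER"                          # SSSD must resolve domain users
    set_sshd_option /etc/ssh/sshd_config PasswordAuthentication yes
    sshd -t                                   # syntax check before restart
    systemctl restart sshd.service
    install_sudoers
}

# Run as root with "apply"; without it only the functions are defined.
if [ "${1:-}" = "apply" ]; then main; fi
```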

Enjoy !!!!!

1 comment:

  1. Thanks for the detailed guide. This step-by-step process makes joining an AWS EC2 Linux instance to a domain much clearer. Appreciate the breakdown of assumptions and clear instructions provided.