How To Join Linux EC2 Instances To AD Domain

In this blog post, we will learn how to join Linux EC2 instances to an existing AWS Directory Service managed Active Directory.

See these detailed articles on:

How to set up AWS managed AD services

How to join a Windows EC2 instance to the domain

Once the AD setup is ready, let us go ahead and join an existing Linux EC2 instance to the Active Directory domain.

Joining Linux EC2 Instances To AD Domain

The following Linux distributions and versions are supported:

  • Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS
  • Amazon Linux AMI 2018.03.0
  • Red Hat Enterprise Linux 8 (HVM) (64-bit x86)
  • Amazon Linux 2 (64-bit x86)
  • SUSE Linux Enterprise Server 15 SP1
  • CentOS 7 x86-64

To join an EC2 instance to the domain, the instance must be in the same region as the directory and on a network that can reach the directory's DNS servers (the directory's own VPC, or a VPC peered or routed to it, with security groups that allow the traffic).

Log in to the instance using an SSH client or Session Manager.

First we configure static DNS on the instance, pointing it at the DNS addresses of the directory (listed on the directory's details page in the AWS console). The join fails if the domain's SRV records cannot be resolved, so this step is not optional.

We will see how to configure static DNS addresses on Linux EC2 instances of the different distributions.

Setting DNS: Amazon Linux, Amazon Linux 2

Log in to the Amazon Linux EC2 instance using the SSH client.

Open the /etc/dhcp/dhclient.conf file:

sudo vi /etc/dhcp/dhclient.conf

Add the line below, replacing xxx.xxx.xxx.xxx with the DNS addresses of the directory. The supersede keyword makes dhclient use these servers instead of the ones offered in the VPC DHCP lease.

supersede domain-name-servers xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx;

Once added, save and close the file.

Set PEERDNS=yes in the configuration of every network interface attached to the EC2 instance, such as /etc/sysconfig/network-scripts/ifcfg-eth0, so that dhclient is allowed to write /etc/resolv.conf.

Once added, reboot the instance for the changes to take effect.

After the reboot, the DNS addresses will be reflected in /etc/resolv.conf.

Setting DNS: Ubuntu 18.04

On Ubuntu 18.04 EC2 instances, the network interface configuration is handled by Netplan (the netplan.io package).

Also, the systemd-resolved service is enabled and answers DNS queries through its stub resolver, so editing /etc/resolv.conf by hand does not persist.

So in order to change the DNS servers, we need to follow the procedure below.

Netplan stores its configuration in the /etc/netplan folder. We create an additional file in this folder and set the DNS configuration there; Netplan merges it on top of the cloud-init generated file.

Create a file named /etc/netplan/99-custom-dns.yaml with the contents below, and don't forget to replace x.x.x.x with the DNS addresses of the directory. The interface name must match the instance's primary interface: it is eth0 on older (Xen) instance types and ens5 on Nitro instance types, so check with ip link before using eth0.

network:
  version: 2
  ethernets:
    eth0:
      nameservers:
        addresses: [x.x.x.x, x.x.x.x]
      dhcp4-overrides:
        use-dns: false

Once the configuration is added, save and close the file.

For the changes to take effect, reboot the instance.

After the instance reboots, verify that the DNS servers are updated by running the command below.

systemd-resolve --status

For the network interface (eth0), you should see the directory's DNS addresses listed as the DNS Servers.

Now we have the Amazon Linux and the Ubuntu EC2 instances configured with the DNS addresses of the directory.
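The DNS procedure above, for both distributions, collected into one script as an added example rather than code from the original post. It validates the nameserver addresses, chooses the dhclient or Netplan mechanism from /etc/os-release, and then checks that the domain's LDAP SRV record resolves through the directory's own server, which is what realm join depends on. The file name ad-dns.sh, the addresses 10.0.0.2 and 10.0.1.2 and the domain ad.fitdevops.in in the usage line are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): point an EC2 instance's resolvers
# at the directory's DNS servers and verify AD is reachable through them.
# Needs root to write the files and dig (dnsutils on Ubuntu, bind-utils on
# Amazon Linux) for the verification step.
set -eu

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The dhclient line for Amazon Linux, Amazon Linux 2, RHEL and CentOS:
# supersede makes dhclient ignore the DNS servers in the VPC DHCP lease.
render_dhclient_supersede() {
    printf 'supersede domain-name-servers %s, %s;\n' "$1" "$2"
}

# The Netplan fragment for Ubuntu 18.04. $1 is the interface (eth0 on Xen
# instance types, ens5 on Nitro), $2 and $3 are the directory DNS addresses.
render_netplan_dns() {
    cat <<EOF
network:
  version: 2
  ethernets:
    $1:
      nameservers:
        addresses: [$2, $3]
      dhcp4-overrides:
        use-dns: false
EOF
}

# Write the configuration that fits this distribution; it takes effect on reboot.
configure_dns() {
    ns1=$1; ns2=$2
    if ! is_ipv4 "$ns1" || ! is_ipv4 "$ns2"; then
        echo "configure_dns: '$ns1' / '$ns2' are not valid IPv4 addresses" >&2
        return 1
    fi
    . /etc/os-release   # defines ID: amzn, ubuntu, rhel, centos, ...
    case $ID in
        amzn|rhel|centos)
            grep -q '^supersede domain-name-servers' /etc/dhcp/dhclient.conf 2>/dev/null ||
                render_dhclient_supersede "$ns1" "$ns2" >> /etc/dhcp/dhclient.conf
            for ifcfg in /etc/sysconfig/network-scripts/ifcfg-*; do
                case $ifcfg in *ifcfg-lo) continue ;; esac
                [ -f "$ifcfg" ] || continue
                grep -q '^PEERDNS=yes' "$ifcfg" || echo 'PEERDNS=yes' >> "$ifcfg"
            done
            ;;
        ubuntu)
            # first non-loopback interface, e.g. eth0 or ens5
            iface=$(ip -o link show | awk -F': ' '$2 != "lo" { print $2; exit }')
            render_netplan_dns "$iface" "$ns1" "$ns2" > /etc/netplan/99-custom-dns.yaml
            ;;
        *)
            echo "configure_dns: unsupported distribution '$ID'" >&2
            return 1
            ;;
    esac
}

# AD publishes its domain controllers in an SRV record; if it resolves through
# the directory's own server, realm join will be able to discover the domain.
verify_directory_dns() {
    dig +short @"$2" SRV "_ldap._tcp.dc._msdcs.$1" | grep -q .
}

# Usage: sudo ./ad-dns.sh ad.fitdevops.in 10.0.0.2 10.0.1.2
if [ $# -eq 3 ]; then
    configure_dns "$2" "$3"
    if verify_directory_dns "$1" "$2"; then
        echo "$1 domain controllers resolve via $2; reboot to apply the resolver change"
    else
        echo "no SRV record for $1 via $2: check the addresses and security groups" >&2
        exit 1
    fi
fi
```

Run it with the domain name and the two directory DNS addresses, then reboot. If the verification fails, fix the addresses or security groups before attempting the join; without that SRV record realm join cannot discover the domain.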

Let us start joining the instance to the Active Directory domain.

Joining Ubuntu EC2 Instance to Domain

First we need to make sure that the instance is up to date.

sudo apt-get update -y
sudo apt-get upgrade -y

Then we need to install the required packages on the Ubuntu machine.

sudo apt-get -y install sssd realmd krb5-user samba-common packagekit adcli

The krb5-user package may prompt for a default realm during installation; enter the domain name in upper case or leave it blank, since we set it in the next step.

Once the packages are installed, we need to disable reverse DNS resolution for Kerberos and set the default realm to the DNS name of the Active Directory domain. Kerberos realm names are written in upper case, so ad.fitdevops.in becomes AD.FITDEVOPS.IN.

Open the /etc/krb5.conf file and, in the [libdefaults] section, set rdns = false and default_realm = AD.FITDEVOPS.IN.

Once done, save and close the file.

To join the instance to the Active Directory domain, run the command below and enter the password of the join account when prompted. The example uses the directory's Admin account; for production use, a dedicated account that only has the right to join computers to the domain is preferable, because its password is typed on every instance you join.

sudo realm join -U Admin ad.fitdevops.in --verbose

realm join discovers the domain controllers through DNS, creates the computer account, and writes /etc/sssd/sssd.conf. Once it completes, the instance is joined to the Active Directory domain.

Make sure to reboot the instance once.

Domain users authenticate with their AD password, so password-based authentication has to be enabled in SSH on the Linux EC2 instance.

Open the /etc/ssh/sshd_config file:

sudo nano /etc/ssh/sshd_config

PasswordAuthentication is set to no by default on EC2 images; change it to yes. Note that this enables password logins for every account on the instance, not only domain users, so either restrict the setting to the domain group with a Match Group block or make sure the instance is not reachable from the internet. Key-based login for the default ubuntu user keeps working either way.

Save and close the file.

Restart the SSH service for the changes to take effect.

sudo systemctl restart sshd

Check the status of the SSH service.

sudo systemctl status sshd

For users in Active Directory to run commands with sudo on the EC2 instance, we need to add an entry in the sudoers file. visudo checks the syntax before saving, which matters here because a broken sudoers file locks everyone out of sudo.

sudo visudo

Add the configuration below, replacing ad.fitdevops.in with the DNS name of your Active Directory domain. The group name contains spaces, which are escaped with a backslash; sssd resolves the group membership, so the line only takes effect after the join.

##Add the "AWS Delegated Administrators" group from the ad.fitdevops.in domain.
%AWS\ Delegated\ Administrators@ad.fitdevops.in ALL=(ALL:ALL) ALL

Once added, reboot the instance.
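The join, SSH and sudoers steps above, as an added example script that is not code from the original post. It differs from the manual steps in three places: password authentication is enabled only for the AD group through a Match block rather than globally, realm permit limits which AD accounts can log in at all, and the sudoers and sshd files are syntax-checked before they take effect. The join account name join-svc, the file names ad-join.sh and /etc/sudoers.d/ad-admins, and the group name in the usage line are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): join an Ubuntu 18.04 instance to
# an AWS managed AD domain and give one AD group SSH and sudo access, with the
# config checks the manual steps skip. Run as root once DNS points at the
# directory. The join account and group names are assumptions for illustration.
set -eu
export DEBIAN_FRONTEND=noninteractive   # stop krb5-user's realm prompt from blocking

# Kerberos realm names are the domain name in upper case.
realm_of() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# /etc/krb5.conf: set the default realm and disable reverse DNS lookups, which
# otherwise break ticket requests when PTR records do not match the DC names.
render_krb5_conf() {
    cat <<EOF
[libdefaults]
    default_realm = $(realm_of "$1")
    rdns = false
EOF
}

# A sudoers line for an AD group; every space in the group name is escaped.
render_sudoers_group() {
    escaped=$(printf '%s' "$1" | sed 's/ /\\ /g')
    printf '%%%s@%s ALL=(ALL:ALL) ALL\n' "$escaped" "$2"
}

# sshd: enable passwords only for the AD group instead of flipping the global
# PasswordAuthentication to yes, so local accounts stay key-only. A Match block
# applies until the next Match, so this is appended at the end of the file.
render_sshd_match() {
    cat <<EOF

Match Group "$1@$2"
    PasswordAuthentication yes
EOF
}

# Usage: sudo ./ad-join.sh ad.fitdevops.in join-svc "AWS Delegated Administrators"
join_domain() {
    domain=$1; join_user=$2; group=$3
    apt-get update -y
    apt-get install -y sssd realmd krb5-user samba-common packagekit adcli
    render_krb5_conf "$domain" > /etc/krb5.conf
    realm join -U "$join_user" "$domain" --verbose   # prompts for the account password
    realm permit -g "$group@$domain"                 # sssd: only this group may log in
    render_sudoers_group "$group" "$domain" > /etc/sudoers.d/ad-admins
    chmod 0440 /etc/sudoers.d/ad-admins
    visudo -cf /etc/sudoers.d/ad-admins              # a broken sudoers file locks sudo
    render_sshd_match "$group" "$domain" >> /etc/ssh/sshd_config
    sshd -t                                          # syntax-check before restarting
    systemctl restart ssh
    realm list                                       # shows the joined domain
    getent group "$group@$domain"                    # proves sssd resolves AD groups
}

if [ $# -eq 3 ]; then
    join_domain "$@"
fi
```

The group-scoped Match block leaves the global PasswordAuthentication no in place for local accounts such as ubuntu, which keep using their key; the manual edit in the steps above opens password logins for every account on the instance. The final getent call is the quickest way to confirm that sssd can resolve the group the sudoers line refers to.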

Login As Domain User To Ubuntu EC2 Instance

Now we can log in directly as the Admin user of the directory from the SSH client using the command below. The user name is written as user@domain, because realmd configures sssd to require fully qualified names.

We do not require the .pem key file to log in to the instance.

ssh admin@ad.fitdevops.in@13.126.97.243

Enter the Admin password of the directory.

As you can see here, I have successfully logged in as an admin of the directory service.

We can create multiple users in the Active Directory, and those users can log in to the instance with their own user name and password; only members of the group added to sudoers above get sudo.

By doing so, we can join multiple instances to the Active Directory domain and have them all authenticate domain users centrally.

Conclusion

We have successfully configured DNS and joined the Linux instances to the AWS managed Active Directory domain.

We have also tested this by authenticating as the domain admin user on the Linux instance.

Hope you find it helpful. Check out my other articles.