Joining Amazon Linux to AWS Microsoft AD

Assign a static DNS server


This post walks through joining an Amazon Linux instance on AWS to an AWS Microsoft AD domain. The join depends on DNS: the instance has to resolve the directory's domain name through the directory's own DNS servers. If every server in the VPC joins the same domain, change the VPC's DHCP options set so that each server is handed the directory DNS servers together with its IP lease; for a single Amazon Linux instance, point the resolver at those servers by editing /etc/dhcp/dhclient.conf instead.



1. Edit /etc/dhcp/dhclient.conf and add the line below (the two addresses are the directory's DNS servers). The line must end with a semicolon, otherwise dhclient rejects the configuration.
sudo vi /etc/dhcp/dhclient.conf
supersede domain-name-servers 172.31.80.147, 172.31.20.221;

2. Reboot, then confirm that the AWS Microsoft AD domain name resolves. ping is only a quick check here: the part that matters is that awsad.com resolves to a domain controller (172.31.20.221, one of the DNS servers configured above); the echo replies only arrive if the directory's security group allows ICMP.
reboot
 
[ec2-user@ip-172-31-21-165 ~]$ ping awsad.com
PING awsad.com (172.31.20.221) 56(84) bytes of data.
64 bytes from 172.31.20.221 (172.31.20.221): icmp_seq=1 ttl=128 time=0.635 ms
64 bytes from 172.31.20.221 (172.31.20.221): icmp_seq=2 ttl=128 time=0.599 ms
64 bytes from 172.31.20.221 (172.31.20.221): icmp_seq=3 ttl=128 time=0.592 ms
64 bytes from 172.31.20.221 (172.31.20.221): icmp_seq=4 ttl=128 time=0.579 ms
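
The following script is an added example, not part of the original post: it performs step 1 from a script (for instance from user data), validating the addresses and replacing any earlier supersede line so that repeated runs leave exactly one entry instead of stacking duplicates. The configuration path and the two DNS addresses are the page's own values; the function names are the example's.

```shell
#!/bin/sh
# Added example, not part of the original post. Writes the dhclient
# "supersede domain-name-servers" line for a single instance, validating
# the addresses and replacing any earlier supersede line so repeated runs
# leave exactly one entry. The DNS addresses used below are the page's values.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, or an empty octet
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                             # split on dots into $1..$n
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the dhclient line for the given servers; the trailing ';' is mandatory.
dns_supersede_line() {
  [ $# -ge 1 ] || return 1
  list=''
  for ip in "$@"; do
    is_ipv4 "$ip" || { printf 'not an IPv4 address: %s\n' "$ip" >&2; return 1; }
    list="${list:+$list, }$ip"          # join as "A, B"
  done
  printf 'supersede domain-name-servers %s;\n' "$list"
}

# Replace (or add) the supersede line in the given dhclient.conf.
set_dhclient_dns() {
  conf=$1; shift
  line=$(dns_supersede_line "$@") || return 1
  [ -f "$conf" ] || : > "$conf"
  {
    grep -v '^supersede domain-name-servers' "$conf" || :   # grep exits 1 on no match
    printf '%s\n' "$line"
  } > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# On the instance, as root:
#   set_dhclient_dns /etc/dhcp/dhclient.conf 172.31.80.147 172.31.20.221
```

After running it, restart networking or reboot as in step 2 so dhclient rewrites /etc/resolv.conf from the new configuration.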

Join a Linux instance to Microsoft AD directory


1. Update the system first
sudo yum -y update

2. Install the required packages
sudo yum -y install sssd realmd krb5-workstation samba-common-tools

3. Join the domain. You are prompted for the password of the account given with -U; it needs permission to create computer objects in the directory.
sudo realm join -U admin@awsad.com awsad.com --verbose

4. A successful join ends with this message
Successfully enrolled machine in realm

5. Allow password authentication over SSH so domain users can log in with their AD password: open /etc/ssh/sshd_config, find PasswordAuthentication and set it to yes. This exposes the instance to password guessing from anywhere that can reach port 22, so keep the security group tight and consider enabling it only inside an sshd Match block for the source networks that need it.
sudo vi /etc/ssh/sshd_config
PasswordAuthentication yes

6. Make sure the SSSD service is running (realm join configures it during the join). The two commands below do the same thing: systemctl is the form for Amazon Linux 2, service for the older Amazon Linux AMI, so use whichever your image provides.
sudo systemctl start sssd.service
sudo service sssd start

7. Reboot so that sshd picks up the new setting and the instance comes up joined
reboot

8. Edit /etc/sudoers. Always use visudo for this: it locks the file and checks the syntax before saving, so a typo cannot leave you without sudo.
sudo visudo
9. Add the following entries to /etc/sudoers. Points to note:
a. The leading % marks the entry as a group, not a user.
b. The second line adds a group named domainadmin to sudoers; the name contains no spaces, so nothing special is needed. Note that the comment above it says "Domain Admins": if you mean the built-in Domain Admins group, its name contains a space and must be escaped like the third line.
c. The third line adds the "AWS Delegated Administrators" group. Because the name contains spaces, each space must be preceded by a backslash ("\<space>"); otherwise sudoers treats the space as a field separator.
d. If you do not want sudo to prompt for a password every time, replace the final ALL with NOPASSWD:ALL. Anyone who takes over a member's session can then become root silently, so grant it only to groups that really need it.
e. The groups are written as group@awsad.com because sssd.conf (step 14) sets use_fully_qualified_names = True.
## Add the "Domain Admins" group from the awsad.com
%domainadmin@awsad.com  ALL=(ALL:ALL)   ALL
%AWS\ Delegated\ Administrators@awsad.com       ALL=(ALL:ALL)   NOPASSWD:ALL

10. Save when done
:wq!

11. If the prompt below appears on saving, there is a syntax error: press e to edit the file again and fix it. Do not press Q to force the save; that writes the broken file and causes the problem shown in the next step.
[ec2-user@ip-172-31-21-165 ~]$ sudo visudo
>>> /etc/sudoers: syntax error near line 114 <<<
What now?
Options are:
  (e)dit sudoers file again
  e(x)it without saving changes to sudoers file
  (Q)uit and save changes to sudoers file (DANGER!)

What now?

12. This is what a broken sudoers looks like. sudo refuses to run at all, and since root can no longer be reached through sudo, the file has to be repaired by attaching the volume to another, healthy instance.
[root@ip-172-31-21-165 ~]# sudo -i
>>> /etc/sudoers: syntax error near line 21 <<<
sudo: parse error in /etc/sudoers near line 21
sudo: no valid sudoers sources found, quitting
sudo: unable to initialize policy plugin

13. (Optional) Rescue steps. Stop the broken instance, detach its root volume, attach it to a healthy instance in the same Availability Zone as a secondary volume, then on the healthy instance mount it, fix the file and unmount. The device name below applies to Xen-based instance types; on Nitro instances the volume appears as an NVMe device (check with lsblk). The XFS option -o nouuid is needed because the volume was built from the same AMI and carries the same filesystem UUID as the rescuer's own root volume. Using visudo -f instead of a plain editor gives the mounted copy the same syntax check as a normal visudo session, so you cannot save a second broken file.
sudo mkdir /data
sudo mount -o nouuid /dev/xvdf1 /data
sudo visudo -f /data/etc/sudoers
sudo umount -d /dev/xvdf1
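
The script below is an added example and not part of the original post. It generates the sudoers entries from steps 9 and 11 without hand-editing, escaping spaces in the group name the way the page describes, and installs the result as a drop-in file that visudo has syntax-checked first, so the "syntax error near line" failure of step 12 cannot happen. It assumes that /etc/sudoers on the instance includes /etc/sudoers.d (the Amazon Linux default) and that group names are fully qualified, as the page's sssd.conf requires. The function names and the domainadmin group are the page's; nothing else comes from the page.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a sudoers rule for an
# AD group (escaping spaces in the name) and installs it as a syntax-checked
# drop-in under /etc/sudoers.d. Assumes /etc/sudoers includes /etc/sudoers.d.

# ad_sudoers_rule GROUP DOMAIN [ALL|NOPASSWD:ALL]
# Prints one sudoers line such as:
#   %AWS\ Delegated\ Administrators@awsad.com ALL=(ALL:ALL) NOPASSWD:ALL
ad_sudoers_rule() {
  group=$1; domain=$2; mode=${3:-ALL}
  case "$mode" in
    ALL|NOPASSWD:ALL) ;;
    *) printf 'mode must be ALL or NOPASSWD:ALL, got %s\n' "$mode" >&2; return 1 ;;
  esac
  # sudoers splits fields on unescaped spaces, so escape every space in the name
  escaped=$(printf '%s' "$group" | sed 's/ /\\ /g')
  printf '%%%s@%s ALL=(ALL:ALL) %s\n' "$escaped" "$domain" "$mode"
}

# install_sudoers_rule FILE GROUP DOMAIN [MODE]
# Writes the rule to FILE (e.g. /etc/sudoers.d/ad-admins) only if visudo
# accepts it; a rejected file is discarded instead of breaking sudo.
install_sudoers_rule() {
  file=$1; shift
  ad_sudoers_rule "$@" > "$file.tmp" || { rm -f "$file.tmp"; return 1; }
  chmod 0440 "$file.tmp"
  # visudo -c -f parses the candidate file without touching /etc/sudoers
  if command -v visudo >/dev/null 2>&1 && ! visudo -c -q -f "$file.tmp"; then
    printf 'visudo rejected the generated rule, not installing it\n' >&2
    rm -f "$file.tmp"
    return 1
  fi
  mv "$file.tmp" "$file"
}

# On the instance, as root:
#   install_sudoers_rule /etc/sudoers.d/ad-domainadmin domainadmin awsad.com
#   install_sudoers_rule /etc/sudoers.d/ad-delegated 'AWS Delegated Administrators' awsad.com NOPASSWD:ALL
```

Drop-in files keep the generated rules out of /etc/sudoers itself, so a bad rule can be removed by deleting one file from the rescue mount rather than editing the main file.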

14. By default any domain user can log in over SSH. To restrict logins to the members of one group, set access_provider = ad and add ad_access_filter to /etc/sssd/sssd.conf. The group must be written as its full distinguished name (CN=...,OU=...,DC=...), not its short name, and a plain memberOf filter only matches direct members of that group, not users who belong through a nested group. The file must stay owned by root with mode 0600 or sssd refuses to start. Note also the ldap_sasl_authid value: the computer account is the hostname truncated to 15 characters (the NetBIOS name limit), which is why host ip-172-31-21-165 appears as IP-172-31-21-16$.
sudo vi /etc/sssd/sssd.conf

 
[sssd]
domains = awsad.com
config_file_version = 2
services = nss, pam

[domain/awsad.com]
ad_domain = awsad.com
krb5_realm = AWSAD.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
auth_provider = ad
chpass_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_sasl_authid = IP-172-31-21-16$
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_access_filter = (memberOf=CN=AWS Delegated Administrators,OU=AWS Delegated Groups,DC=awsad,DC=com)

15. Restart the sssd service. Entries cached before the change stay valid until they expire, so if a user who should now be denied can still log in, flush the cache with sss_cache -E and test again.
sudo service sssd restart
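
As an added example (not part of the original post), the script below builds the ad_access_filter value from step 14 instead of typing the distinguished name by hand, extends it to several groups and to nested membership, and writes it into sssd.conf idempotently. The domain, the OU and the "AWS Delegated Administrators" group are the page's values; "Linux Admins" is a constructed second group used only to show the multi-group form, and the function names are the example's. The nested form uses the LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941), which Active Directory evaluates server-side.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds the ad_access_filter
# value for one or more AD groups and writes it into an sssd.conf. Domain,
# OU and the first group are the page's values; "Linux Admins" is constructed.

# "awsad.com" -> "DC=awsad,DC=com"
domain_to_dn() {
  printf '%s' "$1" | awk -F. '{ for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i }'
}

# ad_access_filter NESTED DOMAIN OU GROUP...
#   NESTED=0: plain memberOf, which matches direct members only
#   NESTED=1: memberOf with the LDAP_MATCHING_RULE_IN_CHAIN OID, so members of
#             groups nested inside the named groups are accepted as well
ad_access_filter() {
  nested=$1; domain=$2; ou=$3; shift 3
  [ $# -ge 1 ] || return 1
  base="$ou,$(domain_to_dn "$domain")"
  if [ "$nested" = 1 ]; then attr='memberOf:1.2.840.113556.1.4.1941:'; else attr=memberOf; fi
  filter=''
  for cn in "$@"; do
    filter="$filter($attr=CN=$cn,$base)"
  done
  # several groups are OR-ed together with the LDAP (|...) operator
  if [ $# -gt 1 ]; then printf '(|%s)\n' "$filter"; else printf '%s\n' "$filter"; fi
}

# apply_access_filter CONF FILTER
# Replaces (or adds) access_provider and ad_access_filter. Appending at the end
# is correct only when the [domain/...] section is the last one, as in the
# sssd.conf shown above; the mode is forced to 0600 because sssd refuses
# a config readable by others.
apply_access_filter() {
  conf=$1; filter=$2
  {
    grep -v -e '^access_provider *=' -e '^ad_access_filter *=' "$conf" || :
    printf 'access_provider = ad\nad_access_filter = %s\n' "$filter"
  } > "$conf.tmp" && mv "$conf.tmp" "$conf"
  chmod 0600 "$conf"
}

# On the instance, as root, then: service sssd restart && sss_cache -E
#   apply_access_filter /etc/sssd/sssd.conf \
#     "$(ad_access_filter 1 awsad.com 'OU=AWS Delegated Groups' 'AWS Delegated Administrators')"
```

Check the result with `getent passwd user@awsad.com` for a user outside the group: with the filter in place the account still resolves (id_provider is unaffected), but an SSH login for it is refused by the PAM access check.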
