AWS Directory Service
管理指南 (版本 1.0)
AWS 文档中描述的 AWS 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅中国的 AWS 服务入门

手动加入 Linux 实例

除 Amazon EC2 Windows 实例外,您还可以将特定 Amazon EC2 Linux 实例加入您的 AWS Directory Service for Microsoft Active Directory 目录。支持以下 Linux 实例分发版和版本:

  • Amazon Linux AMI 2015.03

  • Red Hat Enterprise Linux 7.2

  • Ubuntu Server 14.04 LTS

  • CentOS 7

注意

Other Linux distributions and versions may work but have not been tested.

将实例加入目录

Before you can join either an Amazon Linux, CentOS, Red Hat, or Ubuntu instance to your directory, the instance must first be launched as specified in 无缝加入 Windows EC2 实例.

重要

Some of the following procedures, if not performed correctly, can render your instance unreachable or unusable. Therefore, we strongly suggest you make a backup or take a snapshot of your instance before performing these procedures.

将 Linux 实例加入目录

使用以下选项卡之一对特定 Linux 实例执行步骤:

Amazon LinuxCentOSRed HatUbuntu
Amazon Linux
  1. Connect to the instance using any SSH client.

  2. Configure the Linux instance to use the DNS server IP addresses of the AWS Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

  3. Make sure your Amazon Linux - 64bit instance is up to date.

    sudo yum -y update
  4. Install the required Amazon Linux packages on your Linux instance.

    注意

    Some of these packages may already be installed.

    As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

    Amazon Linux 1
    sudo yum -y install sssd realmd krb5-workstation
    Amazon Linux 2
    sudo yum -y install sssd realmd krb5-workstation samba-common-tools

    注意

    For help with determining the Amazon Linux version you are using, see Identifying Amazon Linux Images in the Amazon EC2 User Guide for Linux Instances.

  5. Join the instance to the directory with the following command.

    sudo realm join -U join_account@example.com example.com --verbose
    join_account@example.com

    An account in the example.com domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see 为 AWS Managed Microsoft AD 委派目录加入权限.

    example.com

    The fully-qualified DNS name of your directory.

    ... * Successfully enrolled machine in realm
  6. Set the SSH service to allow password authentication.

    1. Open the /etc/ssh/sshd_config file in a text editor.

      sudo vi /etc/ssh/sshd_config
    2. Set the PasswordAuthentication setting to yes.

      PasswordAuthentication yes
    3. Restart the SSH service.

      sudo systemctl restart sshd.service

      Alternatively:

      sudo service sshd restart
  7. After the instance has restarted, connect to it with any SSH client and add the AWS Delegated Administrators group to the sudoers list by performing the following steps:

    1. Open the sudoers file with the following command:

      sudo visudo
    2. Add the following to the bottom of the sudoers file and save it.

      ## Add the "AWS Delegated Administrators" group from the example.com domain. %AWS\ Delegated\ Administrators@example.com ALL=(ALL:ALL) ALL

      (The above example uses "\<space>" to create the Linux space character.)

CentOS
  1. Connect to the instance using any SSH client.

  2. Configure the Linux instance to use the DNS server IP addresses of the AWS Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

  3. Make sure your CentOS 7 instance is up to date.

    sudo yum -y update
  4. Install the required CentOS 7 packages on your Linux instance.

    注意

    Some of these packages may already be installed.

    As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

    sudo yum -y install sssd realmd krb5-workstation samba-common-tools
  5. Join the instance to the directory with the following command.

    sudo realm join -U join_account@example.com example.com --verbose
    join_account@example.com

    An account in the example.com domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see 为 AWS Managed Microsoft AD 委派目录加入权限.

    example.com

    The fully-qualified DNS name of your directory.

    ... * Successfully enrolled machine in realm
  6. Set the SSH service to allow password authentication.

    1. Open the /etc/ssh/sshd_config file in a text editor.

      sudo vi /etc/ssh/sshd_config
    2. Set the PasswordAuthentication setting to yes.

      PasswordAuthentication yes
    3. Restart the SSH service.

      sudo systemctl restart sshd.service

      Alternatively:

      sudo service sshd restart
  7. After the instance has restarted, connect to it with any SSH client and add the AWS Delegated Administrators group to the sudoers list by performing the following steps:

    1. Open the sudoers file with the following command:

      sudo visudo
    2. Add the following to the bottom of the sudoers file and save it.

      ## Add the "AWS Delegated Administrators" group from the example.com domain. %AWS\ Delegated\ Administrators@example.com ALL=(ALL:ALL) ALL

      (The above example uses "\<space>" to create the Linux space character.)

Red Hat
  1. Connect to the instance using any SSH client.

  2. Configure the Linux instance to use the DNS server IP addresses of the AWS Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

  3. Make sure the Red Hat - 64bit instance is up to date.

    sudo yum -y update
  4. Install the required Red Hat packages on your Linux instance.

    注意

    Some of these packages may already be installed.

    As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

    sudo yum -y install sssd realmd krb5-workstation samba-common-tools
  5. Join the instance to the directory with the following command.

    sudo realm join -v -U join_account example.com --install=/
    join_account

    An account in the example.com domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see 为 AWS Managed Microsoft AD 委派目录加入权限.

    example.com

    The fully-qualified DNS name of your directory.

    ... * Successfully enrolled machine in realm
  6. Set the SSH service to allow password authentication.

    1. Open the /etc/ssh/sshd_config file in a text editor.

      sudo vi /etc/ssh/sshd_config
    2. Set the PasswordAuthentication setting to yes.

      PasswordAuthentication yes
    3. Restart the SSH service.

      sudo systemctl restart sshd.service

      Alternatively:

      sudo service sshd restart
  7. After the instance has restarted, connect to it with any SSH client and add the AWS Delegated Administrators group to the sudoers list by performing the following steps:

    1. Open the sudoers file with the following command:

      sudo visudo
    2. Add the following to the bottom of the sudoers file and save it.

      ## Add the "AWS Delegated Administrators" group from the example.com domain. %AWS\ Delegated\ Administrators@example.com ALL=(ALL:ALL) ALL

      (The above example uses "\<space>" to create the Linux space character.)

Ubuntu
  1. Connect to the instance using any SSH client.

  2. Configure the Linux instance to use the DNS server IP addresses of the AWS Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

  3. Make sure your Ubuntu - 64bit instance is up to date.

    sudo apt-get update sudo apt-get -y upgrade
  4. Install the required Ubuntu packages on your Linux instance.

    注意

    Some of these packages may already be installed.

    As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

    sudo apt-get -y install sssd realmd krb5-user samba-common packagekit adcli
  5. Disable Reverse DNS resolution. Ubuntu Instances must be reverse-resolvable in DNS before the realm will work. Otherwise, you have to disable reverse DNS in /etc/krb5.conf as follows:

    [libdefaults] default_realm = EXAMPLE.COM rdns = false
  6. Join the instance to the directory with the following command.

    sudo realm join -U join_account@example.com example.com --verbose

    注意

    If you are using Ubuntu 16.04, you must enter the domain name portion of the username with all capital letters. For example, join_account@EXAMPLE.COM example.com --verbose.

    join_account@example.com

    An account in the example.com domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see 为 AWS Managed Microsoft AD 委派目录加入权限.

    example.com

    The fully-qualified DNS name of your directory.

    ... * Successfully enrolled machine in realm
  7. Set the SSH service to allow password authentication.

    1. Open the /etc/ssh/sshd_config file in a text editor.

      sudo vi /etc/ssh/sshd_config
    2. Set the PasswordAuthentication setting to yes.

      PasswordAuthentication yes
    3. Restart the SSH service.

      sudo systemctl restart sshd.service

      Alternatively:

      sudo service sshd restart
  8. After the instance has restarted, connect to it with any SSH client and add the AWS Delegated Administrators group to the sudoers list by performing the following steps:

    1. Open the sudoers file with the following command:

      sudo visudo
    2. Add the following to the bottom of the sudoers file and save it.

      ## Add the "AWS Delegated Administrators" group from the example.com domain. %AWS\ Delegated\ Administrators@example.com ALL=(ALL:ALL) ALL

      (The above example uses "\<space>" to create the Linux space character.)

限制账户登录访问

Since all accounts are defined in Active Directory, by default, all the users in the directory can log in to the instance. You can allow only specific users to log in to the instance with ad_access_filter in sssd.conf. For example:

ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)
memberOf

Indicates that users should only be allowed access to the instance if they are a member of a specific group.

cn

The canonical name of the group that should have access. In this example, the group name is admins.

ou

This is the organizational unit in which the above group is located. In this example, the OU is Testou.

dc

This is the domain component of your domain. In this example, example.

dc

This is an additional domain component. In this example, com.

You must manually add ad_access_filter to your /etc/sssd/sssd.conf. After you do this, your sssd.conf might look like this:

[sssd] domains = example.com config_file_version = 2 services = nss, pam [domain/example.com] ad_domain = example.com krb5_realm = EXAMPLE.COM realmd_tags = manages-system joined-with-samba cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = True use_fully_qualified_names = True fallback_homedir = /home/%u@%d access_provider = ad ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)

In order for the configuration to take affect you need to restart the sssd service:

sudo systemctl restart sssd.service

Alternatively, you could use:

sudo service sssd start

连接到实例

When a user connects to the instance using an SSH client, they are prompted for their username. The user can enter the username in either the username@example.com or EXAMPLE\username format. The response will appear similar to the following:

login as: johndoe@example.com johndoe@example.com's password: Last login: Thu Jun 25 16:26:28 2015 from XX.XX.XX.XX