AWS Directory Service
Administration Guide (Version 1.0)
The AWS services or capabilities described in AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon AWS.

Manually Join a Linux Instance

In addition to Amazon EC2 Windows instances, you can also join certain Amazon EC2 Linux instances to your Simple AD directory. The following Linux distributions and versions are supported:

  • Amazon Linux AMI 2015.03

  • Red Hat Enterprise Linux 7.2

  • Ubuntu Server 14.04 LTS

  • CentOS 7

Note

Other Linux distributions and versions may work but have not been tested.

Joining an Instance to Your Directory

Before you can join an Amazon Linux, CentOS, Red Hat, or Ubuntu instance to your directory, the instance must first be launched as specified in Seamlessly Join a Windows EC2 Instance.

Important

Some of the following procedures, if not performed correctly, can render your instance unreachable or unusable. Therefore, we strongly suggest you make a backup or take a snapshot of your instance before performing these procedures.

Join a Linux Instance to Your Directory

Use one of the following tabs to perform the steps for your specific Linux instance:

Amazon Linux
  1. Connect to the instance using any SSH client.

  2. Configure the Linux instance to use the DNS server IP addresses of the AWS Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

  3. Make sure your Amazon Linux - 64bit instance is up to date.

    $ sudo yum -y update
  4. Install the required Amazon Linux packages on your Linux instance.

    Note

    Some of these packages may already be installed.

    As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

    Amazon Linux 1
    $ sudo yum -y install sssd realmd krb5-workstation
    Amazon Linux 2
    $ sudo yum -y install sssd realmd krb5-workstation samba-common-tools
  5. Join the instance to the directory with the following command.

    $ sudo realm join -U join_account@example.com example.com --verbose
    join_account@example.com

    An account in the example.com domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see Delegate Directory Join Privileges for AWS Managed Microsoft AD.

    example.com

    The fully-qualified DNS name of your directory.

    ... * Successfully enrolled machine in realm
  6. Set the SSH service to allow password authentication.

    1. Open the /etc/ssh/sshd_config file in a text editor.

      sudo vi /etc/ssh/sshd_config
    2. Set the PasswordAuthentication setting to yes.

      PasswordAuthentication yes
  7. Start the SSSD service.

    $ sudo systemctl start sssd.service

    Alternatively:

    $ sudo service sssd start
  8. Restart the instance.

  9. After the instance has restarted, connect to it with any SSH client and add the domain admins group to the sudoers list by performing the following steps:

    1. Open the sudoers file with the following command:

      $ sudo visudo
    2. Add the following to the bottom of the sudoers file and save it.

      ## Add the "Domain Admins" group from the example.com domain.
      %Domain\ Admins@example.com ALL=(ALL:ALL) ALL

      (The above example uses "\<space>" to create the Linux space character. Keep the comment and the rule on separate lines: if the rule is pasted onto the same line as the comment, sudo treats the whole line as a comment and the group never gets sudo.)

CentOS
  1. Connect to the instance using any SSH client.

  2. Configure the Linux instance to use the DNS server IP addresses of the AWS Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

  3. Make sure your CentOS 7 instance is up to date.

    $ sudo yum -y update
  4. Install the required CentOS 7 packages on your Linux instance.

    Note

    Some of these packages may already be installed.

    As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

    $ sudo yum -y install sssd realmd krb5-workstation samba-common-tools
  5. Join the instance to the directory with the following command.

    $ sudo realm join -U join_account@example.com example.com --verbose
    join_account@example.com

    An account in the example.com domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see Delegate Directory Join Privileges for AWS Managed Microsoft AD.

    example.com

    The fully-qualified DNS name of your directory.

    ... * Successfully enrolled machine in realm
  6. Set the SSH service to allow password authentication.

    1. Open the /etc/ssh/sshd_config file in a text editor.

      sudo vi /etc/ssh/sshd_config
    2. Set the PasswordAuthentication setting to yes.

      PasswordAuthentication yes
  7. Start the SSSD service.

    $ sudo systemctl start sssd.service

    Alternatively:

    $ sudo service sssd start
  8. Restart the instance.

  9. After the instance has restarted, connect to it with any SSH client and add the domain admins group to the sudoers list by performing the following steps:

    1. Open the sudoers file with the following command:

      $ sudo visudo
    2. Add the following to the bottom of the sudoers file and save it.

      ## Add the "Domain Admins" group from the example.com domain.
      %Domain\ Admins@example.com ALL=(ALL:ALL) ALL

      (The above example uses "\<space>" to create the Linux space character. Keep the comment and the rule on separate lines: if the rule is pasted onto the same line as the comment, sudo treats the whole line as a comment and the group never gets sudo.)

Red Hat
  1. Connect to the instance using any SSH client.

  2. Configure the Linux instance to use the DNS server IP addresses of the AWS Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

  3. Make sure the Red Hat - 64bit instance is up to date.

    $ sudo yum -y update
  4. Install the required Red Hat packages on your Linux instance.

    Note

    Some of these packages may already be installed.

    As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

    $ sudo yum -y install sssd realmd krb5-workstation samba-common-tools
  5. Join the instance to the directory with the following command.

    $ sudo realm join -U join_account@example.com example.com --verbose
    join_account@example.com

    An account in the example.com domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see Delegate Directory Join Privileges for AWS Managed Microsoft AD.

    example.com

    The fully-qualified DNS name of your directory.

    ... * Successfully enrolled machine in realm
  6. Set the SSH service to allow password authentication.

    1. Open the /etc/ssh/sshd_config file in a text editor.

      sudo vi /etc/ssh/sshd_config
    2. Set the PasswordAuthentication setting to yes.

      PasswordAuthentication yes
  7. Start the SSSD service.

    $ sudo systemctl start sssd.service

    Alternatively:

    $ sudo service sssd start
  8. Restart the instance.

  9. After the instance has restarted, connect to it with any SSH client and add the domain admins group to the sudoers list by performing the following steps:

    1. Open the sudoers file with the following command:

      $ sudo visudo
    2. Add the following to the bottom of the sudoers file and save it.

      ## Add the "Domain Admins" group from the example.com domain.
      %Domain\ Admins@example.com ALL=(ALL:ALL) ALL

      (The above example uses "\<space>" to create the Linux space character. Keep the comment and the rule on separate lines: if the rule is pasted onto the same line as the comment, sudo treats the whole line as a comment and the group never gets sudo.)

Ubuntu
  1. Connect to the instance using any SSH client.

  2. Configure the Linux instance to use the DNS server IP addresses of the AWS Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see How do I assign a static DNS server to a private Amazon EC2 instance in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

  3. Make sure your Ubuntu - 64bit instance is up to date.

    $ sudo apt-get update
    $ sudo apt-get -y upgrade
  4. Install the required Ubuntu packages on your Linux instance.

    Note

    Some of these packages may already be installed.

    As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

    $ sudo apt-get -y install sssd realmd krb5-user samba-common packagekit adcli
  5. Join the instance to the directory with the following command.

    $ sudo realm join -U join_account@example.com example.com --verbose

    注意

    If you are using Ubuntu 16.04, you must enter the domain name portion of the username in all capital letters. For example: sudo realm join -U join_account@EXAMPLE.COM example.com --verbose

    join_account@example.com

    An account in the example.com domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see Delegate Directory Join Privileges for AWS Managed Microsoft AD.

    example.com

    The fully-qualified DNS name of your directory.

    ... * Successfully enrolled machine in realm
  6. Set the SSH service to allow password authentication.

    1. Open the /etc/ssh/sshd_config file in a text editor.

      sudo vi /etc/ssh/sshd_config
    2. Set the PasswordAuthentication setting to yes.

      PasswordAuthentication yes
  7. Start the SSSD service.

    $ sudo systemctl start sssd.service

    Alternatively:

    $ sudo service sssd start
  8. Restart the instance.

  9. After the instance has restarted, connect to it with any SSH client and add the domain admins group to the sudoers list by performing the following steps:

    1. Open the sudoers file with the following command:

      $ sudo visudo
    2. Add the following to the bottom of the sudoers file and save it.

      ## Add the "Domain Admins" group from the example.com domain.
      %Domain\ Admins@example.com ALL=(ALL:ALL) ALL

      (The above example uses "\<space>" to create the Linux space character. Keep the comment and the rule on separate lines: if the rule is pasted onto the same line as the comment, sudo treats the whole line as a comment and the group never gets sudo.)
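The four tabs above are the same procedure with different package names. The script below is an added example, not code from the AWS page, that performs that procedure non-interactively on any of the four distributions and makes the two fragile steps (the sshd edit and the sudoers rule) explicit and checkable. It assumes things the page does not state: the join account password is supplied in a JOIN_PASSWORD environment variable and piped to realm on standard input instead of being typed at the prompt; the sudo rule goes into a drop-in file /etc/sudoers.d/domain-admins that is syntax-checked with visudo -c rather than being appended with visudo; and the script runs as root and only changes the system when DO_JOIN=1 is set, so the helper functions can be exercised without a directory. The variable and file names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the AWS page): the manual join procedure as one
# non-interactive script for the four distributions the page lists.
# Assumptions not in the original page: JOIN_PASSWORD holds the join account
# password, the sudo rule is written to /etc/sudoers.d/domain-admins, and the
# live system is only touched when DO_JOIN=1 (and the script runs as root).
set -eu

DOMAIN="${DOMAIN:-example.com}"                      # FQDN of the directory
JOIN_USER="${JOIN_USER:-join_account@example.com}"   # account with domain-join rights
ADMIN_GROUP="${ADMIN_GROUP:-Domain Admins}"          # directory group that gets sudo

# Package set the page lists for each distribution family.
pkgs_for() {
  case "$1" in
    amzn1)              echo "sssd realmd krb5-workstation" ;;
    amzn2|centos|rhel)  echo "sssd realmd krb5-workstation samba-common-tools" ;;
    ubuntu)             echo "sssd realmd krb5-user samba-common packagekit adcli" ;;
    *)                  echo "unsupported distribution: $1" >&2; return 1 ;;
  esac
}

# Map an os-release file to one of the families above. The path is a parameter
# so the function can be tested against a constructed file.
detect_family() {
  osr="${1:-/etc/os-release}"
  id=$(sed -n 's/^ID=//p' "$osr" | tr -d '"')
  ver=$(sed -n 's/^VERSION_ID=//p' "$osr" | tr -d '"')
  case "$id" in
    amzn)   if [ "$ver" = "2" ]; then echo amzn2; else echo amzn1; fi ;;
    centos) echo centos ;;
    rhel)   echo rhel ;;
    ubuntu) echo ubuntu ;;
    *)      echo "unsupported distribution: $id" >&2; return 1 ;;
  esac
}

# sudoers rule for a domain group. The space in the group name is escaped as
# "\ " exactly as the page shows, and the comment is kept on its own line so
# that the rule itself is not commented out.
sudoers_rule() {  # $1 = group name, $2 = domain
  escaped=$(printf '%s' "$1" | sed 's/ /\\ /g')
  printf '## Added for the %s group from the %s domain.\n' "$1" "$2"
  printf '%%%s@%s ALL=(ALL:ALL) ALL\n' "$escaped" "$2"
}

# Set PasswordAuthentication yes in an sshd_config, rewriting any existing
# (possibly commented-out) directive instead of appending a duplicate that sshd
# would ignore in favour of the first occurrence.
enable_password_auth() {  # $1 = path to sshd_config
  if grep -Eq '^[#[:space:]]*PasswordAuthentication[[:space:]]' "$1"; then
    sed -i -E 's/^[#[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication yes/' "$1"
  else
    printf 'PasswordAuthentication yes\n' >> "$1"
  fi
}

join_domain() {
  fam=$(detect_family)
  if [ "$fam" = ubuntu ]; then
    apt-get update && apt-get -y upgrade
    # shellcheck disable=SC2046  (word splitting of the package list is intended)
    DEBIAN_FRONTEND=noninteractive apt-get -y install $(pkgs_for "$fam")
  else
    yum -y update
    yum -y install $(pkgs_for "$fam")
  fi
  # realm prompts for the password on a terminal; here it is piped in instead.
  printf '%s\n' "${JOIN_PASSWORD:?set JOIN_PASSWORD}" | realm join -U "$JOIN_USER" "$DOMAIN" --verbose
  enable_password_auth /etc/ssh/sshd_config
  sudoers_rule "$ADMIN_GROUP" "$DOMAIN" > /etc/sudoers.d/domain-admins
  chmod 0440 /etc/sudoers.d/domain-admins
  visudo -cf /etc/sudoers.d/domain-admins   # refuse to continue with a broken rule
  systemctl enable --now sssd.service
  systemctl restart sshd.service 2>/dev/null || systemctl restart ssh.service  # Ubuntu names the unit ssh
  realm list                                 # joined realm shows "configured: kerberos-member"
}

if [ "${DO_JOIN:-0}" = 1 ]; then
  join_domain
fi
```

Run it as root with DOMAIN, JOIN_USER and JOIN_PASSWORD set and DO_JOIN=1; the rest of the page's steps (reboot, then log in with a directory account) are unchanged. Because this turns on SSH password authentication for every directory account, restrict the instance's security group to trusted source addresses and use ad_access_filter, described later on this page, to limit which accounts may log in at all.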

Note

With Simple AD, if a user account was created with the "Force user to change password at first login" option, that user cannot perform the first password change with kpasswd from the Linux instance. To change the password the first time, a domain administrator must update the user's password using the Active Directory administration tools.

Manage Accounts from a Linux Instance

To manage accounts in Simple AD from a Linux instance, you must update specific configuration files on your Linux instance as follows:

  1. In the /etc/sssd/sssd.conf file, set krb5_use_kdcinfo to False. For example:

    [domain/example.com]
    krb5_use_kdcinfo = False
  2. Restart the sssd service for the configuration change to take effect:

    $ sudo systemctl restart sssd.service

    Alternatively, you can use:

    $ sudo service sssd restart
  3. If you will be managing users from a CentOS Linux instance, you must also edit the file /etc/samba/smb.conf to include:

    [global]
    workgroup = EXAMPLE.COM
    realm = EXAMPLE.COM
    netbios name = EXAMPLE
    security = ads

Restrict Account Login Access

Because all accounts are defined in Active Directory, by default every user in the directory can log in to the instance. This matters because the join procedure above turned on PasswordAuthentication in sshd, so every directory account becomes a target for password guessing over SSH; restrict the instance's security group to trusted source addresses and limit which users may log in. You can allow only specific users to log in to the instance with ad_access_filter in sssd.conf (it is honored only when access_provider = ad, as in the configuration shown later in this section). For example:

ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)
memberOf

Restricts access to users who are direct members of the group with the given distinguished name. The memberOf attribute does not expand nested groups, so members of a group that is itself a member of admins are not matched.

cn

The common name (cn) of the group that should have access. In this example, the group name is admins.

ou

This is the organizational unit in which the above group is located. In this example, the OU is Testou.

dc

This is the domain component of your domain. In this example, example.

dc

This is an additional domain component. In this example, com.

You must manually add ad_access_filter to your /etc/sssd/sssd.conf. After you do this, your sssd.conf might look like this:

[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)

For the configuration to take effect, you need to restart the sssd service:

$ sudo systemctl restart sssd.service

Alternatively, you could use:

$ sudo service sssd restart
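Both of the preceding sections (setting krb5_use_kdcinfo under Manage Accounts from a Linux Instance, and adding ad_access_filter here) come down to editing keys inside the [domain/example.com] section of sssd.conf and restarting sssd. The following is an added example, not code from the AWS page, that does both edits idempotently with a small awk-based ini editor, builds the memberOf filter from the group cn, OU and domain, and validates the file with sssctl config-check before restarting, because a malformed sssd.conf stops sssd and locks every directory user out. It assumes, beyond what the page states, that the sssd-tools package providing sssctl is installed, that the live /etc/sssd/sssd.conf is only modified when APPLY_SSSD=1 is set and the script runs as root, and it uses environment variable names (DOMAIN, GROUP_CN, GROUP_OU, CHECK_USER) chosen for this example.

```shell
#!/bin/sh
# Added example (not from the AWS page): idempotent edits of sssd.conf for
# krb5_use_kdcinfo and ad_access_filter, with a config check before restart.
# Assumptions not in the original page: sssctl (sssd-tools) is installed, and
# the live system is only changed when APPLY_SSSD=1 and the script runs as root.
set -eu

# Set KEY = VALUE inside [SECTION] of an ini-style file: replaces an existing
# key in that section, appends it to the section if missing, or creates the
# section at the end of the file. The result is written back with "cat >" so
# the file keeps its owner and mode (sssd refuses to start unless sssd.conf is
# 0600 root:root). Backslashes in VALUE would be interpreted by awk -v.
set_sssd_option() {  # $1 = file, $2 = section name, $3 = key, $4 = value
  awk -v sec="[$2]" -v key="$3" -v val="$4" '
    function emit() { if (insec && !done) { print key " = " val; done = 1 } }
    /^\[/ { emit(); insec = ($0 == sec) }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { print key " = " val; done = 1; next }
    { print }
    END { emit(); if (!done) { print ""; print sec; print key " = " val } }
  ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Print the value of KEY from [SECTION]; prints nothing if it is absent.
get_sssd_option() {  # $1 = file, $2 = section name, $3 = key
  awk -v sec="[$2]" -v key="$3" '
    /^\[/ { insec = ($0 == sec); next }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); print; exit }
  ' "$1"
}

# example.com -> dc=example,dc=com
ldap_base_dn() {
  printf '%s' "$1" | sed -e 's/\./,dc=/g' -e 's/^/dc=/'
}

# The memberOf filter from the page, built from a group cn, its OU and the domain.
access_filter() {  # $1 = group cn, $2 = OU, $3 = domain
  printf '(memberOf=cn=%s,ou=%s,%s)' "$1" "$2" "$(ldap_base_dn "$3")"
}

# Apply both page settings to the domain section of a given sssd.conf.
configure_sssd() {  # $1 = sssd.conf path, $2 = domain, $3 = group cn, $4 = OU
  set_sssd_option "$1" "domain/$2" krb5_use_kdcinfo False
  set_sssd_option "$1" "domain/$2" access_provider ad   # ad_access_filter is ignored otherwise
  set_sssd_option "$1" "domain/$2" ad_access_filter "$(access_filter "$3" "$4" "$2")"
}

if [ "${APPLY_SSSD:-0}" = 1 ]; then
  configure_sssd /etc/sssd/sssd.conf "${DOMAIN:-example.com}" "${GROUP_CN:-admins}" "${GROUP_OU:-Testou}"
  sssctl config-check                 # stop here if the file is malformed
  systemctl restart sssd.service
  sss_cache -E                        # drop cached entries so the new filter applies at once
  # Run the PAM account check the way sshd would; a non-member is denied here
  # even though "id" still resolves the user, because the filter is enforced
  # at login, not at name lookup.
  sssctl user-checks "${CHECK_USER:-johndoe@example.com}" -s sshd -a acct
fi
```

Run it with APPLY_SSSD=1 after the join; the group cn and OU are the only parts most deployments change. Because memberOf matches direct membership only, put the users themselves (not a parent group) into the group named in the filter, and test one account that should be denied as well as one that should succeed before relying on the restriction.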

Connect to the Instance

When a user connects to the instance using an SSH client, they are prompted for their username. The user can enter the username in either the username@example.com or EXAMPLE\username format. The response will appear similar to the following:

login as: johndoe@example.com
johndoe@example.com's password:
Last login: Thu Jun 25 16:26:28 2015 from XX.XX.XX.XX