AWS EC2 - Domain Join RHEL7

This example shows how to join a Red Hat Enterprise Linux 7 (RHEL7) EC2 instance to an Active Directory domain.

Enable Persistent Hostnames

The first issue when joining RHEL EC2 instances to a Microsoft domain is that Amazon's automated hostname creation (and updating) produces a hostname with too many characters to be NetBIOS compatible. Even after you change the hostname, a reboot restores the automated value. On RHEL7 the most reliable way to stop the hostname being reset is to comment out the "update_hostname" module in the cloud-init configuration file (/etc/cloud/cloud.cfg); setting "preserve_hostname: true" in that file has the same effect.

In this example, an AWS DHCP Options Set supplies my domain name and points the instance's DNS at my Microsoft DNS server, so the domain controller's SRV records resolve from the instance.

My domain is called mydomain.com and uses a Domain Controller called server2012.mydomain.com

Changing the Hostname

NetBIOS names are limited to 15 characters, which happens to be exactly the length of the longest IPv4 address in dotted notation (XXX.XXX.XXX.XXX). Unfortunately, AWS also prepends "ip-" to its generated hostnames, which can push the name past 15 characters and produces a hostname that Windows will not accept as a NetBIOS name. The simple option is to strip the prepended "ip-" from the front of the hostname.

Using the hostname command, I can see the problematic string.

Changing the running hostname is as simple as running the hostname command with sudo and specifying the new value (this changes only the live value, which is why the file edit below is also needed). In this case:

   sudo hostname 172-31-27-218.mydomain.com

The new hostname value must also be updated in the hostname file.  Using your favourite text editor (in my case nano), amend the existing hostname value within /etc/hostname

   sudo nano /etc/hostname

In preparation for domain joining with Samba, I also need to modify the hosts file to include an entry for the new hostname with the AWS-assigned private IP address. In this instance, the entry will be:

   172.31.27.218 172-31-27-218.mydomain.com 172-31-27-218

The amended /etc/hosts will look like:

Install Kerberos and Samba packages

I need to install the Kerberos and Samba packages on the Linux machine. Using yum as the package manager, I do this with:

   sudo yum install -y krb5-workstation krb5-devel krb5-libs

   sudo yum install -y samba pam-krb5 samba-client.x86_64 samba-winbind.x86_64 samba-winbind-modules.x86_64

Edit Kerberos

The Kerberos configuration is contained in the file /etc/krb5.conf. The only alteration I will make is to add my domain details for mydomain.com under the [realms] and [domain_realm] sections. Note the realm name (MYDOMAIN.COM) is in UPPERCASE: Kerberos realm names are case-sensitive, and Active Directory realms are the DNS domain name in upper case. The kdc and admin_server entries are both set to my domain controller (server2012.mydomain.com).

   sudo nano /etc/krb5.conf

Configure Samba

I'll enable Samba to start automatically at boot time (if winbind will be used to resolve domain users and groups, enable the winbind service as well):

   sudo systemctl enable smb

I also need to update the Samba configuration file (/etc/samba/smb.conf) so that its workgroup and realm settings reference my domain (mydomain.com, realm MYDOMAIN.COM) and security is set to ads.

At this point I should be ready to join my domain. Before I do so, I am going to reboot, because I have changed the hostname and want to be certain that AWS (via cloud-init) won't change it back again.

   sudo reboot

After the reboot I run the “hostname” command again to verify that my amended hostname remains set.

Join to Domain

Assuming my hostname has stayed correctly set, I can now join my domain with:

   sudo net ads join -U DomainJoinUser

The command prompts for the join user's password and reports that the machine joined the domain successfully.

The RHEL7 machine will now also be visible in Active Directory Users and Computers, with a computer account named after the shortened hostname.
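The whole procedure above, from shortening the hostname through to the join, as one script. This is an added example and not code from the original post; the helper names, the use of hostnamectl and a cloud-init drop-in file instead of editing cloud.cfg, the kinit and net ads testjoin checks, the idmap settings in smb.conf, and the DOMAIN/DC/JOIN_USER variables (defaulting to the post's mydomain.com, server2012.mydomain.com and DomainJoinUser) are all assumptions. Run it as root with the argument "apply" on the instance; without that argument it only defines the functions so they can be tested offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): scripts the RHEL7 EC2 domain join.
# Assumptions not in the post: helper names, hostnamectl, a cloud-init drop-in,
# kinit/net ads testjoin as checks, and the DOMAIN/DC/JOIN_USER defaults below.
set -u

DOMAIN="${DOMAIN:-mydomain.com}"
DC="${DC:-server2012.mydomain.com}"
JOIN_USER="${JOIN_USER:-DomainJoinUser}"

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Turn an AWS-generated name such as ip-172-31-27-218.eu-west-1.compute.internal
# into a NetBIOS-safe short name: drop the domain suffix and the "ip-" prefix,
# then refuse anything longer than NetBIOS's 15-character limit.
netbios_short_name() {
  short="${1%%.*}"
  short="${short#ip-}"
  if [ "${#short}" -gt 15 ]; then
    echo "error: '$short' is ${#short} chars; NetBIOS names are limited to 15" >&2
    return 1
  fi
  printf '%s\n' "$short"
}

# /etc/hosts line in the form "<ip> <fqdn> <short>" (args: ip short domain).
hosts_line() { printf '%s %s.%s %s\n' "$1" "$2" "$3" "$2"; }

# Minimal /etc/krb5.conf for domain $1 with KDC and admin server $2.
# The realm is the DNS domain in UPPERCASE; realm names are case-sensitive.
krb5_conf() {
  realm="$(upper "$1")"
  cat <<EOF
[libdefaults]
 default_realm = $realm
 dns_lookup_kdc = true
 dns_lookup_realm = false

[realms]
 $realm = {
  kdc = $2
  admin_server = $2
 }

[domain_realm]
 .$1 = $realm
 $1 = $realm
EOF
}

# Minimal /etc/samba/smb.conf for an AD member server in domain $1.
# Assumes the NetBIOS domain name is the first DNS label (MYDOMAIN here).
smb_conf() {
  realm="$(upper "$1")"
  cat <<EOF
[global]
 workgroup = ${realm%%.*}
 realm = $realm
 security = ads
 kerberos method = secrets and keytab
 idmap config * : backend = tdb
 idmap config * : range = 10000-99999
EOF
}

# Apply everything on the instance (run as root).
apply() {
  ip="$(hostname -I | awk '{print $1}')"
  short="$(netbios_short_name "$(hostname)")" || exit 1
  # Stop cloud-init re-applying the AWS hostname on reboot (same effect as
  # commenting out update_hostname in /etc/cloud/cloud.cfg).
  printf 'preserve_hostname: true\n' > /etc/cloud/cloud.cfg.d/99-preserve-hostname.cfg
  hostnamectl set-hostname "$short.$DOMAIN"        # also rewrites /etc/hostname
  hosts_line "$ip" "$short" "$DOMAIN" >> /etc/hosts
  yum install -y krb5-workstation samba samba-client samba-winbind samba-winbind-modules pam-krb5
  krb5_conf "$DOMAIN" "$DC" > /etc/krb5.conf
  smb_conf "$DOMAIN" > /etc/samba/smb.conf
  systemctl enable smb winbind
  # Prove DNS and Kerberos work before joining: get a ticket for the join user.
  kinit "$JOIN_USER@$(upper "$DOMAIN")" || exit 1
  net ads join -k                                    # join using that ticket
  net ads testjoin                                   # verify the machine account
}

if [ "${1:-}" = "apply" ]; then apply; fi
```

The kinit step is the check worth keeping even if you do the rest by hand: if a ticket cannot be obtained, the problem is DNS, time skew or krb5.conf, and net ads join will fail in a less informative way.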
