AWS EC2 - Domain Join RHEL7
This example shows how to join a RedHat 7 EC2 instance to an Active Directory Domain.
Enable Persistent Hostnames
The first issue to deal with when trying to join RedHat AWS EC2 instances to a Microsoft Domain is that Amazon’s automated hostname creation (and updating) produces a hostname with too many characters to be NetBIOS compatible. Even after you change the hostname, a reboot restores the automated value. With RHEL7, the best way of ensuring the hostname is not reset is to comment out the “update_hostname” module in the EC2 cloud-init configuration file (/etc/cloud/cloud.cfg) so that it no longer runs.
In this example, an AWS DHCP options set supplies my domain name and a Microsoft DNS server.
My domain is called mydomain.com and uses a Domain Controller called server2012.mydomain.com.
Changing the Hostname
NetBIOS names can be a maximum of 15 characters, which happens to be exactly the length of the longest IPv4 address in dotted string notation (XXX.XXX.XXX.XXX). Unfortunately, AWS also prepends “ip-” to its generated hostnames, which pushes the name over that limit and produces an illegal hostname (as far as Windows is concerned). The simple option is to strip the prepended “ip-” from the front of the hostname.
Using the hostname command, I can see the problematic string.
Changing the hostname is as simple as running with sudo and specifying the new value. In this case:
sudo hostname 172-31-27-218.mydomain.com
The new hostname value must also be updated in the hostname file. Using your favourite text editor (in my case nano), amend the existing hostname value within /etc/hostname
sudo nano /etc/hostname
In preparation for domain joining with Samba, I also need to modify the hosts file to include an entry for the new hostname with the AWS-assigned private IP address. In this instance, the entry will be:
172.31.27.218 172-31-27-218.mydomain.com 172-31-27-218
The amended /etc/hosts will look like:
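The hostname steps above (strip the “ip-” prefix, check the 15-character NetBIOS limit, write /etc/hostname and the /etc/hosts entry, and comment out update_hostname in cloud.cfg) gathered into one script. This is an added example, not part of the original post; it assumes the domain mydomain.com and the RHEL7 file locations discussed above, and it only touches the system when run with --apply as root.

```shell
#!/bin/sh
# Derive a NetBIOS-safe hostname from the EC2 private IP and persist it.
# Assumed layout (from the post): /etc/hostname, /etc/hosts and
# /etc/cloud/cloud.cfg containing a "- update_hostname" module entry.
DOMAIN="mydomain.com"   # assumed: the domain used in the post

# Strip the AWS "ip-" prefix (if present) and turn dots into dashes,
# e.g. "ip-172-31-27-218" or "172.31.27.218" -> "172-31-27-218".
short_hostname_from() {
  printf '%s\n' "$1" | sed -e 's/^ip-//' -e 's/\./-/g'
}

# NetBIOS names are limited to 15 characters; succeed when the name fits.
netbios_ok() {
  [ "${#1}" -le 15 ]
}

# Build the /etc/hosts line: "<ip> <short>.<domain> <short>".
hosts_entry() {
  short=$(short_hostname_from "$1")
  printf '%s %s.%s %s\n' "$1" "$short" "$DOMAIN" "$short"
}

# Comment out "- update_hostname" in the given cloud.cfg so the
# hostname survives a reboot (the fix described in the post).
disable_cloud_hostname_update() {
  sed -i 's/^\([[:space:]]*\)- update_hostname/\1# - update_hostname/' "$1"
}

# Apply everything for the private IP in $1 (requires root).
apply_hostname() {
  ip="$1"
  short=$(short_hostname_from "$ip")
  netbios_ok "$short" || { echo "'$short' exceeds 15 characters" >&2; return 1; }
  hostname "$short.$DOMAIN"
  printf '%s.%s\n' "$short" "$DOMAIN" > /etc/hostname
  hosts_entry "$ip" >> /etc/hosts
  disable_cloud_hostname_update /etc/cloud/cloud.cfg
}

if [ "${1:-}" = "--apply" ]; then
  apply_hostname "$2"
fi
```

Run as `sudo sh fix-hostname.sh --apply 172.31.27.218`, then reboot and confirm with `hostname` that the value has stuck.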
Install Kerberos and Samba packages
I need to install the Kerberos and Samba packages on the Linux machine. Using yum as the package manager, I do this with:
sudo yum install -y krb5-workstation krb5-devel krb5-libs
sudo yum install -y samba pam-krb5 samba-client.x86_64 samba-winbind.x86_64 samba-winbind-modules.x86_64
The Kerberos configuration is contained in the file krb5.conf. The only alteration I will make is to add my domain details for mydomain.com under the realms and domain_realm sections. Note that the realm name is in UPPERCASE. The kdc and admin_server entries are both set to my domain controller (server2012.mydomain.com).
sudo nano /etc/krb5.conf
I’ll enable Samba to start automatically at boot time:
sudo systemctl enable smb
I also need to ensure that the Samba configuration file is updated to reference my domain (mydomain.com).
At this point I should be ready to join my domain. Before I do so, I am going to reboot, because I’ve changed the hostname and I want to make certain that AWS won’t change it back again.
After the reboot I run the “hostname” command again to verify that my amended hostname remains set.
Join to Domain
Assuming my hostname has stayed correctly set, I can now join my domain with:
sudo net ads join -U DominJoinUser
The command will tell me that I am successfully joined.
The RHEL7 machine will now also be visible in Active Directory Users and Computers.