Join Amazon Linux to Domain Controller

I recently had a case where Linux machines were joined to a domain alongside the Windows machines. Domain users and groups were accessible and configurable on the Linux machines using Samba. The good thing about the domain configuration was that it was simply possible to assign domain accounts to users, and they could use them to log in to both Windows and Linux machines.

There is no need to manage users on each Linux machine, which is a great deal for enterprises. Below I walk you through the Linux setup and configuration for using Samba, Kerberos and LDAP.

I strongly suggest backing up your data before doing anything. It is a better idea to use a staging machine to test the new setup instead of running commands on your production environment.

The first step is to install Samba; since Amazon Linux does not ship a Samba repository we add one and then install from it. Two caveats: the repo file below is fetched over plain HTTP, so check that it sets gpgcheck=1 and import the SerNet signing key before running yum install, and the Samba 3.5 series it points at is long end-of-life, so pick a currently supported release:

wget http://ftp.sernet.de/pub/samba/3.5/centos/5/sernet-samba.repo
mv sernet-samba.repo /etc/yum.repos.d/
yum install samba -y

And then installing Kerberos:

yum install krb5-workstation -y

Obviously the important part is always the configuration. For reference, here is the list of config files you may need to change:

  1. /etc/resolv.conf: contains the name servers. Add the domain's name server here, or you will not be able to join (the join locates the domain controller through DNS SRV records).
  2. /etc/sysconfig/network: contains the network configuration. You may need to change the host name to a FQDN (fully qualified domain name) like abcd.mydomain.local.
  3. /etc/krb5.conf: contains the Kerberos network authentication protocol configuration, and you will certainly need to update it.
  4. /etc/samba/smb.conf: contains the Samba configuration and is necessary for everything to work.
  5. /etc/openldap/ldap.conf: contains the LDAP (Lightweight Directory Access Protocol) configuration.
  6. /etc/hosts: contains local records of hosts' IP addresses. You might need to change some host's IP here, especially if you changed the hostname.

I have copied my configurations as appendices so you can use them as a working reference.

One last piece of configuration is needed before trying to join the domain. Here we switch on Kerberos and winbind in the PAM and NSS stack and have a home directory created at first login:

authconfig --enablekrb5 --enablewinbind --enablemkhomedir --update

Finally we join the domain with the "net ads" command as follows. Kerberos rejects the join if the clock differs from the domain controller by more than the permitted skew (five minutes by default), so make sure NTP is running first, and prefer an account that has only been delegated the right to create computer objects over a full domain admin:

net ads join -W MYDOMAIN.LOCAL -U adadminuser -S ad.mydomain.local
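
As an added example (not code from the original post), here is a small shell pre-flight check for the join step above. It reads krb5.conf, smb.conf, resolv.conf and the host name, and refuses if the realm is not upper case, the two realms disagree, security is not ads, the host name is not an FQDN under the domain, or resolv.conf does not search it. The sample files it writes are constructed for the demonstration and the paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post: an offline pre-flight check for
# the "net ads join" step. The sample files below are constructed for the
# demonstration; run ad_preflight against the real /etc files on the host.

# ad_preflight <krb5.conf> <smb.conf> <resolv.conf> <hostname>
# Prints each problem found and returns 1 if there were any, else 0.
ad_preflight() {
    krb5="$1"; smb="$2"; resolv="$3"; fqdn="$4"; rc=0

    # Kerberos realm names are case-sensitive and AD realms are upper case.
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$krb5" | sed 's/[[:space:]]*$//' | head -n 1)
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ -z "$realm" ]; then
        echo "FAIL: $krb5 has no default_realm"; rc=1
    elif [ "$realm" != "$upper" ]; then
        echo "FAIL: default_realm '$realm' must be upper case"; rc=1
    fi

    # smb.conf must use security = ads and the same realm as krb5.conf.
    smb_realm=$(sed -n 's/^[[:space:]]*realm[[:space:]]*=[[:space:]]*//p' "$smb" | sed 's/[[:space:]]*$//' | head -n 1)
    if [ "$smb_realm" != "$realm" ]; then
        echo "FAIL: smb.conf realm '$smb_realm' differs from default_realm '$realm'"; rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*security[[:space:]]*=[[:space:]]*ads[[:space:]]*$' "$smb"; then
        echo "FAIL: smb.conf must set security = ads"; rc=1
    fi

    # The host name must be fully qualified inside the realm's DNS domain,
    # otherwise the machine account's DNS and SPN entries will be wrong.
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    case "$fqdn" in
        ?*."$domain") ;;
        *) echo "FAIL: hostname '$fqdn' is not an FQDN under $domain"; rc=1 ;;
    esac

    # resolv.conf must search the AD domain so the DC's SRV records resolve.
    if ! grep -Eq "^[[:space:]]*search([[:space:]]+[^[:space:]]+)*[[:space:]]+$domain([[:space:]]|$)" "$resolv"; then
        echo "FAIL: $resolv does not search $domain"; rc=1
    fi
    return $rc
}

# write_sample_configs <dir>: constructed files mirroring the post's appendices
# (placeholder values), plus a krb5.conf with the realm in the wrong case.
write_sample_configs() {
    dir="$1"
    printf '[libdefaults]\n default_realm = MYDOMAIN.LOCAL\n dns_lookup_kdc = true\n' > "$dir/krb5.conf"
    printf '[libdefaults]\n default_realm = mydomain.local\n' > "$dir/krb5-bad.conf"
    printf '[global]\nworkgroup = MYDOMAIN\nrealm = MYDOMAIN.LOCAL\nsecurity = ads\n' > "$dir/smb.conf"
    printf 'search ap-southeast-1.compute.internal mydomain.local\nnameserver 10.1.0.2\n' > "$dir/resolv.conf"
}

# Demonstration on temporary files.
demo=$(mktemp -d)
write_sample_configs "$demo"
if ad_preflight "$demo/krb5.conf" "$demo/smb.conf" "$demo/resolv.conf" abcd.mydomain.local; then
    echo "OK: ready for net ads join"
fi
# Same files with a lower-case realm: the check refuses.
ad_preflight "$demo/krb5-bad.conf" "$demo/smb.conf" "$demo/resolv.conf" abcd.mydomain.local || echo "rejected as expected"
rm -rf "$demo"
```

Run ad_preflight against /etc/krb5.conf, /etc/samba/smb.conf, /etc/resolv.conf and the output of hostname -f before the join; afterwards, net ads testjoin and wbinfo -u (both shipped with Samba) confirm that the machine account works and that domain users are visible through winbind.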

Appendix 1: resolv.conf

search ap-southeast-1.compute.internal mydomain.local
nameserver 10.x.x.x
nameserver 10.1.0.2

Appendix 2: krb5.conf

# make sure the realm name is in capitals.

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MYDOMAIN.LOCAL
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 MYDOMAIN.LOCAL = {
 }

[domain_realm]
 .mydomain.local = MYDOMAIN.LOCAL
 mydomain.local = MYDOMAIN.LOCAL

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Appendix 3: smb.conf

[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.LOCAL
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template homedir = /home/MYDOMAIN/%U
template shell = /bin/bash
winbind use default domain = true
winbind offline logon = false
server string = Samba Server Version %v

log file = /var/log/samba/log.%m
max log size = 50

passdb backend = tdbsam

load printers = yes
cups options = raw

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

Further info:
http://www.server-world.info/en/note?os=CentOS_7&p=samba&f=3
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server


Preparing web server in Amazon Linux

Once you launch an EC2 instance from the Amazon Linux AMI you need to install a web server and the other requirements for setting up a website.

We are going to install httpd (web server), PHP (scripting), PHP's MySQL driver (mysqlnd, which backs mysqli) together with the MySQL client, and memcached (caching).

First things first, we clean up in case the instance has been used before:

yum update -y 
yum remove -y mysql*
yum remove -y http*
yum remove -y php*

and let the installation begin:

yum install -y httpd24 
yum install -y mod24_security memcached 
yum install -y php55 php55-mysqlnd php55-pecl-memcached php-pear php55-gd php55-devel php-channel-phpunit php-channel-amazon php55-cli  
yum install -y mysql55 mysql55-devel mysql55-libs 

Next, we need to do some httpd configuration, such as enabling mod_rewrite (if we need it) and turning off server signatures for security:

vi /etc/httpd/conf/httpd.conf

We are going to add this to the end of the file. Two notes on the snippet: "Header unset Server" does not remove httpd's own Server header (httpd adds it after mod_headers has run), so ServerTokens Prod is what actually trims it, to plain "Apache". And Order/Allow/Deny are Apache 2.2 directives; httpd 2.4, which we installed above, only honours them through mod_access_compat, so on a 2.4 server prefer the Require directives.

# Disable ETag headers (older httpd versions leaked inode numbers in them)
FileETag none

# Hide Apache and PHP info
# Note: "Header unset Server" does not remove httpd's own Server header;
# ServerTokens Prod below is what trims it. X-Powered-By comes from PHP
# (expose_php = Off in php.ini turns it off at the source).
Header unset Server
Header unset X-Powered-By

# Don't expose server versions
ServerSignature Off
ServerTokens Prod

# Expose server-status to localhost only (2.2-style syntax; httpd 2.4 needs
# mod_access_compat for Order/Allow/Deny, or use "Require local" instead)
<Location /server-status>
   SetHandler server-status
   Order Deny,Allow
   Deny from all
   Allow from 127.0.0.1
</Location>

# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
KeepAlive On

# Configure /var/www/html
<Directory "/var/www/html">
	Options FollowSymLinks
	AllowOverride All
	DirectoryIndex index.html index.php
	Order allow,deny
	Allow from all
</Directory>
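
As an added example (not code from the original post), the following shell script writes the same hardening as the snippet above in httpd 2.4 syntax and runs an offline audit that flags the weak spots in a config file: 2.2-style access control, the no-op "Header unset Server", missing ServerTokens/ServerSignature/TraceEnable settings and directory listings. The file paths are placeholders and the legacy snippet it audits is a constructed copy of the one above.

```shell
#!/bin/sh
# Added example, not part of the original post: the post's httpd.conf
# hardening rewritten for httpd 2.4, plus an offline audit of a config file.
# File paths used in the demonstration are placeholders.

# write_httpd24_hardening <file>: httpd 2.4 version of the post's snippet.
write_httpd24_hardening() {
    cat > "$1" <<'EOF'
# Server header: only ServerTokens trims it; "Header unset Server" is a no-op
ServerTokens Prod
ServerSignature Off
TraceEnable Off
FileETag None

# PHP's X-Powered-By (or set expose_php = Off in php.ini)
Header unset X-Powered-By

# server-status for loopback only, using 2.4 authorization directives
<Location "/server-status">
    SetHandler server-status
    Require local
</Location>

<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride All
    DirectoryIndex index.html index.php
    Require all granted
</Directory>
EOF
}

# write_legacy_snippet <file>: constructed copy of the post's 2.2-style snippet.
write_legacy_snippet() {
    cat > "$1" <<'EOF'
FileETag none
Header unset Server
Header unset X-Powered-By
ServerSignature Off
ServerTokens Prod
<Location /server-status>
   SetHandler server-status
   Order Deny,Allow
   Deny from all
   Allow from 127.0.0.1
</Location>
EOF
}

# audit_httpd_conf <file>: print each weak setting, return 1 if any, else 0.
audit_httpd_conf() {
    f="$1"; rc=0
    if grep -Eiq '^[[:space:]]*(Order|Allow from|Deny from)[[:space:]]' "$f"; then
        echo "WEAK: 2.2-style Order/Allow/Deny (needs mod_access_compat); use Require"; rc=1
    fi
    if grep -Eiq '^[[:space:]]*Header[[:space:]]+unset[[:space:]]+Server[[:space:]]*$' "$f"; then
        echo "WEAK: 'Header unset Server' does nothing; rely on ServerTokens Prod"; rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod' "$f"; then
        echo "WEAK: ServerTokens is not Prod (version disclosure)"; rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off' "$f"; then
        echo "WEAK: ServerSignature is not Off (version in error pages)"; rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*TraceEnable[[:space:]]+Off' "$f"; then
        echo "WEAK: TraceEnable is not Off (TRACE method enabled)"; rc=1
    fi
    if grep -Eiq '^[[:space:]]*Options[[:space:]]+([^#]*[[:space:]+])?Indexes' "$f"; then
        echo "WEAK: directory listings enabled (Options Indexes)"; rc=1
    fi
    return $rc
}

# Demonstration on temporary files.
demo=$(mktemp -d)
write_httpd24_hardening "$demo/hardening.conf"
write_legacy_snippet "$demo/legacy.conf"
audit_httpd_conf "$demo/hardening.conf" && echo "hardening.conf: no weak settings"
audit_httpd_conf "$demo/legacy.conf" || echo "legacy.conf: weak settings found"
rm -rf "$demo"
```

After dropping the generated fragment into /etc/httpd/conf.d/, run apachectl configtest before restarting; the audit is a text check only and does not replace it.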

We also need a small PHP change so sessions are saved in a central memcached server (ignore this if you do not want sessions in memcached). Note that memcached has no authentication of its own: bind it to a private address rather than 0.0.0.0 and restrict port 11211 to the web servers with a security group or firewall, or anyone who can reach it can read and write every session:

vi /etc/php.ini

Add or edit the following. Change the time zone to your own; memory_limit is 128M by default and you may want to raise it. If you added the X-Powered-By rule to httpd.conf above, setting expose_php = Off here stops PHP from sending that header in the first place.

date.timezone = Asia/Kuala_Lumpur
memory_limit = 256M
session.save_handler = memcached
session.save_path = "192.168.1.2:11211"

*Please note: if you use the memcache extension instead of memcached (they are two different PECL extensions), save_path must include the protocol, i.e. tcp://192.168.1.2:11211.

At the end we need to do some Linux housekeeping. In order: create a www group, add the current user to it, give the website directory to root:www, set the setgid bit and group-write permission on /var/www so new files inherit the group, apply the same to every directory, make files group-writable but not executable, enable httpd and memcached at boot, and start both services.

groupadd www
usermod -a -G www ec2-user
chown -R root:www /var/www
chmod 2775 /var/www
find /var/www -type d -exec chmod 2775 {} +
find /var/www -type f -exec chmod 0664 {} +
chkconfig httpd on
chkconfig memcached on
service httpd start
service memcached start

echo "<?php phpinfo(); ?>" > /var/www/html/info.php

And we are all set ;) Just remember to delete /var/www/html/info.php once you have confirmed PHP is working: phpinfo() lists paths, versions, loaded modules and environment variables to anyone who can reach the page.