Centralized Linux User and Permission Management using AWS Simple AD

In our previous blog http://blog.powerupcloud.com/2016/02/21/aws-directory-services-an-overview-and-step-by-step/ , we have posted about the AWS Directory Service. Also, we have shown the step by step installation guide for Simple AD.

Simple AD supports commonly used Active Directory features such as user accounts, group memberships, domain-joining Amazon Elastic Compute Cloud (Amazon EC2) instances running Linux and Microsoft Windows, Kerberos-based single sign-on (SSO), and group policies. This makes it even easier to manage Amazon EC2 instances running Linux and Windows, and deploy Windows applications in the AWS cloud.

In this blog post, we will show the following things:

  • Creation of SimpleAD
  • Creating Users in SimpleAD
  • Joining a Linux server to Simple AD
  • Permission management through Simple AD

Set up Active Directory

We have a VPC already created that is being used for this demo to launch the servers within the subnet range.

Create a domain in AWS Directory Service. Refer to our previous blog for creation of SimpleAD:
http://blog.powerupcloud.com/2016/02/21/aws-directory-services-an-overview-and-step-by-step/

Launch a Windows Instance with the above domain. Select your domain in Domain join directory. We have launched a Windows 2012 R2 base server.

Log into the Windows Server. Go to Network Settings and change the Domain name Servers in IPv4 Properties. Provide DNS of your Directory.

Go to Computer Settings and change Domain.

Provide Username and Password for the Domain.

Once the credentials are validated, you will get a welcome message for the domain.

Restart the Server.
Connect to the server again and install Active Directory tools using Server Manager.

Logout and login as Active Directory Administrator.

rdesktop -0 -f -u 'puc.com\Administrator' -p'xxxxxxx' ec2-xx-xxx-xxx-xxx.compute-1.amazonaws.com  

User Creation in SimpleAD

After log into the server as the directory administrator, go to Active Directory Users and Computers. You should be able to see your domain there.

Create a user. We have created a user named “user1”.

Enter the password in the next screen.

Join the Linux Server to Simple AD

We have a Windows instance and a Linux instance running in same VPC as SimpleAD.

To integrate the Linux Server with our Directory, follow the steps below:
Update DHCP option set with DNS servers provided by Simple AD

Once the DHCP option set is created. Go to your VPC and edit the DHCP option set. Choose the one which you have created and Save it.

Log into the Linux Server. You can verify the connectivity between the server and the directory by pinging the directory domain. Execute the following command and install the required packages:

sudo yum -y install sssd realmd krb5-workstation  

Join the directory as the Administrator of your domain.

sudo realm join -U Administrator@puc.com puc.com --verbose  

Enter the password for the Administrator user when prompted.

Set “Password Authentication” to yes in /etc/ssh/sshd_config.

sudo service sshd restart  

You will be able to log into the Linux instance with users created in your active directory. Try doing ssh with one of the user available in your directory.

ssh 'user1@puc.com'@xx.xxx.xxx.xxx  

If you try to switch to root user, it will show as user is unauthorized.

Provide Root Privileges to the Active Directory User:

Create a group named “admins”. The users in this group will have the admin rights in the server.

Create a user in the directory. We have created a user named “pucadmin”.

Provide the password in the next screen for this user.

Once the user is created, you can add the user to the admins group which you have created earlier in the above step:

Log into the Linux Server and open the sudoers file:

sudo visudo -f /etc/sudoers  

Add the following line to delegate root privileges to the admins group in the directory:

%puc.com\\admins      ALL=(ALL) ALL

Now, login with the user present in the admins group. In our case, its “pucadmin”. Now, you should be able to switch to the root user.

and that’s it. Hope you found it useful. Happy Centralizing..!! :)

Priyanka Sharma

Priyanka is Senior Cloud and DevOps Engineer. She can churn out CloudFormation templates at a moment's notice and play with Chef/Ansible. Dancing, music, badminton and word games are her hobbies

comments powered by Disqus