

# Join an Amazon EC2 Linux instance to your Simple AD Active Directory
<a name="simple_ad_linux_domain_join"></a>

You can launch and join an Amazon EC2 Linux instance to your Simple AD in the AWS Management Console. You can also manually join an EC2 Linux instance to your Simple AD.

The following Linux instance distributions and versions are supported:
+ Amazon Linux AMI 2018.03.0
+ Amazon Linux 2 (64-bit x86)
+ Red Hat Enterprise Linux 8 (HVM) (64-bit x86)
+ Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS
+ CentOS 7 x86-64
+ SUSE Linux Enterprise Server 15 SP1

**Note**  
Distributions prior to Ubuntu 14 and Red Hat Enterprise Linux 7 and 8 do not support the seamless domain join feature.

**Topics**
+ [Seamlessly join an Amazon EC2 Linux instance to your Simple AD Active Directory](simple_ad_seamlessly_join_linux_instance.md)
+ [Manually join an Amazon EC2 Linux instance to your Simple AD Active Directory](simple_ad_join_linux_instance.md)

# Seamlessly join an Amazon EC2 Linux instance to your Simple AD Active Directory
<a name="simple_ad_seamlessly_join_linux_instance"></a>

This procedure seamlessly joins an Amazon EC2 Linux instance to your Simple AD Active Directory.

The following Linux instance distributions and versions are supported:
+ Amazon Linux AMI 2018.03.0
+ Amazon Linux 2 (64-bit x86)
+ Red Hat Enterprise Linux 8 (HVM) (64-bit x86)
+ Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS
+ CentOS 7 x86-64
+ SUSE Linux Enterprise Server 15 SP1

**Note**  
Distributions prior to Ubuntu 14 and Red Hat Enterprise Linux 7 and 8 do not support the seamless domain join feature.

## Prerequisites
<a name="simple_ad_seamless-linux-prereqs"></a>

Before you can set up seamless domain join to a Linux instance, you need to complete the procedures in this section.

### Select your seamless domain join service account
<a name="simple_ad_seamless-linux-prereqs-select"></a>

You can seamlessly join Linux computers to your Simple AD domain. To do that, you must create a user account with permissions to create computer accounts, which is used to join the computers to the domain. Although members of the *Domain Admins* or other groups may have sufficient privileges to join computers to the domain, we do not recommend using them. As a best practice, we recommend you use a service account that has the minimum privileges necessary to join the computers to the domain.

For information about how to delegate permissions to your service account for computer account creation, see [Delegate privileges to your service account](ad_connector_getting_started.md#connect_delegate_privileges).

### Create the secrets to store the domain service account
<a name="-create-secrets"></a>

You can use AWS Secrets Manager to store the domain service account. For more information, see [Create an AWS Secrets Manager secret](https://docs.aws.amazon.com//secretsmanager/latest/userguide/create_secret.html).

**Note**  
There are fees associated with Secrets Manager. For more information, see [Pricing](https://docs.aws.amazon.com//secretsmanager/latest/userguide/intro.html#asm_pricing) in the *AWS Secrets Manager User Guide*.

**To create secrets and store the domain service account information**

1. Sign in to the AWS Management Console and open the AWS Secrets Manager console at [https://console.aws.amazon.com/secretsmanager/](https://console.aws.amazon.com/secretsmanager/).

1. Choose **Store a new secret**. 

1. On the **Store a new secret** page, do the following:

   1. Under **Secret type**, choose **Other type of secrets**.

   1. Under **Key/value pairs**, do the following:

      1. In the first box, enter **awsSeamlessDomainUsername**. On the same row, in the next box, enter the username for your service account. For example, if you used the PowerShell command previously, the service account name would be **awsSeamlessDomain**.
**Note**  
You must enter **awsSeamlessDomainUsername** exactly as shown, with no leading or trailing spaces. Otherwise, the domain join will fail.  
![\[In the AWS Secrets Manager console on the choose a secret type page. Other type of secret is selected under secret type and awsSeamlessDomainUsername is entered as the key value.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/secrets_manager_1.png)

      1. Choose **Add row**.

      1. On the new row, in the first box, enter **awsSeamlessDomainPassword**. On the same row, in the next box, enter the password for your service account.
**Note**  
You must enter **awsSeamlessDomainPassword** exactly as shown, with no leading or trailing spaces. Otherwise, the domain join will fail.

      1. Under **Encryption key**, leave the default value `aws/secretsmanager`. AWS Secrets Manager always encrypts the secret when you choose this option. You can also choose a key that you created.

      1. Choose **Next**.

1. Under **Secret name**, enter a secret name that includes your directory ID using the following format, replacing *d-xxxxxxxxx* with your directory ID:

   ```
   aws/directory-services/d-xxxxxxxxx/seamless-domain-join
   ```

   The domain join process uses this name to retrieve the secret.
**Note**  
You must enter **aws/directory-services/*d-xxxxxxxxx*/seamless-domain-join** exactly as shown, replacing *d-xxxxxxxxx* with your directory ID. Make sure that there are no leading or trailing spaces. Otherwise, the domain join will fail.  
![\[In the AWS Secrets Manager console on the configure secret page. The secret name is entered and highlighted.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/secrets_manager_2.png)

1. Leave everything else set to defaults, and then choose **Next**.

1. Under **Configure automatic rotation**, choose **Disable automatic rotation**, and then choose **Next**.

   You can turn on rotation for this secret after you store it.

1. Review the settings, and then choose **Store** to save your changes. The Secrets Manager console returns you to the list of secrets in your account with your new secret now included in the list. 

1. Choose your newly created secret name from the list, and take note of the **Secret ARN** value. You will need it in the next section.

### Turn on rotation for the domain service account secret
<a name="seamless-linux-prereqs-turn-on-rotation"></a>

We recommend that you regularly rotate secrets to improve your security posture. 

**To turn on rotation for the domain service account secret**
+ Follow the instructions in [Set up automatic rotation for AWS Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_turn-on-for-other.html) in the *AWS Secrets Manager User Guide*.

  For Step 5, use the rotation template [Microsoft Active Directory credentials](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_available-rotation-templates.html#template-AD-password) in the *AWS Secrets Manager User Guide*.

  For help, see [Troubleshoot AWS Secrets Manager rotation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot_rotation.html) in the *AWS Secrets Manager User Guide*.

### Create the required IAM policy and role
<a name="seamless-linux-prereqs-create-policy"></a>

Use the following prerequisite steps to create a custom policy that allows read-only access to your Secrets Manager seamless domain join secret (which you created earlier), and to create a new LinuxEC2DomainJoin IAM role. 

#### Create the Secrets Manager IAM read policy
<a name="seamless-linux-prereqs-create-policy-step1"></a>

You use the IAM console to create a policy that grants read-only access to your Secrets Manager secret.

**To create the Secrets Manager IAM read policy**

1. Sign in to the AWS Management Console as a user that has permission to create IAM policies. Then open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, under **Access Management**, choose **Policies**.

1. Choose **Create policy**.

1. Choose the **JSON** tab and copy the text from the following JSON policy document. Then paste it into the **JSON** text box.
**Note**  
Make sure you replace the Region and Resource ARN with the actual Region and ARN of the secret that you created earlier.

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "secretsmanager:GetSecretValue",
                   "secretsmanager:DescribeSecret"
               ],
               "Resource": [
                   "arn:aws:secretsmanager:us-east-1:xxxxxxxxx:secret:aws/directory-services/d-xxxxxxxxx/seamless-domain-join"
               ]
           }
       ]
   }
   ```

1. When you are finished, choose **Next**. The policy validator reports any syntax errors. For more information, see [Validating IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_policy-validator.html).

1. On the **Review policy** page, enter a policy name, such as **SM-Secret-Linux-DJ-*d-xxxxxxxxxx*-Read**. Review the **Summary** section to see the permissions that your policy grants. Then choose **Create policy** to save your changes. The new policy appears in the list of managed policies and is now ready to attach to an identity.

**Note**  
We recommend you create one policy per secret. Doing so ensures that instances only have access to the appropriate secret and minimizes the impact if an instance is compromised. 
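The notes in the two procedures above (the secret's key names and name format, and a read policy scoped to one secret) are exact-match requirements that fail silently at join time. The following Python check is an added example, not code from the AWS documentation: it validates a secret name and key/value payload, and checks that an IAM policy grants only the two read actions on that one secret's ARN. The region, account ID and directory ID are constructed placeholders.

```python
"""Offline pre-flight checks for the seamless-domain-join secret and its IAM read policy.

Added example, not from the AWS documentation. Encodes the exact-match rules the
procedure notes state (key names, secret name format, no leading or trailing
spaces) and the least-privilege intent of the read policy (only the two read
actions, on exactly one secret). All sample values are constructed placeholders.
"""
import json
import re

REQUIRED_KEYS = ("awsSeamlessDomainUsername", "awsSeamlessDomainPassword")
ALLOWED_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"}
# Directory IDs look like d-1234567890; the exact length and alphabet are an assumption.
SECRET_NAME_RE = re.compile(r"^aws/directory-services/(d-[0-9a-z]{10})/seamless-domain-join$")


def check_secret(name, payload):
    """Return a list of problems with the secret; an empty list means it passes."""
    problems = []
    if name != name.strip():
        problems.append("secret name has leading or trailing whitespace")
    elif not SECRET_NAME_RE.match(name):
        problems.append("secret name must be aws/directory-services/<directory-id>/seamless-domain-join")
    for key in REQUIRED_KEYS:
        if key in payload:
            if not payload[key]:
                problems.append(f"key {key!r} has an empty value")
            continue
        # Catch the typical slip: right letters, wrong case or stray spaces.
        near = [k for k in payload if k.strip().lower() == key.lower()]
        hint = f" (found {near[0]!r} instead)" if near else ""
        problems.append(f"missing key {key!r}{hint}")
    for key in payload:
        if key not in REQUIRED_KEYS and not any(key.strip().lower() == k.lower() for k in REQUIRED_KEYS):
            problems.append(f"unexpected key {key!r}")
    return problems


def check_read_policy(policy_json, region, account_id, secret_name):
    """Return problems with the policy; it should grant only read access to this one secret."""
    expected = f"arn:aws:secretsmanager:{region}:{account_id}:secret:{secret_name}"
    # Secrets Manager appends a random six-character suffix to a secret's ARN, so the
    # bare name (as used on this page), the full ARN, or a suffix-only wildcard are accepted.
    ok_resource = re.compile(re.escape(expected) + r"(-[A-Za-z0-9]{6}|-\?{6}|-\*)?$")
    problems = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    if not statements:
        problems.append("policy has no statements")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = sorted(set(actions) - ALLOWED_ACTIONS)
        if extra:
            problems.append(f"statement {i}: grants more than read access: {extra}")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for res in resources:
            if not ok_resource.match(res):
                problems.append(f"statement {i}: resource {res!r} is not this secret's ARN")
    return problems


# Constructed sample values (placeholders, not real identifiers).
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
SECRET_NAME = "aws/directory-services/d-1234567890/seamless-domain-join"
SECRET_PAYLOAD = {"awsSeamlessDomainUsername": "awsSeamlessDomain",
                  "awsSeamlessDomainPassword": "example-password"}
READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(ALLOWED_ACTIONS),
        "Resource": [f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:{SECRET_NAME}"],
    }],
})
# A policy with a wildcard resource: every secret in the account becomes readable from the instance.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "secretsmanager:*", "Resource": "*"}],
})

if __name__ == "__main__":
    typo_payload = {"awsseamlessdomainusername ": "x", "awsSeamlessDomainPassword": "y"}
    for label, result in (
        ("secret", check_secret(SECRET_NAME, SECRET_PAYLOAD)),
        ("secret with typo", check_secret(SECRET_NAME, typo_payload)),
        ("read policy", check_read_policy(READ_POLICY, REGION, ACCOUNT_ID, SECRET_NAME)),
        ("overbroad policy", check_read_policy(OVERBROAD_POLICY, REGION, ACCOUNT_ID, SECRET_NAME)),
    ):
        print(f"{label}: {result or 'OK'}")
```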

#### Create the LinuxEC2DomainJoin role
<a name="seamless-linux-prereqs-create-policy-step2"></a>

You use the IAM console to create the role that you will use to domain join your Linux EC2 instance.

**To create the LinuxEC2DomainJoin role**

1. Sign in to the AWS Management Console as a user that has permission to create IAM policies. Then open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, under **Access Management**, choose **Roles**.

1. In the content pane, choose **Create role**.

1. Under **Select type of trusted entity**, choose **AWS service**.

1. Under **Use case**, choose **EC2**, and then choose **Next**.  
![\[In the IAM console on the select trusted entity page. AWS service and EC2 are selected.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/iam-console-trusted-entity.png)

1. For **Filter policies**, do the following:

   1. Enter **AmazonSSMManagedInstanceCore**. Then select the check box for that item in the list.

   1. Enter **AmazonSSMDirectoryServiceAccess**. Then select the check box for that item in the list.

   1. Enter **SM-Secret-Linux-DJ-*d-xxxxxxxxxx*-Read** (or the name of the policy that you created in the previous procedure). Then select the check box for that item in the list.

   1. After adding the three policies listed above, select **Create role**.
**Note**  
AmazonSSMDirectoryServiceAccess provides the permissions to join instances to an Active Directory managed by Directory Service. AmazonSSMManagedInstanceCore provides the minimum permissions necessary to use the AWS Systems Manager service. For more information about creating a role with these permissions, and for information about other permissions and policies you can assign to your IAM role, see [Create an IAM instance profile for Systems Manager](https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html) in the *AWS Systems Manager User Guide*.

1. In the **Role name** field, enter a name for your new role, such as **LinuxEC2DomainJoin**, or another name that you prefer.

1. (Optional) For **Role description**, enter a description.

1. (Optional) Choose **Add new tag** under **Step 3: Add tags** to add tags. Tag key-value pairs are used to organize, track, or control access for this role.

1. Choose **Create role**.

## Seamlessly join a Linux instance to your Simple AD Active Directory
<a name="simple_ad_seamless-linux-join-instance"></a>

**To seamlessly join your Linux instance**

1. Sign in to the AWS Management Console and open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. From the Region selector in the navigation bar, choose the same AWS Region as the existing directory.

1. On the **EC2 Dashboard**, in the **Launch instance** section, choose **Launch instance**.

1. On the **Launch an instance** page, under the **Name and Tags** section, enter the name you would like to use for your Linux EC2 instance.

1. *(Optional)* Choose **Add additional tags** to add one or more tag key-value pairs to organize, track, or control access for this EC2 instance.

1. In the **Application and OS Image (Amazon Machine Image)** section, choose a Linux AMI you wish to launch.
**Note**  
The AMI used must have AWS Systems Manager (SSM Agent) version 2.3.1644.0 or higher. To check the SSM Agent version installed in your AMI, launch an instance from that AMI and follow [Getting the currently installed SSM Agent version](https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-get-version.html). If you need to upgrade the SSM Agent, see [Installing and configuring SSM Agent on EC2 instances for Linux](https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-install-ssm-agent.html).  
SSM uses the `aws:domainJoin` plugin when joining a Linux instance to an Active Directory domain. The plugin changes the hostname of the Linux instance to the format EC2AMAZ-*XXXXXXX*. For more information about `aws:domainJoin`, see [AWS Systems Manager command document plugin reference](https://docs.aws.amazon.com//systems-manager/latest/userguide/documents-command-ssm-plugin-reference.html#aws-domainJoin) in the *AWS Systems Manager User Guide*.

1. In the **Instance type** section, choose the instance type you would like to use from the **Instance type** dropdown list.

1. In the **Key pair (login)** section, you can either create a new key pair or choose an existing key pair. To create a new key pair, choose **Create new key pair**. Enter a name for the key pair and select an option for the **Key pair type** and **Private key file format**. To save the private key in a format that can be used with OpenSSH, choose **.pem**. To save the private key in a format that can be used with PuTTY, choose **.ppk**. Choose **Create key pair**. The private key file is automatically downloaded by your browser. Save the private key file in a safe place.
**Important**  
This is the only chance for you to save the private key file.

1. On the **Launch an instance** page, under the **Network settings** section, choose **Edit**. From the **VPC - required** dropdown list, choose the VPC that your directory was created in.

1. Choose one of the public subnets in your VPC from the **Subnet** dropdown list. The subnet you choose must have all external traffic routed to an internet gateway. If this is not the case, you won't be able to connect to the instance remotely.

   For more information on how to connect to an internet gateway, see [Connect to the internet using an internet gateway](https://docs.aws.amazon.com//vpc/latest/userguide/VPC_Internet_Gateway.html) in the *Amazon VPC User Guide*.

1. Under **Auto-assign public IP**, choose **Enable**.

   For more information about public and private IP addressing, see [Amazon EC2 instance IP addressing](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/using-instance-addressing.html) in the *Amazon EC2 User Guide*.

1. For **Firewall (security groups)** settings, you can use the default settings or make changes to meet your needs. 

1. For **Configure storage** settings, you can use the default settings or make changes to meet your needs.

1. Expand the **Advanced details** section, and then choose your domain from the **Domain join directory** dropdown list.
**Note**  
After choosing the domain join directory, you may see the following error:  

![\[An error message when selecting your Domain join directory. There is an error with your existing SSM document.\]](http://docs.aws.amazon.com/directoryservice/latest/admin-guide/images/SSM-Error-Message.png)

This error occurs if the EC2 launch wizard identifies an existing SSM document with unexpected properties. You can do one of the following:  
+ If you previously edited the SSM document and the properties are expected, choose **Close** and proceed to launch the EC2 instance with no changes.
+ Choose the **delete the existing SSM document here** link to delete the SSM document. This allows an SSM document with the correct properties to be created automatically when you launch the EC2 instance.

1. For **IAM instance profile**, choose the IAM role that you previously created in the prerequisites section **Step 2: Create the LinuxEC2DomainJoin role**.

1. Choose **Launch instance**.

**Note**  
If you are performing a seamless domain join with SUSE Linux, a reboot is required before authentications will work. To reboot SUSE from the Linux terminal, type **sudo reboot**.

# Manually join an Amazon EC2 Linux instance to your Simple AD Active Directory
<a name="simple_ad_join_linux_instance"></a>

In addition to Amazon EC2 Windows instances, you can also join certain Amazon EC2 Linux instances to your Simple AD Active Directory. The following Linux instance distributions and versions are supported:
+ Amazon Linux AMI 2018.03.0
+ Amazon Linux 2 (64-bit x86)
+ Amazon Linux 2023 AMI
+ Red Hat Enterprise Linux 8 (HVM) (64-bit x86)
+ Ubuntu Server 18.04 LTS & Ubuntu Server 16.04 LTS
+ CentOS 7 x86-64
+ SUSE Linux Enterprise Server 15 SP1

**Note**  
Other Linux distributions and versions may work but have not been tested.

## Prerequisites
<a name="simple_ad_join_linux_prereq"></a>

Before you can join an Amazon Linux, CentOS, Red Hat, or Ubuntu instance to your directory, the instance must first be launched as specified in [Seamlessly join an Amazon EC2 Linux instance to your Simple AD Active Directory](simple_ad_seamlessly_join_linux_instance.md).

**Important**  
Some of the following procedures, if not performed correctly, can render your instance unreachable or unusable. Therefore, we strongly suggest you make a backup or take a snapshot of your instance before performing these procedures.

**To join a Linux instance to your directory**  
Follow the steps for your specific Linux instance using one of the following tabs:

------
#### [ Amazon Linux ]<a name="amazonlinux"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure your Amazon Linux 64-bit instance is up to date.

   ```
   sudo yum -y update
   ```

1. Install the required Amazon Linux packages on your Linux instance.
**Note**  
Some of these packages may already be installed.  
As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

   ```
   sudo yum install samba-common-tools realmd oddjob oddjob-mkhomedir sssd adcli krb5-workstation
   ```
**Note**  
For help with determining the Amazon Linux version you are using, see [Identifying Amazon Linux images](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/amazon-linux-ami-basics.html#amazon-linux-image-id) in the *Amazon EC2 User Guide for Linux Instances*.

1. Join the instance to the directory with the following command. 

   ```
   sudo realm join -U join_account@EXAMPLE.COM example.com --verbose
   ```  
*join\_account@EXAMPLE.COM*  
An account in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully qualified DNS name of your directory.

   ```
   ...
    * Successfully enrolled machine in realm
   ```

1. Set the SSH service to allow password authentication.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vi /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add the domain admins group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the following to the bottom of the `sudoers` file and save it.

      ```
      ## Add the "Domain Admins" group from the example.com domain.
      %Domain\ Admins@example.com ALL=(ALL:ALL) ALL
      ```

      (The above example uses a backslash followed by a space, `\ `, to escape the space character in the group name.)

------
#### [ CentOS ]<a name="centos"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure your CentOS 7 instance is up to date.

   ```
   sudo yum -y update
   ```

1. Install the required CentOS 7 packages on your Linux instance.
**Note**  
Some of these packages may already be installed.   
As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

   ```
   sudo yum -y install sssd realmd krb5-workstation samba-common-tools
   ```

1. Join the instance to the directory with the following command. 

   ```
   sudo realm join -U join_account@example.com example.com --verbose
   ```  
*join\_account@example.com*  
An account in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully qualified DNS name of your directory.

   ```
   ...
    * Successfully enrolled machine in realm
   ```

1. Set the SSH service to allow password authentication.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vi /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add the domain admins group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the following to the bottom of the `sudoers` file and save it.

      ```
      ## Add the "Domain Admins" group from the example.com domain.
      %Domain\ Admins@example.com ALL=(ALL:ALL) ALL
      ```

      (The above example uses a backslash followed by a space, `\ `, to escape the space character in the group name.)

------
#### [ Red Hat ]<a name="redhat"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure the Red Hat 64-bit instance is up to date.

   ```
   sudo yum -y update
   ```

1. Install the required Red Hat packages on your Linux instance.
**Note**  
Some of these packages may already be installed.   
As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

   ```
   sudo yum -y install sssd realmd krb5-workstation samba-common-tools
   ```

1. Join the instance to the directory with the following command. 

   ```
   sudo realm join -v -U join_account example.com --install=/
   ```  
*join\_account*  
The **sAMAccountName** for an account in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully qualified DNS name of your directory.

   ```
   ...
    * Successfully enrolled machine in realm
   ```

1. Set the SSH service to allow password authentication.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vi /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add the domain admins group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the following to the bottom of the `sudoers` file and save it.

      ```
      ## Add the "Domain Admins" group from the example.com domain.
      %Domain\ Admins@example.com ALL=(ALL:ALL) ALL
      ```

      (The above example uses a backslash followed by a space, `\ `, to escape the space character in the group name.)

------
#### [ Ubuntu ]<a name="ubuntu"></a>

1. Connect to the instance using any SSH client.

1. Configure the Linux instance to use the DNS server IP addresses of the Directory Service-provided DNS servers. You can do this either by setting it up in the DHCP Options set attached to the VPC or by setting it manually on the instance. If you want to set it manually, see [How do I assign a static DNS server to a private Amazon EC2 instance](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-static-dns-ubuntu-debian/) in the AWS Knowledge Center for guidance on setting the persistent DNS server for your particular Linux distribution and version.

1. Make sure your Ubuntu 64-bit instance is up to date.

   ```
   sudo apt-get update
   sudo apt-get -y upgrade
   ```

1. Install the required Ubuntu packages on your Linux instance.
**Note**  
Some of these packages may already be installed.   
As you install the packages, you might be presented with several pop-up configuration screens. You can generally leave the fields in these screens blank.

   ```
   sudo apt-get -y install sssd realmd krb5-user samba-common packagekit adcli
   ```

1. Disable reverse DNS resolution and set the default realm to your domain's FQDN. Ubuntu instances **must** be reverse-resolvable in DNS before the realm join will work. If they are not, disable reverse DNS lookups in `/etc/krb5.conf` as follows:

   ```
   sudo vi /etc/krb5.conf
   ```

   ```
   [libdefaults]
   default_realm = EXAMPLE.COM
   rdns = false
   ```

1. Join the instance to the directory with the following command. 

   ```
   sudo realm join -U join_account example.com --verbose
   ```  
*join\_account*  
The **sAMAccountName** for an account in the *example.com* domain that has domain join privileges. Enter the password for the account when prompted. For more information about delegating these privileges, see [Delegating directory join privileges for AWS Managed Microsoft AD](directory_join_privileges.md).  
*example.com*  
The fully qualified DNS name of your directory.

   ```
   ...
    * Successfully enrolled machine in realm
   ```

1. Set the SSH service to allow password authentication.

   1. Open the `/etc/ssh/sshd_config` file in a text editor.

      ```
      sudo vi /etc/ssh/sshd_config
      ```

   1. Set the `PasswordAuthentication` setting to `yes`.

      ```
      PasswordAuthentication yes
      ```

   1. Restart the SSH service.

      ```
      sudo systemctl restart sshd.service
      ```

      Alternatively:

      ```
      sudo service sshd restart
      ```

1. After the instance has restarted, connect to it with any SSH client and add the domain admins group to the sudoers list by performing the following steps:

   1. Open the `sudoers` file with the following command:

      ```
      sudo visudo
      ```

   1. Add the following to the bottom of the `sudoers` file and save it.

      ```
      ## Add the "Domain Admins" group from the example.com domain.
      %Domain\ Admins@example.com ALL=(ALL:ALL) ALL
      ```

      (The above example uses a backslash followed by a space, `\ `, to escape the space character in the group name.)

------

**Note**  
When using Simple AD, if you create a user account on a Linux instance with the option "Force user to change password at first login," that user will not be able to initially change their password using **kpasswd**. In order to change the password the first time, a domain administrator must update the user password using the Active Directory Management Tools.

## Manage accounts from a Linux instance
<a name="simple_ad_manage_accounts"></a>

To manage accounts in Simple AD from a Linux instance, you must update specific configuration files on your Linux instance as follows:

1. Set **krb5\_use\_kdcinfo** to **False** in the **/etc/sssd/sssd.conf** file. For example:

   ```
   [domain/example.com]
       krb5_use_kdcinfo = False
   ```

1. In order for the configuration to take effect, you need to restart the sssd service:

   ```
   sudo systemctl restart sssd.service
   ```

   Alternatively, you could use:

   ```
   sudo service sssd restart
   ```

1. If you will be managing users from a CentOS Linux instance, you must also edit the file **/etc/smb.conf** to include:

   ```
   [global]
     workgroup = EXAMPLE.COM
     realm = EXAMPLE.COM
     netbios name = EXAMPLE
     security = ads
   ```

## Restricting account login access
<a name="simple_ad_linux_filter"></a>

Since all accounts are defined in Active Directory, by default, all the users in the directory can log in to the instance. You can allow only specific users to log in to the instance with **ad\_access\_filter** in **sssd.conf**. For example:

```
ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)
```

*memberOf*  
Indicates that users should only be allowed access to the instance if they are a member of a specific group.

*cn*  
The common name of the group that should have access. In this example, the group name is *admins*.

*ou*  
This is the organizational unit in which the above group is located. In this example, the OU is *Testou*.

*dc*  
This is the domain component of your domain. In this example, *example*.

*dc*  
This is an additional domain component. In this example, *com*.

You must manually add **ad\_access\_filter** to your **/etc/sssd/sssd.conf**.

Open the **/etc/sssd/sssd.conf** file in a text editor.

```
sudo vi /etc/sssd/sssd.conf
```

After you do this, your **sssd.conf** might look like this:

```
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)
```

In order for the configuration to take effect, you need to restart the sssd service:

```
sudo systemctl restart sssd.service
```

Alternatively, you could use:

```
sudo service sssd restart
```

## ID Mapping
<a name="simple-ad-id-mapping"></a>

ID mapping can be performed by two methods to maintain a unified experience between UNIX/Linux User Identifier (UID) and Group Identifier (GID) and Windows and Active Directory Security Identifier (SID) identities. These methods are:

1. Centralized

1. Distributed

**Note**  
Centralized user identity mapping in Active Directory requires Portable Operating System Interface or POSIX.

**Centralized user identity mapping**  
Active Directory or another Lightweight Directory Access Protocol (LDAP) service provides UID and GID to the Linux users. In Active Directory, these identifiers are stored in the users' attributes if the POSIX extension is configured:
+ UID - The Linux username (String)
+ UID Number - The Linux User ID number (Integer)
+ GID Number - The Linux Group ID number (Integer)

To configure a Linux instance to use the UID and GID from Active Directory, set `ldap_id_mapping = False` in the sssd.conf file. Before setting this value, verify you have added a UID, UID number and GID number to the users and groups in Active Directory.

**Distributed user identity mapping**  
If Active Directory doesn't have the POSIX extension or if you choose not to centrally manage identity mapping, Linux can calculate the UID and GID values. Linux uses the user's unique Security Identifier (SID) to maintain consistency.

To configure distributed user ID mapping, set `ldap_id_mapping = True` in the sssd.conf file.

**Common issues**  
If you set `ldap_id_mapping = False`, starting the SSSD service sometimes fails. This happens because changing the UIDs of existing users is not supported. We recommend you delete the SSSD cache whenever you change from ID mapping to POSIX attributes or from POSIX attributes to ID mapping. For further details about ID mapping and the ldap\_id\_mapping parameters, see the sssd-ldap(8) man page in the Linux command line.
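As an added check for the two preceding sections (this script is not part of this guide or of SSSD), the following Python code parses an sssd.conf and reports the conditions described above: an **ad\_access\_filter** that will not be enforced because **access\_provider** is not `ad`, a missing filter (so every directory user can log in), a filter that is not a `memberOf` group filter, and `ldap_id_mapping = False`, which requires POSIX attributes in the directory and a cache flush when switching modes. The sample configuration is constructed from the example on this page, and the `permit` fallback is SSSD's documented default for **access\_provider**.

```python
import configparser
import re

# Constructed sample adapted from this page's sssd.conf, with two weaknesses to catch.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
id_provider = ad
ldap_id_mapping = False
access_provider = simple
ad_access_filter = (memberOf=cn=admins,ou=Testou,dc=example,dc=com)
"""

def parse_member_of(filter_str):
    """Split the group DN in a (memberOf=...) filter into (type, value) pairs."""
    m = re.fullmatch(r"\(memberOf=(.+)\)", filter_str.strip(), re.IGNORECASE)
    if m is None: return None
    rdns = [rdn.split("=", 1) for rdn in m.group(1).split(",")]
    if any(len(rdn) != 2 for rdn in rdns): return None
    return [(k.strip().lower(), v.strip()) for k, v in rdns]

def audit_sssd_conf(text):
    """Return findings for every [domain/...] section of an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        sec = cp[section]
        filt = sec.get("ad_access_filter")
        provider = sec.get("access_provider", "permit")  # SSSD's documented default
        if filt and provider.lower() != "ad":
            findings.append(f"{section}: ad_access_filter is ignored because "
                            f"access_provider is '{provider}', not 'ad'")
        if not filt:
            findings.append(f"{section}: no ad_access_filter; every directory user can log in")
        elif parse_member_of(filt) is None:
            findings.append(f"{section}: ad_access_filter is not a (memberOf=<group DN>) filter")
        if sec.get("ldap_id_mapping", "True").lower() == "false":
            findings.append(f"{section}: ldap_id_mapping = False; users and groups need "
                            "uidNumber/gidNumber in AD; clear the SSSD cache when switching modes")
    return findings
```

Run `audit_sssd_conf(open("/etc/sssd/sssd.conf").read())` as root on the instance to check the live file.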

## Connect to the Linux instance
<a name="simple_ad_linux_connect"></a>

When a user connects to the instance using an SSH client, they are prompted for their username. The user can enter the username in either the `username@example.com` or `EXAMPLE\username` format. The response will appear similar to the following, depending on which Linux distribution you are using:

**Amazon Linux, Red Hat Enterprise Linux, and CentOS Linux**

```
login as: johndoe@example.com
johndoe@example.com's password:
Last login: Thu Jun 25 16:26:28 2015 from XX.XX.XX.XX
```

**SUSE Linux**

```
SUSE Linux Enterprise Server 15 SP1 x86_64 (64-bit)

As "root" (sudo or sudo -i) use the:
  - zypper command for package management
  - yast command for configuration management

Management and Config: https://www.suse.com/suse-in-the-cloud-basics
Documentation: https://www.suse.com/documentation/sles-15/
Forum: https://forums.suse.com/forumdisplay.php?93-SUSE-Public-Cloud

Have a lot of fun...
```

**Ubuntu Linux**

```
login as: admin@example.com
admin@example.com@10.24.34.0's password:
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-1057-aws x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

  System information as of Sat Apr 18 22:03:35 UTC 2020

  System load:  0.01              Processes:           102
  Usage of /:   18.6% of 7.69GB   Users logged in:     2
  Memory usage: 16%               IP address for eth0: 10.24.34.1
  Swap usage:   0%
```