Previously I wrote a post about joining your Ubuntu 16.04 server to Active Directory. This works well, and what I have done with one of my clients is create an AMI within AWS that handles most of it. But it still requires some manual interaction, because during the realm join you get prompted for a password.
I'm moving all setup over to a combination of Terraform and Ansible, so this is a blocker: nothing should require user interaction to get things set up. So I've put the join logic into a script and use a Terraform remote-exec provisioner to handle the actual joining of the domain.
My Terraform config for the EC2 instance has this towards the end:
```hcl
# Copy the join script onto the new instance, then run it with the hostname and the
# AD join password. var.hostname / var.ad_password are assumed input variable names;
# a bare $hostname would not be interpolated by Terraform.
provisioner "file" {
  source      = "${path.module}/bootstrap_ad.sh"
  destination = "/tmp/bootstrap_ad.sh"
}

provisioner "remote-exec" {
  inline = [
    "sudo chmod +x /tmp/bootstrap_ad.sh",
    "sudo /tmp/bootstrap_ad.sh ${var.hostname} ${var.ad_password}",
  ]
}
```
In the above, the first argument (the hostname) is the hostname of the new server, and the second (the AD password) is the Active Directory password for the `linux` join account used in the script below. I read the AD password out of an environment variable (Terraform picks up `TF_VAR_ad_password` as `var.ad_password`) so it's not stored in code.
The bootstrap_ad.sh script below is what actually gets executed to join the domain. The key line is `echo ${PASS} | kinit linux`: kinit reads the password from stdin when stdin is not a terminal, so the realm join that follows finds a Kerberos ticket for the `linux` account and does not prompt for a password. One caveat: because the password arrives as a command-line argument, it is visible in `ps` and `/proc/*/cmdline` on the instance while the script runs, and the remote-exec command line is echoed into Terraform's output and logs, so mark the variable `sensitive = true` and keep those logs out of shared places.
```bash
#!/bin/bash
# Usage: bootstrap_ad.sh <new-hostname> <ad-password-for-the-linux-join-account>
HOST=$1
PASS=$2

# The AMI boots with the placeholder hostname linux-ami; swap in the real one.
sed -i "s/linux-ami/${HOST}/g" /etc/hosts
hostnamectl set-hostname "${HOST}"

# The AMI is already a domain member, so leave before re-joining under the new name.
realm leave my.domain.com

# kinit reads the password from stdin when it is not a tty, so the realm join
# below finds a ticket cache for the "linux" account and does not prompt.
echo "${PASS}" | kinit linux
# --user-principal sets the userPrincipalName of the computer account; check the
# value against `man realm`, which documents the host/NAME@REALM form.
realm --verbose join my.domain.com --user-principal=-${HOST}/linux

# Evaluate GPO logon rights but do not enforce them (sssd only logs would-be denials).
echo 'ad_gpo_access_control = permissive' >> /etc/sssd/sssd.conf

service ssh restart

# Drop the cache that still belongs to the AMI's old identity before restarting sssd.
systemctl stop sssd
rm -rf /var/lib/sss/db/*
systemctl start sssd
```
A couple of things to note above. The default hostname from the AMI is linux-ami, so that is changed to the new hostname. The AMI is also already joined to the domain, but I want the domain join done as the new server, so we realm leave first before doing the realm join.
We're also nuking the sssd cache at the end. Without this, the stale cache entries from the AMI's old identity cause problems, and remote SSH and RDP logins fail.
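Here is a hardened variant of the bootstrap script, as an added example rather than the post's own code. It keeps the same domain (`my.domain.com`), join account (`linux`) and AMI placeholder hostname (`linux-ami`) from the post, but reads the password from stdin instead of argv so it never appears in `ps` or `/proc/*/cmdline`, quotes every variable, refuses to run the destructive `realm leave` until it has a non-empty password, discards the join account's TGT once the machine has its own keytab, and makes the sssd.conf edit idempotent and section-aware instead of a blind append. It omits the post's `--user-principal` option, since the ticket from kinit is all the join needs. The `BOOTSTRAP_RUN` gate is an assumption of this example: it lets the pure helpers be sourced and tested on temp files without touching the host. From Terraform you would pipe the password in with something like `printf '%s\n' "${var.ad_password}" | sudo env BOOTSTRAP_RUN=1 /tmp/bootstrap_ad.sh ${var.hostname}` (printf is a shell builtin, so no process carries the secret in its argument list); the inline string still reaches Terraform's logs, so the variable should be declared `sensitive = true`.

```bash
#!/bin/bash
# Hardened bootstrap for joining a fresh EC2 host (built from an already-joined AMI)
# to Active Directory without a password prompt. Added example, not the post's script.
set -eu

DOMAIN="my.domain.com"       # realm to join (from the post)
JOIN_USER="linux"            # AD account whose ticket authorises the join (from the post)
AMI_HOSTNAME="linux-ami"     # placeholder hostname baked into the AMI (from the post)

# Replace the AMI placeholder hostname in an /etc/hosts-style file.
# $1 = file, $2 = new hostname. Pure text edit, so it is testable on a temp file.
update_hosts_file() {
    local file="$1" host="$2"
    sed -i "s/${AMI_HOSTNAME}/${host}/g" "$file"
}

# Ensure "key = value" exists exactly once inside [section] of an INI-style file
# (sssd.conf). An existing key in that section is replaced in place; otherwise the
# line is added at the end of the section, creating the section if it is missing.
# $1 = file, $2 = section name (without brackets), $3 = key, $4 = value
ensure_ini_option() {
    local file="$1" section="$2" key="$3" value="$4" tmp
    tmp="$(mktemp)"
    awk -v sec="[$section]" -v key="$key" -v val="$value" '
        /^\[/ {
            # leaving the target section without having written the key: write it now
            if (insec && !done) { print key " = " val; done = 1 }
            h = $0; sub(/[ \t]+$/, "", h); insec = (h == sec)
        }
        insec {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) { if (!done) { print key " = " val; done = 1 }; next }
        }
        { print }
        END { if (!done) { if (!insec) print sec; print key " = " val } }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through to keep the file's mode/owner (sssd wants 0600 root)
    rm -f "$tmp"
}

main() {
    local host="${1:?usage: printf '%s\n' \"\$AD_PASSWORD\" | $0 <hostname>}" password
    # The join password arrives on stdin, not argv, so it is not visible in ps.
    IFS= read -r password
    [ -n "$password" ] || { echo "empty password on stdin, refusing to leave the realm" >&2; exit 1; }

    update_hosts_file /etc/hosts "$host"
    hostnamectl set-hostname "$host"

    # The AMI is already a member under the placeholder name; leave so the join
    # below creates the computer object for the new hostname.
    realm leave "$DOMAIN" || true

    # kinit reads the password from stdin when it is not a tty; realm join then uses
    # the resulting ticket cache and never prompts.
    printf '%s\n' "$password" | kinit "$JOIN_USER"
    realm --verbose join "$DOMAIN"
    kdestroy   # the host now has its own keytab; drop the join account's TGT

    # Evaluate GPO logon rights but do not enforce them; idempotent, section-aware edit.
    ensure_ini_option /etc/sssd/sssd.conf "domain/${DOMAIN}" ad_gpo_access_control permissive

    systemctl restart ssh
    # Flush the cache that still describes the AMI's old identity.
    systemctl stop sssd
    rm -rf /var/lib/sss/db/*
    systemctl start sssd
}

# Only touch the host when explicitly asked; otherwise the helpers are just defined.
if [ "${BOOTSTRAP_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

The awk helper is what makes the script safe to re-run: the original's `>> /etc/sssd/sssd.conf` lands in whatever section happens to be last and adds a duplicate line on every run, whereas this version puts `ad_gpo_access_control` in the `[domain/my.domain.com]` section where sssd actually reads it.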