User data script to join an Ubuntu 16.04 EC2 instance to an Active Directory domain
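#!/bin/bash
# EC2 user-data: join an Ubuntu 16.04 instance to an Active Directory domain.
#
# Flow: hostname from the instance id -> pin the DC in /etc/hosts -> fetch
# the join keytab from S3 -> install realmd/sssd/krb5 -> sync time to the
# DC -> realm join -> serve sshPublicKey from AD to sshd through an
# AuthorizedKeysCommand -> sudo for the devops group -> DHCP search domains.
#
# Runs as root under cloud-init. Every parameter below must be filled in;
# the script aborts on the first one left empty. The instance role must be
# able to read the Administrator.keytab object in S3_BUCKET.
set -euxo pipefail

# parameters
DOMAIN_CONTROLLER=
DOMAIN_CONTROLLER_IP=
AD_HOST=
BASE_DN=
S3_BUCKET=
# separate domains with a space
SEARCH_DOMAINS=
# DO NOT CHANGE ANYTHING BELOW THIS LINE

die() { printf '%s\n' "$*" >&2; exit 1; }

# Fail fast on a blank parameter instead of writing broken config files.
: "${DOMAIN_CONTROLLER:?DOMAIN_CONTROLLER must be set}"
: "${DOMAIN_CONTROLLER_IP:?DOMAIN_CONTROLLER_IP must be set}"
: "${AD_HOST:?AD_HOST must be set}"
: "${BASE_DN:?BASE_DN must be set}"
: "${S3_BUCKET:?S3_BUCKET must be set}"
: "${SEARCH_DOMAINS:?SEARCH_DOMAINS must be set}"

readonly AD_REALM=${AD_HOST^^}              # Kerberos realms are upper-case
readonly KEYTAB=/etc/Administrator.keytab
readonly IMDS=http://169.254.169.254
export DEBIAN_FRONTEND=noninteractive

# Instance id from IMDS. Ask for a session token first (IMDSv2) and fall
# back to the plain v1 request if the token endpoint is not available.
imds_token=$(wget -q -O - --method=PUT \
  --header='X-aws-ec2-metadata-token-ttl-seconds: 60' \
  "${IMDS}/latest/api/token" || true)
if [[ -n "$imds_token" ]]; then
  EC2_INSTANCE_ID=$(wget -q -O - \
    --header="X-aws-ec2-metadata-token: ${imds_token}" \
    "${IMDS}/latest/meta-data/instance-id")
else
  EC2_INSTANCE_ID=$(wget -q -O - "${IMDS}/latest/meta-data/instance-id")
fi
[[ -n "$EC2_INSTANCE_ID" ]] || die "could not read instance id from IMDS"
# NOTE(review): only the running hostname is set, as before; /etc/hostname
# is left to cloud-init. The realm join below creates a host principal under
# this name, so confirm it survives a reboot in your launch configuration.
hostname "$EC2_INSTANCE_ID"

# update & upgrade
apt-get update
apt-get -y upgrade

# add ad domain and controller to hosts file, so Kerberos and realm
# discovery resolve before the DHCP search domains are in place
cat >> /etc/hosts <<EOM
${DOMAIN_CONTROLLER_IP} ${DOMAIN_CONTROLLER}
${DOMAIN_CONTROLLER_IP} ${AD_HOST}
EOM

# set up awscli and get the keytab file. The keytab is Administrator's
# credential: keep it readable by root and by the AuthorizedKeysCommandUser
# (nobody, primary group nogroup) that must kinit with it below, not by the
# whole system. A dedicated read-only service principal would be a safer
# thing to ship here than Administrator.
apt-get install -y awscli
aws s3api get-object --bucket "${S3_BUCKET}" --key Administrator.keytab "${KEYTAB}"
chown root:nogroup "${KEYTAB}"
chmod 0640 "${KEYTAB}"

# install default ldap requirements. ldap-utils provides ldapsearch, which
# the AuthorizedKeysCommand below calls. Preseeding krb5-config makes the
# generated krb5.conf carry the AD realm instead of patching line 2 later.
echo "krb5-config krb5-config/default_realm string ${AD_REALM}" | debconf-set-selections
apt-get -y install realmd sssd sssd-tools samba-common krb5-user packagekit \
  samba-common-bin samba-libs adcli ntp zsh ldap-utils
# update krb5-user with the ad domain (matches the directive, not a line number)
sed -i "s/^\([[:space:]]*default_realm[[:space:]]*=\).*/\1 ${AD_REALM}/" /etc/krb5.conf
grep -q "default_realm[[:space:]]*=[[:space:]]*${AD_REALM}" /etc/krb5.conf \
  || die "default_realm not set in /etc/krb5.conf"

# set ntp server to ad domain controller (Kerberos tolerates only small skew)
cat > /etc/ntp.conf <<EOM
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
server ${DOMAIN_CONTROLLER}
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
EOM
service ntp restart

# set up realmd to use our ad domain
cat > /etc/realmd.conf <<EOM
# /etc/realmd.conf
[users]
default-home = /home/%D/%U
default-shell = /usr/bin/zsh
[active-directory]
default-client = sssd
os-name = Ubuntu Desktop Linux
os-version = 16.04
[service]
automatic-install = no
[${AD_HOST}]
fully-qualified-names = no
automatic-id-mapping = yes
user-principal = yes
manage-system = yes
EOM

# register instance to the domain
kinit "Administrator@${AD_REALM}" -k -t "${KEYTAB}"
realm join "${AD_HOST}" \
  --user-principal="${EC2_INSTANCE_ID}/Administrator@${AD_REALM}" --unattended
# The Administrator ticket is not needed past the join; do not leave it cached.
kdestroy || true

# create home directory on login (idempotent if user-data is re-run)
grep -q 'pam_mkhomedir.so' /etc/pam.d/common-session \
  || cat >> /etc/pam.d/common-session <<EOM
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
EOM

# create ssh public key check script. sshd requires the command and its
# directory to be root-owned and not group/world writable.
install -d -m 0755 /opt/ldapsshkey
cat > /opt/ldapsshkey/ldapsshkey.sh <<EOM
#!/bin/bash
# AuthorizedKeysCommand for sshd: print the sshPublicKey attribute(s) of the
# AD account named in \$1. sshd only invokes this for names that already
# resolve through sssd, but the name is still placed in an LDAP filter, so
# refuse anything outside the characters a logon name is expected to use.
set -euo pipefail
user=\$1
case "\$user" in
  ''|*[!A-Za-z0-9._@-]*) exit 1 ;;
esac
kinit Administrator@${AD_REALM} -k -t ${KEYTAB}
ldapsearch -LLL -h ${AD_HOST} -Y GSSAPI -Q -b "${BASE_DN}" "sAMAccountName=\$user" "sshPublicKey" | sed -n '/^ /{H;d};/sshPublicKey:/x;\$g;s/\n *//g;s/sshPublicKey: //gp'
EOM
chmod 0755 /opt/ldapsshkey/ldapsshkey.sh

# update sshd to use the script above
cat > /etc/ssh/sshd_config <<EOM
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
AuthorizedKeysCommand /opt/ldapsshkey/ldapsshkey.sh
AuthorizedKeysCommandUser nobody
EOM
# Validate before restarting so a bad config cannot lock the instance out.
sshd -t
service sshd restart

# update /etc/sudoers: a validated drop-in rather than streaming into the
# main file through visudo's editor hook
sudoers_tmp=$(mktemp) || die "mktemp failed"
echo "%devops ALL=(ALL) NOPASSWD: ALL" > "$sudoers_tmp"
visudo -cf "$sudoers_tmp"
install -m 0440 "$sudoers_tmp" /etc/sudoers.d/devops
rm -f -- "$sudoers_tmp"

# edit /etc/dhcp/dhclient.conf and restart the network: replace any existing
# 'append domain-name' directive instead of overwriting a fixed line number
sed -i '/^[[:space:]]*append domain-name /d' /etc/dhcp/dhclient.conf
printf 'append domain-name " %s ec2.internal";\n' "${SEARCH_DOMAINS}" >> /etc/dhcp/dhclient.conf
/etc/init.d/networking restart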