AWS Storage Blog

Access file shares on Amazon FSx for Windows File Server from a Linux environment

An increasing number of customers are looking to move their on-premises Network Attached Storage (NAS) to the cloud in order to benefit from cloud-based storage. Many of the same customers have mixed environments and use workstations with a combination of Windows and Linux operating systems. A common approach for employees using the Windows operating system is to join their computer to an Active Directory domain and then use a file share to access shared storage. Active Directory is a Microsoft directory service for managing access and permissions for devices in a network. Joining the computer to Active Directory not only allows users to authenticate via Active Directory, but also gives them the appropriate permissions on the shared file system.

Amazon FSx for Windows File Server (Amazon FSx) supports access from mixed Windows and Linux environments by fully supporting the SMB protocol. This includes access from Linux using the Linux SMB client. It allows customers to easily move their shared file storage to the cloud and provides a fully managed, native Windows File Server on AWS. It automatically takes care of setup and provisioning, replication, failover, and maintenance. Moreover, it supports the SMB protocol, Windows NTFS, and Active Directory integration, both on-premises and in-cloud.

Customers use Amazon FSx in a variety of use cases, such as:

  • Home directories
  • Enterprise business applications
  • Content management
  • Software development environments
  • Media and entertainment
  • Databases
  • Data Analytics

In this blog post, I show you the steps to join a Linux machine to an Active Directory domain. The steps involve installing realmd and then using Kerberos authentication to perform the join. Then I show you the steps to mount a file share from Amazon FSx on that Linux machine, which I do by using the cifs-utils library.

Prerequisites for joining a Linux machine to an Active Directory domain

The first step is to join the Linux machine to an Active Directory domain. To do that, I need the following:

  1. Access to an account on the Active Directory that allows joining a machine to a domain.
  2. The domain name.
  3. The KDC (Key Distribution Center) details, since Linux uses Kerberos for authentication. You can obtain these from the team that manages your Active Directory.
  4. Root access to the Linux machine, for which I use an Ubuntu machine.

For this demonstration, I use an AWS Managed Microsoft Active Directory. The following screenshot shows how the Active Directory setup looks. The domain is called ‘EXAMPLE.COM.’


I also create a test user called ‘testUser1.’

Steps to join the Linux machine to Microsoft Active Directory Domain

Now it is time to join the Linux machine to Microsoft Active Directory. For this demonstration, I first create an Ubuntu machine in Amazon EC2. Then I go through the steps to join the machine.

Create an Ubuntu machine

  1. Create the Dynamic Host Configuration Protocol (DHCP) option set, so that the Linux machine can resolve DNS names for the Active Directory domain. In a non-AWS environment, I would instead have added the Active Directory DNS servers to the Linux box directly.

  2. Modify the VPC to use this option set.
  3. Create the Ubuntu machine in the VPC that has this option set. The DHCP option set changes /run/systemd/resolve/resolv.conf and adds the following lines:
nameserver 172.31.9.241
nameserver 172.31.27.108
search example.com

It also changes stub-resolv.conf, which then looks like this:

nameserver 127.0.0.53
options edns0
search example.com

If you try this on a machine that is not on AWS, then make the necessary changes to fit your machine and operating system.

  4. Log in to the Linux machine as a user with root privileges.
  5. Update the machine:
sudo apt-get update
sudo apt-get -y upgrade
  6. Install the required Ubuntu packages:
sudo apt-get -y install sssd realmd krb5-user samba-common packagekit adcli

When prompted for the default realm, I type in ‘EXAMPLE.COM’ (note the upper case).

  7. Edit /etc/krb5.conf by typing in sudo vi /etc/krb5.conf, and modify the file so that it reflects the realm (EXAMPLE.COM) and the KDC details gathered in the prerequisites.

Join the machine

  1. Join the machine to an Active Directory domain using this command:
sudo realm join -U service_account@EXAMPLE.COM EXAMPLE.COM --verbose

Here, “service_account” is the name of the account that has domain-joining privileges. After providing the password, I finally saw this message:

* Successfully enrolled machine in realm

This means that the machine was joined to the domain!

  2. There are a few things that I must do before I can log in to the machine as an Active Directory user. When I first logged in as an Active Directory user, the user did not have a home directory. To have a home directory created when the user logs in, I follow these steps:
  • Type in:
sudo vi /etc/pam.d/common-session
  • Add this line:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
  • Add the preceding line after the line that says:
session required        pam_unix.so
  • By default, the user does not have access to sudo. To allow the user to use sudo, I find the Active Directory group name for the user and add that group to the sudoers file. I do so by editing the /etc/sudoers file and adding the following line:
%Domain\ Users@EXAMPLE.COM ALL=(ALL:ALL) ALL

In this line, “Domain Users” is the name of the group. This gives every user in that group sudo access.

  3. As I am on an EC2 instance, before logging in to the box as an Active Directory user, I modify the sshd config file by typing in:
sudo vi /etc/ssh/sshd_config

I change PasswordAuthentication to yes and restart sshd by typing in:

sudo service sshd restart
  4. Finally, it is time to log in to the Linux box as the user ‘testUser1.’ I type in:
ssh EXAMPLE.COM\\testUser1@ec2-3-104-54-234.ap-southeast-2.compute.amazonaws.com

Then I provide the password, and that is it. I am now logged in to the machine as an Active Directory user.

In the next section, I show you how I used cifs-utils to mount the Amazon FSx directory.

Prerequisites to mount an Amazon FSx file share on Ubuntu

Now that I have joined the Linux machine to an Active Directory domain, let me mount the Amazon FSx file share onto it. I begin by creating the Windows file system and then joining it to Active Directory. This is how the Windows file system looks:


I create a minimal-capacity FSx for Windows File Server file system for this demonstration.

Mount an Amazon FSx file share on a Linux machine joined to Active Directory

  1. I use cifs-utils to mount the file share. I log in as a domain user (‘testUser1’) and install cifs-utils by typing in:
sudo apt install cifs-utils keyutils
  2. Create the directory for mounting. Since I am mounting as a user, I create the directory inside the user’s home directory:
mkdir ~/fsx
  3. Obtain a Kerberos ticket for the logged-in domain user:
kinit
  4. Mount the file system:
sudo mount -t cifs --verbose -o vers=3.0,cache=none,user=$USER,cruid=$USER,sec=krb5,uid=$(id -u),gid=$(id -g),ip=172.31.15.73 "//fs-08a42c788e24ce540.example.com/share" /home/testuser1@example.com/fsx/
  5. Replace fs-08a42c788e24ce540.example.com with the DNS name of your file system and 172.31.15.73 with the preferred file server IP address of your file system. Both can be obtained from the AWS console. If the mount command fails for you, follow these steps:
    • Type in klist and check that a Kerberos ticket for your user is present.
    • Type in nslookup fs-08a42c788e24ce540.example.com (replace with the DNS name of your file system) and look for the canonical name.
    • Repeat the mount command, but use the canonical name instead of the file server DNS name.

That’s it! I have successfully mounted the Amazon FSx shared folder on the Linux instance, and hopefully so have you. The mount honors the file permissions set on the file share. That means that user ‘testUser1’ is only able to access the folders that it has been granted access to.
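The mount command above pins the share to SMB 3.0 and Kerberos (vers=3.0, sec=krb5). As an added example that is not part of the original post, the following script audits lines in /proc/mounts format and reports any CIFS mount that ended up with an older dialect or a non-Kerberos security mode; the sample mount lines are constructed, the first mirroring the post's own mount and the second a deliberately weak one.

```shell
#!/bin/sh
# Added example, not from the original post: audit CIFS mounts against the
# options the post uses for Amazon FSx (vers=3.0 and sec=krb5), so a mount that
# fell back to an older SMB dialect or to password-based NTLM is caught.
# Input is text in /proc/mounts format: "source target fstype options 0 0".

# Check one /proc/mounts line. Returns 0 if it is a CIFS mount using Kerberos
# (sec=krb5 or krb5i) and SMB 3.x, 1 if it is a CIFS mount with weaker options
# (reasons go to stderr), and 2 if the line is not a CIFS mount at all.
check_cifs_line() {
  _fstype=$(printf '%s\n' "$1" | awk '{print $3}')
  [ "$_fstype" = "cifs" ] || return 2
  _target=$(printf '%s\n' "$1" | awk '{print $2}')
  _opts=$(printf '%s\n' "$1" | awk '{print $4}')
  _sec=$(printf '%s\n' "$_opts" | tr ',' '\n' | sed -n 's/^sec=//p')
  _vers=$(printf '%s\n' "$_opts" | tr ',' '\n' | sed -n 's/^vers=//p')
  _rc=0
  case "$_sec" in
    krb5|krb5i) ;;
    *) echo "$_target: sec=${_sec:-unset} (expected krb5)" >&2; _rc=1 ;;
  esac
  case "$_vers" in
    3|3.0|3.02|3.1.1) ;;
    *) echo "$_target: vers=${_vers:-unset} (expected 3.0 or newer)" >&2; _rc=1 ;;
  esac
  return $_rc
}

# Read mount lines on stdin and print how many CIFS mounts failed the check.
# On a live system run it as: audit_cifs_mounts < /proc/mounts
audit_cifs_mounts() {
  _bad=0
  while IFS= read -r _line; do
    [ -n "$_line" ] || continue
    check_cifs_line "$_line" && continue
    [ $? -eq 1 ] && _bad=$((_bad + 1))
  done
  echo "$_bad"
}

# Constructed sample lines: the first mirrors the post's mount command as
# /proc/mounts would report it; the second is a deliberately weak mount.
GOOD_MOUNT='//fs-08a42c788e24ce540.example.com/share /home/testuser1@example.com/fsx cifs rw,relatime,vers=3.0,sec=krb5,cache=none,username=testUser1,uid=1234,gid=1234,cruid=1234,addr=172.31.15.73 0 0'
WEAK_MOUNT='//legacy-nas.example.com/public /mnt/public cifs rw,relatime,vers=1.0,sec=ntlmssp,cache=strict,username=guest,addr=172.31.99.9 0 0'
ROOT_MOUNT='/dev/xvda1 / ext4 rw,relatime,discard 0 0'

printf '%s\n' "$GOOD_MOUNT" "$WEAK_MOUNT" "$ROOT_MOUNT" | audit_cifs_mounts
```

A non-zero count is worth alerting on, because the kernel client will happily use whatever dialect and security mode were negotiated unless the mount options pin them as the post does.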

Cleaning up

After finishing the proof of concept, I cleaned up the resources by deleting the Amazon FSx file system, the AWS Managed Microsoft Active Directory, and the Ubuntu EC2 instance. Doing so ensures you incur no further costs from the resources used in this proof of concept.

Summary

In this post, I showed you how I join an Ubuntu instance to an Active Directory domain and how I mount an Amazon FSx file share on it. Most of the steps above should work on any flavor of Linux. Just replace the apt-get commands with the equivalent package manager commands for the target operating system, and replace the package names with their equivalents on that system. You can follow these steps not only to join all your Linux workstations to the domain, but also to take advantage of the benefits of Amazon FSx.

Amazon FSx enables customers to easily move their shared file storage to the cloud and provides a fully managed, native Windows File Server on AWS. It automatically takes care of setup and provisioning, replication, failover, and maintenance. It also supports the SMB protocol, Windows NTFS, and Active Directory integration, both on-premises and in-cloud. It integrates deeply with other services such as Amazon CloudWatch, AWS CloudTrail, AWS Managed Microsoft Active Directory, and AWS Key Management Service (AWS KMS).

As always, thanks for reading, and please leave a comment if you have any questions about AWS Storage.

Mithil Shah

As a Senior Cloud Architect from AWS Professional Services, Mithil helps customers solve their technical challenges and transform their businesses using AWS. He spends a lot of time helping customers move their data and applications to cloud, and has worked with many public sector offices including universities and government agencies.