sssd is indeed the preferred method to add Linux instances to Active Directory; however, it has one limitation: it does not support forest trust authentication. Red Hat documentation states:
SSSD only supports domains in a single AD forest. If SSSD requires access to multiple domains from multiple forests, consider using IPA with trusts (preferred) or the winbindd service instead of SSSD. See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory#connecting-to-multiple-domains-different-ad-forests-sssd_connecting-directly-to-ad
Most customers using managed AD today have a forest trust back to their on-prem AD and require cross-authentication over the trust. Using sssd for the domain join would block this cross-authentication. To work around this sssd limitation, Winbind, which supports forest trusts by default, was used in the seamless domain join script.
I will raise a feature request on your behalf so that we could have a separate document that defaults to sssd for Active Directory domain join.
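For readers who want to see what the winbind side of the trade-off described above looks like in practice, here is an added smb.conf fragment for an AD-joined member server that also resolves users from a trusted forest. It is an illustration written for this page, not the configuration produced by the seamless domain join script or any AWS documentation. The realm CORP.EXAMPLE.COM, the NetBIOS names CORP and ONPREM, and all ID ranges are assumptions chosen for the example.

```ini
# Added example smb.conf fragment. Not taken from the seamless domain join
# script or from AWS documentation. Realm, workgroup, trusted-domain name
# and idmap ranges are assumptions for illustration only.
[global]
   security = ads
   realm = CORP.EXAMPLE.COM
   workgroup = CORP
   kerberos method = secrets and keytab
   winbind refresh tickets = yes
   # Unqualified logins resolve only against CORP; users from the trusted
   # forest must log in as ONPREM\user (or ONPREM+user with a custom separator).
   winbind use default domain = yes
   winbind enum users = no
   winbind enum groups = no
   # Default is already yes; stated explicitly because the whole point of
   # choosing winbind over sssd here is the forest trust.
   allow trusted domains = yes
   template shell = /bin/bash
   template homedir = /home/%D/%U

   # Fallback backend for any domain without an explicit idmap entry.
   # Its range must not overlap the per-domain ranges below.
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999

   # Joined domain: deterministic, RID-based UID/GID mapping, so the same
   # user gets the same UID on every host that uses this configuration.
   idmap config CORP : backend = rid
   idmap config CORP : range = 10000-999999

   # Trusted forest reached over the forest trust (e.g. the on-prem AD).
   # Without this entry its users fall through to the tdb backend above and
   # receive host-local, non-reproducible UIDs, which breaks NFS and
   # any cross-host permission model.
   idmap config ONPREM : backend = rid
   idmap config ONPREM : range = 1000000-1999999
```

After `net ads join -U Administrator` and a restart of winbind, `wbinfo -m` should list ONPREM alongside CORP, `wbinfo --online-status` should report both as online, and `getent passwd 'ONPREM\someuser'` should return a UID inside the 1000000-1999999 range. If a trusted-forest user resolves to a UID below 8000, the domain is missing its explicit idmap entry and is being mapped by the tdb fallback. Note that each trusted domain needs its own non-overlapping idmap entry; there is no single setting that covers every domain in the trusted forest.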
Thanks for the detailed response and for looking into this further. The organization I'm working with started all on-cloud so there's no on-premise or legacy forest to connect back to. It would be a great alternative to either have the option to select winbind vs. sssd in the document or, if not, just to have a separate document that moves to the newer, preferred method.