EC2 Linux Domain Join w/ SSM - AWS-JoinDirectoryServiceDomain - winbind vs sssd...


Hi all, a bit of a strange one here. I've been trying to rework my environment so that we can enable seamless domain join for any and all instances created moving forward and up until now, we have been manually joining Linux EC2 instances using sssd.

In following the documentation here (https://docs.aws.amazon.com/directoryservice/latest/admin-guide/seamlessly_join_linux_instance.html) I came to find that the AWS-JoinDirectoryServiceDomain SSM document instead uses winbind, which threw things for a bit of a loop, as nearly every component we had configured with sssd in the past was not applicable with winbind (limiting SSH access to the instance to specific groups, realm commands that were slightly different, FSx for Windows mounting commands, etc.).

After some reading, it seems that sssd is the preferred method as it is more modern and supports greater flexibility. Is there a reason winbind is being used here? Does AWS plan on updating this document to use sssd instead? Given all of the little challenges initially faced with my first seamless domain joined machine, I'm a little wary of continuing to use this document/method of seamlessly joining machines to my domain.

Thanks!

1 Answer
Accepted Answer

sssd is indeed the preferred method to add Linux instances to Active Directory; however, it has one limitation in that it does not support forest trust authentication. Red Hat documentation states:

SSSD only supports domains in a single AD forest. If SSSD requires access to multiple domains from multiple forests, consider using IPA with trusts (preferred) or the winbindd service instead of SSSD. See: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory#connecting-to-multiple-domains-different-ad-forests-sssd_connecting-directly-to-ad

Most customers using managed AD today have a forest trust back to their on-prem directory and require cross-authentication over the trust; using sssd for the domain join would block this cross-authentication. To work around this sssd limitation, winbind, which supports forest trusts by default, was used in the seamless domain join script.

I will raise a feature request on your behalf so that we could have a separate document that defaults to sssd for Active Directory domain join.

answered a year ago
  • Thanks for the detailed response and for looking into this further. The organization I'm working with started all on-cloud so there's no on-premise or legacy forest to connect back to. It would be a great alternative to either have the option to select winbind vs. sssd in the document or, if not, just to have a separate document that moves to the newer, preferred method.
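To make the two join paths from the answer above concrete, and to give a check for the situation the asker hit (an instance joined with winbind when the rest of the fleet was configured for sssd), here is an added example script. It is not part of the AWS-JoinDirectoryServiceDomain document or of the accepted answer. The domain name `example.corp`, the AD group `ssh-admins` and the sshd drop-in path are assumed placeholders; the `realm list` text it parses is constructed to match realmd's output format so the check can run offline.

```shell
#!/usr/bin/env bash
# Added example, not the AWS document's or the answer's own code.
# Assumed: realmd + adcli + sssd (or samba-winbind) packages present;
# example.corp and ssh-admins are placeholder names.
set -euo pipefail

# Parse `realm list` output (stdin) into one "realm=client-software" line
# per joined realm. This is how to tell whether a host was joined with
# sssd or winbind before assuming any sssd-specific config applies.
realm_client_software() {
  awk '
    /^[^[:space:]]/                   { realm = $1 }
    /^[[:space:]]+client-software:/   { print realm "=" $2 }
  '
}

# Succeed only if every joined realm uses the expected client software.
# Usage: realm list | expect_client_software sssd
expect_client_software() {
  local want=$1 mismatches
  mismatches=$(realm_client_software | grep -vc "=${want}\$" || true)
  [ "$mismatches" -eq 0 ]
}

# sssd join: single-forest only, as the accepted answer explains.
# Login restriction is done through realmd/sssd itself.
join_with_sssd() {  # usage: join_with_sssd example.corp
  realm join -v --client-software=sssd --membership-software=adcli "$1"
  realm deny --all
  realm permit -g "ssh-admins@$1"
}

# winbind join: what AWS-JoinDirectoryServiceDomain uses; it follows
# forest trusts by default. The sssd-style `realm permit` setup above
# does not carry over, so this example restricts logins in sshd instead.
# Assumed: sshd reads /etc/ssh/sshd_config.d/*.conf. Group naming may
# need the DOMAIN\ prefix unless `winbind use default domain` is set.
join_with_winbind() {  # usage: join_with_winbind example.corp
  realm join -v --client-software=winbind --membership-software=samba "$1"
  printf 'AllowGroups ssh-admins\n' > /etc/ssh/sshd_config.d/50-ad.conf
  systemctl reload sshd
}

# Only touch the live system when explicitly asked.
case "${1:-}" in
  --check) realm list | expect_client_software "${2:-sssd}" ;;
  --join-sssd) join_with_sssd "${2:?domain}" ;;
  --join-winbind) join_with_winbind "${2:?domain}" ;;
esac
```

Run `./join.sh --check sssd` on a freshly launched instance to find out which client software the SSM document left you with before applying sssd-specific pieces such as `ad_access_filter` or `realm permit`; a non-zero exit means at least one realm was joined with something else (winbind, for instances joined by AWS-JoinDirectoryServiceDomain).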
