Open aareet opened 4 years ago
AWS provides two Directory services. Unfortunately the provider will not work at all with the "Basic Directory" service, because it's essentially a managed Samba instance. The other service they provide is the "Managed AD" service which is a managed Active Directory cluster. The problem with this one is that it does not come with WinRM enabled, nor does it allow you to enable it.
I am currently evaluating this provider, like you say @koikonom Managed AD is effectively a blackbox. My solution so far is to use a companion EC2 administration host (which is AWS recommended for operational use anyway).
Hi @tomwerneruk, This is what I was thinking to try next. I just don't know if the powershell commands the provider runs will work "as is" or if they require any changes (Such as add a -ComputerName parameter or something).
I too am trying to get this to work with AWS Managed AD and a separate admin host. I believe I have managed to connect via Kerberos authentication but am now facing the following error:
`Error: command Get-ADUser exited with a non-zero exit code 1, stderr: #< CLIXML
I would like to run this provider from my laptop, which is not in the AWS private network. The typical way to get into a VPC network isn't by VPN; it's by ssh
or RDP through a bastion host. From the bastion host, which is joined to the domain, the provider could get access to the AD controller, but not with WinRM.
Are there plans to make this work? I would imagine that whatever solution is used for AWS Managed AD would work with other cloud providers.
For future reference (mostly mine) the canonical way to manage AWS Managed Microsoft AD services is using RSAT: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/microsoftadbasestep3.html (see the last step which essentially combines other Install-WindowsFeature
commands elsewhere in the documentation) which is also the canonical way to manage Samba AD-DC servers from Windows. https://wiki.samba.org/index.php/Installing_RSAT (The Powershell command in the AWS documentation and the dism
command in the Samba documentation are functionally equivalent)
So if we can update this provider to be able to be configured to talk the appropriate RSAT protocols, we should be able to manage AWS Managed AD servers and Samba AD-DC servers assuming we can get single-hop access.
It would probably be a safe bet that if you're modifying the AD, then you have AD credentials. If there needs to be a hop, then a bastion server that's running ssh (which could be locked to only talk to the internal network and a few trusted IPs) that is joined to the domain and could start an ssh tunnel using AD credentials could be assumed to exist in some hop scenarios. The credentials may be separate from the AD credentials as well, if a general solution is desired.
Basically, what I just said is like many database GUI clients that have an option to do ssh tunneling before talking to the database instead of directly opening a connection to the database.
@SkUrRiEr I agree, the provider should speak a protocol that the AWS Managed AD understands. It may be that the RSAT actually uses WinRM.
@Type1J, my understanding is that RSAT (which I think refers to the Tools on Windows, not the actual protocol) pre-dates WinRM. I'd expect that the Powershell management commands (e.g. Get-ADUser
) communicate with the AD server on Windows using the same protocol as the RSAT tools.
@SkUrRiEr I hope so. Is the protocol documented?
Hello,
Since WinRM connectivity on an AWS managed DC is not possible we would have to somehow work through an intermediate host. Since this has been requested a few times now I've opened a new issue to discuss about it.
I would love to hear your thoughts on https://github.com/hashicorp/terraform-provider-ad/issues/99 .
Quick update on this issue. Starting with version v0.4.3 it is now possible to use most of the provider's functionality with the AWS managed AD service by leveraging the "double hop" authentication method. See this section in the provider docs that explains how double hop authentication is expected to work.
Pending work:
Can you provide an documentation with steps to configure this provider to manage AWS Managed Active Directory Remotely?
Description
References
Community Note