ubuntu / adsys

Active Directory bridging tool suite
GNU General Public License v3.0

AWS Managed AD and Azure AD DS are not supported #712

Open 1Dimitri opened 1 year ago

1Dimitri commented 1 year ago

Description

PaaS offers for Active Directory from AWS and Microsoft Azure do not grant administrators the needed rights to install the GPO policies at the suggested file location.

Reproduction

For AWS

  1. Create an AWS Managed AD environment from the Directory service and wait for the initial replication to complete
  2. Create an EC2 instance and join it to the domain
  3. Try to follow the steps in [https://github.com/ubuntu/adsys/wiki/07.-Scripts-execution] by creating the Ubuntu folder
  4. You receive an Access Denied Error

For Azure AD DS

  1. Create an Azure AD DS environment from the marketplace and wait for the initial replication to complete
  2. Put one Azure AD user in the "AAD DC Administrators*" Azure AD Group
  3. Wait for this group membership to be updated
  4. Create an Azure VM
  5. Join this Azure VM to the domain (do not Azure AD join it)
  6. Try to follow the steps in [https://github.com/ubuntu/adsys/wiki/07.-Scripts-execution] by creating the Ubuntu folder
  7. You receive an Access Denied Error

Environment

Installed versions

Additional context

AWS and Azure offer managed AD services, where you do not have access to the VMs which are the Domain Controllers of the created single-domain forest. In order to avoid corruption, you are not granted "Domain Admins" group membership but membership in specific created groups which can, through delegation, do many Domain Admins actions, but not all.

In particular, for the SYSVOL folder:

enidevops commented 1 year ago

any update on this? we are facing the same issue.

denisonbarbosa commented 1 year ago

Hey @1Dimitri, thanks for reporting the issue! I'll mark it a feature request since it's not something that we can tackle without deeper research and quite some changes in the way we set up the project. Does this happen only for policies that require the creation of the SYSVOL/Ubuntu directory?

1Dimitri commented 1 year ago

Hello. Yes. The culprit is that you are not delegated enough rights in this PaaS offer to create a folder at the Sysvol level. Therefore you cannot use GPOs which need that folder (login scripts, basically). If you decided that the distribution id is no longer named "Ubuntu" but "awesomebuntu", the same problem would arise. If you were willing to have no problem with any of those providers, the adsys client should have a way to search for scripts under the sysvol\scripts\ folder for each GPO, like the Windows native client does.

I've already asked the AWS Support to enter a feature request for the AWS Directory Service team so if you have contacts at Amazon I can provide you with the ticket number
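The reproduction steps in the issue and the last comment both come down to one question: does the delegated admin account have create rights at the SYSVOL\<domain> level, or only inside the per-GPO folders that the native Windows client uses? The following pre-flight check is an added example, not code from adsys or from anyone in this thread. It is meant to be run from a domain-joined Windows management host as the delegated account before following the wiki steps. The domain name `corp.example.com`, the GPO name `Ubuntu Test` and the probe folder names are assumptions; replace them with values from your environment.

```powershell
# Added example (not part of adsys or of this issue): pre-flight check for the
# SYSVOL write access that the adsys scripts-execution setup needs.
# Run on a domain-joined Windows host as the delegated admin account.
# Assumptions: $Domain is the DNS name of the managed domain and a GPO named
# $GpoName already exists and is editable by this account.
param(
    [string]$Domain  = "corp.example.com",   # assumption: your managed AD domain
    [string]$GpoName = "Ubuntu Test"         # assumption: any GPO you can edit
)

$sysvolDomain = "\\$Domain\SYSVOL\$Domain"
$ubuntuRoot   = Join-Path $sysvolDomain "Ubuntu"

function Test-CanCreateFolder {
    param([string]$Path)
    # Try to create the folder and remove it again. An access-denied error here
    # is exactly the symptom reported for AWS Managed AD and Azure AD DS.
    try {
        New-Item -Path $Path -ItemType Directory -ErrorAction Stop | Out-Null
        Remove-Item -Path $Path -Force -ErrorAction Stop
        return $true
    } catch {
        Write-Warning ("{0}: {1}" -f $Path, $_.Exception.Message)
        return $false
    }
}

# 1. SYSVOL\<domain> root: where the adsys wiki asks for the "Ubuntu" folder.
$rootOk = Test-CanCreateFolder -Path $ubuntuRoot
Write-Host ("Create {0}: {1}" -f $ubuntuRoot, $(if ($rootOk) { "OK" } else { "ACCESS DENIED" }))

# 2. Inside one GPO's own folder: where the native Windows client keeps per-GPO
#    scripts (Policies\{GUID}\Machine\Scripts) and where delegated GPO editors
#    are normally allowed to write.
Import-Module GroupPolicy -ErrorAction Stop
$gpo        = Get-GPO -Name $GpoName -ErrorAction Stop
$gpoScripts = Join-Path $sysvolDomain "Policies\{$($gpo.Id)}\Machine\Scripts\adsys-probe"
$gpoOk      = Test-CanCreateFolder -Path $gpoScripts
Write-Host ("Create {0}: {1}" -f $gpoScripts, $(if ($gpoOk) { "OK" } else { "ACCESS DENIED" }))

# 3. Show who is actually granted what at the SYSVOL\<domain> level, so you can
#    see whether the provider's delegated group (for example "AAD DC Administrators"
#    on Azure AD DS) appears there at all.
(Get-Acl -Path $sysvolDomain).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

If step 1 reports ACCESS DENIED while step 2 reports OK, the account is delegated rights inside GPO folders but not at the SYSVOL root, which matches what the reporter describes and is why a per-GPO script location (as the native client uses) would work where a fixed SYSVOL\<domain>\Ubuntu folder does not. The probe creates and deletes a folder, so run it with an account and GPO you are comfortable touching.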