Linux EC2 - Domain Joined via SSM Document, visudo configuration not working

0

Hi all, I used the following doc to join my Linux EC2 instances to my (Directory Services) domain: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/seamlessly_join_linux_instance.html

I then used this doc to edit the visudo file to provide root privileges to our domain admins: https://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_linux_instance_winbind.html. Specifically, the very bottom, 11b --

"After the instance has restarted, connect to it with any SSH client and add the root privileges for a domain user or group to the sudoers list by performing the following steps -- Add the required groups or users from your Trusting or Trusted domain as follows, and then save it."

Adding Domain Users/Groups.

%domainname\AWS\ Delegated\ Administrators ALL=(ALL:ALL) ALL
%domainname\groupname ALL=(ALL:ALL) ALL
domainname\username ALL=(ALL:ALL) ALL
%Trusted_DomainName\groupname ALL=(ALL:ALL) ALL
Trusted_DomainName\username ALL=(ALL:ALL) ALL

However, on adding the default -- AWS Delegated Administrators, this doesn't work. I've tried every combination of capital or lowercase domain name but unfortunately, nothing seems to work.

1 Answer
0

Based on the information you've shared, it seems that the issue is specifically with the AWS Delegated Administrators group. The documentation you referenced suggests that you should be able to add this group to the sudoers list to grant the necessary privileges. However, it's possible that the group name or format is not being recognized correctly.

Here are a few things you can try:

Verify the group name: Double-check the exact name of the AWS Delegated Administrators group in your directory service. Ensure that the spelling, capitalization, and any spaces are correct. [2]

Try different formats: In the sudoers file, you can try different formats for specifying the group, such as:

%domainname\AWS Delegated Administrators ALL=(ALL:ALL) ALL

%domainname"AWS Delegated Administrators" ALL=(ALL:ALL) ALL

%"domainname\AWS Delegated Administrators" ALL=(ALL:ALL) ALL

Check the domain name: Ensure that you're using the correct domain name for your directory service. Double-check the spelling and capitalization.

Verify the group membership: Confirm that the user or group you're trying to add to the sudoers list is actually a member of the AWS Delegated Administrators group in your directory service.

Try a different user or group: If the AWS Delegated Administrators group is still not working, you can try adding a different user or group from your directory service to the sudoers list to see if that works.

answered 2 months ago
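An added worked example, not from the question, the answer, or the AWS documentation, showing the two checks I would run before editing sudoers at all and how to write the rule once the name is known. The point both posts circle around is that sudoers(5) uses backslash as its escape character: inside a %group name every space has to be written as "\ " and every literal backslash as "\\", so the group has to be spelled exactly as the instance's NSS stack resolves it. That spelling depends on the join method: an SSSD join (the seamless-join document) commonly presents names as group@domain, while the Winbind document's format is DOMAIN\group, so "getent group" on the instance is the source of truth, and "id <user>" shows whether the user is actually a member. The domain names CORP and corp.example.com, the file path under /etc/sudoers.d, and the function names are my constructed placeholders, not values from the page.

```shell
#!/bin/sh
# Added example (not from the question, the answer, or AWS's docs): build a sudoers
# rule for a directory group whose name contains spaces and/or a backslash, then
# validate it with visudo before it can be relied on.
#
# sudoers(5) treats backslash as its escape character, so inside a %group name
# every space must be written as "\ " and every literal backslash as "\\".
# Constructed sample names used in the tests:
#   CORP\AWS Delegated Administrators               (Winbind-style, DOMAIN\group)
#   aws delegated administrators@corp.example.com   (SSSD-style, group@domain)

# sudoers_escape NAME -> NAME with backslashes and spaces escaped for sudoers(5)
sudoers_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/ /\\ /g'
}

# sudoers_group_rule NAME -> one complete rule line granting the group full sudo
sudoers_group_rule() {
    printf '%%%s ALL=(ALL:ALL) ALL\n' "$(sudoers_escape "$1")"
}

# resolved_group_name NAME -> the group name exactly as NSS (SSSD or Winbind)
# presents it, or empty if the instance cannot resolve it at all; a rule for a
# name that does not resolve can never match, whatever its capitalisation
resolved_group_name() {
    getent group "$1" 2>/dev/null | cut -d: -f1
}

# user_in_group USER GROUP -> exit 0 if USER's supplementary groups include GROUP
user_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -Fxq "$2"
}

# install_group_rule NAME FILE -> write the rule to FILE (for real use something
# like /etc/sudoers.d/domain-admins, a constructed path), set the 0440 mode sudo
# expects, and syntax-check it with visudo(8) when the tool is available
install_group_rule() {
    name=$1
    file=$2
    sudoers_group_rule "$name" > "$file" || return 1
    chmod 0440 "$file" || return 1
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$file"
    fi
}
```

Usage on a joined instance would be: resolve the name first ("resolved_group_name 'CORP\AWS Delegated Administrators'" or "resolved_group_name 'aws delegated administrators@corp.example.com'"), confirm membership with user_in_group, install the rule from the resolved spelling, and then check the result from root's side with "sudo -l -U <user>", which lists the rules sudo will actually apply to that account.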