aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

Linux domainjoin fails with "Failed: Cannot find parent directory Id" #461

Open fleetcaptain opened 2 years ago

fleetcaptain commented 2 years ago

This issue may be related to #418.

I'm testing AWS Directory Services and getting the error "Failed: Cannot find parent directory Id" when trying to use the aws-domainjoin plugin in Systems Manager.

The aws_domainjoin.sh script at https://github.com/aws/amazon-ssm-agent/blob/mainline/agent/plugins/domainjoin/domainjoin_unix_script.go has function get_servicecreds() which looks like:

```bash
get_servicecreds() {
    SECRET_ID="${SECRET_ID_PREFIX}/$DIRECTORY_ID/seamless-domain-join"
    SECRET_VALUE=$($AWSCLI secretsmanager get-secret-value --secret-id "$SECRET_ID" --region $REGION --query "SecretString" --output text 2>/dev/null)
    if [ $? -ne 0 ]; then
        PARENT_DIRECTORY_ID=$($AWSCLI ds describe-directories --region $REGION --query "DirectoryDescriptions[?DirectoryId =='$DIRECTORY_ID'].OwnerDirectoryDescription.DirectoryId | [0]" | sed 's/"//g')
        if [ $? -ne 0 ] || [ -z "$PARENT_DIRECTORY_ID" ] || [ "$PARENT_DIRECTORY_ID" = null ]; then
            echo "Failed: Cannot find parent directory Id"
            exit 1
        fi
        PARENT_ACCOUNT_ID=$($AWSCLI ds describe-directories --region $REGION --query "DirectoryDescriptions[?DirectoryId =='$DIRECTORY_ID'].OwnerDirectoryDescription.AccountId | [0]" | sed 's/"//g')
        if [ $? -ne 0 ] || [ -z "$PARENT_ACCOUNT_ID" ] || [ "$PARENT_ACCOUNT_ID" = null ]; then
            echo "Failed: Cannot find parent account Id"
            exit 1
        fi
        SECRET_ID="arn:aws:secretsmanager:${REGION}:${PARENT_ACCOUNT_ID}:secret:aws/directory-services/${PARENT_DIRECTORY_ID}/seamless-domain-join"
        SECRET_VALUE=$($AWSCLI secretsmanager get-secret-value --secret-id "$SECRET_ID" --region $REGION --query 'SecretString' --output text 2>/dev/null)
        if [ $? -ne 0 ] || [ -z "$SECRET_VALUE" ]; then
            echo "***Failed: aws secretsmanager get-secret-value"
            exit 1
        fi
    fi
}
```

If I understand correctly, the "***Failed: Cannot find parent directory Id" message is generated if this AWS CLI command fails: $AWSCLI ds describe-directories --region $REGION --query "DirectoryDescriptions[?DirectoryId =='$DIRECTORY_ID'].OwnerDirectoryDescription.DirectoryId | [0]" | sed 's/"//g'

If I run a subset of that command manually: aws ds describe-directories --region us-east-2 ...the JSON value OwnerDirectoryDescription does not seem to appear in the output. Did describe-directories change the output format recently?

Wondering if I missed something else.

smhmhmd commented 2 years ago

@fleetcaptain, if you have root access you can go to the corresponding /var/lib directory and run aws_domainjoin.sh yourself with the parameters and paste the error. The parameters can be seen in /var/log/amazon/ssm/amazon.log. I am assuming you have set up Secrets Manager access.

smhmhmd commented 2 years ago

@fleetcaptain

If I run a subset of that command manually: aws ds describe-directories --region us-east-2 ...the JSON value OwnerDirectoryDescription does not seem to appear in the output. Did describe-directories change the output format recently?

Works for me

% aws ds describe-directories --region us-east-2
{
    "DirectoryDescriptions": [
        {

fleetcaptain commented 2 years ago

Thanks, I'll try running the script manually and see what happens.

fleetcaptain commented 2 years ago

Running the command manually appears to have resolved my issue. Thank you!

digihunch commented 1 month ago

I also came across this issue with my client, where the absence of OwnerDirectoryDescription from the response of describe-directories causes the seamless joining script to fail. Can this be reviewed and fixed? The manual approach would create a lot of toil.

The OwnerDirectoryDescription seems to be present only when the Directory is shared via "Scale and Share" from a different account. That means the script won't work for:

  1. the instance lives in the same account as the Directory (not shared, thus no "OwnerDirectory")
  2. the directory is an AD Connector (AD Connector doesn't support sharing at all, so no "OwnerDirectory" either)
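
The two cases above can be checked against the describe-directories response directly. The following is an added example, not code from the issue or from the amazon-ssm-agent project: it applies the script's secret-naming scheme to a constructed describe-directories payload, assumes SECRET_ID_PREFIX is "aws/directory-services", and falls back to a same-account secret name when OwnerDirectoryDescription is absent instead of reporting a missing parent directory.

```python
import json

# Constructed sample of `aws ds describe-directories` output (not real AWS data):
# a directory shared in from an owner account, a locally owned directory, and an
# AD Connector. Only the shared entry carries OwnerDirectoryDescription, the
# field the domain-join script relies on for its parent lookup.
SAMPLE_DESCRIBE_DIRECTORIES = json.loads("""
{"DirectoryDescriptions": [
  {"DirectoryId": "d-1111111111", "Type": "SharedMicrosoftAD",
   "OwnerDirectoryDescription": {"DirectoryId": "d-0000000000",
                                 "AccountId": "111111111111"}},
  {"DirectoryId": "d-2222222222", "Type": "MicrosoftAD"},
  {"DirectoryId": "d-3333333333", "Type": "ADConnector"}
]}
""")

SECRET_ID_PREFIX = "aws/directory-services"  # assumed value of the script's prefix


def resolve_secret_id(describe_output, directory_id, region):
    """Return the Secrets Manager identifier holding the seamless-join
    credentials for directory_id, following the script's naming scheme.

    Shared directory            -> ARN of the secret in the owner account.
    Same-account / AD Connector -> plain secret name, resolved in this account.
    Directory not visible       -> ValueError naming the real problem, rather
                                   than a misleading "parent directory" error.
    """
    matches = [d for d in describe_output.get("DirectoryDescriptions", [])
               if d.get("DirectoryId") == directory_id]
    if not matches:
        raise ValueError(f"directory {directory_id} not visible in {region}")
    owner = matches[0].get("OwnerDirectoryDescription")
    if owner and owner.get("DirectoryId") and owner.get("AccountId"):
        return (f"arn:aws:secretsmanager:{region}:{owner['AccountId']}:secret:"
                f"{SECRET_ID_PREFIX}/{owner['DirectoryId']}/seamless-domain-join")
    # No OwnerDirectoryDescription: the directory is owned in this account (or is
    # an AD Connector, which cannot be shared), so the secret must live here too.
    return f"{SECRET_ID_PREFIX}/{directory_id}/seamless-domain-join"
```
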

smhmhmd commented 1 month ago

Tagging @rhaoran-aws @VishnuKarthikRavindran

VishnuKarthikRavindran commented 1 month ago

Thanks for reaching out to us @digihunch. We will look into it.

philipakash commented 3 weeks ago

Does this mean that we cannot use Run Command for domain join with AD Connectors?