Open stuhay opened 2 weeks ago
Thanks for opening this issue and the detailed explanation. + @smhmhmd who might have some thoughts
@stuhay Lines 831-836 were added for Amazon Linux where realm join needs a kerberos ticket.
This is what I had in mind
Pull Request: https://github.com/aws/amazon-ssm-agent/pull/576
To fix seamless domain join failures on Redhat/Rocky derivatives due to issues with the realm join command, update the script to use an uppercase domain in the username. This change aligns with Redhat's updated requirements. By modifying the domain joining script to handle the DOMAIN_USERNAME with an uppercase domain, seamless domain joins should succeed.
DOMAIN_USERNAME is being computed with a lowercase domain.

```sh
if echo "$DOMAIN_USERNAME" | grep "@" 2>&1 > /dev/null; then
    echo "do_domainjoin(): Found directory in username as username@directory"
else
    DOMAIN_USERNAME=${DOMAIN_USERNAME}@${DIRECTORY_NAME}
fi
```

```sh
if echo "$DOMAIN_USERNAME" | grep "@" 2>&1 > /dev/null; then
    echo "do_domainjoin(): Found directory in username as username@directory"
else
    DIRNAME_UPPER=$(echo "$DIRECTORY_NAME" | tr '[:lower:]' '[:upper:]')
    DOMAIN_USERNAME=${DOMAIN_USERNAME}@${DIRNAME_UPPER}
fi
```
Fork the Repository:

Clone the Repository:

```sh
git clone https://github.com/yourusername/amazon-ssm-agent.git
cd amazon-ssm-agent
```

Modify the Script:

Open the file using your preferred editor.

```sh
vim agent/plugins/domainjoin/domainjoin_unix_script.go
```

Update lines 831-836 or the necessary parts as per the proposed changes.
Ensure other similar references in the script are also updated if required.

Test Your Changes:

Commit and Push Your Changes:

```sh
git add agent/plugins/domainjoin/domainjoin_unix_script.go
git commit -m "Fix: Convert domain name to uppercase in domain join script"
git push origin main
```

Create a Pull Request:
Updating the domainjoin_unix_script.go script as described ensures the DOMAIN_USERNAME includes an uppercase domain, addressing the seamless domain join failures on Redhat/Rocky derivatives. This approach follows Redhat's recent requirements and should resolve the issue effectively.
It seems that recently, our seamless domain joins have all been failing for Redhat/Rocky derivatives.
I narrowed down the problem to the realm join command where the DOMAIN_USERNAME has been computed to be username with a lowercase domain (when provided with no domain portion in the username). As per Redhat, this is no longer supported: https://access.redhat.com/solutions/5592351
When manually updating the script to use an uppercase domain, the domain seems to be successful.
I am guessing we need to update these lines https://github.com/aws/amazon-ssm-agent/blob/mainline/agent/plugins/domainjoin/domainjoin_unix_script.go#L831-L836 to be like this
It seems like part of the script has been patched for that already eg. https://github.com/aws/amazon-ssm-agent/blob/mainline/agent/plugins/domainjoin/domainjoin_unix_script.go#L848 https://github.com/aws/amazon-ssm-agent/blob/mainline/agent/plugins/domainjoin/domainjoin_unix_script.go#L136
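
An added example, not part of the issue thread or the amazon-ssm-agent code: a POSIX sh helper that goes beyond the proposed change by also uppercasing the realm when the caller already supplied username@directory, a case the snippet in the thread only logs. The function name normalize_domain_username, the sample values, and the character check on the realm are assumptions made for illustration.

```sh
#!/bin/sh
# Added example; not code from amazon-ssm-agent.
# normalize_domain_username USER DIRECTORY_NAME   (hypothetical helper)
# Prints USER@REALM with the realm upper-cased, or fails with status 1.
# The body runs in a subshell so its variables do not leak to the caller.
normalize_domain_username() (
    user=$1
    directory=$2
    case $user in
        *@*)
            # Caller passed username@directory: split at the last '@'.
            realm=${user##*@}
            user=${user%@*}
            ;;
        *)
            # Bare username: take the realm from the directory name.
            realm=$directory
            ;;
    esac
    if [ -z "$user" ] || [ -z "$realm" ]; then
        echo "normalize_domain_username: empty user or realm" >&2
        exit 1
    fi
    # Assumption: the realm is a DNS-style name (letters, digits, '.', '-').
    case $realm in
        *[!A-Za-z0-9.-]*)
            echo "normalize_domain_username: unexpected character in realm" >&2
            exit 1
            ;;
    esac
    realm=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    printf '%s@%s\n' "$user" "$realm"
)

# Constructed sample inputs, not values from the issue.
for u in jdoe jdoe@corp.example.com jdoe@CORP.EXAMPLE.COM; do
    normalize_domain_username "$u" corp.example.com
done
```

Only the realm is changed; the user part keeps its original case, and an empty user or realm is rejected before anything reaches realm join.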