aws / amazon-ssm-agent

An agent to enable remote management of your EC2 instances, on-premises servers, or virtual machines (VMs).
https://aws.amazon.com/systems-manager/
Apache License 2.0

Seamless Domain join not working for Redhat 9 & Rocky 9 #575

Open stuhay opened 2 weeks ago

stuhay commented 2 weeks ago

It seems that recently, our seamless domain joins have all been failing for Redhat/Rocky derivatives.

I narrowed down the problem to the realm join command, where DOMAIN_USERNAME has been computed to be the username with a lowercase domain (when no domain portion is provided in the username).

As per Redhat, this is no longer supported: https://access.redhat.com/solutions/5592351

When manually updating the script to use an uppercase domain, the domain join seems to be successful.

I am guessing we need to update these lines https://github.com/aws/amazon-ssm-agent/blob/mainline/agent/plugins/domainjoin/domainjoin_unix_script.go#L831-L836 to be like this:

    if echo "$DOMAIN_USERNAME" | grep -q "@"; then
        # Use username@RemoteTrustedDir (Active Directory Trust) to join
        echo "do_domainjoin(): Found directory in username as username@directory"
    else
        # No realm in the username: append the directory name in uppercase
        # (quote the tr classes so the shell does not glob-expand them)
        DIRNAME_UPPER=$(echo "$DIRECTORY_NAME" | tr '[:lower:]' '[:upper:]')
        DOMAIN_USERNAME=${DOMAIN_USERNAME}@${DIRNAME_UPPER}
    fi

It seems like part of the script has been patched for that already, e.g. https://github.com/aws/amazon-ssm-agent/blob/mainline/agent/plugins/domainjoin/domainjoin_unix_script.go#L848 and https://github.com/aws/amazon-ssm-agent/blob/mainline/agent/plugins/domainjoin/domainjoin_unix_script.go#L136
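The branch logic proposed above, as a stand-alone POSIX sh function so both cases can be checked outside the agent (added example, not code from the agent's script; the user and directory names are constructed inputs):

```shell
#!/bin/sh
# compute_domain_username USERNAME DIRECTORY_NAME
# Prints the principal the patched do_domainjoin() block would hand to
# `realm join`: the username unchanged when it already carries a realm,
# otherwise username@DIRECTORY with the directory name upper-cased.
compute_domain_username() {
    domain_username=$1
    directory_name=$2
    case "$domain_username" in
        *@*)
            # Caller supplied username@directory (for example a user from a
            # trusted directory): the script leaves it untouched.
            ;;
        *)
            # No realm given: append DIRECTORY_NAME in uppercase, which is the
            # Kerberos realm form that realm join on RHEL 9 / Rocky 9 accepts.
            # The tr classes are quoted so the shell cannot glob-expand them
            # against files in the current directory.
            dirname_upper=$(printf '%s' "$directory_name" | tr '[:lower:]' '[:upper:]')
            domain_username="${domain_username}@${dirname_upper}"
            ;;
    esac
    printf '%s\n' "$domain_username"
}

# Walk through constructed inputs and show what each one resolves to.
demo() {
    for input in "joinuser" "admin@TRUST.EXAMPLE.COM"; do
        printf '%-26s -> %s\n' "$input" \
            "$(compute_domain_username "$input" "corp.example.com")"
    done
}
```

Run `demo` in a shell that has sourced the file to see both branches; the first input gains an uppercase realm, the second keeps the realm it was given.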

Beau-Gosse-dev commented 2 weeks ago

Thanks for opening this issue and the detailed explanation. + @smhmhmd who might have some thoughts

smhmhmd commented 2 weeks ago

@stuhay Lines 831-836 were added for Amazon Linux, where realm join needs a Kerberos ticket.

stuhay commented 2 weeks ago

This is what I had in mind:

Pull Request: https://github.com/aws/amazon-ssm-agent/pull/576

taitaitai1777 commented 8 hours ago

Title: Fixing Seamless Domain Join Failures on Redhat/Rocky Derivatives


Summary:

To fix seamless domain join failures on Redhat/Rocky derivatives due to issues with the realm join command, update the script to use an uppercase domain in the username. This change aligns with Redhat's updated requirements. By modifying the domain joining script to handle the DOMAIN_USERNAME with an uppercase domain, seamless domain joins should succeed.


Step-by-Step Guide:

1. Issue Identification:

2. Script Location:

3. Proposed Changes:

Original Code (Simplified for Reference):

    if echo "$DOMAIN_USERNAME" | grep "@" 2>&1 > /dev/null; then
        echo "do_domainjoin(): Found directory in username as username@directory"
    else
        DOMAIN_USERNAME=${DOMAIN_USERNAME}@${DIRECTORY_NAME}
    fi

Updated Code:

    if echo "$DOMAIN_USERNAME" | grep "@" 2>&1 > /dev/null; then
        echo "do_domainjoin(): Found directory in username as username@directory"
    else
        DIRNAME_UPPER=$(echo "$DIRECTORY_NAME" | tr '[:lower:]' '[:upper:]')
        DOMAIN_USERNAME=${DOMAIN_USERNAME}@${DIRNAME_UPPER}
    fi

4. Implementation Steps:

  1. Fork the Repository:

    • Fork the AWS SSM Agent repository to your GitHub account.
  2. Clone the Repository:

    git clone https://github.com/yourusername/amazon-ssm-agent.git
    cd amazon-ssm-agent
  3. Modify the Script:

    • Open the file using your preferred editor.

      vim agent/plugins/domainjoin/domainjoin_unix_script.go
    • Update lines 831-836 or the necessary parts as per the proposed changes.

    • Ensure other similar references in the script are also updated if required.

  4. Test Your Changes:

    • Build the modified agent.
    • Test the agent on a Redhat/Rocky derivative instance to ensure the domain join works correctly with the uppercase domain name.
  5. Commit and Push Your Changes:

    git add agent/plugins/domainjoin/domainjoin_unix_script.go
    git commit -m "Fix: Convert domain name to uppercase in domain join script"
    git push origin main
  6. Create a Pull Request:

    • Navigate to the original repository.
    • Create a pull request from your fork.

Updating the domainjoin_unix_script.go script as described ensures the DOMAIN_USERNAME includes an uppercase domain, addressing the seamless domain join failures on Redhat/Rocky derivatives. This approach follows Redhat's recent requirements and should resolve the issue effectively.