Recently, I was working on a project where I needed to enable customers to join their Linux EC2s to their on-premises Windows AD domain. I noticed that I was occasionally getting errors like:
adcli: couldn't connect to dev.lab domain: Couldn't authenticate as: svc_dev_joiner@DEV.LAB: Client's credentials have been revoked
Initially, I'd thought I was triggering the lockout by trying to rejoin the same host to the domain in too quick succession. But then I suspected that I might actually be running into a broader-scope rate-limiting problem with the joiner-account. So, I set up a userData file that contained a block like:
```bash
# Node-name is "ip-" plus random lowercase letters; fold -w picks the length
# ($1 is unset in userData, so the ${1:-11} default of 11 applies).
hostnamectl set-hostname "ip-$( cat /dev/urandom | \
   tr -dc '[:alpha:]' | \
   tr '[:upper:]' '[:lower:]' | \
   fold -w ${1:-11} | \
   head -n 1 ).dev.lab"
```
Then I updated my `aws ec2 run-instances …` command to include a `--count 12` option. The snippet above gives me a randomized FQDN whose node-name is the string "ip-" followed by 11 (relatively) random lowercase letters. That yields a 14-character node-name, which stays under the 15-character NetBIOS limit the domain-controller enforces: because the DC is running in 2003 compatibility-mode, it refuses domain-joins from clients that want node-names longer than that. I had previously tried using:
```bash
# Deterministic node-name: each dotted-quad octet of the primary IP, hex-encoded.
hostnamectl set-hostname "$( printf '%02X' $( hostname -I | sed 's/\./ /g' ) ).dev.lab"
```
However, with my testing subnet being small, I realized that I might be generating hostnames that were already in the AD domain, which might cause its own problems. Thus, the desire for greater uniqueness in my node-names.
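As an added example (not code from the original post), the shell helpers below pull the two approaches together: a random node-name padded out to the full 15-character NetBIOS limit, a validator for the length and character-set constraints a domain controller and DNS will both accept, the deterministic hex-of-IP variant, and a retry loop that avoids names already present in the domain. The function names, the `NETBIOS_MAX` constant and the `EXISTING_NAMES` list are hypothetical; in practice that list would come from an LDAP or `adcli` query that is not shown here.

```bash
#!/bin/bash
# Added example, not from the original post. Function names are hypothetical.

NETBIOS_MAX=15

# Prefix plus random lowercase letters, padded to the full NetBIOS limit.
# LC_ALL=C keeps tr from rejecting non-UTF-8 bytes read from /dev/urandom.
gen_node_name() {
    local prefix="${1:-ip-}"
    local want=$(( NETBIOS_MAX - ${#prefix} ))
    if [ "$want" -lt 1 ]; then
        echo "gen_node_name: prefix '$prefix' leaves no room for a suffix" >&2
        return 1
    fi
    local rand
    rand=$( LC_ALL=C tr -dc 'a-z' < /dev/urandom | head -c "$want" )
    printf '%s%s\n' "$prefix" "$rand"
}

# A host label that fits NetBIOS and DNS: 1-15 chars, [a-z0-9-],
# no leading or trailing hyphen.
valid_node_name() {
    local n="$1"
    [ "${#n}" -ge 1 ] && [ "${#n}" -le "$NETBIOS_MAX" ] || return 1
    case "$n" in
        -*|*-) return 1 ;;
        *[!a-z0-9-]*) return 1 ;;
    esac
    return 0
}

# Deterministic alternative: hex-encode a dotted-quad IPv4 address.
# Same address => same name, so a recycled IP recycles the node-name.
hex_node_name() {
    local IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    printf 'ip-%02x%02x%02x%02x\n' "$1" "$2" "$3" "$4"
}

# Retry random names until one is not in a newline-separated list of
# names already registered in the domain (up to 20 attempts).
pick_unused_name() {
    local prefix="$1" existing="$2" tries=0 cand
    while [ "$tries" -lt 20 ]; do
        cand=$(gen_node_name "$prefix") || return 1
        if ! printf '%s\n' "$existing" | grep -qx "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
        tries=$((tries + 1))
    done
    return 1
}

# Constructed sample of names assumed to already exist in the domain.
EXISTING_NAMES='ip-0a000119
ip-0a00011a
ip-abcdefghijkl'

# Stand-alone demo. Setting the hostname itself needs root, e.g.:
#   hostnamectl set-hostname "${name}.dev.lab"
name=$(pick_unused_name ip- "$EXISTING_NAMES")
echo "random candidate:      $name"
echo "hex of 10.0.1.25:      $(hex_node_name 10.0.1.25)"
```

The validator is the piece worth keeping even if the random scheme is abandoned: a name that passes NetBIOS length but contains an underscore or leading hyphen will still be rejected by a strict DNS registration, and it is cheaper to catch that in userData than to debug a failed join.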
In either case, the domain-owners are going to be pissed that I'm dicking up their domain database with a crapton of "nonconformant" hostnames.