Add support for pre existing Active Directory user

[michalpristas]

Waiting on custom windows image for testing with AD e2e.

New flags are introduced

• user
• group
• password (windows only)

These flags are taken into account only when --unprivileged is used.

New user is added same permissions as elastic-agent user when created in order to be able to log on as a service (otherwise agent won't start)

Custom user won't be created and needs to be present

Testing steps

Create a windows VM (windows server 2022)

Run script 1 that will prepare Active Directory

Script will also wait for AD services to start

$domainname = 'testing.local'
$addsSecurePass = ConvertTo-SecureString 'Changeme123+' -AsPlainText -Force

# install ad domain services
Install-WindowsFeature -name AD-Domain-Services -IncludeManagementTools


# setup pass for administrator to conform to forest requirements
net user Administrator 'Changeme123+' /passwordreq:yes

# add a new forest testing.com
Install-ADDSForest -DomainName $domainname -InstallDNS -ErrorAction Stop -NoRebootOnCompletion -SafeModeAdministratorPassword $addsSecurePass -Confirm:$false 

# reboot needs to be performed so changes are effective

Reboot to make changes effective

Run script that will prepare user

$domainname = 'testing.local'
$addsSecurePass = ConvertTo-SecureString 'Changeme123+' -AsPlainText -Force

# wait for AD to boot up
$domainFound = $true

$newObjectParameters = @{
    TypeName = 'System.DirectoryServices.ActiveDirectory.DirectoryContext'
    ArgumentList = @(
        "Domain"
        $domainname
    )
}

$DirectoryContext = New-Object @newObjectParameters

$startDate = Get-Date
do {
    try
    {
        [System.DirectoryServices.ActiveDirectory.DomainController]::FindOne($DirectoryContext)
        $domainFound = $true
    }
    catch
    {
        $domainFound = $false
        Start-Sleep -s 2
    }
} until ($domainFound -and $startDate.AddMinutes(5) -gt (Get-Date))


# add user
New-ADUser -Name 'TestingUser' -AccountPassword $addsSecurePass -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true

Scenario 1

• install as unpriviledged elastic-agent install --unprivileged --user="testing.local\TestUser" --password=Changeme123+
• check permissions are set to user and service is running as this user

Scenario 2

• install as admin
• switch to unpriviledged elastic-agent unprivileged --user="testing.local\TestUser" --password=Changeme123+
• check permissions are set to user and service is running as this user

Resolves #4585

[elasticmachine]

Pinging @elastic/elastic-agent-control-plane (Team:Elastic-Agent-Control-Plane)

[andrzej-stencel]

Why only allow custom user for unprivileged mode? Do we not allow to specify custom user when installing in privileged mode?

[andrzej-stencel]

Isn't this regex match equivalent to the strings.Contains?

[michalpristas]

yeah basically. but i'd rather change regexp to be more strict and changing regexp and not allow multiple \s instead of using contains
need to check windows reqs for domain and user names

[blakerouse]

This looks good. Thanks for the fixes on checking the domain name in the user.

[amolnater-qasource]

Thank you for the update. @ycombinator
We have setup the Windows VM at our end using above scripts.
Further, we will be testing this as soon as these changes are merged and are available in latest snapshot.

Thanks!

[kilfoyle]

Thanks for the summary @ycombinator!
@michalpristas, here's a PR for the documentation. Please let me know whatever I've missed.

[elastic-sonarqube]

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 40%)

See analysis details on SonarQube

[ycombinator]

Not sure why SonarQube is reporting 0% coverage when there is a unit test added in this PR. Perhaps it's because it's a Windows-only test file?

The remaining CI checks are green. Force merging as we're trying to get this feature into 8.17.0.

[amolnater-qasource]

Hi @ycombinator

We have revalidated this on latest 8.17.0 BC6 kibana cloud environment and had below observations:

Observations:
Scenario 1:

• Install agent as unpriviledged: elastic-agent install --unprivileged --user="testing.local\TestUser" --password=Changeme123+
• Checked permissions are set to TestUser and service is running as TestUser.
  
  

Scenario 2:

• Installed agent as admin.
• Then switched to unpriviledged: elastic-agent unprivileged --user="testing.local\TestUser" --password=Changeme123+
• Checked permissions are set to TestUser and service is running as TestUser.
  
  
  
  
  

Logs:
elastic-agent-diagnostics-2024-12-11T08-50-00Z-00.zip

Build details:
VERSION: 8.17.0 BC6
BUILD: 80521
COMMIT: e8a820624a03a412433584d3e3df951838e4c63c
Artifact Link: https://staging.elastic.co/8.17.0-6b31e673/downloads/beats/elastic-agent/elastic-agent-8.17.0-windows-x86_64.zip

Hence we are marking this ticket as QA:Validated.

Please let us know if we are missing anything here.

cc: @michalpristas
Thanks!