Can't add my Red Hat 7 machine to our company's Active Directory


RHEL7 includes realmd, which is excellent. Try this.

As the machine account exists, you probably will not need admin privileges in AD. Also, you do not need to extend the AD schema to cover RFC 2307.
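The following is an added example and is not code from the answer above or from realmd itself. Part 1 wraps the realmd join sequence the answer points at in a function (it needs network access and AD join rights, so it is not run on load). Part 2 adds two offline helpers that a practitioner would use to read this thread's symptoms: one reads the `login-formats` field of `realm list` output to show which form of login name the realm expects (realm(8) substitutes `%U` with the user name), and one classifies an sshd line from /var/log/secure, where "invalid user" means the name never resolved through NSS, so no password was ever checked. The domain `xx.local`, user `MyUser` and host `srv-x008` are taken from the thread; the `realm list` outputs and the log lines below are constructed samples shaped like the ones in the comments, not real captures.

```shell
#!/bin/sh
# Added example, not from the original post or from realmd.
# Assumed names: domain xx.local, user MyUser, host srv-x008 (from the thread).

# --- Part 1: join with realmd (run manually as root on the RHEL 7 host) ---
# Not executed on load: it needs the network and an account allowed to join.
join_with_realmd() {
    domain="$1"   # e.g. xx.local
    user="$2"     # AD account allowed to join / use the pre-created computer object

    yum -y install realmd sssd adcli oddjob oddjob-mkhomedir \
        samba-common-tools krb5-workstation

    # Resolves the domain's SRV records and lists the client packages realmd wants.
    realm discover "$domain"

    # SSSD rather than winbind; realmd writes sssd.conf and krb5.conf for you.
    # The AD user's password is prompted for. SSSD's AD provider maps SIDs to
    # UIDs by default, which is why no RFC 2307 schema extension is required.
    realm join --verbose --user="$user" --client-software=sssd "$domain"

    # The login-formats line here tells you what to type at the ssh prompt.
    realm list
    id "$(expected_login "$(realm list)" "$user")"
}

# --- Part 2: offline helpers for reading the symptoms in this thread ---

# Constructed sample: winbind client, bare user names (as in the comments).
SAMPLE_REALM_LIST_WINBIND='xx.local
  type: kerberos
  realm-name: XX.LOCAL
  domain-name: xx.local
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  login-formats: %U
  login-policy: allow-any-login'

# Constructed sample: what an SSSD join typically reports instead.
SAMPLE_REALM_LIST_SSSD='xx.local
  type: kerberos
  realm-name: XX.LOCAL
  domain-name: xx.local
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  login-formats: %U@xx.local
  login-policy: allow-realm-logins'

# Constructed sshd lines in the shape of /var/log/secure.
SAMPLE_SECURE_INVALID='Jan 10 09:12:33 srv-x008 sshd[2345]: Failed password for invalid user MyUser@xx.local from 192.168.1.20 port 60517 ssh2'
SAMPLE_SECURE_BADPW='Jan 10 09:13:01 srv-x008 sshd[2350]: Failed password for MyUser from 192.168.1.20 port 60520 ssh2'

# Print one field ("client-software", "login-formats", ...) from realm list output.
realm_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2; exit }'
}

# Expand the realm's login-formats template for a user name.
# realm(8): %U is replaced by the user name, so "%U" means log in as MyUser
# and "%U@xx.local" means log in as MyUser@xx.local.
expected_login() {
    fmt=$(realm_field "$1" login-formats)
    printf '%s\n' "$fmt" | sed "s/%U/$2/g"
}

# Compare the name the user typed with the form the realm expects.
# Prints "ok" or "use <name>".
check_login_name() {
    typed="$2"
    want=$(expected_login "$1" "${typed%%@*}")
    if [ "$typed" = "$want" ]; then echo "ok"; else echo "use $want"; fi
}

# Classify an sshd line from /var/log/secure.
# "invalid user" is logged when getpwnam() fails, i.e. the name did not resolve
# through NSS (wrong login format, or sssd/winbind not answering). A plain
# "Failed password for <user>" means the account resolved and only the
# password / Kerberos step failed.
classify_secure_line() {
    case "$1" in
        *"Failed password for invalid user "*) echo nss-lookup-failed ;;
        *"Failed password for "*)              echo auth-failed ;;
        *)                                     echo other ;;
    esac
}

# Usage (offline part):
#   check_login_name "$SAMPLE_REALM_LIST_WINBIND" MyUser@xx.local
#   classify_secure_line "$SAMPLE_SECURE_INVALID"
```

With the winbind sample, `check_login_name` reports that `MyUser@xx.local` should be typed as `MyUser`; with the SSSD sample the opposite. Pairing that with `classify_secure_line` separates "the name never resolved" from "the password was rejected" before anyone touches krb5.conf or reinstalls packages.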



Author: BIfrost

Updated on September 18, 2022

Comments

  • BIfrost
    BIfrost over 1 year

    I'm trying to join my RHEL 7 VM machine to our company's AD. I can validate my login credentials just fine with kinit (no return if I enter the correct password, error if I enter the wrong one); however, when I try to join using realmd it says I have insufficient permissions to join. Using net ads join --user=MyUser returns "Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED)". I do not have administrative access to the AD; however, one of the administrators added my RHEL machine to the AD. I've tried reinstalling samba and krb but that didn't help. I've also played around with the configs but I just can't seem to get it working. Any help would be much appreciated.

    • Andy
      Andy over 9 years
      If you have insufficient privileges to join a host to the domain, you're not going to be able to join it to the domain. It sounds like kerberos is working fine, but logons are failing. Please post a sanitised /var/log/secure as a starting point. Nvm, chris has this one.
  • BIfrost
    BIfrost over 9 years
    Thanks for the answer. I've used realm list before and it shows that I am connected to our domain, however, I can not log in with my domain username.
  • BIfrost
    BIfrost over 9 years
    Thanks for the answer. I've been following that guide initially, which also led me to the same error.
  • chriscowley
    chriscowley over 9 years
    What does it say in /var/log/secure Edit: What is the output of realm list?
  • BIfrost
    BIfrost over 9 years
    "Failed password for invalid user [email protected] from 192.168.xx.xx port 60517 ssh2" (Tried to connect using putty)
  • chriscowley
    chriscowley over 9 years
    and realm list? Looks like the LDAP lookup is failing, which may be kerberos (DNS perhaps?). I notice that you have already tried doing SSSD; are you in a position to start from clean and just follow my instructions, perhaps ask an AD guy to come and enter the credentials to join (as they would with Windows)?
  • BIfrost
    BIfrost over 9 years
    realm list output:

        xx.local
          type: kerberos
          realm-name: XX.LOCAL
          domain-name: xx.local
          configured: kerberos-member
          server-software: active-directory
          client-software: winbind
          required-package: oddjob-mkhomedir
          required-package: oddjob
          required-package: samba-winbind-clients
          required-package: samba-winbind
          required-package: samba-common
          login-formats: %U
          login-policy: allow-any-login

    I can start from a VM snapshot before the installation, but I should/need to be able to do this without having to call an admin over. EDIT: Comment formatting is bad.
  • chriscowley
    chriscowley over 9 years
    No you shouldn't, because a certain level of rights is required to add an account to the domain. It is the same with Windows clients. They could give your account permission to write to a certain OU, in which case you could join using your own credentials.
  • BIfrost
    BIfrost over 9 years
    The machine name (in my case srv-x008) itself was already added to the AD manually by an admin. Is that not enough? I should be able to log in on that machine using my domain account that I use for windows too, correct?