Can't add my Red Hat 7 machine to our company's Active Directory
RHEL7 includes realmd, which is excellent. Try this.

As the machine account exists, you probably will not need admin privileges in AD. Also, you do not need to extend the AD schema to cover rfc2307.
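An added example, not part of the original answer or of chriscowley's own instructions: a bash script sketching the checks a practitioner would run before and after a realmd join when an AD admin has already created the computer object for the host. The domain xx.local, host srv-x008 and user MyUser are taken from the thread; the function names, the constructed realm list and /var/log/secure samples, and the assumption that the joining account holds write rights on the pre-created computer object (or that the admin has set a one-time password on it) are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): sanity checks around a realmd
# join against a pre-created computer account.
# Assumed names: domain xx.local, host srv-x008, joining user MyUser.

# --- pure helpers (no network needed) ---

# Computer account name AD expects for a host: short hostname, uppercased.
# A computer's sAMAccountName is its NetBIOS name, at most 15 characters; a
# longer hostname gets truncated by the join tool and will not match an object
# the admin pre-created under the full name.  Returns 1 in that case.
computer_account_name() {
  local short
  short=$(printf '%s' "$1" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
  [ "${#short}" -le 15 ] || return 1
  printf '%s\n' "$short"
}

# Pull one field out of `realm list` output, e.g.:
#   realm_field client-software "$(realm list)"
realm_field() {
  printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2; exit }'
}

# Classify an sshd line from /var/log/secure.  sshd says "invalid user" when
# the name was not found through NSS (winbind/sssd returned nothing), which
# happens before any password is checked: an identity-lookup problem, not a
# wrong password and not a Kerberos problem.
classify_sshd_failure() {
  case "$1" in
    *"Failed password for invalid user"*) echo nss-lookup ;;
    *"Failed password for"*)             echo auth ;;
    *)                                   echo other ;;
  esac
}

# --- live checks (need the host and a reachable DC; not run by the tests) ---

precheck() {
  local domain=$1 user=$2 realm
  realm=$(printf '%s' "$domain" | tr '[:lower:]' '[:upper:]')
  realm discover "$domain" || return 1          # DNS SRV records, DC reachable
  computer_account_name "$(hostname)" >/dev/null \
    || { echo "hostname too long for a NetBIOS name" >&2; return 1; }
  kinit "$user@$realm" || return 1              # credentials and clock skew OK
  klist >/dev/null
}

# Join using the existing computer object.  The joining user needs write
# rights on that object; alternatively the admin hands over a one-time
# password set on the object and no user credentials are needed at all.
do_join() {
  local domain=$1 user=$2
  realm join -v --user="$user" "$domain"
  # realm join -v --one-time-password='<password set by the admin>' "$domain"
}

postcheck() {
  local user=$1 domain=$2
  realm list | grep -q 'configured: kerberos-member' || return 1
  getent passwd "$user@$domain" >/dev/null \
    || { echo "NSS cannot resolve $user@$domain; check winbind/sssd" >&2; return 1; }
  id "$user@$domain"
}

# Constructed sample data for the helpers above (same layout as `realm list`
# and sshd logging, values made up for this example).
SAMPLE_REALM_LIST='xx.local
  type: kerberos
  realm-name: XX.LOCAL
  domain-name: xx.local
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  login-formats: %U
  login-policy: allow-any-login'

SAMPLE_SECURE_LINE='Failed password for invalid user MyUser@xx.local from 192.168.1.10 port 60517 ssh2'
```

The three helpers at the top run offline; precheck, do_join and postcheck need the host and a domain controller, so call them by hand: `precheck xx.local MyUser && do_join xx.local MyUser && postcheck MyUser xx.local`. The point of classify_sshd_failure is that a working kinit does not rule out a failed login: "invalid user" means NSS never returned the account, so the identity backend the realm is configured with has to be checked before the password path.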
BIfrost
Updated on September 18, 2022

Comments
- BIfrost over 1 year: I'm trying to join my RHEL 7 VM machine to our company's AD. I can validate my login credentials just fine with kinit (no return if I enter the correct password, an error if I enter the wrong one); however, when I try to join using realmd it says I have insufficient permissions to join. Using net ads join --user=MyUser returns "Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED)". I do not have administrative access to the AD; however, one of the administrators added my RHEL machine to the AD. I've tried reinstalling samba and krb but that didn't help. I've also played around with the configs but I just can't seem to get it working. Any help would be much appreciated.
- Andy over 9 years: If you have insufficient privileges to join a host to the domain, you're not going to be able to join it to the domain. It sounds like kerberos is working fine, but logons are failing. Please post a sanitised /var/log/secure as a starting point. Nvm, chris has this one.
- BIfrost over 9 years: Thanks for the answer. I've used realm list before and it shows that I am connected to our domain; however, I cannot log in with my domain username.
- BIfrost over 9 years: Thanks for the answer. I've been following that guide initially, which also led me to the same error.
- chriscowley over 9 years: What does it say in /var/log/secure? Edit: What is the output of realm list?
- BIfrost over 9 years: "Failed password for invalid user [email protected] from 192.168.xx.xx port 60517 ssh2" (tried to connect using PuTTY).
- chriscowley over 9 years: And realm list? Looks like the LDAP lookup is failing, which may be kerberos (DNS perhaps?). I notice that you have already tried doing SSSD; are you in a position to start from clean and just follow my instructions, perhaps ask an AD guy to come and enter the credentials to join (as they would with Windows)?
- BIfrost over 9 years: realm list output:
    xx.local
      type: kerberos
      realm-name: XX.LOCAL
      domain-name: xx.local
      configured: kerberos-member
      server-software: active-directory
      client-software: winbind
      required-package: oddjob-mkhomedir
      required-package: oddjob
      required-package: samba-winbind-clients
      required-package: samba-winbind
      required-package: samba-common
      login-formats: %U
      login-policy: allow-any-login
  I can start from a VM snapshot before the installation, but I should/need to be able to do this without having to call an admin over. EDIT: Comment formatting is bad.
- chriscowley over 9 years: No you shouldn't, because a certain level of rights is required to add an account to the domain. It is the same with Windows clients. They could give your account permission to write to a certain OU, in which case you could join using your own credentials.
- BIfrost over 9 years: The machine name (in my case srv-x008) itself was already added to the AD manually by an admin. Is that not enough? I should be able to log in on that machine using my domain account that I use for Windows too, correct?