Couldn't join realm: Insufficient permissions to join the domain


I had this problem on a home domain set up using Ubuntu 20.04 (both the server, with the domain controller on Samba, and all domain members). The solution turned out to be very simple. Before you can successfully join, you need to modify the /etc/hosts file to map the IP address to the domain controller host(s). You can remove these entries after successfully joining the domain, as then your new domain member will use the DNS in the domain, but before that happens I think it's kinda lost. To me these entries looked similar to this:

192.168.1.10 primarydc.mydomain.com primarydc
192.168.1.10 primarykrb.mydomain.com primarykrb

Author: NEO

Updated on September 18, 2022

Comments

  • NEO
    NEO over 1 year

    I'm getting the following error when I try to join the linux machine to AD:

    $ realm join proxmox.local --computer-ou="CN=TEST,CN=Computers,DC=proxmox" --verbose

    * Resolving: _ldap._tcp.proxmox.local
     * Resolving: proxmox.local
     * Performing LDAP DSE lookup on: 192.168.1.131
     * Successfully discovered: proxmox.local
    Password for Administrator: 
     * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
     * LANG=C /usr/sbin/adcli join --verbose --domain proxmox.local --domain-realm PROXMOX.LOCAL --domain-controller 192.168.1.131 --computer-ou CN=TEST,CN=Computers,DC=proxmox --login-type user --login-user Administrator --stdin-password
     * Using domain name: proxmox.local
     * Calculated computer account name from fqdn: TEST
     * Using domain realm: proxmox.local
     * Sending netlogon pings to domain controller: cldap://192.168.1.131
     * Received NetLogon info from: windows.proxmox.local
     * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-BihhIw/krb5.d/adcli-krb5-conf-PZ0Ypc
     * Authenticated as user: [email protected]
     ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
    adcli: couldn't connect to proxmox.local domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
     ! Insufficient permissions to join the domain
    realm: Couldn't join realm: Insufficient permissions to join the domain
    

    My krb5.conf:

    # Configuration snippets may be placed in this directory as well
    includedir /etc/krb5.conf.d/
    
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     dns_lookup_realm = false
     dns_lookup_kdc = false
     rdns = false
     pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
     # default_realm = PROXMOX.LOCAL 
     forwardable = true 
     default_tgs_enctypes = rc4-hmac des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc
     default_tkt_enctypes = rc4-hmac des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc
     permitted_enctypes = rc4-hmac des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc
    
    [realms]
     PROXMOX.LOCAL = {
       kdc = proxmox.local
       admin_server = proxmox.local
      }
    
    [domain_realm]
     .proxmox.local = PROXMOX.LOCAL
     proxmox.local = PROXMOX.LOCAL
    

    The error message doesn't make sense because I'm using the Administrator account and it has full privileges. Any way to debug this?

    • user1686
      user1686 about 4 years
      How did you set up the AD domain? It's a bit weird that it only detects the DC as IP address and not as domain name (and that's actually what causes the GSSAPI error message).
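
The check below is an added example, not code from the posts above. It reads a saved `realm join --verbose` log, looks for the `Server not found in Kerberos database` error together with a domain controller passed by IP, and prints an `/etc/hosts` line in the answer's format when the DC name is not yet mapped. Function names, verdict strings and the hosts file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): triage a saved
# `realm join --verbose` log for the name-resolution problem discussed here.

# Value adcli was given for --domain-controller (an IP in the log above).
dc_argument() { sed -n 's/.*--domain-controller \([^ ]*\).*/\1/p' "$1" | head -n 1; }

# Hostname of the DC that answered the netlogon ping.
netlogon_host() { sed -n 's/.*Received NetLogon info from: *\([^ ]*\).*/\1/p' "$1" | head -n 1; }

# Succeed if $1 looks like a dotted-quad IPv4 address.
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }

# Succeed if name $2 is a hostname or alias in hosts-format file $1.
name_in_hosts() {
  awk -v want="$2" '
    { sub(/#.*/, "") }                      # drop comments
    { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(want)) found = 1 }
    END { exit (found ? 0 : 1) }' "$1"
}

# Print a one-line verdict for log $1 checked against hosts file $2.
diagnose_join() (
  dc=$(dc_argument "$1"); host=$(netlogon_host "$1")
  if ! grep -q 'Server not found in Kerberos database' "$1"; then
    echo "ok: no Kerberos name error in log"
  elif [ -z "$host" ] || ! is_ipv4 "$dc"; then
    echo "unknown: cannot derive DC address and name from log"
  elif name_in_hosts "$2" "$host"; then
    echo "mapped: $host"
  else
    echo "add: $dc $host ${host%%.*}"       # same shape as the answer's entries
  fi
)

# Demo: abridged lines from the log on this page, constructed hosts files.
demo() (
  d=$(mktemp -d) || exit 1
  cat > "$d/join.log" <<'EOF'
 * LANG=C /usr/sbin/adcli join --verbose --domain proxmox.local --domain-controller 192.168.1.131 --login-type user
 * Received NetLogon info from: windows.proxmox.local
 ! Couldn't authenticate to active directory: (Server not found in Kerberos database)
EOF
  printf '127.0.0.1 localhost\n' > "$d/hosts"
  diagnose_join "$d/join.log" "$d/hosts"
  printf '192.168.1.131 windows.proxmox.local windows # constructed\n' >> "$d/hosts"
  diagnose_join "$d/join.log" "$d/hosts"
  rm -rf "$d"
)
demo
```

A `mapped:` verdict means the hosts file already names the DC, so the cause of the join failure lies elsewhere.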