Couldn't join realm: Insufficient permissions to join the domain
I had this problem on a home domain set up using Ubuntu 20.04 (both the server with the domain controller on Samba and all domain members). The solution turned out to be very simple. Before you can successfully join, you need to modify the /etc/hosts file to map the IP address to the domain controller host(s). You can remove these entries after successfully joining the domain, as then your new domain member will use the DNS in the domain, but before that happens I think it's kinda lost. For me these entries looked similar to this:
192.168.1.10 primarydc.mydomain.com primarydc
192.168.1.10 primarykrb.mydomain.com primarykrb
NEO
Updated on September 18, 2022
Comments
-
NEO over 1 year
I'm getting the following error when I try to join the linux machine to AD:
$ realm join proxmox.local --computer-ou="CN=TEST,CN=Computers,DC=proxmox" --verbose
 * Resolving: _ldap._tcp.proxmox.local
 * Resolving: proxmox.local
 * Performing LDAP DSE lookup on: 192.168.1.131
 * Successfully discovered: proxmox.local
Password for Administrator:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --domain proxmox.local --domain-realm PROXMOX.LOCAL --domain-controller 192.168.1.131 --computer-ou CN=TEST,CN=Computers,DC=proxmox --login-type user --login-user Administrator --stdin-password
 * Using domain name: proxmox.local
 * Calculated computer account name from fqdn: TEST
 * Using domain realm: proxmox.local
 * Sending netlogon pings to domain controller: cldap://192.168.1.131
 * Received NetLogon info from: windows.proxmox.local
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-BihhIw/krb5.d/adcli-krb5-conf-PZ0Ypc
 * Authenticated as user: [email protected]
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
adcli: couldn't connect to proxmox.local domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain
My krb5.conf:
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = PROXMOX.LOCAL
forwardable = true
default_tgs_enctypes = rc4-hmac des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc
default_tkt_enctypes = rc4-hmac des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc
permitted_enctypes = rc4-hmac des3-hmac-sha1 arcfour-hmac des-hmac-sha1 des-cbc-md5 des-cbc-crc

[realms]
PROXMOX.LOCAL = {
  kdc = proxmox.local
  admin_server = proxmox.local
}

[domain_realm]
.proxmox.local = PROXMOX.LOCAL
proxmox.local = PROXMOX.LOCAL
The error message doesn't make sense because I'm using the Administrator account and it has full privileges. Any way to debug this?
-
user1686 about 4 years
How did you set up the AD domain? It's a bit weird that it only detects the DC as IP address and not as domain name (and that's actually what causes the GSSAPI error message).
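The comment above (the DC is found only by IP address) and the /etc/hosts workaround from the answer can both be checked from the join log itself. The script below is an added example, not part of the original thread: `diagnose_join_log`, `hosts_maps` and the finding labels are hypothetical names, and the sample log is constructed from the output quoted in the question.

```shell
#!/bin/sh
# Added example: triage of `realm join --verbose` output.
# The sample log is constructed from the lines quoted in the question.
sample_log() {
cat <<'EOF'
 * Resolving: _ldap._tcp.proxmox.local
 * Performing LDAP DSE lookup on: 192.168.1.131
 * LANG=C /usr/sbin/adcli join --verbose --domain proxmox.local --domain-realm PROXMOX.LOCAL --domain-controller 192.168.1.131 --login-type user --login-user Administrator --stdin-password
 * Received NetLogon info from: windows.proxmox.local
 ! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
 ! Insufficient permissions to join the domain
EOF
}

# Reads a join log on stdin and prints one finding per line.
diagnose_join_log() {
    awk '
    # realmd passes the discovered DC to adcli; pick up that argument.
    /adcli join/ {
        for (i = 1; i < NF; i++)
            if ($i == "--domain-controller") dc = $(i + 1)
    }
    # The DC reports its own host name in the NetLogon reply.
    /Received NetLogon info from:/ { fqdn = $NF }
    # KDC reply meaning the requested service principal is not registered.
    /Server not found in Kerberos database/ { unknown_spn = 1 }
    /Insufficient permissions to join the domain/ { perm = 1 }
    END {
        by_ip = (dc ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
        if (by_ip) print "dc-by-ip " dc
        if (unknown_spn) print "kdc-unknown-service"
        # The permissions message only follows the failed GSSAPI bind.
        if (perm && unknown_spn) print "permission-error-secondary"
        if (by_ip && fqdn != "") {
            short = fqdn; sub(/\..*/, "", short)
            print "hosts-entry " dc " " fqdn " " short
        }
    }'
}

# True if the hosts-format file $2 maps some address to the name $1.
hosts_maps() {
    awk -v n="$1" '
        { sub(/#.*/, "") }   # ignore comments
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(n)) found = 1 }
        END { exit !found }' "$2"
}

sample_log | diagnose_join_log
```

The `hosts-entry` finding has the same shape as the entries shown in the answer; `hosts_maps windows.proxmox.local /etc/hosts` then confirms whether such a mapping is present before retrying the join.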