realm `! Cannot set computer password: Access denied`
The error message seems pretty straightforward to me. The user you're attempting to join as doesn't appear to have permissions to reset the password on the existing "myLocalhost" computer account in that Employee Computers OU.
Should it? Is "myUserName" in the Domain Admins group? If not, has the user been granted other explicit permissions on computer accounts in that OU? Standard user accounts in a well managed Active Directory typically can't just join computers willy nilly.
Updated on September 18, 2022

Comments
-
Clément almost 2 years
I'm trying to connect my Debian machine to a Windows server, and can't make it work.
As root,
```
kinit -V [email protected]
```
returns
```
Using default cache: /tmp/krb5cc_0
Using principal: [email protected]
Password for [email protected]:
Authenticated to Kerberos v5
```
```
realm discover MYDOMAIN.COM
```
gives
```
mydomain.com
  type: kerberos
  realm-name: MYDOMAIN.COM
  domain-name: mydomain.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin
```
I believe I have all the required packages installed, since
```
dpkg-query -l 'sssd-tools' 'sssd' 'adcli' 'samba-common-bin' 'libnss-sss' 'libpam-sss'
```
returns
```
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                Version                Architecture           Description
+++-===================================-======================-======================-===========================================================================
ii  adcli                               0.8.2-1+b1             amd64                  Tool for performing actions on an Active Directory domain
ii  libnss-sss:amd64                    1.15.0-3               amd64                  Nss library for the System Security Services Daemon
ii  libpam-sss:amd64                    1.15.0-3               amd64                  Pam module for the System Security Services Daemon
ii  samba-common-bin                    2:4.5.8+dfsg-2+deb9u1+ amd64                  Samba common files used by both the server and the client
ii  sssd                                1.15.0-3               amd64                  System Security Services Daemon -- metapackage
ii  sssd-tools                          1.15.0-3               amd64                  System Security Services Daemon -- tools
```
So everything seems fine, but I can't join the network.
```
realm join --membership-software=adcli MYDOMAIN.COM -U [email protected] --verbose
```
gives
```
 * Resolving: _ldap._tcp.mydomain.com
 * Performing LDAP DSE lookup on: XXX.XX.XXX.XXX
 * Performing LDAP DSE lookup on: XXX.XX.XXX.XXX
 * Performing LDAP DSE lookup on: XXX.XX.XXX.XXX
 * Successfully discovered: mydomain.com
Password for [email protected]:
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain mydomain.com --domain-realm MYDOMAIN.COM --domain-controller XXX.XX.XXX.XXX --login-type user --login-user [email protected] --stdin-password
 * Using domain name: mydomain.com
 * Calculated computer account name from fqdn: myLocalhost
 * Using domain realm: mydomain.com
 * Sending netlogon pings to domain controller: ldap://XXX.XX.XXX.XXX
 * Received NetLogon info from: HI-ROOT03.mydomain.com
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-X6zN48/krb5.d/adcli-krb5-conf-6SRoUP
 * Authenticated as user: [email protected]
 * Looked up short domain name: MYSHORTDOMAIN
 * Using fully qualified name: myLocalhost.mydomain.com
 * Using domain name: mydomain.com
 * Using computer account name: myLocalhost
 * Using domain realm: mydomain.com
 * Calculated computer account name from fqdn: myLocalhost
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for myLocalhost$ at: CN=myLocalhost,OU=Employee Computers,OU=Place1,OU=UserDevices,OU=Workstations,OU=ENTERPRISE,DC=mydomain,DC=com
 ! Cannot set computer password: Access denied
adcli: joining domain mydomain.com failed: Cannot set computer password: Access denied
 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain
```
-
user almost 7 years
What do the logs on the domain controller say?
-
Clément almost 7 years
How do I access them?
-
Clément almost 7 years
Why the downvote? I believe my question is well-formulated, and reflects an error that other users might encounter. I believe that the links between Debian and Active Directory are not so well documented, and that such a question could be useful.
-
Clément almost 7 years
I probably don't understand the purpose of the `join` command of Active Directory, then. I have an account on the "myLocalhost" computer, I even have root access to it, but no, I'm not part of the Domain Admins group. I want to connect to that server because I believe that, as long as I am not connected to that server, I can't use the ethernet connection or use the shared printer on my computer. This might be completely unrelated, as I said, I have a very poor understanding of what Active Directory is doing.
-
Ryan Bolger almost 7 years
The typical reason one "joins" a computer to Active Directory is to enable logging in to the computer with an Active Directory account rather than a local account. I can't really speak to your network or printer issues.
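
The diagnosis given in the answer, as an added example that is not part of the original thread: a POSIX shell triage of a saved `realm join --verbose` transcript that separates a credential failure from the case seen here, where the user authenticated and adcli found an existing computer object whose password it was not allowed to reset. The function names are hypothetical, and the embedded sample consists of lines copied from the question's transcript.

```shell
#!/bin/sh
# Added example: classify a `realm join --verbose` transcript using only
# messages that appear in the question. Function names are hypothetical.

# Constructed sample: the decisive lines of the transcript posted in the question.
SAMPLE_LOG=' * Authenticated as user: [email protected]
 * Using computer account name: myLocalhost
 * Found computer account for myLocalhost$ at: CN=myLocalhost,OU=Employee Computers,OU=Place1,OU=UserDevices,OU=Workstations,OU=ENTERPRISE,DC=mydomain,DC=com
 ! Cannot set computer password: Access denied'

# DN of the pre-existing computer object adcli reported; empty if none.
existing_dn() {
  printf '%s\n' "$1" |
    sed -n 's/^ *\* Found computer account for [^ ]* at: //p' | head -n 1
}

# Parent container of a DN (drops the first RDN; assumes no escaped commas).
parent_container() {
  printf '%s\n' "$1" | sed 's/^[^,]*,//'
}

# Classify the transcript passed as $1 and print a one-line verdict.
triage_join() {
  log=$1
  dn=$(existing_dn "$log")
  if ! printf '%s\n' "$log" | grep -q '^ *! '; then
    echo "OK: no error lines"
  elif ! printf '%s\n' "$log" | grep -q 'Authenticated as user:'; then
    echo "AUTH: join user never authenticated; check credentials and Kerberos first"
  elif [ -n "$dn" ] &&
       printf '%s\n' "$log" | grep -q '! Cannot set computer password: Access denied'; then
    echo "ACL: authenticated, but not allowed to reset the password of existing object $dn"
  else
    echo "OTHER: $(printf '%s\n' "$log" | grep '^ *! ' | head -n 1)"
  fi
}

triage_join "$SAMPLE_LOG"
echo "Container to raise with the AD administrator: $(parent_container "$(existing_dn "$SAMPLE_LOG")")"
```

An `ACL` verdict means the password typed at the prompt was accepted, so the object DN and its container are the details to hand to whoever administers that OU.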