realm join unable to create computer account
Should work an account delegated a minimal set of permissions to an OU outlined here: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/1f72f4d9-7343-4a7c-a03f-3713cafdd152/delegate-athority-in-a-ou-to-a-sinle-user-to-join-computers-to-domain?forum=winserverpowershell
Having said that...
Do you have samba-common-tools-4.9.1-6.el7.x86_64 installed? Try downgrading to 4.8.3-6.el7_6.x86_64 or add "--membership-software=adcli" to your realm join command. This is a known issue in this release of samba-common-tools.
Example:
[root@client ~]# realm join --membership-software=adcli --user=svc-linux-join --computer-ou="OU=servers,OU=linux,DC=domain,DC=bls" --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls < <(echo 'L3t-m3-in')
Password for svc-linux-join:
Related videos on Youtube
azzid
Updated on September 18, 2022Comments
-
azzid almost 2 years
Reading
man realm
I see the following:--computer-ou=OU=xxx The distinguished name of an organizational unit to create the computer account. The exact format of the distinguished name depends on the membership software. You can usually omit the root DSE portion of distinguished name. This is an Active Directory specific option.
I interpret that as
realm
beeing able to create a computer account as needed in active directory.Putting it to the test however it fails:
[root@client ~]# realm join --user=svc-linux-join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls < <(echo 'L3t-m3-in') Password for svc-linux-join: See: journalctl REALMD_OPERATION=r1695.2763 realm: Couldn't join realm: Joining the domain domain.bls failed [root@client ~]# journalctl REALMD_OPERATION=r1695.2763 -- Logs begin at Thu 2019-09-19 22:00:08 CEST, end at Thu 2019-09-19 22:28:25 CEST. -- Sep 19 22:28:25 client realmd[2759]: * Resolving: _ldap._tcp.domain.bls Sep 19 22:28:25 client realmd[2759]: * Performing LDAP DSE lookup on: 10.0.2.15 Sep 19 22:28:25 client realmd[2759]: * Successfully discovered: domain.bls Sep 19 22:28:25 client realmd[2759]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net Sep 19 22:28:25 client realmd[2759]: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.2B8L8Z -U svc-linux-join ads join domain.bls createcomputer=linux/serve Sep 19 22:28:25 client realmd[2759]: Enter svc-linux-join's password: Sep 19 22:28:25 client realmd[2759]: Failed to join domain: failed to precreate account in ou ou=servers,ou=linux,dc=DOMAIN,dc=BLS: No such object Sep 19 22:28:25 client realmd[2759]: ! Joining the domain domain.bls failed
I first believed it to be a limitation of the privileges delegated to
svc-linux-join
so I let [email protected] have a go as well, same result:[root@client ~]# realm join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls Password for Administrator: See: journalctl REALMD_OPERATION=r1740.2772 realm: Couldn't join realm: Joining the domain domain.bls failed [root@client ~]# journalctl REALMD_OPERATION=r1740.2772 -- Logs begin at Thu 2019-09-19 22:00:08 CEST, end at Thu 2019-09-19 22:29:14 CEST. -- Sep 19 22:29:11 client realmd[2759]: * Resolving: _ldap._tcp.domain.bls Sep 19 22:29:11 client realmd[2759]: * Performing LDAP DSE lookup on: 10.0.2.15 Sep 19 22:29:11 client realmd[2759]: * Successfully discovered: domain.bls Sep 19 22:29:14 client realmd[2759]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net Sep 19 22:29:14 client realmd[2759]: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.UK8T8Z -U Administrator ads join domain.bls createcomputer=linux/server Sep 19 22:29:14 client realmd[2759]: Enter Administrator's password: Sep 19 22:29:14 client realmd[2759]: Failed to join domain: failed to precreate account in ou ou=servers,ou=linux,dc=DOMAIN,dc=BLS: No such object Sep 19 22:29:14 client realmd[2759]: ! Joining the domain domain.bls failed
I then tried pre-creating the computer account:
And join again:
[root@client ~]# realm join --user=svc-linux-join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls < <(echo 'L3t-m3-in') Password for svc-linux-join: See: journalctl REALMD_OPERATION=r2567.12844 realm: Couldn't join realm: Insufficient permissions to join the domain domain.bls [root@client ~]# journalctl REALMD_OPERATION=r2567.12844 -- Logs begin at Thu 2019-09-19 22:00:08 CEST, end at Thu 2019-09-19 22:47:21 CEST. -- Sep 19 22:42:58 client realmd[12848]: * Resolving: _ldap._tcp.domain.bls Sep 19 22:42:58 client realmd[12848]: * Performing LDAP DSE lookup on: 10.0.2.15 Sep 19 22:42:58 client realmd[12848]: * Successfully discovered: domain.bls Sep 19 22:42:58 client realmd[12848]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net Sep 19 22:42:58 client realmd[12848]: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.F0897Z -U svc-linux-join ads join domain.bls createcomputer=linux/serv Sep 19 22:42:58 client realmd[12848]: Enter svc-linux-join's password: Sep 19 22:42:58 client realmd[12848]: Failed to join domain: Failed to set password for machine account (NT_STATUS_ACCESS_DENIED) Sep 19 22:42:58 client realmd[12848]: Sep 19 22:42:58 client realmd[12848]: ! Insufficient permissions to join the domain domain.bls
Now that the account exists I get another error. Going back as administrator:
[root@client ~]# realm join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls Password for Administrator:
It just works.
If I delete the computer account and re-join the domain without specifying the desired OU for the computer account it works as well:
[root@client ~]# realm leave --remove Password for Administrator: [root@client ~]# realm join domain.bls Password for Administrator: [root@client ~]# ldapsearch -LLL -x -h server -b dc=domain,dc=bls -D svc-linux-join -w L3t-m3-in cn=client distinguishedName | grep -v -e ^# -e ^$ dn: CN=client,CN=Computers,DC=domain,DC=bls distinguishedName: CN=client,CN=Computers,DC=domain,DC=bls
Should I not be able to let
realm join
create computer accounts in a specified OU using the account with delegated privileges to the OU? -
azzid almost 5 yearsI do have
samba-common-tools-4.9.1-6.el7.x86_64
. -
azzid almost 5 yearsSetting the user privileges as describe in the link and forcing the use of adcli as membership software works as expected!
-
azzid almost 5 years
samba-common-tools-4.8.3-6.el7_6.x86_64
does not seem to be available in the repos for current CentOS 7, so I think that downgrade should be avoided. -
azzid almost 5 yearsFound samba-common-tools-4.8.3-4.el7.x86_64 on mirror.nsc.liu.se/centos/7.6.1810/os/x86_64/Packages/… but
yum downgrade samba-common-tools-4.8.3-4.el7.x86_64.rpm
failed due to failed dependencies, really don't think downgrade is a viable option.