Linux – Unable to join Ubuntu/Linux to Active Directory as domain-user. Works with Windows clients

Tags: active-directory, ldap, linux, ubuntu

I am trying to join a Ubuntu/Linux computer to the Active Directory domain as a normal user-account who is not a member of the domain-admins group.

I can join Windows computers just fine. You do not have to be admin, but have a quota of computers that you can join without being an administrator.

But when I try to bring a Ubuntu Linux computer into the domain, it fails with the error message below. I would appreciate any help on this.

daniel@linux01:~$ sudo realm join -v -U 'daniel@AD.example.com' AD.example.com
[sudo] password for daniel:
 * Resolving: _ldap._tcp.ad.example.com
 * Performing LDAP DSE lookup on: 10.0.0.10
 * Successfully discovered: ad.example.com
Password for daniel@AD.example.com:
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain ad.example.com --domain-realm AD.example.com --domain-controller 10.0.0.10 --login-type user --login-user daniel@AD.example.com --stdin-password
 * Using domain name: ad.example.com
 * Calculated computer account name from fqdn: LINUX01
 * Using domain realm: ad.example.com
 * Sending NetLogon ping to domain controller: 10.0.0.10
 * Received NetLogon info from: dc1.ad.example.com
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-iIuXdP/krb5.d/adcli-krb5-conf-eeT5bO
 * Authenticated as user: daniel@AD.example.com
 * Looked up short domain name: AD
 * Looked up domain SID: S-1-5-21-13313029-848207003-2406435418
 * Using fully qualified name: linux01.ad.example.com
 * Using domain name: ad.example.com
 * Using computer account name: LINUX01
 * Using domain realm: ad.example.com
 * Calculated computer account name from fqdn: LINUX01
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for LINUX01$ does not exist
 * Found well known computer container at: CN=Computers,DC=ad,DC=example,DC=com
 * Calculated computer account: CN=LINUX01,CN=Computers,DC=ad,DC=example,DC=com
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 ! Insufficient permissions to modify computer account: CN=LINUX01,CN=Computers,DC=ad,DC=example,DC=com: 000020E7: AtrErr: DSID-03153402, #1:
        0: 000020E7: DSID-03153402, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90008 (userAccountControl):len 4

adcli: joining domain ad.example.com failed: Insufficient permissions to modify computer account: CN=LINUX01,CN=Computers,DC=ad,DC=example,DC=com: 000020E7: AtrErr: DSID-03153402, #1:
        0: 000020E7: DSID-03153402, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90008 (userAccountControl):len 4

 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain

Best Answer

You're not providing any Container Name (CN in the error messages) so the Linux01 machine is inserted into the default "Computers" CN. My guess is that your user account hasn't enough privilege to alter this CN, or more probably it doesn't even exist in your AD, so that you must provide a complete CN path.

In Windows, when adding a computer to the AD the GUI allows you to navigate the Domain tree and select the appropriate container (leaf). You should probably add an entry in your realmd.conf file, or add the OU information directly to the command line.

/etc/realmd.conf defaults:

[ad.example.com]
# The section name is the realm being joined; computer-ou is the DN of the
# container that new computer accounts are created in (leaf OU first).
computer-ou = OU=Linux Computers,DC=AD,DC=example,DC=com
# computer-ou = OU=Linux Computers,

On the command line:

realm join --user=daniel@AD.example.com AD.example.com --computer-ou='OU=Linux Computers,DC=AD,DC=example,DC=com'

First find the OU/CN with ldapsearch:

ldapsearch -x -LLL -H ldap://AD.example.com -b dc=ad,dc=example,dc=com -D 'AD\daniel' -W '(name=web_servers)' dn
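As an added example, not part of the answer above and not realmd's own tooling, the shell helper below assembles the DN that --computer-ou expects from the domain and an OU path, rejects a malformed DN (for instance one missing the OU= prefix or the comma before DC=), and wraps a base-scope ldapsearch that confirms the container exists before realm join is run; the function names are my own, and the domain and OU values are constructed to match the question.

```shell
#!/bin/sh
# Added helper (hypothetical function names), POSIX sh.

# build_computer_ou DOMAIN OU_PATH
#   "ad.example.com" "Linux Computers"         -> OU=Linux Computers,DC=ad,DC=example,DC=com
#   "ad.example.com" "Servers/Linux Computers" -> OU=Linux Computers,OU=Servers,DC=ad,DC=example,DC=com
# Nested OUs are given parent-first with '/' and emitted leaf-first, as LDAP requires.
build_computer_ou() {
    local domain="$1" ou_path="$2" base="" ous_dn="" comp old_ifs
    old_ifs=$IFS
    IFS='.'
    for comp in $domain; do base="${base:+$base,}DC=$comp"; done
    IFS='/'
    for comp in $ou_path; do ous_dn="OU=$comp${ous_dn:+,$ous_dn}"; done
    IFS=$old_ifs
    printf '%s,%s\n' "$ous_dn" "$base"
}

# check_dn_syntax DN -> returns 0 if every RDN is OU=/CN=/DC= with a non-empty value
# and the DN has at least two RDNs; catches typos such as "Linux ComputersDC=AD,...".
# Values containing an escaped comma (\,) are not handled by this simple split.
check_dn_syntax() {
    local dn="$1" rdn n=0 old_ifs
    old_ifs=$IFS
    IFS=','
    for rdn in $dn; do
        n=$((n + 1))
        case $rdn in
            OU=*|ou=*|CN=*|cn=*|DC=*|dc=*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
        case ${rdn#*=} in *=*|'') IFS=$old_ifs; return 1 ;; esac
    done
    IFS=$old_ifs
    [ "$n" -ge 2 ]
}

# container_exists DOMAIN BINDUSER DN -> 0 if a base-scope search on DN finds the
# object; ldapsearch exits 32 (noSuchObject) when it does not. Simple bind (-x),
# password prompted (-W). Not run here because it needs a reachable DC.
container_exists() {
    ldapsearch -x -LLL -H "ldap://$1" -D "$2" -W -b "$3" -s base dn >/dev/null
}

# Offline demonstration with values constructed from the question.
OU_DN=$(build_computer_ou "ad.example.com" "Linux Computers")
if check_dn_syntax "$OU_DN"; then
    echo "realm join -U daniel@AD.example.com ad.example.com --computer-ou='$OU_DN'"
else
    echo "malformed computer-ou DN: $OU_DN" >&2
fi
```

Run container_exists "ad.example.com" 'AD\daniel' "$OU_DN" against the domain controller to confirm the OU is present before joining; a non-zero exit means the DN is wrong or the account cannot read it.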