Redhat – Can’t add the Red Hat 7 machine to our company’s Active Directory

active-directorykerberosredhat

I'm trying to join my RHEL 7 VM machine to our company's AD. I can validate my login credentials just fine with kinit (No return if I enter the correct password, error if I enter the wrong one), however, when I try to join using realmd it says I have insufficient permissions to join. Using net ads join --user=MyUser returns "Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED)". I do not have administrative access to the AD, however, one of the administrators added my RHEL machine to the AD. I've tried reinstalling samba and krb but that didnt help. I've also played around with the configs but I just can't seem to get it working. Any help would be much appreciated.

Best Answer

RHEL7 includes realmd which is excellent. Try this.

As the machine account exists, you probably will not need admin privileges in AD. Also, you do not need to extend the AD schema to cover rfc2307.

Related Solutions

Linux – Apache SSO through Kerberos using Machine Account

I don't have extended experience setting up kerberos delegation in Apache, but I'm pretty sure the service name defined in apache needs to match the service name in the keytab file.

Set the service name explicitly like this:

<Location /secured>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms DOMAIN.COM
Krb5KeyTab /etc/krb5.keytab
KrbLocalUserMapping On
KrbServiceName HTTP/apache_server.DOMAIN.com
require valid-user
</Location>

The machines account in AD will need to have the HTTP/apache_server.DOMAIN.com SPN set, but it sounds like you already have this in place

Linux – “net ads join” fails in puppet exec but runs OK directly from command line

It turns out I had to explicitly set a few environment variables using the environment parameter in exec, specifically LOGNAME:

exec { 'adjoin':
    command  => "kinit adjoin@AD.EXAMPLE.COM -k -t /etc/krb5.keytab && net ads join createcomputer='Machines/Servers/Linux Servers' osName='${operatingsystem}' osVer=${operatingsystemrelease} -k",
    unless   => "net ads testjoin -k | grep -q 'Join is OK'",
    provider => shell,
    user     => root,
    path     => '/usr/sbin:/usr/bin:/sbin:/bin',
    require  => [
        File['/etc/krb5.conf'],
        File['/etc/krb5.keytab'],
    ],
    logoutput => true,
    environment => [
        'USER=root',
        'LOGNAME=root',
        'HOME=/root',
    ],
}

Two reasons for this:

net ads -k join fails without LOGNAME env variable
LOGNAME, USER, and HOME are specifically unset by puppet during an exec's run. It was a design choice that is detailed in the ticket I linked to.

I also set USER and HOME for sanity's sake, though I'm not sure they are required by net ads.

Best Answer

Related Solutions

Linux – Apache SSO through Kerberos using Machine Account

Linux – “net ads join” fails in puppet exec but runs OK directly from command line

Related Topic