I am trying to join an Ubuntu/Linux computer to the Active Directory domain with a normal user account that is not a member of the Domain Admins group.
I can join Windows computers just fine. You do not have to be an admin, but there is a quota of computers that you can join without being an administrator.
But when I try to bring an Ubuntu Linux computer into the domain, it fails with the error message below. I would appreciate any help on this.
daniel@linux01:~$ sudo realm join -v -U '[email protected]' AD.example.com
[sudo] password for daniel:
* Resolving: _ldap._tcp.ad.example.com
* Performing LDAP DSE lookup on: 10.0.0.10
* Successfully discovered: ad.example.com
Password for [email protected]:
* Unconditionally checking packages
* Resolving required packages
* LANG=C /usr/sbin/adcli join --verbose --domain ad.example.com --domain-realm AD.example.com --domain-controller 10.0.0.10 --login-type user --login-user [email protected] --stdin-password
* Using domain name: ad.example.com
* Calculated computer account name from fqdn: LINUX01
* Using domain realm: ad.example.com
* Sending NetLogon ping to domain controller: 10.0.0.10
* Received NetLogon info from: dc1.ad.example.com
* Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-iIuXdP/krb5.d/adcli-krb5-conf-eeT5bO
* Authenticated as user: [email protected]
* Looked up short domain name: AD
* Looked up domain SID: S-1-5-21-13313029-848207003-2406435418
* Using fully qualified name: linux01.ad.example.com
* Using domain name: ad.example.com
* Using computer account name: LINUX01
* Using domain realm: ad.example.com
* Calculated computer account name from fqdn: LINUX01
* Generated 120 character computer password
* Using keytab: FILE:/etc/krb5.keytab
* Computer account for LINUX01$ does not exist
* Found well known computer container at: CN=Computers,DC=ad,DC=example,DC=com
* Calculated computer account: CN=LINUX01,CN=Computers,DC=ad,DC=example,DC=com
* Encryption type [3] not permitted.
* Encryption type [1] not permitted.
! Insufficient permissions to modify computer account: CN=LINUX01,CN=Computers,DC=ad,DC=example,DC=com: 000020E7: AtrErr: DSID-03153402, #1:
0: 000020E7: DSID-03153402, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90008 (userAccountControl):len 4
adcli: joining domain ad.example.com failed: Insufficient permissions to modify computer account: CN=LINUX01,CN=Computers,DC=ad,DC=example,DC=com: 000020E7: AtrErr: DSID-03153402, #1:
0: 000020E7: DSID-03153402, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90008 (userAccountControl):len 4
! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain
You're not providing any Container Name (CN in the error messages) so the Linux01 machine is inserted into the default "Computers" CN. My guess is that your user account hasn't enough privilege to alter this CN, or more probably it doesn't even exist in your AD, so that you must provide a complete CN path.
In Windows, when adding a computer to the AD the GUI allows you to navigate the domain tree and select the appropriate container (leaf). You should probably add an entry in your realmd.conf file, or add the OU information directly to the command line.
/etc/realmd.conf defaults:
On the command line:
First find the OU/CN with ldapsearch:
I had the exact same issue, and it turned out that there are more permissions required to join a Linux system than a Windows system to the domain, though I'm not sure why that is the case.
I added additional permissions to my domain join account following this guide: https://www.computertechblog.com/active-directory-permissions-required-to-join-linux-and-windows-computers-to-a-domain/
From the above link:
Standard permissions required to join systems to AD (Linux and Windows)
Additional permissions required by Linux machines to join AD (Linux)
NOTE: You must show "Property-specific" permissions to see these extra permissions.
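The two answers above boil down to one procedure: find a container the join account has rights on, point realmd at it (in /etc/realmd.conf or with --computer-ou), then join. The script below is an added example, not code from either answer or from the realmd project; it reuses the domain ad.example.com from the question, while the join account daniel@AD.EXAMPLE.COM and the OU "OU=Linux,OU=Workstations" are hypothetical placeholders. Creating the computer object in an OU delegated to the account avoids the failure shown in the log, where the write to userAccountControl under the default CN=Computers was refused.

```shell
#!/bin/sh
# Added example (not from the original answers). Hypothetical values:
# join account daniel@AD.EXAMPLE.COM, OU "OU=Linux,OU=Workstations".

# Turn a DNS domain into its LDAP base DN:
#   ad.example.com -> DC=ad,DC=example,DC=com
domain_to_base_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%sDC=%s", (i > 1 ? "," : ""), $i
        print ""
    }'
}

# Make an OU path fully qualified: a relative "OU=Linux,OU=Workstations"
# gets the base DN appended; a DN that already has DC= parts is unchanged.
qualify_ou() {
    ou=$1; domain=$2
    case "$ou" in
        *DC=*|*dc=*) printf '%s\n' "$ou" ;;
        *) printf '%s,%s\n' "$ou" "$(domain_to_base_dn "$domain")" ;;
    esac
}

# Render the /etc/realmd.conf section that makes "realm join" default to
# this OU, so the account needs rights there rather than on CN=Computers.
realmd_conf_section() {
    printf '[%s]\ncomputer-ou = %s\n' "$1" "$(qualify_ou "$2" "$1")"
}

# Enumerate OUs so the right container can be picked (needs ldap-utils and
# a reachable DC; -ZZ forces StartTLS so the simple-bind password is not
# sent in clear).
list_ous() {
    domain=$1; user=$2
    ldapsearch -LLL -x -ZZ -H "ldap://$domain" -D "$user" -W \
        -b "$(domain_to_base_dn "$domain")" '(objectClass=organizationalUnit)' dn
}

# Join with the target OU given on the command line (same effect as the
# realmd.conf section above).
join_into_ou() {
    domain=$1; user=$2; ou=$3
    sudo realm join -v -U "$user" --computer-ou="$(qualify_ou "$ou" "$domain")" "$domain"
}

if [ "${1:-}" = "run" ]; then
    list_ous ad.example.com 'daniel@AD.EXAMPLE.COM'
    realmd_conf_section ad.example.com 'OU=Linux,OU=Workstations'
    join_into_ou ad.example.com 'daniel@AD.EXAMPLE.COM' 'OU=Linux,OU=Workstations'
fi
```

Run it with the argument `run` on the client; after a successful join, `realm list` shows the configured domain.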