
I am trying to join a Ubuntu/Linux computer to the Active Directory domain as a normal user account that is not a member of the Domain Admins group.

I can join Windows computers just fine. You do not have to be an admin, but you have a quota of computers that you can join without being an administrator.

But when I try to bring a Ubuntu Linux computer into the domain, it fails with the error message below. I would appreciate any help on this.

daniel@linux01:~$ sudo realm join -v -U 'daniel@AD.example.com' AD.example.com
[sudo] password for daniel:
 * Resolving: _ldap._tcp.ad.example.com
 * Performing LDAP DSE lookup on: 10.0.0.10
 * Successfully discovered: ad.example.com
Password for daniel@AD.example.com:
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain ad.example.com --domain-realm AD.example.com --domain-controller 10.0.0.10 --login-type user --login-user daniel@AD.example.com --stdin-password
 * Using domain name: ad.example.com
 * Calculated computer account name from fqdn: LINUX01
 * Using domain realm: ad.example.com
 * Sending NetLogon ping to domain controller: 10.0.0.10
 * Received NetLogon info from: dc1.ad.example.com
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-iIuXdP/krb5.d/adcli-krb5-conf-eeT5bO
 * Authenticated as user: daniel@AD.example.com
 * Looked up short domain name: AD
 * Looked up domain SID: S-1-5-21-13313029-848207003-2406435418
 * Using fully qualified name: linux01.ad.example.com
 * Using domain name: ad.example.com
 * Using computer account name: LINUX01
 * Using domain realm: ad.example.com
 * Calculated computer account name from fqdn: LINUX01
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for LINUX01$ does not exist
 * Found well known computer container at: CN=Computers,DC=ad,DC=example,DC=com
 * Calculated computer account: CN=LINUX01,CN=Computers,DC=ad,DC=example,DC=com
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 ! Insufficient permissions to modify computer account: CN=LINUX01,CN=Computers,DC=ad,DC=example,DC=com: 000020E7: AtrErr: DSID-03153402, #1:
        0: 000020E7: DSID-03153402, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90008 (userAccountControl):len 4

adcli: joining domain ad.example.com failed: Insufficient permissions to modify computer account: CN=LINUX01,CN=Computers,DC=ad,DC=example,DC=com: 000020E7: AtrErr: DSID-03153402, #1:
        0: 000020E7: DSID-03153402, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90008 (userAccountControl):len 4

 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain
Daniel

2 Answers


You're not providing any Container Name (CN in the error messages), so the Linux01 machine is inserted into the default "Computers" CN. My guess is that your user account doesn't have enough privilege to alter this CN, or more probably it doesn't even exist in your AD, so you must provide a complete CN path.

In Windows, when adding a computer to the AD, the GUI allows you to navigate the Domain tree and select the appropriate container (leaf). You should probably add an entry in your realmd.conf file, or add the OU information directly to the command line.

/etc/realmd.conf defaults:

[ad.example.com]
computer-ou = OU=Linux Computers,DC=AD,DC=example,DC=com
# computer-ou = OU=Linux Computers,

On the command line:

realm join --user=daniel@AD.example.com AD.example.com --computer-ou='OU=Linux Computers,DC=AD,DC=example,DC=com'

First find the OU/CN with ldapsearch:

ldapsearch -LLL -H ldap://AD.example.com -b 'dc=ad,dc=example,dc=com' -D 'AD\daniel' -W '(name=web_servers)' dn
wazoox
  • Thanks for your response, but `Found well known computer container at: CN=Computers,DC=ad,DC=example,DC=com` – Daniel Mar 12 '20 at 19:43
  • This is the default in the realmd.conf config file, that's why it seems dubious to me. This is a catch-all, and nothing proves that your user has enough rights to modify it. – wazoox Mar 13 '20 at 20:34
  • Furthermore it would be nice to provide relevant information such as Ubuntu version, AD version, and realmd.conf. – wazoox Mar 13 '20 at 20:36
  • Client version and AD version are not relevant to the question. This is not about troubleshooting a problem, it's a question about the technical requirement to use the ms-ds-machineaccountquota domain join option. – Daniel Mar 13 '20 at 21:01
  • OK, so that must be that you've already inscribed 10 computers into the domain using this same account. That's the most straightforward explanation according to the information you've provided. – wazoox Mar 13 '20 at 22:33
  • 1
    But not accurate. I joined one client prior to attempting the linux client. – Daniel Mar 13 '20 at 22:56
  • Then your AD may be running Windows 2008 or 2008R2. adcli creates accounts through LDAP, and that fails with these windows versions (versions of AD and client are definitely important). – wazoox Mar 13 '20 at 23:15
  • Definitely an LDAP error any way, see https://support.microsoft.com/en-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties – wazoox Mar 13 '20 at 23:38
  • The article you mention doesn't indicate any LDAP error whatsoever. You're plain wrong. – Daniel Oct 28 '20 at 09:37
  • @Daniel MS documentation never mentions LDAP, but it uses LDAP all the same. As you're systematically hostile, you can sort it out by yourself, mate, I don't feel like helping you anymore. Try being nice next time, uh? – wazoox Oct 28 '20 at 14:31

I had the exact same issue, and it turned out that there are more permissions required to join a Linux system than a Windows system to the domain, though I'm not sure why that is the case.

I added additional permissions to my domain join account following this guide: https://www.computertechblog.com/active-directory-permissions-required-to-join-linux-and-windows-computers-to-a-domain/

From the above link:

Standard permissions required to join systems to AD (Linux and Windows)

  • Reset password
  • Read and write account restrictions
  • Validated write to DNS host name
  • Validated write to service principal name
  • Read and write DNS host name attributes

Additional permissions required by Linux machines to join AD (Linux)

  • Read dNSHostName
  • Write dNSHostName
  • Read msDS-AdditionalSamAccountName
  • Write msDS-AdditionalSamAccountName
  • Read msDS-SupportedEncryptionTypes
  • Write msDS-SupportedEncryptionTypes
  • Read Operating System
  • Write Operating System
  • Read Operating System Version
  • Write Operating System Version
  • Read OperatingSystemServicePack
  • Write OperatingSystemServicePack
  • Read servicePrincipalName
  • Write servicePrincipalName
  • Read userAccountControl
  • Write userAccountControl
  • Read userPrincipalName
  • Write userPrincipalName

NOTE: You must show "Property-specific" permissions to see these extra permissions.

jgstew
  • Thanks for the reply, but for being marked as an answer, something is missing. Why do you have to give a user account all those permissions for it being able to join a Linux machine, but you don't have to that before using it to join a Windows machine? – Daniel Sep 09 '20 at 06:46
  • I really have no clue, doesn't make much sense to me. It did solve the issue for me though. I am guessing that Windows machines themselves are able to write into those fields once they join the domain using their computer account, but linux machines cannot? That is just a guess. I just followed the advice here: https://www.computertechblog.com/active-directory-permissions-required-to-join-linux-and-windows-computers-to-a-domain/ – jgstew Sep 10 '20 at 14:31
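A way to grant exactly the rights listed in this answer to a dedicated join account on a dedicated OU (rather than on the default CN=Computers container the first answer discusses), run with dsacls on a domain controller. This is an added example, not code from either answer or from the linked guide; the OU name and the account AD\svc-linux-join are assumptions.

```powershell
# Assumptions (not from the original page): the OU that realmd will be pointed at
# with computer-ou, and a low-privilege account used only for joining.
$ou   = 'OU=Linux Computers,DC=ad,DC=example,DC=com'
$acct = 'AD\svc-linux-join'

# Let the account create computer objects directly in the OU (this object only).
dsacls $ou /G "${acct}:CC;computer"

# Attribute read/write (RPWP) on computer objects below the OU (/I:S = sub-objects
# only; the trailing ';computer' limits inheritance to computer objects). These are
# the ldapDisplayNames of the "additional permissions" listed above, including
# userAccountControl, the attribute adcli was refused on in the question.
$props = @(
    'dNSHostName',
    'servicePrincipalName',
    'userAccountControl',
    'userPrincipalName',
    'msDS-AdditionalSamAccountName',
    'msDS-SupportedEncryptionTypes',
    'operatingSystem',
    'operatingSystemVersion',
    'operatingSystemServicePack'
)
foreach ($p in $props) {
    dsacls $ou /I:S /G "${acct}:RPWP;$p;computer"
}

# Control access right and validated writes from the "standard permissions" list.
dsacls $ou /I:S /G "${acct}:CA;Reset Password;computer"
dsacls $ou /I:S /G "${acct}:WS;Validated write to DNS host name;computer"
dsacls $ou /I:S /G "${acct}:WS;Validated write to service principal name;computer"

# Review the resulting ACL on the OU; nothing here touches CN=Computers or the
# domain root, so the account cannot modify computers outside this OU.
dsacls $ou
```

On the Linux side the join then passes this OU explicitly, for example with `--computer-ou='OU=Linux Computers,DC=ad,DC=example,DC=com'` or the matching `computer-ou` entry in /etc/realmd.conf.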