
I'm trying to join my RHEL 7 VM to our company's AD. I can validate my login credentials just fine with kinit (no return if I enter the correct password, an error if I enter the wrong one); however, when I try to join using realmd it says I have insufficient permissions to join. Using `net ads join --user=MyUser` returns "Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED)". I do not have administrative access to the AD; however, one of the administrators added my RHEL machine to the AD. I've tried reinstalling samba and krb but that didn't help. I've also played around with the configs but I just can't seem to get it working. Any help would be much appreciated.

BIfrost
  • If you have insufficient privileges to join a host to the domain, you're not going to be able to join it to the domain. It sounds like kerberos is working fine, but logons are failing. Please post a sanitised /var/log/secure as a starting point. Nvm, chris has this one. – Andy Aug 26 '14 at 14:46

2 Answers


RHEL7 includes realmd which is excellent. Try this.

As the machine account exists, you probably will not need admin privileges in AD. Also, you do not need to extend the AD schema to cover rfc2307.

chriscowley
  • Thanks for the answer. I've used `realm list` before and it shows that I am connected to our domain, however, I can not log in with my domain username. – BIfrost Aug 26 '14 at 12:53
  • What does it say in `/var/log/secure` Edit: What is the output of `realm list`? – chriscowley Aug 26 '14 at 13:44
  • "Failed password for invalid user xx@DOMAIN.LOCAL from 192.168.xx.xx port 60517 ssh2" (Tried to connect using putty) – BIfrost Aug 26 '14 at 13:47
  • and `realm list`? Looks like the LDAP lookup is failing, which may be kerberos (DNS perhaps?). I notice that you have already tried doing SSSD; are you in a position to start from clean and just follow my instructions, perhaps ask an AD guy to come and enter the credentials to join (as they would with Windows)? – chriscowley Aug 26 '14 at 14:02
  • `realm list` output: `xx.local type: kerberos realm-name: XX.LOCAL domain-name: xx.local configured: kerberos-member server-software: active-directory client-software: winbind required-package: oddjob-mkhomedir required-package: oddjob required-package: samba-winbind-clients required-package: samba-winbind required-package: samba-common login-formats: %U login-policy: allow-any-login`. I can start from a VM snapshot before the installation, but I should/need to be able to do this without having to call an admin over. EDIT: Comment formatting is bad. – BIfrost Aug 26 '14 at 14:16
  • No you shouldn't, because a certain level of rights is required to add an account to the domain. It is the same with Windows clients. They could give your account permission to write to a certain OU, in which case you could join using your own credentials. – chriscowley Aug 26 '14 at 14:21
  • The machine name (in my case srv-x008) itself was already added to the AD manually by an admin. Is that not enough? I should be able to log in on that machine using my domain account that I use for windows too, correct? – BIfrost Aug 26 '14 at 14:23
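The diagnostic thread above hinges on one detail: sshd logging "Failed password for invalid user" means the account name could not be resolved through NSS (the winbind lookup side), so the failure happens before any password is checked. The following added script (not part of the original answers) parses a constructed copy of the `realm list` output quoted in the comments and classifies constructed `/var/log/secure` lines to separate lookup failures from real authentication failures; hostnames, addresses and the `triage` function are assumptions.

```shell
#!/bin/sh
# Constructed sample of `realm list` output, one "key: value" per line as realm prints it.
REALM_LIST='xx.local
  type: kerberos
  realm-name: XX.LOCAL
  domain-name: xx.local
  configured: kerberos-member
  server-software: active-directory
  client-software: winbind
  required-package: samba-winbind
  login-formats: %U
  login-policy: allow-any-login'

# Constructed sshd lines of the kind found in /var/log/secure (host and IP are made up).
SECURE_LOG='Aug 26 13:45:01 srv-x008 sshd[2211]: Failed password for invalid user xx@DOMAIN.LOCAL from 192.168.10.20 port 60517 ssh2
Aug 26 13:46:10 srv-x008 sshd[2215]: Failed password for xx from 192.168.10.20 port 60520 ssh2
Aug 26 13:47:33 srv-x008 sshd[2219]: Accepted password for xx from 192.168.10.20 port 60522 ssh2'

# realm_field KEY: print the value of KEY from realm list text read on stdin.
realm_field() {
    awk -v key="$1:" '$1 == key { print $2; exit }'
}

# classify_login LINE: "invalid user" means the name never resolved via NSS, so the
# identity lookup (not the password) is what failed; a plain failure is an auth failure.
classify_login() {
    case "$1" in
        *"Failed password for invalid user "*) echo "lookup-failure" ;;
        *"Failed password for "*)              echo "auth-failure" ;;
        *"Accepted password for "*)            echo "success" ;;
        *)                                     echo "other" ;;
    esac
}

# triage: combine the configured client software with the first log line into a verdict.
triage() {
    client=$(printf '%s\n' "$REALM_LIST" | realm_field client-software)
    first=$(printf '%s\n' "$SECURE_LOG" | head -n 1)
    verdict=$(classify_login "$first")
    if [ "$verdict" = lookup-failure ]; then
        echo "user unknown to NSS: check the $client identity lookup (wbinfo -u, getent passwd), not the password"
    else
        echo "$verdict"
    fi
}

triage
```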

In case you have configured kerberos correctly (klist shows a krb ticket after kinit), there is probably an issue with your machine account in the AD. Joining AD requires an Administrator account or one with permissions to join clients in the domain, because it has to create a machine account with a unique SID for your PC. The next thing you need to do is verify the kerberos keytab. It is used for holding the ticket-signing ticket. It is created by `net ads join` or on AD.

Since you're using RHEL7, I would recommend using SSSD:

configure SSSD to authenticate with a Windows 2008 or later Domain Server

fireto
  • Thanks for the answer. I've been following that guide initially, which also led me to the same error. – BIfrost Aug 26 '14 at 12:58