
I am trying to join a Linux server to Active Directory. I want to set OS Name and OS Version attributes upon joining the domain using this command:

/usr/bin/net ads join -k -S adserver.example.local osName=CentOS osVer=6.5

I've delegated permissions to a bind account so that it can read/write the OS Name and OS Version properties of computer objects. When I try to join the domain, I am hit with this error:

Failed to join domain: failed to set machine os attributes: Insufficient access

I have no issues joining the domain when leaving off osName and osVer. Just to verify that this account has the right permissions, I manually set these two properties on the computer objects using ADSI.

Python Novice

3 Answers


It's usually easier to pre-stage the computer account, and assign permissions/owner to the account that will be joining it to the domain.

Greg Askew
  • I've automated the process from the Linux side and what you described sounds a lot more complicated than what is currently working. – Python Novice Aug 12 '15 at 10:18
  • From a security perspective, it's safer to have a separate computer account prestage process/web service than using a shared provisioning account with elevated permissions in the domain/forest that probably has the credentials saved in a config file. – Greg Askew Aug 12 '15 at 11:51

From packet analysis, I learned that the account being used to join the domain was missing permissions to read/write Operating System Service Pack. That attribute was automatically being set to the version of Samba that was installed.

Python Novice

I had the exact same issue, and it turned out that there are more permissions required to join a Linux system than a Windows system to the domain.

I added additional permissions to my domain join account following this guide: https://www.computertechblog.com/active-directory-permissions-required-to-join-linux-and-windows-computers-to-a-domain/

From the above link:

Standard permissions required to join systems to AD (Linux and Windows)

  • Reset password
  • Read and write account restrictions
  • Validated write to DNS host name
  • Validated write to service principal name
  • Read and write DNS host name attributes

Additional permissions required by Linux machines to join AD (Linux)

  • Read dNSHostName
  • Write dNSHostName
  • Read msDS-AdditionalSamAccountName
  • Write msDS-AdditionalSamAccountName
  • Read msDS-SupportedEncryptionTypes
  • Write msDS-SupportedEncryptionTypes
  • Read Operating System
  • Write Operating System
  • Read Operating System Version
  • Write Operating System Version
  • Read OperatingSystemServicePack
  • Write OperatingSystemServicePack
  • Read servicePrincipalName
  • Write servicePrincipalName
  • Read userAccountControl
  • Write userAccountControl
  • Read userPrincipalName
  • Write userPrincipalName

NOTE: You must show "Property-specific" permissions to see these extra permissions.


jgstew
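The two approaches above fit together: pre-stage the computer object (Greg Askew's answer) and then grant the join account only the property-specific rights listed in this answer, so the Linux host can run `net ads join` with `osName`/`osVer` without the account holding broad rights in the domain. The following PowerShell is an added example and is not code from the thread or from the linked guide. It assumes the RSAT ActiveDirectory module, a hypothetical computer `centos01` in `OU=Linux,DC=example,DC=local`, and a hypothetical join account `svc-adjoin`; it must be run as an account allowed to edit the object's ACL.

```powershell
# Added example, not from the original thread or the linked guide.
# Pre-stages a computer account and delegates to a join account exactly the
# property-specific Read/Write rights listed above (plus Reset Password and
# the Account Restrictions property set). All names below are assumptions.
Import-Module ActiveDirectory

$ComputerName = 'centos01'                          # hypothetical host
$TargetOU     = 'OU=Linux,DC=example,DC=local'      # hypothetical OU
$JoinSid      = (Get-ADUser -Identity 'svc-adjoin').SID   # hypothetical join account

$RootDse  = Get-ADRootDSE
$SchemaNC = $RootDse.schemaNamingContext
$RightsNC = "CN=Extended-Rights,$($RootDse.configurationNamingContext)"

# Attributes the Samba join writes, taken from the list above. Samba writes
# operatingSystemServicePack even when you only pass osName/osVer, which is
# the missing right that caused the "Insufficient access" error in the question.
$Attributes = @(
    'dNSHostName', 'msDS-AdditionalSamAccountName', 'msDS-SupportedEncryptionTypes',
    'operatingSystem', 'operatingSystemVersion', 'operatingSystemServicePack',
    'servicePrincipalName', 'userAccountControl', 'userPrincipalName'
)

function Get-SchemaAttributeGuid {
    # Look up the schemaIDGUID of an attribute so the ACE applies to that
    # attribute only, rather than to the whole object.
    param([string]$LdapDisplayName)
    $attr = Get-ADObject -SearchBase $SchemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in schema" }
    [guid]$attr.schemaIDGUID
}

function Get-ControlAccessRightGuid {
    # Extended rights (Reset Password) and property sets (Account Restrictions)
    # both live under CN=Extended-Rights and are identified by rightsGuid.
    param([string]$DisplayName)
    $right = Get-ADObject -SearchBase $RightsNC `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $right) { throw "Control access right '$DisplayName' not found" }
    [guid]$right.rightsGuid
}

# 1. Pre-stage the computer object if it does not exist yet.
$Computer = Get-ADComputer -Filter "Name -eq '$ComputerName'" -SearchBase $TargetOU
if (-not $Computer) {
    $Computer = New-ADComputer -Name $ComputerName -SamAccountName "$ComputerName`$" `
        -Path $TargetOU -Enabled $true -PassThru
}
$AdPath = "AD:\$($Computer.DistinguishedName)"
$Acl    = Get-Acl -Path $AdPath

$Allow     = [System.Security.AccessControl.AccessControlType]::Allow
$ReadWrite = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$Extended  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# 2. Property-specific Read/Write on each attribute. Because each ACE carries
#    the attribute's GUID, the account cannot modify anything else on the object.
foreach ($name in $Attributes) {
    $guid = Get-SchemaAttributeGuid -LdapDisplayName $name
    $Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $JoinSid, $ReadWrite, $Allow, $guid)))
}

# 3. The standard join rights: Reset Password (extended right) and Read/Write
#    on the Account Restrictions property set.
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $JoinSid, $Extended, $Allow, (Get-ControlAccessRightGuid 'Reset Password'))))
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $JoinSid, $ReadWrite, $Allow, (Get-ControlAccessRightGuid 'Account Restrictions'))))

Set-Acl -Path $AdPath -AclObject $Acl

# 4. Verify: show only the ACEs granted to the join account on this object.
$JoinNt = $JoinSid.Translate([System.Security.Principal.NTAccount]).Value
(Get-Acl -Path $AdPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $JoinNt } |
    Select-Object ActiveDirectoryRights, ObjectType |
    Format-Table -AutoSize
```

Because the ACEs grant full Write on dNSHostName and servicePrincipalName, the separate "validated write" rights in the guide's list are subsumed; if you prefer the narrower validated writes, grant those control access rights instead of WriteProperty on those two attributes. Scoping the ACL to the pre-staged object, rather than to the OU, is what keeps a leaked join-account credential from being usable against other computer accounts, which is the point Greg Askew's comment makes.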