* Modifying computer account: dNSHostName
* Retrieved kvno '2' for computer account in directory: CN=LABDEBIAN,OU=SERVERS,dc=domain,dc=com
* Created computer account: CN=LABDEBIAN,OU=SERVERS,dc=domain,dc=com
* Calculated computer account: CN=LABDEBIAN,OU=SERVERS,dc=domain,dc=com
! Couldn't find a computer container in the ou, creating computer account directly in: OU=SERVERS,dc=domain,dc=com
* Computer account for LABDEBIAN$ does not exist
* Generated 120 character computer password
* Authenticated as user: Looked up short domain name: DOMAIN
* Wrote out nf snippet to /var/cache/realmd/adcli-krb5-o4dezD/krb5.d/adcli-krb5-conf-9pCpsi
* Sending netlogon pings to domain controller: ldap://192.168.194.1
* Calculated computer account name from fqdn: LABDEBIAN
* LANG=C /usr/sbin/adcli join -verbose -domain -domain-realm DOMAIN.COM -domain-controller 192.168.194.1 -computer-ou OU=SERVERS,dc=domain,dc=com -os-name GNU/Linux -os-version Linux 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 () -login-type user -login-user user1 -stdin-password
Maybe you will see something like this as output:
$ sudo realm join domain -U 'user1' --computer-ou=OU=SERVERS --os-name="`uname -o`" --os-version="`uname -rsv`" --install='/' --verbose
The --install='/' is there just in case it returns an error saying it cannot find the required packages (although they were installed in the previous section).
When joining an AD domain the value is stored in the matching AD attribute.
i.e.: --os-version=`uname -rsv`
sudo realm join -U 'user1' --computer-ou=OU=SERVERS --os-name="`uname -o`" --os-version="`uname -rsv`" --install='/' --verbose
--os-version=xxx The version of the operating system of the client. When joining an AD domain the value is stored in the matching AD attribute.
--os-name=xxx The name of the operating system of the client. This is an Active Directory specific option.
You can usually omit the root DSE portion of distinguished name.
The exact format of the distinguished name depends on the client software and membership software.
--computer-ou=OU=xxx The distinguished name of an organizational unit to create the computer account.
If you read the manpages of the realm command, there is a “join” action with some parameters I think are very interesting:
So, run the command:
apt-get install sssd-tools sssd libnss-sss libpam-sss adcli samba-common-bin
Command to join the domain
Required-package: samba-common-bin
Install more required packages
As you can see in the output of the “realm discover” command, there are some packages needed to allow joining the Windows domain.
Now it should return something like this:
sudo realm discover
To fix it install the policykit-1 package
sudo apt-get install policykit-1
Realm: Couldn't discover realms: Not authorized to perform this action
It may happen that the command returns an error like this:
sudo realm discover
Install needed packages
Install realmd
apt-get install realmd
3 Check the machine has joined successfully.
Now the question becomes: why does KB5008380 prevent changing the password of another user with kerberos? Microsoft does not mention this at all in the documentation about PacRequestorEnforcement.
I wonder why google could not find this (maybe not crawled in the last 1 day?).
And plenty of more looking around took me finally to RH Bugzilla where there is a test build of adcli, version adcli-0.8.1-16.el7_9.1sb1 which works. Damn you RH.
After a lot of time wasted digging around, I come to which explains it all.
Really nobody else has encountered this?! Google-fu comes almost empty with only the Red Hat "solution" and another "discussion" about it with no clues.
Edit: adcli package got updated on Jun 2021 in 0.8.1-15 to include patch for "#1762633" which I suspect is about this issue - but June is very early compared to the November release of KB5008380.
I wonder if that "solution" is to turn PacRequestorEnforcement back to 1?
Red Hat seems to have a "solution" for this which is only available for subscribers.
After installing KB5008380 on DCs and changing PacRequestorEnforcement to 2, CentOS 7/8 fails to join to domain with adcli/realm:
! Cannot set computer password: Authentication error