Bug 961416

Summary: cannot join AD domain as non-admin user
Product: [Fedora] Fedora
Reporter: Karel Srot <ksrot>
Component: realmd
Assignee: Stef Walter <stefw>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 19
CC: jhrozek, stefw, yelley
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-05-13 12:45:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Karel Srot 2013-05-09 15:04:27 UTC
Description of problem:

$ sudo realm join --verbose --user=Kif security.baseos.qe
 * Resolving: _ldap._tcp.dc._msdcs.security.baseos.qe
 * Sending MS-CLDAP ping to: 10.34.36.170
 * Successfully discovered: security.baseos.qe
Password for Kif: 
 * Required files: /usr/sbin/sss_cache, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.S1BHWW -U Kif ads join security.baseos.qe
Enter Kif's password:
Failed to join domain: failed to set machine spn: Constraint violation
 ! Insufficient permissions to join the domain security.baseos.qe
realm: Couldn't join realm: Insufficient permissions to join the domain security.baseos.qe

I was working in an ssh console and using sudo.

I was able to log in as the Kif-admin user. Some guys were able to log in as Kif after logging in as Kif-admin and leaving the domain. I was able to log in as the Kif user once, but after a realmd restart I wasn't able to log in anymore.

I cannot find out what the root cause may be.


Version-Release number of selected component (if applicable):
realmd-0.14.0-1.fc19.x86_64
krb5-workstation-1.11.2-4.fc19.x86_64

How reproducible:
always

Steps to Reproduce:
1. Reported when following the scenario
https://fedoraproject.org/wiki/QA:Testcase_realmd_join_sssd
from the test day. AD servers with Microsoft Server 2008 R2 were preconfigured for the test day. I am afraid I won't be able to re-test later.
  
Actual results:
Cannot join the domain.

Expected results:
I can join the domain.

Additional info:

Comment 1 Stef Walter 2013-05-13 12:45:26 UTC
Yes, it is very common not to be able to join AD with a non-admin user. There are any number of cases:

 * The computer account already exists.
 * The user has added more than N machines to the domain (ever), where N
   is something like 5 or 10 (see Windows GPO for your domain's default value).
 * adcli is in use. adcli uses LDAP to create computer accounts in the domain.
   Windows Server 2008 has problems when a computer account is created
   via LDAP (rather than RPC).
 * Many domains disable non-admin joins.

realmd tells callers that they need to use other credentials (thus the Insufficient permissions) in order to complete the join.
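As an added example (not code from this report, from realmd or from Samba), the following Python script parses a verbose `realm join` transcript like the one in the description, separates the error returned by the join tool from realmd's own "Insufficient permissions" verdict, and recovers which tool and which user realmd actually invoked. The line formats it matches are assumed from the transcript above (including the `-U <user>` form), and the list of likely causes is the one enumerated in this comment, used as a triage hint rather than a diagnosis; the adcli-specific cause is only reported when the echoed tool path ends in `/adcli`.

```python
import re

# Constructed sample input: the verbose `realm join` transcript quoted in the
# bug report above (realmd's own lines plus the `net ads join` it ran).
SAMPLE_OUTPUT = """\
 * Resolving: _ldap._tcp.dc._msdcs.security.baseos.qe
 * Sending MS-CLDAP ping to: 10.34.36.170
 * Successfully discovered: security.baseos.qe
Password for Kif:
 * Required files: /usr/sbin/sss_cache, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.S1BHWW -U Kif ads join security.baseos.qe
Enter Kif's password:
Failed to join domain: failed to set machine spn: Constraint violation
 ! Insufficient permissions to join the domain security.baseos.qe
realm: Couldn't join realm: Insufficient permissions to join the domain security.baseos.qe
"""

# Line shapes assumed from the transcript above (realmd --verbose output).
RE_DISCOVERED = re.compile(r"^\s*\*\s+Successfully discovered:\s+(\S+)\s*$")
# Echoed join command: optional VAR=value prefixes, then an absolute tool path and its args.
RE_TOOL = re.compile(r"^\s*\*\s+(?:[A-Z_]+=\S*\s+)*(/\S+)\s+(.*)$")
RE_USER = re.compile(r"-U\s+(\S+)")                            # the -U <user> form in the report
RE_TOOL_FAIL = re.compile(r"^Failed to join domain:\s+(.*)$")  # error from the join tool itself
RE_REALMD_ERR = re.compile(r"^\s*!\s+(.*)$")                   # realmd's own verdict
RE_FINAL = re.compile(r"^realm:\s+(.*)$")                      # what the `realm` CLI printed last


def parse_realm_join(output: str) -> dict:
    """Extract realm, join tool, user and both error layers from a verbose transcript."""
    parsed = {"realm": None, "tool": None, "tool_args": None, "user": None,
              "tool_error": None, "realmd_error": None, "final": None}
    for line in output.splitlines():
        m = RE_DISCOVERED.match(line)
        if m:
            parsed["realm"] = m.group(1)
            continue
        m = RE_TOOL.match(line)
        if m:
            parsed["tool"], parsed["tool_args"] = m.group(1), m.group(2)
            u = RE_USER.search(m.group(2))
            if u:
                parsed["user"] = u.group(1)
            continue
        m = RE_TOOL_FAIL.match(line)
        if m:
            parsed["tool_error"] = m.group(1).strip()
            continue
        m = RE_REALMD_ERR.match(line)
        if m:
            parsed["realmd_error"] = m.group(1).strip()
            continue
        m = RE_FINAL.match(line)
        if m:
            parsed["final"] = m.group(1).strip()
    return parsed


def needs_other_credentials(parsed: dict) -> bool:
    """realmd's 'Insufficient permissions' means the join must be retried with other credentials."""
    return "insufficient permissions" in (parsed.get("realmd_error") or "").lower()


def likely_causes(parsed: dict) -> list:
    """Heuristic triage list drawn from the causes enumerated in comment 1; not a diagnosis."""
    if not needs_other_credentials(parsed):
        return []
    causes = [
        "the computer account already exists in the domain",
        "this user has exhausted the machine-account quota (see the domain's GPO for the value)",
        "the domain disallows non-admin joins",
    ]
    # The LDAP-vs-RPC problem on Windows Server 2008 only applies when adcli did the join;
    # the transcript above shows /usr/bin/net, so it is not listed for that case.
    if (parsed.get("tool") or "").endswith("/adcli"):
        causes.append("adcli created the account over LDAP, which Windows Server 2008 handles badly")
    return causes


if __name__ == "__main__":
    p = parse_realm_join(SAMPLE_OUTPUT)
    print(f"realm={p['realm']} tool={p['tool']} user={p['user']}")
    print(f"join tool said : {p['tool_error']}")
    print(f"realmd said    : {p['realmd_error']}")
    for cause in likely_causes(p):
        print(" -", cause)
```

Feed it `realm join --verbose ... 2>&1` captured to a file; the distinction it draws (the tool's "failed to set machine spn: Constraint violation" versus realmd's generic "Insufficient permissions") is the part worth keeping in a ticket, since realmd's message alone does not say which of the cases above applies.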