Bug 961416 - cannot join AD domain as non-admin user
Summary: cannot join AD domain as non-admin user
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: realmd
Version: 19
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Stef Walter
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-05-09 15:04 UTC by Karel Srot
Modified: 2013-05-13 12:45 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-05-13 12:45:26 UTC
Type: Bug
Embargoed:



Description Karel Srot 2013-05-09 15:04:27 UTC
Description of problem:

$ sudo realm join --verbose --user=Kif security.baseos.qe
 * Resolving: _ldap._tcp.dc._msdcs.security.baseos.qe
 * Sending MS-CLDAP ping to: 10.34.36.170
 * Successfully discovered: security.baseos.qe
Password for Kif: 
 * Required files: /usr/sbin/sss_cache, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.S1BHWW -U Kif ads join security.baseos.qe
Enter Kif's password:
Failed to join domain: failed to set machine spn: Constraint violation
 ! Insufficient permissions to join the domain security.baseos.qe
realm: Couldn't join realm: Insufficient permissions to join the domain security.baseos.qe

I was working in ssh console & using sudo.

I was able to log in as the Kif-admin user. Some guys were able to log in as Kif after logging in as Kif-admin and leaving the domain. I was able to log in as the Kif user once, but after a realmd restart I wasn't able to log in anymore.

Cannot find out what may be the root cause.


Version-Release number of selected component (if applicable):
realmd-0.14.0-1.fc19.x86_64
krb5-workstation-1.11.2-4.fc19.x86_64

How reproducible:
always

Steps to Reproduce:
1. Reported when following the scenario
https://fedoraproject.org/wiki/QA:Testcase_realmd_join_sssd
from the test day. AD servers with Microsoft Server 2008 R2 were preconfigured for the test day. I am afraid I won't be able to re-test later.

Actual results:
Cannot join the domain.

Expected results:
I can join the domain.

Additional info:

Comment 1 Stef Walter 2013-05-13 12:45:26 UTC
Yes, it is very common not to be able to join AD with a non-admin user. There are any number of cases:

 * The computer account already exists.
 * The user has added more than N machines to the domain (ever), where N
   is something like 5 or 10 (see the Windows GPO for your domain's default value).
 * adcli is in use. adcli uses LDAP to create computer accounts in the domain.
   Windows Server 2008 has problems when a computer account is created
   via LDAP (rather than RPC).
 * Many domains disable non-admin joins.

realmd tells callers that they need to use other credentials (thus the Insufficient permissions) in order to complete the join.
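The two directory-side causes in the comment above (an existing computer account, and a user who has exhausted the per-user machine-account quota) can be checked by a domain admin before handing a join to a non-admin user. The script below is an added example; it is not part of this bug report nor of realmd or adcli. It uses two real AD schema attributes that the page itself does not name: ms-DS-MachineAccountQuota on the domain root (how many computer accounts an authenticated non-admin may create; 0 disables non-admin joins), and mS-DS-CreatorSID, which AD stamps on computer objects created under that quota so it can count them per user. The directory is replaced by a constructed in-memory stand-in so the script runs offline; for real use the two lookup functions would be backed by LDAP queries against the domain.

```python
"""Pre-join diagnostics for non-admin AD joins (added example, not realmd code).

Assumed directory model (constructed, not from the bug report):
  FakeDirectory.quota      -> value of ms-DS-MachineAccountQuota on the domain root
  FakeDirectory.computers  -> sAMAccountName of each computer object mapped to the
                              mS-DS-CreatorSID stored on it, or None when the object
                              was created by an administrator (AD sets no creator SID
                              in that case, so admin-created accounts never count
                              against a user's quota).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FakeDirectory:
    """Constructed stand-in for the domain naming context."""
    quota: int
    computers: Dict[str, Optional[str]] = field(default_factory=dict)


def computer_exists(directory: FakeDirectory, hostname: str) -> bool:
    """A computer object's sAMAccountName is the upper-cased host name plus '$'."""
    return f"{hostname.upper()}$" in directory.computers


def accounts_created_by(directory: FakeDirectory, user_sid: str) -> int:
    """Count computer objects whose mS-DS-CreatorSID is this user's SID."""
    return sum(1 for sid in directory.computers.values() if sid == user_sid)


def diagnose(directory: FakeDirectory, hostname: str, user_sid: str) -> List[str]:
    """Return the reasons a non-admin join of `hostname` by `user_sid` would fail.

    An empty list means neither of the two directory-side causes applies; the
    join may still fail for reasons outside the directory (e.g. the LDAP vs RPC
    creation path mentioned in the comment).
    """
    reasons = []
    if computer_exists(directory, hostname):
        reasons.append("computer account already exists")
    if directory.quota == 0:
        reasons.append("non-admin joins disabled (ms-DS-MachineAccountQuota is 0)")
    elif accounts_created_by(directory, user_sid) >= directory.quota:
        reasons.append(
            f"user has reached ms-DS-MachineAccountQuota "
            f"({accounts_created_by(directory, user_sid)}/{directory.quota})"
        )
    return reasons


# Constructed sample data: a placeholder user SID and a domain with the common
# default quota of 10, where that user has already created 10 computer accounts.
SAMPLE_USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # constructed
SAMPLE_DIRECTORY = FakeDirectory(
    quota=10,
    computers={
        # created by an administrator: no creator SID recorded
        "DC1$": None,
        # ten accounts created by the sample user under the quota
        **{f"LAB{n:02d}$": SAMPLE_USER_SID for n in range(10)},
    },
)


def example() -> Dict[str, List[str]]:
    """Run the diagnostic for three constructed join attempts."""
    other_user = "S-1-5-21-1111111111-2222222222-3333333333-1106"      # constructed
    return {
        "new host, fresh user": diagnose(SAMPLE_DIRECTORY, "client7", other_user),
        "new host, quota exhausted": diagnose(SAMPLE_DIRECTORY, "client7", SAMPLE_USER_SID),
        "existing host": diagnose(SAMPLE_DIRECTORY, "lab03", other_user),
    }


if __name__ == "__main__":
    for case, reasons in example().items():
        print(f"{case}: {reasons or ['no directory-side blocker found']}")
```

When a join fails with "Insufficient permissions", running a check like this against the real directory tells the admin whether to pre-create or reset the computer object, raise or reset the user's quota usage, or simply perform the join with administrative credentials as realmd suggests.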

