Joining AD with realm join fails

Support for security such as Firewalls and securing linux
spacefrog
Posts: 2
Joined: 2019/11/06 18:47:42

Joining AD with realm join fails

Post by spacefrog » 2019/11/06 18:51:34

Hello,
I'm trying to join AD with CentOS 8, but it fails. I am able to join the same DC with CentOS7, with very minimal effort.
I am using the "realm join -U" command, on both versions of CentOS. I've installed sssd realmd krb5-workstation samba-common-tools on both machines.

The error I get is:
-- Logs begin at Wed 2019-11-06 09:21:59 PST, end at Wed 2019-11-06 10:46:27 PST. --
Nov 06 10:34:17 nixsrv01 realmd[29165]: * Resolving: _ldap._tcp.southwind.local
Nov 06 10:34:17 nixsrv01 realmd[29165]: * Performing LDAP DSE lookup on: 10.2.1.55
Nov 06 10:34:17 nixsrv01 realmd[29165]: * Successfully discovered: SOUTHWIND.local
Nov 06 10:34:27 nixsrv01 realmd[29165]: * Couldn't find file: /usr/sbin/oddjobd
Nov 06 10:34:27 nixsrv01 realmd[29165]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
Nov 06 10:34:27 nixsrv01 realmd[29165]: * Resolving required packages
Nov 06 10:34:36 nixsrv01 realmd[29165]: * Installing necessary packages: oddjob oddjob-mkhomedir
Nov 06 10:34:38 nixsrv01 realmd[29165]: * LANG=C /usr/sbin/adcli join --verbose --domain SOUTHWIND.local --domain-realm SOUTHWIND.LOCAL --domain-controller 10.2.1.55 --login-type user --login-user netadmin --stdin-password
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Using domain name: SOUTHWIND.local
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Calculated computer account name from fqdn: NIXSRV01
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Using domain realm: SOUTHWIND.local
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Sending netlogon pings to domain controller: cldap://10.2.1.55
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Received NetLogon info from: winsrv01.SOUTHWIND.local
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-mQNY6U/krb5.d/adcli-krb5-conf-K1fHth
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Authenticated as user: netadmin@SOUTHWIND.LOCAL
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Looked up short domain name: SOUTHWIND
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Looked up domain SID: S-1-5-21-2364394821-108924599-3870040844
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Using fully qualified name: nixsrv01
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Using domain name: SOUTHWIND.local
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Using computer account name: NIXSRV01
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Using domain realm: SOUTHWIND.local
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Calculated computer account name from fqdn: NIXSRV01
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Generated 120 character computer password
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Using keytab: FILE:/etc/krb5.keytab
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Computer account for NIXSRV01$ does not exist
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Found well known computer container at: CN=Computers,DC=SOUTHWIND,DC=local
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Calculated computer account: CN=NIXSRV01,CN=Computers,DC=SOUTHWIND,DC=local
Nov 06 10:34:38 nixsrv01 realmd[29165]: ! Couldn't create computer account: CN=NIXSRV01,CN=Computers,DC=SOUTHWIND,DC=local: 00002083: AtrErr: DSID-0315182E, #2:
Nov 06 10:34:38 nixsrv01 realmd[29165]: 0: 00002083: DSID-0315182E, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName):len 26
Nov 06 10:34:38 nixsrv01 realmd[29165]: 1: 00002083: DSID-0315182E, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName):len 52
Nov 06 10:34:38 nixsrv01 realmd[29165]:
Nov 06 10:34:38 nixsrv01 realmd[29165]: adcli: joining domain SOUTHWIND.local failed: Couldn't create computer account: CN=NIXSRV01,CN=Computers,DC=SOUTHWIND,DC=local: 00002083: AtrErr: DSID-0315182E, #2:
Nov 06 10:34:38 nixsrv01 realmd[29165]: 0: 00002083: DSID-0315182E, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName):len 26
Nov 06 10:34:38 nixsrv01 realmd[29165]: 1: 00002083: DSID-0315182E, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName):len 52
Nov 06 10:34:38 nixsrv01 realmd[29165]:
Nov 06 10:34:38 nixsrv01 realmd[29165]: ! Failed to join the domain
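
Added example, not part of the original thread: a small parser for the realmd journal output above that pulls out the host name adcli used and the ATT_OR_VALUE_EXISTS errors, then checks whether the servicePrincipalName values for that host name would collide. It assumes adcli registers the HOST and RestrictedKrbHost service classes for both the computer account name and the fully qualified name, that AD compares SPNs case-insensitively, and that "len" in the error is the UTF-16 byte length of the rejected value; the function and field names are illustrative.

```python
import re
from collections import Counter

# Constructed sample: four lines copied from the realmd journal in the post above.
SAMPLE_LOG = """\
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Using fully qualified name: nixsrv01
Nov 06 10:34:38 nixsrv01 realmd[29165]: * Using computer account name: NIXSRV01
Nov 06 10:34:38 nixsrv01 realmd[29165]: 0: 00002083: DSID-0315182E, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName):len 26
Nov 06 10:34:38 nixsrv01 realmd[29165]: 1: 00002083: DSID-0315182E, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 90303 (servicePrincipalName):len 52
"""

# Assumption: adcli registers these two service classes for both the
# computer account name and the fully qualified name.
SERVICES = ("HOST", "RestrictedKrbHost")

FQDN_RE = re.compile(r"Using fully qualified name: (\S+)")
ACCT_RE = re.compile(r"Using computer account name: (\S+)")
ERR_RE = re.compile(r"problem \d+ \((\w+)\).*\((\w+)\):len (\d+)")


def analyse_join_log(text):
    """Summarise an adcli join failure from realmd journal text."""
    fqdn = FQDN_RE.search(text)
    acct = ACCT_RE.search(text)
    fqdn = fqdn.group(1) if fqdn else None
    acct = acct.group(1) if acct else None
    # De-duplicate with a set: realmd prints the adcli error block twice.
    errors = sorted({(p, a, int(n)) for p, a, n in ERR_RE.findall(text)})
    clashes = []
    if fqdn and acct:
        spns = [f"{svc}/{name}" for svc in SERVICES for name in (acct, fqdn)]
        seen = Counter(s.lower() for s in spns)  # case-insensitive comparison
        clashes = sorted(s for s, n in seen.items() if n > 1)
    # Assumption: "len" is the byte length of the value encoded as UTF-16.
    spn_lens = sorted(len(s.encode("utf-16-le")) for s in clashes)
    return {
        "fqdn": fqdn,
        "fqdn_is_qualified": bool(fqdn and "." in fqdn),
        "errors": errors,
        "duplicate_spns": clashes,
        "lengths_match": spn_lens == sorted(n for _, _, n in errors),
    }


if __name__ == "__main__":
    for key, value in analyse_join_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

When `duplicate_spns` is non-empty and `lengths_match` is true, the host name reported on the "Using fully qualified name" line is the first thing to compare against `hostname -f` on the client.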


spacefrog
Posts: 2
Joined: 2019/11/06 18:47:42

Re: Joining AD with realm join fails

Post by spacefrog » 2019/11/11 17:41:58

Thanks for the link BShT,
But the information is not very useful. I've double- and triple-checked my Windows side, and it's configured properly.
I am able to join AD with CentOS 7 VMs. It's as easy as running 2 commands, realm discover, then realm join.
Unfortunately, CentOS 8 does not join the domain, even when I manually give it most of the information required.

BShT
Posts: 120
Joined: 2019/10/09 12:31:40

Re: Joining AD with realm join fails

Post by BShT » 2019/11/11 18:13:43

Firewall, SELinux?
