Ubuntu realm join fails: insufficient permissions to modify computer account [closed]

Question description Votes: 0 Answers: 0

OS: Ubuntu 20.04

Trying to join a Windows AD 2019 server using the following command

sudo realm join -U sam local.com --verbose

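Please note that the above domain account "sam" has administrative privileges on the Active Directory server, so it is not related to a permissions issue. There seems to be some other, very strange problem. We have been facing this issue since the OS upgrade activity.

Error below: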

sudo realm join -U sam local.com --verbose

 * Resolving: _ldap._tcp.local.com
 * Performing LDAP DSE lookup on: 10.10.10.150
 * Successfully discovered: local.com
Password for sam:
 * Unconditionally checking packages
 * Resolving required packages
 * Joining using a truncated netbios name: FAKE-TOMCAT9-IN
 * LANG=C /usr/sbin/adcli join --verbose --domain local.com --domain-realm LOCAL.COM --domain-controller 10.10.10.150 --computer-name FAKE-TOMCAT9-IN --login-type user --login-user sam --stdin-password
 * Using domain name: local.com
 * Using computer account name: FAKE-TOMCAT9-IN
 * Using domain realm: local.com
 * Sending NetLogon ping to domain controller: 10.10.10.150
 * Received NetLogon info from: ad.local.com
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-ueHwbQ/krb5.d/adcli-krb5-conf-McsIqO
 * Authenticated as user: [email protected]
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: LOCAL
 * Looked up domain SID: S-1-5-21-2301560059-3867273182-4066887856
 * Using fully qualified name: localhost
 * Using domain name: local.com
 * Using computer account name: FAKE-TOMCAT9-IN
 * Using domain realm: local.com
 * Enrolling computer name: FAKE-TOMCAT9-IN
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for FAKE-TOMCAT9-IN$ does not exist
 * Found well known computer container at: CN=Computers,DC=local,DC=com
 * Calculated computer account: CN=FAKE-TOMCAT9-IN,CN=Computers,DC=local,DC=com
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 ! Insufficient permissions to modify computer account: CN=FAKE-TOMCAT9-IN,CN=Computers,DC=local,DC=com: 000021C7: AtrErr: DSID-03200E81, #1:
        0: 000021C7: DSID-03200E81, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)

adcli: joining domain local.com failed: Insufficient permissions to modify computer account: CN=FAKE-TOMCAT9-IN,CN=Computers,DC=local,DC=com: 000021C7: AtrErr: DSID-03200E81, #1:
        0: 000021C7: DSID-03200E81, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)

 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain

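Tried leaving and rejoining, with no luck.

Tried removing all the (sssd realmd krb5-user samba-common packagekit adcli libpam-sss libnss-sss) packages and reinstalling, still no luck.

Expecting the realm join command to work properly: simply create a new computer object, join, and complete successfully.

Please note that the computer account CN=FAKE-TOMCAT9-IN,CN=Computers,DC=local,DC=com does not exist on the Active Directory server; I have already checked.

Also tried searching with the following command; nothing was found.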

Get-ADComputer -LDAPFilter "(Name=FAKE)" -SearchBase "CN=Computers,DC=local,DC=com"

linux ubuntu active-directory domaincontroller sssd
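
The following is an added triage example, not part of the original post: it pulls the join parameters and the directory's own error fields out of `realm join --verbose` output, because the summary line says "Insufficient permissions" while the server's reply names a constraint problem on one attribute. The function name `triage`, the embedded sample (lines copied from the output above), and the check that the host's fully qualified name lies inside the domain are assumptions of this example; that check rests on adcli deriving the host service principal names from that name.

```python
import re

# Constructed sample: a few lines copied from the verbose output quoted in the question.
SAMPLE_LOG = """\
 * Using domain name: local.com
 * Using fully qualified name: localhost
 * Computer account for FAKE-TOMCAT9-IN$ does not exist
 * Encryption type [3] not permitted.
 ! Insufficient permissions to modify computer account: CN=FAKE-TOMCAT9-IN,CN=Computers,DC=local,DC=com: 000021C7: AtrErr: DSID-03200E81, #1:
        0: 000021C7: DSID-03200E81, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
"""

# "Using ..." lines carry the parameters adcli settled on for the join.
FIELD = re.compile(r"^\s*\*\s+Using (domain name|fully qualified name): (\S+)", re.M)
# The directory's extended error: problem number, problem name, attribute name.
LDAP_ERR = re.compile(r"problem (\d+) \((\w+)\), data \d+, Att \w+ \((\w+)\)")


def triage(log: str) -> dict:
    """Extract join parameters and directory error details from adcli output."""
    fields = {}
    for key, value in FIELD.findall(log):
        fields.setdefault(key, value.lower())  # printed twice in the log; keep the first
    result = {
        "domain": fields.get("domain name"),
        "fqdn": fields.get("fully qualified name"),
        "errors": [
            {"problem": int(num), "name": name, "attribute": attr}
            for num, name, attr in LDAP_ERR.findall(log)
        ],
        "notes": [],
    }
    domain, fqdn = result["domain"], result["fqdn"]
    # Assumption of this example: a host name outside the domain deserves a second look.
    if domain and fqdn and not fqdn.endswith("." + domain):
        result["notes"].append(f"host FQDN {fqdn!r} is not inside domain {domain!r}")
    for err in result["errors"]:
        if err["name"].startswith("CONSTRAINT"):
            result["notes"].append(
                f"directory reported {err['name']} on attribute {err['attribute']}")
    return result


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG)["notes"]:
        print(note)
```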