Author Topic: Insufficient permissions to join the domain  (Read 682 times)

fatdragon

Insufficient permissions to join the domain
« on: April 01, 2023, 08:03:51 pm »
Hey community!

I'm a relatively new Zentyal user (few months), and I love it! But I've run into a problem I hope someone can help me with.

In my deployment I have two Zentyal servers (`zentyal-1.mydomain.com` and `zentyal-2.mydomain.com`), both running the "Domain Controller and File Sharing" service. The idea is to have a primary and a secondary DC controller. I was using this setup successfully for a few months, meaning that I've successfully joined several Ubuntu / Windows 11 machines to it, created several users, etc.

The problem happened today when I tried to join another Ubuntu machine, by following the same exact steps as earlier. This time I got an error. Here's the command and the complete output (just domain name edited):

```
$ sudo realm join -v mydomain.com
 * Resolving: _ldap._tcp.mydomain.com
 * Performing LDAP DSE lookup on: 172.16.0.101
 * Performing LDAP DSE lookup on: 172.16.0.102
 * Successfully discovered: mydomain.com
Password for Administrator:
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain mydomain.com --domain-realm MYDOMAIN.COM --domain-controller 172.16.0.101 --login-type user --login-user Administrator --stdin-password
 * Using domain name: mydomain.com
 * Calculated computer account name from fqdn: GITLAB
 * Using domain realm: mydomain.com
 * Sending NetLogon ping to domain controller: 172.16.0.101
 * Received NetLogon info from: zentyal-1.mydomain.com
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-gKcH27/krb5.d/adcli-krb5-conf-JlLa8m
 * Authenticated as user: Administrator@MYDOMAIN.COM
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: MYDOMAIN
 * Looked up domain SID: S-1-5-21-2787685195-3023692109-2783229274
 * Using fully qualified name: gitlab.mydomain.com
 * Using domain name: mydomain.com
 * Using computer account name: GITLAB
 * Using domain realm: mydomain.com
 * Calculated computer account name from fqdn: GITLAB
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * A computer account for GITLAB$ does not exist
 * Found well known computer container at: CN=Computers,DC=mydomain,DC=com
 * Calculated computer account: CN=GITLAB,CN=Computers,DC=mydomain,DC=com
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 ! Insufficient permissions to modify computer account: CN=GITLAB,CN=Computers,DC=mydomain,DC=com: 0000202F: ../../ldb_key_value/ldb_kv_index.c:3048: Failed to re-index objectSid in CN=GITLAB,CN=Computers,DC=mydomain,DC=com - ../../ldb_key_value/ldb_kv_index.c:2893: unique index violation on objectSid in CN=GITLAB,CN=Computers,DC=mydomain,DC=com
adcli: joining domain mydomain.com failed: Insufficient permissions to modify computer account: CN=GITLAB,CN=Computers,DC=mydomain,DC=com: 0000202F: ../../ldb_key_value/ldb_kv_index.c:3048: Failed to re-index objectSid in CN=GITLAB,CN=Computers,DC=mydomain,DC=com - ../../ldb_key_value/ldb_kv_index.c:2893: unique index violation on objectSid in CN=GITLAB,CN=Computers,DC=mydomain,DC=com
 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain
```

As you can see I've used the built-in Administrator account, and according to the output it's authenticated successfully. Yet I'm getting "Insufficient permissions to join the domain".

Any help will be appreciated!

Thanks!
« Last Edit: April 01, 2023, 08:07:34 pm by fatdragon »

fatdragon

Re: Insufficient permissions to join the domain
« Reply #1 on: April 02, 2023, 08:47:56 am »
It turned out that the database wasn't consistent. The following fixed my problem:

```
$ sudo samba-tool dbcheck --fix
```

I hope it'll help others.
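
Added example, not part of the original posts: a small Python triage of `realm join -v` output that classifies the failure by the server-side detail rather than by the "Insufficient permissions" headline, which is how the log in the first post points to the database inconsistency that `samba-tool dbcheck --fix` repaired. The function name, the verdict labels and both sample strings are constructed for illustration.

```python
import re

# Constructed sample: lines taken from the `realm join -v` output in the thread.
THREAD_OUTPUT = """\
 * Authenticated as user: Administrator@MYDOMAIN.COM
 * A computer account for GITLAB$ does not exist
 ! Insufficient permissions to modify computer account: CN=GITLAB,CN=Computers,DC=mydomain,DC=com: 0000202F: ../../ldb_key_value/ldb_kv_index.c:3048: Failed to re-index objectSid in CN=GITLAB,CN=Computers,DC=mydomain,DC=com - ../../ldb_key_value/ldb_kv_index.c:2893: unique index violation on objectSid in CN=GITLAB,CN=Computers,DC=mydomain,DC=com
 ! Insufficient permissions to join the domain
"""

# Constructed sample: same headline, but no ldb detail from the server.
NO_DETAIL_OUTPUT = """\
 * Authenticated as user: Administrator@MYDOMAIN.COM
 ! Insufficient permissions to join the domain
"""

AUTH_RE = re.compile(r"^\s*\* Authenticated as user: (\S+)", re.M)
FAIL_RE = re.compile(
    r"^\s*! Insufficient permissions to modify computer account: "
    r"(?P<dn>[^:\n]+): (?P<code>[0-9A-Fa-f]{8}): (?P<detail>.*)$", re.M)
INDEX_RE = re.compile(r"unique index violation on (\w+)")


def triage_join_failure(output: str) -> dict:
    """Classify a failed join by the server-side detail, not the headline."""
    auth = AUTH_RE.search(output)
    result = {"authenticated_as": auth.group(1) if auth else None,
              "dn": None, "server_code": None, "attribute": None,
              "verdict": "no-failure-found"}
    fail = FAIL_RE.search(output)
    if fail:
        result.update(dn=fail.group("dn"), server_code=fail.group("code").upper())
        index = INDEX_RE.search(fail.group("detail"))
        if index:
            # The DC rejected the write because of its own index state.
            result.update(attribute=index.group(1), verdict="dc-database-inconsistent")
        else:
            result["verdict"] = "check-account-rights"
    elif "Insufficient permissions" in output:
        result["verdict"] = "check-account-rights"
    return result


if __name__ == "__main__":
    for name, text in (("thread", THREAD_OUTPUT), ("no-detail", NO_DETAIL_OUTPUT)):
        print(name, triage_join_failure(text))
```

A `dc-database-inconsistent` verdict means the credentials were accepted and the write failed on the domain controller itself, so the place to look is the DC's directory database, not the rights of the joining account.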