
I am trying to join a Ubuntu/Linux computer to the Active Directory domain as a normal user account that is not a member of the Domain Admins group.

I can join Windows computers just fine. You do not have to be an admin; there is a quota of computers that you can join without being an administrator.

But when I try to bring an Ubuntu Linux computer into the domain, it fails with the error message below. I would appreciate any help on this.

daniel@linux01:~$ sudo realm join -v -U 'daniel@AD.example.com' AD.example.com
[sudo] password for daniel:
 * Resolving: _ldap._tcp.ad.example.com
 * Performing LDAP DSE lookup on: 10.0.0.10
 * Successfully discovered: ad.example.com
Password for daniel@AD.example.com:
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain ad.example.com --domain-realm AD.example.com --domain-controller 10.0.0.10 --login-type user --login-user daniel@AD.example.com --stdin-password
 * Using domain name: ad.example.com
 * Calculated computer account name from fqdn: LINUX01
 * Using domain realm: ad.example.com
 * Sending NetLogon ping to domain controller: 10.0.0.10
 * Received NetLogon info from: dc1.ad.example.com
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-iIuXdP/krb5.d/adcli-krb5-conf-eeT5bO
 * Authenticated as user: daniel@AD.example.com
 * Looked up short domain name: AD
 * Looked up domain SID: S-1-5-21-13313029-848207003-2406435418
 * Using fully qualified name: linux01.ad.example.com
 * Using domain name: ad.example.com
 * Using computer account name: LINUX01
 * Using domain realm: ad.example.com
 * Calculated computer account name from fqdn: LINUX01
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for LINUX01$ does not exist
 * Found well known computer container at: CN=Computers,DC=ad,DC=example,DC=com
 * Calculated computer account: CN=LINUX01,CN=Computers,DC=ad,DC=example,DC=com
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 ! Insufficient permissions to modify computer account: CN=LINUX01,CN=Computers,DC=ad,DC=example,DC=com: 000020E7: AtrErr: DSID-03153402, #1:
        0: 000020E7: DSID-03153402, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90008 (userAccountControl):len 4

adcli: joining domain ad.example.com failed: Insufficient permissions to modify computer account: CN=LINUX01,CN=Computers,DC=ad,DC=example,DC=com: 000020E7: AtrErr: DSID-03153402, #1:
        0: 000020E7: DSID-03153402, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90008 (userAccountControl):len 4

 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain
Daniel

2 Answers

You're not providing any Container Name (CN in the error messages), so the Linux01 machine is inserted into the default "Computers" CN. My guess is that your user account doesn't have enough privilege to alter this CN, or more probably it doesn't even exist in your AD, so you must provide a complete CN path.

In Windows, when adding a computer to the AD, the GUI allows you to navigate the Domain tree and select the appropriate container (leaf). You should probably add an entry in your realmd.conf file, or add the OU information directly to the command line.

/etc/realmd.conf defaults:

[ad.example.com]
# the section name is the realm being joined; computer-ou is the DN of the OU
# in which realmd/adcli creates the computer object
computer-ou = OU=Linux Computers,DC=AD,DC=example,DC=com
# computer-ou = OU=Linux Computers,

On the command line:

realm join --user=daniel@AD.example.com AD.example.com --computer-ou='OU=Linux Computers,DC=AD,DC=example,DC=com'

First find the OU/CN with ldapsearch:

ldapsearch -LLL -H ldap://AD.example.com -b 'dc=ad,dc=example,dc=com' -D 'AD\daniel' -W '(name=web_servers)' dn
wazoox

I had the exact same issue, and it turned out that there are more permissions required to join a Linux system than a Windows system to the domain, though I'm not sure why that is the case.

I added additional permissions to my domain join account following this guide: https://web.archive.org/web/20201026034739/https://www.computertechblog.com/active-directory-permissions-required-to-join-linux-and-windows-computers-to-a-domain/

From the above link:

Standard permissions required to join systems to AD (Linux and Windows)

  • Reset password
  • Read and write account restrictions
  • Validated write to DNS host name
  • Validated write to service principal name
  • Read and write DNS host name attributes

Additional permissions required by Linux machines to join AD (Linux)

  • Read dNSHostName
  • Write dNSHostName
  • Read msDS-AdditionalSamAccountName
  • Write msDS-AdditionalSamAccountName
  • Read msDS-SupportedEncryptionTypes
  • Write msDS-SupportedEncryptionTypes
  • Read Operating System
  • Write Operating System
  • Read Operating System Version
  • Write Operating System Version
  • Read OperatingSystemServicePack
  • Write OperatingSystemServicePack
  • Read servicePrincipalName
  • Write servicePrincipalName
  • Read userAccountControl
  • Write userAccountControl
  • Read userPrincipalName
  • Write userPrincipalName

NOTE: You must show "Property-specific" permissions to see these extra permissions.

jgstew
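Both answers point to the same fix: give the non-admin join account rights on a dedicated OU instead of the default Computers container, including the property-specific rights (userAccountControl, msDS-SupportedEncryptionTypes and the rest of the list above) that the second answer reports as needed for Linux joins. The PowerShell below is an added example, not code from either answer or from realmd/adcli; it assumes an OU named "Linux Computers", a delegation group named "Linux Joiners" and the ad.example.com domain from the question, and it resolves attribute and extended-right GUIDs from the schema instead of hardcoding them.

```powershell
# Added example (not from the answers above): delegate the rights listed in the second
# answer on a dedicated OU to a group, so its members can run realm/adcli joins without
# Domain Admins. Assumed names: OU "Linux Computers", group "Linux Joiners", domain ad.example.com.
Import-Module ActiveDirectory
$domainDn = 'DC=ad,DC=example,DC=com'
$ouDn     = "OU=Linux Computers,$domainDn"
$groupSid = (Get-ADGroup 'Linux Joiners').SID

# Create the OU if it does not exist yet (the first answer's point: use a real OU, not the default CN).
if (-not (Get-ADOrganizationalUnit -LDAPFilter '(name=Linux Computers)' -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name 'Linux Computers' -Path $domainDn
}

$root     = Get-ADRootDSE
$rightsCn = "CN=Extended-Rights,$($root.configurationNamingContext)"
function Get-SchemaGuid([string]$ldapName) {    # schemaIDGUID of a class or attribute
    [guid](Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID).schemaIDGUID
}
function Get-RightsGuid([string]$displayName) { # rightsGuid of an extended right, validated write or property set
    [guid](Get-ADObject -SearchBase $rightsCn -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid).rightsGuid
}

$computerGuid = Get-SchemaGuid 'computer'
$R     = [System.DirectoryServices.ActiveDirectoryRights]
$inh   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$ouDn"

# Create/delete computer objects directly under the OU (what the join itself needs).
$acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid, ($R::CreateChild -bor $R::DeleteChild), $allow, $computerGuid, $inh::All))

# Rights scoped to computer objects below the OU (inheritedObjectType = computer class).
$rules = @(
    @{ Right = $R::ExtendedRight; Guid = Get-RightsGuid 'Reset Password' },
    @{ Right = $R::Self;          Guid = Get-RightsGuid 'Validated write to DNS host name' },
    @{ Right = $R::Self;          Guid = Get-RightsGuid 'Validated write to service principal name' },
    @{ Right = ($R::ReadProperty -bor $R::WriteProperty); Guid = Get-RightsGuid 'Account Restrictions' }
)
# The per-attribute read/write rights from the "Additional permissions required by Linux" list.
foreach ($attr in 'dNSHostName','msDS-AdditionalSamAccountName','msDS-SupportedEncryptionTypes',
                  'operatingSystem','operatingSystemVersion','operatingSystemServicePack',
                  'servicePrincipalName','userAccountControl','userPrincipalName') {
    $rules += @{ Right = ($R::ReadProperty -bor $R::WriteProperty); Guid = Get-SchemaGuid $attr }
}
foreach ($rule in $rules) {
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $groupSid, $rule.Right, $allow, $rule.Guid, $inh::Descendents, $computerGuid))
}
Set-Acl -Path "AD:\$ouDn" -AclObject $acl
```

Run it once as an account that may change the OU's ACL; `dsacls "OU=Linux Computers,DC=ad,DC=example,DC=com"` then lists the resulting property-specific entries that the note above says the GUI hides by default, and a member of the group can join with `--computer-ou='OU=Linux Computers,DC=ad,DC=example,DC=com'`.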