Bug 56148

Summary: Autojoin fails when modifying userAccountControl
Product: realmd
Reporter: Stef Walter <stefw>
Component: General
Assignee: Stef Walter <stefw>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: medium
CC: stefw
Version: unspecified
Hardware: Other
OS: All
Whiteboard:
Attachments: Don't try to update userAccountControl for precreated accounts

Description Stef Walter 2012-10-18 15:37:55 UTC
Autojoin fails when modifying userAccountControl using an account that has been precreated through the AD MMC:

 * Searching for kerberos SRV records for domain: _kerberos._udp.radi08.segad.lab.sjc.redhat.com
 * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.radi08.segad.lab.sjc.redhat.com
 * ad1.radi08.segad.lab.sjc.redhat.com:88 
 * Found kerberos DNS records for: radi08.segad.lab.sjc.redhat.com
 * Found AD style DNS records for: radi08.segad.lab.sjc.redhat.com
 * Successfully discovered: radi08.segad.lab.sjc.redhat.com
 * Required files present: /usr/sbin/sss_cache, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --show-details --domain RADI08.SEGAD.LAB.SJC.REDHAT.COM --login-type computer --no-password
 ! Couldn't find qualified domain name, proceeding with local host name instead: live-user.example.com: Name or service not known
 * Using domain name: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Calculated computer account name from fqdn: LIVE-USER
 * Calculated domain realm from name: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Resolved LDAP urls from SRV record: _ldap._tcp.RADI08.SEGAD.LAB.SJC.REDHAT.COM: ldap://ad1.radi08.segad.lab.sjc.redhat.com:389
 * Authenticated as default/reset computer account: LIVE-USER
 * Looked up short domain name: RADI08
 * Using fully qualified name: live-user.example.com
 * Using domain name: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Using computer account name: LIVE-USER
 * Using domain realm: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Using LDAP urls: ldap://ad1.radi08.segad.lab.sjc.redhat.com:389
 * Enrolling computer account name calculated from fqdn: LIVE-USER
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Using fully qualified name: live-user.example.com
 * Using domain name: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Using computer account name: LIVE-USER
 * Using domain realm: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Using LDAP urls: ldap://ad1.radi08.segad.lab.sjc.redhat.com:389
 * Looked up short domain name: RADI08
 * No preferred organizational unit found, using directory base: DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com
 * Found well known computer container at: CN=Computers,DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com
 * Calculated computer DN: CN=LIVE-USER,CN=Computers,DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com
 * Modifying computer account attributes: userAccountControl
 ! Insufficient permissions to modify computer account: CN=LIVE-USER,CN=Computers,DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

adcli: enroll in RADI08.SEGAD.LAB.SJC.REDHAT.COM domain failed: Insufficient permissions to modify computer account: CN=LIVE-USER,CN=Computers,DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Comment 1 Stef Walter 2012-10-20 05:59:47 UTC
Created attachment 68827
Don't try to update userAccountControl for precreated accounts
Comment 2 Stef Walter 2012-10-20 06:02:53 UTC
Attachment 68827 pushed as 77a8f65 - Don't try to update userAccountControl for precreated accounts
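As an added example (not realmd or adcli code), the Python below parses the Active Directory diagnostic string from the failure in the description into its fields, recognises the INSUFF_ACCESS_RIGHTS case, and mirrors the intent of the fix by leaving userAccountControl out of the modify set when the join authenticated as the precreated computer account itself. The `login_type` check, the function names and the sample attribute values are assumptions for illustration, not the logic of commit 77a8f65.

```python
import re
from dataclasses import dataclass

# AD extended error text as it appears in the adcli log in this bug:
# "00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"
AD_DIAG_RE = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<name>[A-Z_]+)\), data (?P<data>\d+)"
)


@dataclass
class AdDiagnostic:
    win32: int     # Win32 error code; 0x2098 is ERROR_DS_INSUFF_ACCESS_RIGHTS
    kind: str      # error class, e.g. SecErr
    dsid: str      # directory service internal location id
    problem: int   # AD problem number, e.g. 4003
    name: str      # symbolic problem name, e.g. INSUFF_ACCESS_RIGHTS
    data: int      # extra data word


def parse_ad_diagnostic(text):
    """Return the structured AD diagnostic embedded in an LDAP error string, or None."""
    m = AD_DIAG_RE.search(text)
    if m is None:
        return None
    return AdDiagnostic(int(m["win32"], 16), m["kind"], m["dsid"],
                        int(m["problem"]), m["name"], int(m["data"]))


def is_insufficient_access(text):
    """True when the server refused the write for lack of rights, as in the log above."""
    diag = parse_ad_diagnostic(text)
    return diag is not None and diag.name == "INSUFF_ACCESS_RIGHTS"


def attributes_to_modify(login_type, desired):
    """Hypothetical planning step modelled on the fix: a join that authenticated as
    the precreated computer account ("--login-type computer") does not attempt to
    write userAccountControl, since that write is what failed with
    INSUFF_ACCESS_RIGHTS in the description; other login types keep the full set."""
    if login_type == "computer":
        return {k: v for k, v in desired.items() if k != "userAccountControl"}
    return dict(desired)


# Constructed sample input: the error line from the bug and a desired modify set.
SAMPLE_ERROR = ("Insufficient permissions to modify computer account: "
                "CN=LIVE-USER,CN=Computers,DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com: "
                "00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0")
SAMPLE_DESIRED = {"userAccountControl": 4096, "dNSHostName": "live-user.example.com"}
```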
