Bug 56148 - Autojoin fails when modifying userAccountControl
Summary: Autojoin fails when modifying userAccountControl
Status: RESOLVED FIXED
Alias: None
Product: realmd
Classification: Unclassified
Component: General
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Stef Walter
Reported: 2012-10-18 15:37 UTC by Stef Walter
Modified: 2012-10-20 06:02 UTC

Attachments
Don't try to update userAccountControl for precreated accounts (1.66 KB, patch)
2012-10-20 05:59 UTC, Stef Walter

Description Stef Walter 2012-10-18 15:37:55 UTC
Autojoin fails when modifying userAccountControl using an account that has been precreated through the AD MMC:

 * Searching for kerberos SRV records for domain: _kerberos._udp.radi08.segad.lab.sjc.redhat.com
 * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.radi08.segad.lab.sjc.redhat.com
 * ad1.radi08.segad.lab.sjc.redhat.com:88 
 * Found kerberos DNS records for: radi08.segad.lab.sjc.redhat.com
 * Found AD style DNS records for: radi08.segad.lab.sjc.redhat.com
 * Successfully discovered: radi08.segad.lab.sjc.redhat.com
 * Required files present: /usr/sbin/sss_cache, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --show-details --domain RADI08.SEGAD.LAB.SJC.REDHAT.COM --login-type computer --no-password
 ! Couldn't find qualified domain name, proceeding with local host name instead: live-user.example.com: Name or service not known
 * Using domain name: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Calculated computer account name from fqdn: LIVE-USER
 * Calculated domain realm from name: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Resolved LDAP urls from SRV record: _ldap._tcp.RADI08.SEGAD.LAB.SJC.REDHAT.COM: ldap://ad1.radi08.segad.lab.sjc.redhat.com:389
 * Authenticated as default/reset computer account: LIVE-USER
 * Looked up short domain name: RADI08
 * Using fully qualified name: live-user.example.com
 * Using domain name: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Using computer account name: LIVE-USER
 * Using domain realm: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Using LDAP urls: ldap://ad1.radi08.segad.lab.sjc.redhat.com:389
 * Enrolling computer account name calculated from fqdn: LIVE-USER
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Using fully qualified name: live-user.example.com
 * Using domain name: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Using computer account name: LIVE-USER
 * Using domain realm: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Using LDAP urls: ldap://ad1.radi08.segad.lab.sjc.redhat.com:389
 * Looked up short domain name: RADI08
 * No preferred organizational unit found, using directory base: DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com
 * Found well known computer container at: CN=Computers,DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com
 * Calculated computer DN: CN=LIVE-USER,CN=Computers,DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com
 * Modifying computer account attributes: userAccountControl
 ! Insufficient permissions to modify computer account: CN=LIVE-USER,CN=Computers,DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

adcli: enroll in RADI08.SEGAD.LAB.SJC.REDHAT.COM domain failed: Insufficient permissions to modify computer account: CN=LIVE-USER,CN=Computers,DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Comment 1 Stef Walter 2012-10-20 05:59:47 UTC
Created attachment 68827
Don't try to update userAccountControl for precreated accounts
Comment 2 Stef Walter 2012-10-20 06:02:53 UTC
Attachment 68827 pushed as 77a8f65 - Don't try to update userAccountControl for precreated accounts

