Bug 56148 - Autojoin fails when modifying userAccountControl
Status: RESOLVED FIXED
Product: realmd
Classification: Unclassified
Component: General
Version: unspecified
Hardware: Other All
Importance: medium normal
Assigned To: Stef Walter
Reported: 2012-10-18 15:37 UTC by Stef Walter
Modified: 2012-10-20 06:02 UTC

Attachments
Don't try to update userAccountControl for precreated accounts (1.66 KB, patch)
2012-10-20 05:59 UTC, Stef Walter

Description Stef Walter 2012-10-18 15:37:55 UTC
Autojoin fails when modifying userAccountControl using an account that has been precreated through the AD MMC:

 * Searching for kerberos SRV records for domain: _kerberos._udp.radi08.segad.lab.sjc.redhat.com
 * Searching for MSDCS SRV records on domain: _kerberos._tcp.dc._msdcs.radi08.segad.lab.sjc.redhat.com
 * ad1.radi08.segad.lab.sjc.redhat.com:88 
 * Found kerberos DNS records for: radi08.segad.lab.sjc.redhat.com
 * Found AD style DNS records for: radi08.segad.lab.sjc.redhat.com
 * Successfully discovered: radi08.segad.lab.sjc.redhat.com
 * Required files present: /usr/sbin/sss_cache, /usr/sbin/sssd, /usr/sbin/adcli
 * LANG=C /usr/sbin/adcli join --verbose --show-details --domain RADI08.SEGAD.LAB.SJC.REDHAT.COM --login-type computer --no-password
 ! Couldn't find qualified domain name, proceeding with local host name instead: live-user.example.com: Name or service not known
 * Using domain name: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Calculated computer account name from fqdn: LIVE-USER
 * Calculated domain realm from name: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Resolved LDAP urls from SRV record: _ldap._tcp.RADI08.SEGAD.LAB.SJC.REDHAT.COM: ldap://ad1.radi08.segad.lab.sjc.redhat.com:389
 * Authenticated as default/reset computer account: LIVE-USER
 * Looked up short domain name: RADI08
 * Using fully qualified name: live-user.example.com
 * Using domain name: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Using computer account name: LIVE-USER
 * Using domain realm: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Using LDAP urls: ldap://ad1.radi08.segad.lab.sjc.redhat.com:389
 * Enrolling computer account name calculated from fqdn: LIVE-USER
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Using fully qualified name: live-user.example.com
 * Using domain name: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Using computer account name: LIVE-USER
 * Using domain realm: RADI08.SEGAD.LAB.SJC.REDHAT.COM
 * Using LDAP urls: ldap://ad1.radi08.segad.lab.sjc.redhat.com:389
 * Looked up short domain name: RADI08
 * No preferred organizational unit found, using directory base: DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com
 * Found well known computer container at: CN=Computers,DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com
 * Calculated computer DN: CN=LIVE-USER,CN=Computers,DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com
 * Modifying computer account attributes: userAccountControl
 ! Insufficient permissions to modify computer account: CN=LIVE-USER,CN=Computers,DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

adcli: enroll in RADI08.SEGAD.LAB.SJC.REDHAT.COM domain failed: Insufficient permissions to modify computer account: CN=LIVE-USER,CN=Computers,DC=radi08,DC=segad,DC=lab,DC=sjc,DC=redhat,DC=com: 00002098: SecErr: DSID-03150BB9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Comment 1 Stef Walter 2012-10-20 05:59:47 UTC
Created attachment 68827
Don't try to update userAccountControl for precreated accounts
Comment 2 Stef Walter 2012-10-20 06:02:53 UTC
Attachment 68827 pushed as 77a8f65 - Don't try to update userAccountControl for precreated accounts