While reading man realm I saw the following:
--computer-ou=OU=xxx
The distinguished name of an organizational unit to create the computer account. The exact format of the distinguished name depends on the
membership software. You can usually omit the root DSE portion of distinguished name. This is an Active Directory specific option.
I read this as meaning that realm is able to create the computer account in Active Directory as needed.
I tested it, but it failed:
[root@client ~]# realm join --user=svc-linux-join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls < <(echo 'L3t-m3-in')
Password for svc-linux-join:
See: journalctl REALMD_OPERATION=r1695.2763
realm: Couldn't join realm: Joining the domain domain.bls failed
[root@client ~]# journalctl REALMD_OPERATION=r1695.2763
-- Logs begin at Thu 2019-09-19 22:00:08 CEST, end at Thu 2019-09-19 22:28:25 CEST. --
Sep 19 22:28:25 client realmd[2759]: * Resolving: _ldap._tcp.domain.bls
Sep 19 22:28:25 client realmd[2759]: * Performing LDAP DSE lookup on: 10.0.2.15
Sep 19 22:28:25 client realmd[2759]: * Successfully discovered: domain.bls
Sep 19 22:28:25 client realmd[2759]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Sep 19 22:28:25 client realmd[2759]: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.2B8L8Z -U svc-linux-join ads join domain.bls createcomputer=linux/serve
Sep 19 22:28:25 client realmd[2759]: Enter svc-linux-join's password:
Sep 19 22:28:25 client realmd[2759]: Failed to join domain: failed to precreate account in ou ou=servers,ou=linux,dc=DOMAIN,dc=BLS: No such object
Sep 19 22:28:25 client realmd[2759]: ! Joining the domain domain.bls failed
At first I thought this was a limitation of the privileges granted to svc-linux-join, so I also tried it as [email protected], with the same result:
[root@client ~]# realm join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls
Password for Administrator:
See: journalctl REALMD_OPERATION=r1740.2772
realm: Couldn't join realm: Joining the domain domain.bls failed
[root@client ~]# journalctl REALMD_OPERATION=r1740.2772
-- Logs begin at Thu 2019-09-19 22:00:08 CEST, end at Thu 2019-09-19 22:29:14 CEST. --
Sep 19 22:29:11 client realmd[2759]: * Resolving: _ldap._tcp.domain.bls
Sep 19 22:29:11 client realmd[2759]: * Performing LDAP DSE lookup on: 10.0.2.15
Sep 19 22:29:11 client realmd[2759]: * Successfully discovered: domain.bls
Sep 19 22:29:14 client realmd[2759]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Sep 19 22:29:14 client realmd[2759]: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.UK8T8Z -U Administrator ads join domain.bls createcomputer=linux/server
Sep 19 22:29:14 client realmd[2759]: Enter Administrator's password:
Sep 19 22:29:14 client realmd[2759]: Failed to join domain: failed to precreate account in ou ou=servers,ou=linux,dc=DOMAIN,dc=BLS: No such object
Sep 19 22:29:14 client realmd[2759]: ! Joining the domain domain.bls failed
Then I tried pre-creating the computer account:
and joining again:
[root@client ~]# realm join --user=svc-linux-join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls < <(echo 'L3t-m3-in')
Password for svc-linux-join:
See: journalctl REALMD_OPERATION=r2567.12844
realm: Couldn't join realm: Insufficient permissions to join the domain domain.bls
[root@client ~]# journalctl REALMD_OPERATION=r2567.12844
-- Logs begin at Thu 2019-09-19 22:00:08 CEST, end at Thu 2019-09-19 22:47:21 CEST. --
Sep 19 22:42:58 client realmd[12848]: * Resolving: _ldap._tcp.domain.bls
Sep 19 22:42:58 client realmd[12848]: * Performing LDAP DSE lookup on: 10.0.2.15
Sep 19 22:42:58 client realmd[12848]: * Successfully discovered: domain.bls
Sep 19 22:42:58 client realmd[12848]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Sep 19 22:42:58 client realmd[12848]: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.F0897Z -U svc-linux-join ads join domain.bls createcomputer=linux/serv
Sep 19 22:42:58 client realmd[12848]: Enter svc-linux-join's password:
Sep 19 22:42:58 client realmd[12848]: Failed to join domain: Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)
Sep 19 22:42:58 client realmd[12848]:
Sep 19 22:42:58 client realmd[12848]: ! Insufficient permissions to join the domain domain.bls
Now that the account exists, I get a different error. Going back to Administrator:
[root@client ~]# realm join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls
Password for Administrator:
it just works.
If I delete the computer account and rejoin the domain without specifying the OU I want the computer account in, that works too:
[root@client ~]# realm leave --remove
Password for Administrator:
[root@client ~]# realm join domain.bls
Password for Administrator:
[root@client ~]# ldapsearch -LLL -x -h server -b dc=domain,dc=bls -D svc-linux-join -w L3t-m3-in cn=client distinguishedName | grep -v -e ^# -e ^$
dn: CN=client,CN=Computers,DC=domain,DC=bls
distinguishedName: CN=client,CN=Computers,DC=domain,DC=bls
Shouldn't I be able to realm join, creating the computer account in the specified OU, with an account that has delegated permissions on that OU?
Answer 1
You should use an account that has been delegated a minimal set of permissions on the OU, as outlined here: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/1f72f4d9-7343-4a7c-a03f-3713cafdd152/delegate-athority-in-a-ou-to-a-sinle-user-to-join-computers-to-domain?forum=winserverpowershell
That said...
Do you have samba-common-tools-4.9.1-6.el7.x86_64 installed? Try downgrading to 4.8.3-6.el7_6.x86_64 or adding "--membership-software=adcli" to your realm join command. This is a known issue in that version of samba-common-tools.
Example:
[root@client ~]# realm join --membership-software=adcli --user=svc-linux-join --computer-ou="OU=servers,OU=linux,DC=domain,DC=bls" --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls < <(echo 'L3t-m3-in')
Password for svc-linux-join:
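As an added example (not code from the question, the answer, or realmd), a small bash wrapper around realm join for a delegated join account: it mirrors the DN-to-OU-path conversion realmd shows in the journal output above (createcomputer=linux/servers), checks that the OU DN belongs to the realm and actually exists before the join, uses the adcli membership software suggested in the answer, and reads the password from a root-only file instead of echoing it on the command line as the question does (which leaves it in shell history and ps output). The function names, the password file path and the UPN-style ldapsearch bind are assumptions.

```shell
#!/usr/bin/env bash
# Hypothetical wrapper around "realm join" for a delegated join account.
# Added for illustration; not code from the post, the answer, or realmd.
set -eu

# Turn an OU distinguished name into the OU path realmd passes to
# "net ads join createcomputer=" (the journal above shows
# createcomputer=linux/servers for OU=servers,OU=linux,DC=domain,DC=bls):
# outermost OU first, components joined with "/".
dn_to_createcomputer() {
  local dn="$1" path="" part
  local IFS=','
  for part in $dn; do
    part="${part# }"                      # tolerate "OU=a, OU=b" spacing
    case "$part" in
      [Oo][Uu]=*) path="${part#*=}${path:+/$path}" ;;
    esac
  done
  printf '%s' "$path"
}

# The DC components of the OU must spell the realm being joined; a DN under
# the wrong domain is one way to get realmd's "No such object" failure.
dn_matches_realm() {
  local dn="$1" realm="$2" dcs="" part
  local IFS=','
  for part in $dn; do
    part="${part# }"
    case "$part" in
      [Dd][Cc]=*) dcs="${dcs:+$dcs.}${part#*=}" ;;
    esac
  done
  [ "$(printf '%s' "$dcs" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$realm" | tr 'A-Z' 'a-z')" ]
}

# Join with the adcli membership software suggested in the answer. The
# password comes from a root-only file (hypothetical path), not from argv,
# so it stays out of shell history and "ps" output.
join_with_ou() {
  local realm="$1" ou="$2" user="$3" pwfile="${4:-/root/.join-pass}"
  dn_matches_realm "$ou" "$realm" || { echo "OU '$ou' is not under $realm" >&2; return 1; }
  # Confirm the OU exists before realmd tries to precreate the account in it;
  # binding with the UPN form of the join account (assumption: AD accepts it).
  ldapsearch -LLL -x -H "ldap://$realm" -b "$ou" -s base \
    -D "$user@$realm" -y "$pwfile" dn >/dev/null
  realm join --membership-software=adcli --user="$user" --computer-ou="$ou" \
    --automatic-id-mapping=no "$realm" < "$pwfile"
}
```

Call it as join_with_ou domain.bls 'OU=servers,OU=linux,DC=domain,DC=bls' svc-linux-join after placing the password in the root-only file.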