Insufficient permissions to join the domain

I am trying to join a Linux machine to an existing SAMBA4 AD domain, but I cannot do it:

LANG=C realm -v join --user=ldap example.com
 * Resolving: _ldap._tcp.example.com
 * Performing LDAP DSE lookup on: 10.0.0.40
 * Successfully discovered: example.com
Password for ldap:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
 * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.MX0TS0 -U ldap ads join example.com
Enter ldap's password:ads_print_error: AD LDAP ERROR: 50 (Insufficient access): acl: unable to get access to CN=SOPORTE-TEST,CN=Computers,DC=example,DC=com

The file /etc/krb5.conf contains:

includedir /etc/krb5.conf.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
[realms]
[domain_realm]
.example.com = example.COM
example.com = example.COM

The file log.smbd on the SAMBA4 server contains:

[2020/10/22 16:09:18.801778,  3] ../../auth/auth_log.c:647(log_authentication_event_human_readable)
  Auth: [SMB2,NTLMSSP] user [example]\[ldap] at [jue, 22 oct 2020 16:09:18.801737 -03] with [NTLMv2] status [NT_STATUS_OK] workstation [SOPORTE-TEST] remote host [ipv4:10.0.0.51:56900] became [example]\[ldap] [S-1-5-21-263441624-2929051306-2964644464-1146]. local host [ipv4:10.0.0.40:445]
  {"timestamp": "2020-10-22T16:09:18.802272-0300", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 1}, "eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "localAddress": "ipv4:10.0.0.40:445", "remoteAddress": "ipv4:10.0.0.51:56900", "serviceDescription": "SMB2", "authDescription": "NTLMSSP", "clientDomain": "example", "clientAccount": "ldap", "workstation": "SOPORTE-TEST", "becameAccount": "ldap", "becameDomain": "example", "becameSid": "S-1-5-21-263441624-2929051306-2964644464-1146", "mappedAccount": "ldap", "mappedDomain": "example", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 10612}}

Failed to join domain: User specified does not have administrator privileges
 ! Insufficient permissions to join the domain example.com
realm: Couldn't join realm: Insufficient permissions to join the domain example.com

Am I missing something? What should I do to get sufficient permissions?