SHOW:
|
|
- or go back to the newest paste.
| 1 | ||
| 2 | ## For further troubleshooting on joining hosts to a Domain: | |
| 3 | [[http://atherbeg.com/2017/02/23/error-insufficient-quota-exists-to-complete-the-operation/]] | |
| 4 | [[https://technet.microsoft.com/en-us/library/cc961817.aspx]] | |
| 5 | - | Tickect cache: FILE:/tmp/krb5cc_0 |
| 5 | + | |
| 6 | - | Default principal: Administrator@MY.EXAMPLE.CORP |
| 6 | + | ## RedHat Documentation for joining host to Active Directory Domain: |
| 7 | - | |
| 7 | + | [[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ch-Configuring_Authentication.html]] |
| 8 | - | Valid starting Expires Service principal |
| 8 | + | [[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/pdf/Windows_Integration_Guide/Red_Hat_Enterprise_Linux-7-Windows_Integration_Guide-en-US.pdf]] |
| 9 | - | 24/11/16 10:18:49 24/11/16 20:18:49 krbgt/MY.EXAMPLE.CORP@MY.EXAMPLE.CORP |
| 9 | + | |
| 10 | ||
| 11 | \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ | |
| 12 | - | [libdefaults] |
| 12 | + | |
| 13 | - | default_realm = MY.DOMAIN.CORP |
| 13 | + | Domain Users Cannot Join Workstation or Server to a Domain [[https://support.microsoft.com/en-us/help/251335/domain-users-cannot-join-workstation-or-server-to-a-domain]] |
| 14 | - | |
| 14 | + | ### this document describes 3 methods for joining host to a Domain: |
| 15 | - | .... |
| 15 | + | |
| 16 | - | |
| 16 | + | + Method 1: Pre-Create the User's Computer Account |
| 17 | - | [realms] |
| 17 | + | |
| 18 | - | DOMAIN = { |
| 18 | + | From the Active Directory Users and Computers snap-in, right-click the container where the account resides. |
| 19 | - | kdc = SERVER01.MY.DOMAIN.CORP |
| 19 | + | Click New, and then click Computer. |
| 20 | - | kdc = SERVER02.MY.DOMAIN.CORP |
| 20 | + | In the Computer name box, type the name of the Windows 2000-based computer that you want to add to the domain. |
| 21 | - | admin_server = SERVER01.MY.DOMAIN.CORP SERVER.MY.DOMAIN.CORP |
| 21 | + | |
| 22 | - | default_domain = MY.DOMAIN.CORP |
| 22 | + | |
| 23 | - | } |
| 23 | + | Make sure the computer's name is also entered in the Computer name (pre-Windows 2000) box (this should occur automatically). |
| 24 | - | |
| 24 | + | Click Change. Select the user or group that will be joining this computer to the domain, and then click OK. |
| 25 | - | .... |
| 25 | + | If you want Windows NT 4.0 and previous operating systems to use this computer name object, click to select the Allow pre-Windows 2000 computers to use this account check box, and then click OK. |
| 26 | - | |
| 26 | + | |
| 27 | - | |
| 27 | + | + Method 2: Grant the "Create Computer Objects" and "Delete Computer Objects" Access Control Entries (ACEs) to the User |
| 28 | - | [domain_realm] |
| 28 | + | |
| 29 | - | SERVER01.MY.DOMAIN.CORP = MY.DOMAIN.CORP |
| 29 | + | From the Active Directory Users and Computers snap-in, click Advanced Features on the View menu so that the Security tab is exposed when you click Properties. |
| 30 | - | SERVER02.MY.DOMAIN.CORP = MY.DOMAIN.CORP |
| 30 | + | Right-click the Computers container, and then click Properties. |
| 31 | - | .MY.DOMAIN.CORP = MY.DOMAIN.CORP |
| 31 | + | On the Security tab, click Advanced. |
| 32 | On the Permissions tab, click Authenticated Users, and then click View/Edit. | |
| 33 | ||
| 34 | - | [global] |
| 34 | + | |
| 35 | - | workgroup = MYWORKGROUP |
| 35 | + | NOTE: If the Authenticated Users group is not listed, click Add and add it to the list of permission entries. |
| 36 | - | realm = MY.DOMAIN.CORP |
| 36 | + | Make sure the This object and all child objects option is displayed in the Apply onto box. |
| 37 | - | security = ADS |
| 37 | + | From the Permissions box, click to select the Allow check box next to the Create Computer Objects and Delete Computer Objects ACEs, and then click OK. |
| 38 | - | encrypt passwords = yes |
| 38 | + | |
| 39 | - | password server = SERVER01.MY.DOMAIN.CORP SERVER02.MYDOMAIN.CORP |
| 39 | + | + Method 3: Override the Default Limit of the Number of Computers an Authenticated User Can Join to a Domain |
| 40 | - | idmap uid = 10000-20000 |
| 40 | + | You can override the default limit, using either of the following methods: |
| 41 | - | idmap gid = 10000-20000 |
| 41 | + | |
| 42 | - | winbind enum users = yes |
| 42 | + | Use the Ldp (Ldp.exe) tool included in the Microsoft Windows 2000 Resource Kit. |
| 43 | - | winbind enum groups = yes |
| 43 | + | Use an Active Directory Services Interface (ADSI) script to increase or decrease the value of the Active Directory ms-DS-MachineAccountQuota attribute. To do this: |
| 44 | - | winbind refresh tickets = true |
| 44 | + | Install the Windows 2000 Support tools if they have not already been installed. To install these tools, run Setup.exe from the Support\Tools folder on the Windows 2000 Server or the Windows 2000 Professional CD-ROM. |
| 45 | - | template homedir = /home/%D/%U |
| 45 | + | Run Adsiedit.msc as an administrator of the domain. |
| 46 | - | template shell = /bin/bash |
| 46 | + | Expand the Domain NC node. This node contains an object that begins with "DC=" and reflects the correct domain name. Right-click this object, and then click Properties. |
| 47 | - | winbind use default domain = yes |
| 47 | + | In the Select which properties to view box, click Both. |
| 48 | - | restrict anonymous = 2 |
| 48 | + | In the Select a property to view box, click ms-DS-MachineAccountQuota. |
| 49 | In the Edit Attribute box, type a number. This number represents the number of workstations that you want users to be able to maintain concurrently. | |
| 50 | Click Set, and then click OK. | |
| 51 | - | passwd: compat winbind |
| 51 | + | |
| 52 | - | group: compat winbind |
| 52 | + | \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ |
| 53 | ||
| 54 | ||
| 55 | ||
| 56 | ||
| 57 | to join host to a domain: | |
| 58 | ------------------------- | |
| 59 | ` | |
| 60 | net ads join -U Administrator | |
| 61 | ` | |
| 62 | ||
| 63 | Failed to join domain: failed to join domain 'MY.EXAMPLE.CORP' over rpc: Insufficient quota exists to complete the operation. | |
| 64 | ||
| 65 | Tickect cache: FILE:/tmp/krb5cc_0 | |
| 66 | Default principal: Administrator@MY.EXAMPLE.CORP | |
| 67 | ||
| 68 | Valid starting Expires Service principal | |
| 69 | 24/11/16 10:18:49 24/11/16 20:18:49 krbgt/MY.EXAMPLE.CORP@MY.EXAMPLE.CORP | |
| 70 | renew until 25/11/16 10:18:25 | |
| 71 | ||
| 72 | [libdefaults] | |
| 73 | default_realm = MY.DOMAIN.CORP | |
| 74 | ||
| 75 | .... | |
| 76 | ||
| 77 | [realms] | |
| 78 | DOMAIN = {
| |
| 79 | kdc = SERVER01.MY.DOMAIN.CORP | |
| 80 | kdc = SERVER02.MY.DOMAIN.CORP | |
| 81 | admin_server = SERVER01.MY.DOMAIN.CORP SERVER.MY.DOMAIN.CORP | |
| 82 | default_domain = MY.DOMAIN.CORP | |
| 83 | } | |
| 84 | ||
| 85 | .... | |
| 86 | ||
| 87 | ||
| 88 | [domain_realm] | |
| 89 | SERVER01.MY.DOMAIN.CORP = MY.DOMAIN.CORP | |
| 90 | SERVER02.MY.DOMAIN.CORP = MY.DOMAIN.CORP | |
| 91 | .MY.DOMAIN.CORP = MY.DOMAIN.CORP | |
| 92 | MY.DOMAIN.CORP = MY.DOMAIN.CORP | |
| 93 | ||
| 94 | [global] | |
| 95 | workgroup = MYWORKGROUP | |
| 96 | realm = MY.DOMAIN.CORP | |
| 97 | security = ADS | |
| 98 | encrypt passwords = yes | |
| 99 | password server = SERVER01.MY.DOMAIN.CORP SERVER02.MYDOMAIN.CORP | |
| 100 | idmap uid = 10000-20000 | |
| 101 | idmap gid = 10000-20000 | |
| 102 | winbind enum users = yes | |
| 103 | winbind enum groups = yes | |
| 104 | winbind refresh tickets = true | |
| 105 | template homedir = /home/%D/%U | |
| 106 | template shell = /bin/bash | |
| 107 | winbind use default domain = yes | |
| 108 | restrict anonymous = 2 | |
| 109 | winbind offline logon = yes | |
| 110 | ||
| 111 | passwd: compat winbind | |
| 112 | group: compat winbind | |
| 113 | shadow: compat |
