Realm join cannot create a computer account


While reading man realm I saw the following:

--computer-ou=OU=xxx
    The distinguished name of an organizational unit to create the computer account. The exact format of the distinguished name depends on the 
    membership software. You can usually omit the root DSE portion of distinguished name. This is an Active Directory specific option.

I read this as meaning that realm can create the computer account in Active Directory as needed.

I tested it, but it failed:

[root@client ~]# realm join --user=svc-linux-join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls < <(echo 'L3t-m3-in')
Password for svc-linux-join:
See: journalctl REALMD_OPERATION=r1695.2763
realm: Couldn't join realm: Joining the domain domain.bls failed
[root@client ~]# journalctl REALMD_OPERATION=r1695.2763
-- Logs begin at Thu 2019-09-19 22:00:08 CEST, end at Thu 2019-09-19 22:28:25 CEST. --
Sep 19 22:28:25 client realmd[2759]:  * Resolving: _ldap._tcp.domain.bls
Sep 19 22:28:25 client realmd[2759]:  * Performing LDAP DSE lookup on: 10.0.2.15
Sep 19 22:28:25 client realmd[2759]:  * Successfully discovered: domain.bls
Sep 19 22:28:25 client realmd[2759]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Sep 19 22:28:25 client realmd[2759]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.2B8L8Z -U svc-linux-join ads join domain.bls createcomputer=linux/serve
Sep 19 22:28:25 client realmd[2759]: Enter svc-linux-join's password:
Sep 19 22:28:25 client realmd[2759]: Failed to join domain: failed to precreate account in ou ou=servers,ou=linux,dc=DOMAIN,dc=BLS: No such object
Sep 19 22:28:25 client realmd[2759]:  ! Joining the domain domain.bls failed

At first I thought this was a limitation of the permissions granted to svc-linux-join, so I also tried it as Administrator, which gave the same result:

[root@client ~]# realm join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls
Password for Administrator:
See: journalctl REALMD_OPERATION=r1740.2772
realm: Couldn't join realm: Joining the domain domain.bls failed
[root@client ~]# journalctl REALMD_OPERATION=r1740.2772
-- Logs begin at Thu 2019-09-19 22:00:08 CEST, end at Thu 2019-09-19 22:29:14 CEST. --
Sep 19 22:29:11 client realmd[2759]:  * Resolving: _ldap._tcp.domain.bls
Sep 19 22:29:11 client realmd[2759]:  * Performing LDAP DSE lookup on: 10.0.2.15
Sep 19 22:29:11 client realmd[2759]:  * Successfully discovered: domain.bls
Sep 19 22:29:14 client realmd[2759]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Sep 19 22:29:14 client realmd[2759]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.UK8T8Z -U Administrator ads join domain.bls createcomputer=linux/server
Sep 19 22:29:14 client realmd[2759]: Enter Administrator's password:
Sep 19 22:29:14 client realmd[2759]: Failed to join domain: failed to precreate account in ou ou=servers,ou=linux,dc=DOMAIN,dc=BLS: No such object
Sep 19 22:29:14 client realmd[2759]:  ! Joining the domain domain.bls failed

Then I tried creating the computer account beforehand:

Create computer account

and joined again:

[root@client ~]# realm join --user=svc-linux-join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls < <(echo 'L3t-m3-in')
Password for svc-linux-join:
See: journalctl REALMD_OPERATION=r2567.12844
realm: Couldn't join realm: Insufficient permissions to join the domain domain.bls
[root@client ~]# journalctl REALMD_OPERATION=r2567.12844
-- Logs begin at Thu 2019-09-19 22:00:08 CEST, end at Thu 2019-09-19 22:47:21 CEST. --
Sep 19 22:42:58 client realmd[12848]:  * Resolving: _ldap._tcp.domain.bls
Sep 19 22:42:58 client realmd[12848]:  * Performing LDAP DSE lookup on: 10.0.2.15
Sep 19 22:42:58 client realmd[12848]:  * Successfully discovered: domain.bls
Sep 19 22:42:58 client realmd[12848]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Sep 19 22:42:58 client realmd[12848]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.F0897Z -U svc-linux-join ads join domain.bls createcomputer=linux/serv
Sep 19 22:42:58 client realmd[12848]: Enter svc-linux-join's password: 
Sep 19 22:42:58 client realmd[12848]: Failed to join domain: Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)
Sep 19 22:42:58 client realmd[12848]: 
Sep 19 22:42:58 client realmd[12848]:  ! Insufficient permissions to join the domain domain.bls

Now that the account exists, I get a different error. Going back to Administrator:

[root@client ~]# realm join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls
Password for Administrator:

it just works.

It also works if I delete the computer account and rejoin the domain without specifying an OU for the computer account:

[root@client ~]# realm leave --remove
Password for Administrator: 
[root@client ~]# realm join domain.bls
Password for Administrator: 
[root@client ~]# ldapsearch -LLL -x -h server -b dc=domain,dc=bls -D svc-linux-join -w L3t-m3-in cn=client distinguishedName | grep -v -e ^# -e ^$
dn: CN=client,CN=Computers,DC=domain,DC=bls
distinguishedName: CN=client,CN=Computers,DC=domain,DC=bls

Can't realm join create the computer account in a specific OU using an account that has delegated permissions on that OU?

Answer 1

You need to use an account with the minimal set of permissions delegated on the OU, as described here: https://social.technet.microsoft.com/Forums/scriptcenter/en-US/1f72f4d9-7343-4a7c-a03f-3713cafdd152/delegate-athority-in-a-ou-to-a-sinle-user-to-join-computer-to-domain?forum=winserverpowershell

The result looks like this: OU permissions to join computers

Still...

Do you have samba-common-tools-4.9.1-6.el7.x86_64 installed? Try downgrading to 4.8.3-6.el7_6.x86_64, or add "--membership-software=adcli" to the realm join command. This is a known issue in that version of samba-common-tools.

Example:

[root@client ~]# realm join --membership-software=adcli --user=svc-linux-join --computer-ou="OU=servers,OU=linux,DC=domain,DC=bls" --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls < <(echo 'L3t-m3-in')
Password for svc-linux-join: 
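As an added example (not code from the question or the answer above), the following shell helpers cover the two failure signatures in the journal output and the adcli-based join. The DN-to-path conversion reproduces what the logged net command shows (OU=servers,OU=linux,DC=domain,DC=bls became createcomputer=linux/servers); the join wrapper reads the password from a root-only file on stdin, since the password in the question's `echo` lands in shell history and the `-w` on the ldapsearch line is visible to `ps`. The file path and the sample journal lines are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example; not code from the question or the answer above.
# Offline helpers for the realmd join failures shown in the journal output.

# Convert a computer-OU DN to the path realmd passes to `net ads join createcomputer=`:
# OU values in reverse order joined by '/', DC= (and any other) components dropped.
# Derived from the logged command in the question; assumes no ',' or '/' inside OU values.
dn_to_createcomputer() {
    local dn=$1 path='' rdn value oldifs=$IFS
    IFS=','
    set -f                      # no globbing while word-splitting the DN
    for rdn in $dn; do
        case "$rdn" in
            [Oo][Uu]=*)
                value=${rdn#*=}
                if [ -n "$path" ]; then path="$value/$path"; else path=$value; fi ;;
            *) ;;               # DC=, CN=, ... are not part of the createcomputer path
        esac
    done
    set +f
    IFS=$oldifs
    printf '%s' "$path"
}

# Classify captured `journalctl REALMD_OPERATION=...` text.
# Prints: ou-not-found | machine-password-denied | unknown
classify_realmd_join() {
    case "$1" in
        *"failed to precreate account in ou "*"No such object"*)
            # LDAP noSuchObject for the computer-ou: the OU path does not resolve as written.
            echo ou-not-found ;;
        *"Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)"*)
            # The (pre-created) computer object exists, but the joining account lacks rights
            # on it (e.g. Reset Password); see the delegation link in the answer.
            echo machine-password-denied ;;
        *) echo unknown ;;
    esac
}

# Join with adcli as membership software, password supplied on stdin from a
# root-owned, mode 0600 file (hypothetical path chosen by the caller).
join_with_adcli() {
    local realm=$1 ou=$2 user=$3 passfile=$4
    realm join --membership-software=adcli --user="$user" --computer-ou="$ou" \
        --automatic-id-mapping=no "$realm" < "$passfile"
}

# Constructed sample journal lines, copying the message formats seen in the question.
SAMPLE_NO_SUCH_OBJECT='Sep 19 22:28:25 client realmd[2759]: Failed to join domain: failed to precreate account in ou ou=servers,ou=linux,dc=DOMAIN,dc=BLS: No such object'
SAMPLE_ACCESS_DENIED='Sep 19 22:42:58 client realmd[12848]: Failed to join domain: Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)'

dn_to_createcomputer 'OU=servers,OU=linux,DC=domain,DC=bls'; echo   # linux/servers
classify_realmd_join "$SAMPLE_NO_SUCH_OBJECT"                         # ou-not-found
classify_realmd_join "$SAMPLE_ACCESS_DENIED"                          # machine-password-denied
# Real join (needs the domain reachable and /root/.join-pass holding the password):
#   join_with_adcli domain.bls 'OU=servers,OU=linux,DC=domain,DC=bls' svc-linux-join /root/.join-pass
```

Running the classifier over the journal output first separates "the OU path is wrong or not being found" from "the object exists but this account cannot set its password", which are the two distinct states the question walked through.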
