realm: Couldn't join realm: Insufficient permissions to join the domain example.local


I was able to join all the other CentOS Linux instances but not this one, even though I have AD admin access; I am still getting this error:

  • Resolving: _ldap._tcp.example.local
  • Performing LDAP DSE lookup on: XXX.XX.XXX.X
  • Performing LDAP DSE lookup on: XXX.XX.XXX.X
  • Successfully discovered: example.local
Password for [email protected]:
  • Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
  • LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.7J0AR1 -U [email protected] ads join example.local
Enter [email protected]'s password:
ads_print_error: AD LDAP ERROR: 50 (Insufficient access): 00000005: SecErr: DSID-031A11B9, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

Failed to join domain: Failed to set account flags for machine account (NT_STATUS_ACCESS_DENIED)

 ! Insufficient permissions to join the domain example.local
realm: Couldn't join realm: Insufficient permissions to join the domain example.local


sudo kinit -V [email protected]   (result: successfully authenticated to krb5)


sudo realm join -U [email protected] example.LOCAL   (result: the error shown above)

DmitrySandalov (BEST ANSWER)

Adding rdns=false under the [libdefaults] section in the /etc/krb5.conf file fixed the issue for me.

Example:

[libdefaults]
default_realm = DOMAIN.COM
rdns = false
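The reason the setting matters: MIT Kerberos defaults to rdns = true, which makes the client canonicalise a server's host name through reverse DNS before building the service principal it asks the KDC for. If the PTR record for the domain controller's address returns a name outside the AD DNS domain, the client requests a ticket for a host name the DC does not serve, and the join fails as the answer above describes. The script below is an added example, not part of the original post or of realmd: it checks whether a PTR answer lies inside the AD domain, and it sets rdns = false under [libdefaults] idempotently. The domain name, file paths and sample PTR answers are assumptions used for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Two helpers:
#   ptr_in_domain PTRNAME DOMAIN   - does a reverse-DNS answer sit inside the AD domain?
#   ensure_rdns_false FILE         - make sure krb5.conf has "rdns = false" under [libdefaults]
# The domain, paths and PTR names used here are assumptions for illustration.

# ptr_in_domain: return 0 if PTRNAME ends with ".DOMAIN" (case-insensitive,
# trailing dot ignored), else 1. A PTR such as ip-10-0-0-5.us-east-1.compute.internal
# for a DC in example.local is the mismatch that sends the client after the wrong SPN.
ptr_in_domain() {
    ptr=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    dom=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$ptr" in
        *."$dom") return 0 ;;
        *)        return 1 ;;
    esac
}

# dc_ptr_check IP DOMAIN: reverse-resolve a real DC address with dig and report.
# Needs network access; the offline demo below does not call it.
#   dc_ptr_check 10.0.0.5 example.local
dc_ptr_check() {
    name=$(dig -x "$1" +short | head -n 1)
    if [ -z "$name" ]; then
        echo "no PTR for $1 (Kerberos keeps the name it was given)"
    elif ptr_in_domain "$name" "$2"; then
        echo "PTR $name is inside $2"
    else
        echo "PTR $name is OUTSIDE $2: set rdns = false or fix reverse DNS"
    fi
}

# ensure_rdns_false FILE: add or correct "rdns = false" in [libdefaults].
# Safe to run repeatedly: an existing rdns line is rewritten, not duplicated.
ensure_rdns_false() {
    f=$1
    if ! grep -q '^\[libdefaults\]' "$f"; then
        # no [libdefaults] section at all: append one
        printf '\n[libdefaults]\nrdns = false\n' >> "$f"
    elif grep -Eq '^[[:space:]]*rdns[[:space:]]*=' "$f"; then
        # an rdns line exists (true or false): force it to false
        awk '/^[ \t]*rdns[ \t]*=/ { sub(/=.*/, "= false") } { print }' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        # section present, no rdns line: insert one right after the header
        awk '{ print } /^\[libdefaults\]/ && !done { print "rdns = false"; done = 1 }' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    fi
}

# rdns_is_false FILE: return 0 when the file carries an "rdns = false" line.
rdns_is_false() {
    grep -Eq '^[[:space:]]*rdns[[:space:]]*=[[:space:]]*false' "$1"
}

# Offline demo on a constructed krb5.conf (not the system file).
demo=$(mktemp)
printf '[libdefaults]\ndefault_realm = EXAMPLE.LOCAL\n\n[realms]\n' > "$demo"
ensure_rdns_false "$demo"
cat "$demo"
rm -f "$demo"

# Constructed PTR answers, as an AWS-style mismatch and an in-domain one would look.
for name in ip-10-0-0-5.us-east-1.compute.internal dc01.example.local.; do
    if ptr_in_domain "$name" example.local; then
        echo "$name: inside example.local"
    else
        echo "$name: outside example.local, rdns would break the SPN"
    fi
done
```

Run the demo as any user; point ensure_rdns_false at /etc/krb5.conf as root on the host that fails to join, then retry realm join. The check only looks at the domain suffix: a PTR that resolves to a different host inside the same domain is a reverse-DNS error of its own and still worth fixing.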
Bret J

Is this in AWS? If so, here is the real solution.

The issue is that Amazon is doing rDNS for you; you need to disable that.

Disable the autodefined rules for reverse DNS resolution in Route 53. That stops the compute.internal name from being returned. It's that rDNS result that's coming back that causes the issue you are having.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-automatic-forwarding-rules-reverse-dns.html