Joining a Linux server with Realmd via a service account
Active Directory permissions required to join Linux and Windows Computers to a Domain
Posted on February 8, 2019 by Computer-Tech-Blog
I recently ran into an issue where I needed to create a service account with the bare minimum permissions to add a Windows and a Linux server to a domain. Windows was fairly easy to join; it only requires the 5 permissions, but the Linux server was throwing all kinds of errors. Linux servers require additional permissions to join AD through realm join or adcli.
ADDING THE DELEGATION
- Open the Active Directory Users and Computers.
- Create a new OU called Linux.
- Right-click on the Linux OU container and select Delegate control.
- Click Next.
- Click Add, select the service account "joinad_svc@mylab.local" and click Next.
- Select "Create a custom task to delegate" and click Next.
- Select "Only the following objects in the folder" and check "Computer objects" in the list.
- Place check-marks beside "Create selected objects in this folder" and "Delete selected objects in this folder". Click Next.
- Select "General" and "Property-specific", then select the following permissions from the list.
Standard permissions required to join systems to AD (Linux and Windows):
- Reset password
- Read and write account restrictions
- Validated write to DNS host name
- Validated write to service principal name
- Read and write DNS host name attributes
Additional permissions required by Linux machines to join AD (Linux):
- Read dNSHostName
- Write dNSHostName
- Read msDS-AdditionalSamAccountName
- Write msDS-AdditionalSamAccountName
- Read msDS-SupportedEncryptionTypes
- Write msDS-SupportedEncryptionTypes
- Read Operating System
- Write Operating System
- Read Operating System Version
- Write Operating System Version
- Read OperatingSystemServicePack
- Write OperatingSystemServicePack
- Read servicePrincipalName
- Write servicePrincipalName
- Read userAccountControl
- Write userAccountControl
- Read userPrincipalName
- Write userPrincipalName
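The same delegation can be applied with PowerShell instead of clicking through the wizard, which makes it repeatable and leaves a listing you can review later. The script below is an added example and is not from the original post; it assumes the names used above (domain mylab.local, OU "Linux", service account joinad_svc) and must be run by someone who can already modify the OU's ACL. It resolves the schema and extended-right GUIDs from the forest at run time rather than hard-coding them, and the helper function New-ComputerAce is hypothetical, introduced only for this example.

```powershell
# Added example, not part of the original post. Grants joinad_svc the delegations
# listed above with PowerShell. Assumed values: domain mylab.local, OU "Linux",
# account "joinad_svc" (all taken from the post).
Import-Module ActiveDirectory   # also mounts the AD: drive used by Get-Acl / Set-Acl

$ouDN    = 'OU=Linux,DC=mylab,DC=local'
$svcName = 'joinad_svc'
$svcSid  = [System.Security.Principal.SecurityIdentifier](Get-ADUser -Identity $svcName).SID

# Resolve schema (attribute/class) GUIDs and extended-right GUIDs from this forest.
$rootDse    = Get-ADRootDSE
$schemaGuid = @{}
Get-ADObject -SearchBase $rootDse.SchemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $schemaGuid[$_.lDAPDisplayName] = [guid]$_.schemaIDGUID }

$rightGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
    ForEach-Object { $rightGuid[$_.displayName] = [guid]$_.rightsGuid }

$computerClass = $schemaGuid['computer']
$allow         = [System.Security.AccessControl.AccessControlType]::Allow

# Hypothetical helper: builds one ACE scoped to descendant computer objects only,
# which is what "Only the following objects in the folder: Computer objects" means.
function New-ComputerAce {
    param([string]$Rights, $ObjectType)
    if (-not $ObjectType) { throw "GUID lookup failed for '$Rights'; check the right/attribute name." }
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $svcSid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        $allow,
        [guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerClass)
}

$aces = @(
    # "Create/Delete selected objects in this folder", limited to computer objects.
    (New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $svcSid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        $allow,
        $computerClass,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

    # Standard permissions (Linux and Windows).
    (New-ComputerAce -Rights 'ExtendedRight'               -ObjectType $rightGuid['Reset Password'])
    (New-ComputerAce -Rights 'ReadProperty, WriteProperty' -ObjectType $rightGuid['Account Restrictions'])
    (New-ComputerAce -Rights 'Self'                        -ObjectType $rightGuid['Validated write to DNS host name'])
    (New-ComputerAce -Rights 'Self'                        -ObjectType $rightGuid['Validated write to service principal name'])
    (New-ComputerAce -Rights 'ReadProperty, WriteProperty' -ObjectType $rightGuid['DNS Host Name Attributes'])
)

# Additional attribute read/write permissions that realm join / adcli need.
$linuxAttributes = 'dNSHostName', 'msDS-AdditionalSamAccountName', 'msDS-SupportedEncryptionTypes',
                   'operatingSystem', 'operatingSystemVersion', 'operatingSystemServicePack',
                   'servicePrincipalName', 'userAccountControl', 'userPrincipalName'
foreach ($attr in $linuxAttributes) {
    $aces += New-ComputerAce -Rights 'ReadProperty, WriteProperty' -ObjectType $schemaGuid[$attr]
}

# Apply all ACEs to the OU in one write.
$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($ace in $aces) { $acl.AddAccessRule($ace) }
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: list only what the service account now holds on this OU.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $svcSid } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Once the ACL is in place, the Linux host can be joined into that OU with `realm join --user=joinad_svc --computer-ou='OU=Linux,DC=mylab,DC=local' mylab.local`. Note that the account ends up holding Reset Password and write access to userAccountControl on every computer object under the OU, so keep the delegation scoped to that OU, protect the account's credential like any other privileged secret, and keep the verification listing at the end as the thing to compare against during periodic reviews.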
Ben Tuma
Over 20 years of experience in the Information Technology field. I love technology and seeing how it changes and impacts people's lives for the better. I have a healthy appetite for innovation and problem solving.
I am sharing my knowledge and challenges in the hope of helping others as we constantly face ever-changing problems in IT and technology.