領域加入無法創建電腦帳戶

閱讀man realm我看到以下內容：

--computer-ou=OU=xxx
   The distinguished name of an organizational unit to create the computer account. The exact format of the distinguished name depends on the 
   membership software. You can usually omit the root DSE portion of distinguished name. This is an Active Directory specific option.

我將其解釋為realm能夠根據需要在活動目錄中創建電腦帳戶。

對其進行測試，但它失敗了：

[root@client ~]# realm join --user=svc-linux-join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls < <(echo 'L3t-m3-in')
Password for svc-linux-join:
See: journalctl REALMD_OPERATION=r1695.2763
realm: Couldn't join realm: Joining the domain domain.bls failed
[root@client ~]# journalctl REALMD_OPERATION=r1695.2763
-- Logs begin at Thu 2019-09-19 22:00:08 CEST, end at Thu 2019-09-19 22:28:25 CEST. --
Sep 19 22:28:25 client realmd[2759]:  * Resolving: _ldap._tcp.domain.bls
Sep 19 22:28:25 client realmd[2759]:  * Performing LDAP DSE lookup on: 10.0.2.15
Sep 19 22:28:25 client realmd[2759]:  * Successfully discovered: domain.bls
Sep 19 22:28:25 client realmd[2759]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Sep 19 22:28:25 client realmd[2759]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.2B8L8Z -U svc-linux-join ads join domain.bls createcomputer=linux/serve
Sep 19 22:28:25 client realmd[2759]: Enter svc-linux-join's password:
Sep 19 22:28:25 client realmd[2759]: Failed to join domain: failed to precreate account in ou ou=servers,ou=linux,dc=DOMAIN,dc=BLS: No such object
Sep 19 22:28:25 client realmd[2759]:  ! Joining the domain domain.bls failed

我首先認為這是對委派權限的限制，svc-linux-join所以我也讓 administrator@domain.bls 試一試，結果相同：

[root@client ~]# realm join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls
Password for Administrator:
See: journalctl REALMD_OPERATION=r1740.2772
realm: Couldn't join realm: Joining the domain domain.bls failed
[root@client ~]# journalctl REALMD_OPERATION=r1740.2772
-- Logs begin at Thu 2019-09-19 22:00:08 CEST, end at Thu 2019-09-19 22:29:14 CEST. --
Sep 19 22:29:11 client realmd[2759]:  * Resolving: _ldap._tcp.domain.bls
Sep 19 22:29:11 client realmd[2759]:  * Performing LDAP DSE lookup on: 10.0.2.15
Sep 19 22:29:11 client realmd[2759]:  * Successfully discovered: domain.bls
Sep 19 22:29:14 client realmd[2759]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Sep 19 22:29:14 client realmd[2759]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.UK8T8Z -U Administrator ads join domain.bls createcomputer=linux/server
Sep 19 22:29:14 client realmd[2759]: Enter Administrator's password:
Sep 19 22:29:14 client realmd[2759]: Failed to join domain: failed to precreate account in ou ou=servers,ou=linux,dc=DOMAIN,dc=BLS: No such object
Sep 19 22:29:14 client realmd[2759]:  ! Joining the domain domain.bls failed

然後我嘗試預先創建電腦帳戶：

並再次加入：

[root@client ~]# realm join --user=svc-linux-join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls < <(echo 'L3t-m3-in')
Password for svc-linux-join:
See: journalctl REALMD_OPERATION=r2567.12844
realm: Couldn't join realm: Insufficient permissions to join the domain domain.bls
[root@client ~]# journalctl REALMD_OPERATION=r2567.12844
-- Logs begin at Thu 2019-09-19 22:00:08 CEST, end at Thu 2019-09-19 22:47:21 CEST. --
Sep 19 22:42:58 client realmd[12848]:  * Resolving: _ldap._tcp.domain.bls
Sep 19 22:42:58 client realmd[12848]:  * Performing LDAP DSE lookup on: 10.0.2.15
Sep 19 22:42:58 client realmd[12848]:  * Successfully discovered: domain.bls
Sep 19 22:42:58 client realmd[12848]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Sep 19 22:42:58 client realmd[12848]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.F0897Z -U svc-linux-join ads join domain.bls createcomputer=linux/serv
Sep 19 22:42:58 client realmd[12848]: Enter svc-linux-join's password: 
Sep 19 22:42:58 client realmd[12848]: Failed to join domain: Failed to set password for machine account (NT_STATUS_ACCESS_DENIED)
Sep 19 22:42:58 client realmd[12848]: 
Sep 19 22:42:58 client realmd[12848]:  ! Insufficient permissions to join the domain domain.bls

現在該帳戶存在，我收到另一個錯誤。以管理員身份返回：

[root@client ~]# realm join --computer-ou=OU=servers,OU=linux,DC=domain,DC=bls --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls
Password for Administrator:

它只是工作。

如果我刪除電腦帳戶並重新加入域而不為電腦帳戶指定所需的 OU，它也可以工作：

[root@client ~]# realm leave --remove
Password for Administrator: 
[root@client ~]# realm join domain.bls
Password for Administrator: 
[root@client ~]# ldapsearch -LLL -x -h server -b dc=domain,dc=bls -D svc-linux-join -w L3t-m3-in cn=client distinguishedName | grep -v -e ^# -e ^$
dn: CN=client,CN=Computers,DC=domain,DC=bls
distinguishedName: CN=client,CN=Computers,DC=domain,DC=bls

我應該不能讓realm join使用授予 OU 的權限的帳戶在指定的 OU 中創建電腦帳戶嗎？

應該使用將一組最小權限委派給此處概述的 OU 的帳戶：https ://social.technet.microsoft.com/Forums/scriptcenter/en-US/1f72f4d9-7343-4a7c-a03f-3713cafdd152/delegate-athority- in-a-out-to-a-sinle-user-to-join-computers-to-domain?forum=winserverpowershell

最終應該是這樣的：

話說回來…

您是否安裝了 samba-common-tools-4.9.1-6.el7.x86_64？嘗試降級到 4.8.3-6.el7_6.x86_64 或將“–membership-software=adcli”添加到您的領域加入命令。這是此版本的 samba-common-tools 中的一個已知問題。

例子：

[root@client ~]# realm join --membership-software=adcli --user=svc-linux-join --computer-ou="OU=servers,OU=linux,DC=domain,DC=bls" --os-name=CentOS --os-version=7 --automatic-id-mapping=no domain.bls < <(echo 'L3t-m3-in')
Password for svc-linux-join: 

引用自：https://unix.stackexchange.com/questions/542709