
KB-1867: Self-serve join fails with "Warning: Insufficient permission to update Security Descriptor of Computer Object"

Centrify DirectControl

12 April, 16 at 11:07 AM

Applies to: Centrify DirectControl earlier than 5.1
 
Problem:
After precreating the computer account with an adimport script, the self-serve join fails as shown below:
 
cptrwdbv14#sudo adjoin --verbose --alias cptrwdbv14.company.net -n cptrwdbv14.company.com  --selfserve company.com
 
The --alias and -n options are specified to account for the disjoint DNS namespace (the DNS domain differs from the AD domain).
===
Options
-------
Precreate: no
Compatible with 2.x/3.x: no
domain: company.com
user: cptrwdbv14$
container: null
computer name: cptrwdbv14.company.com
Pre-Windows 2000 name: cptrwdbv14
DNS Host Name used for dNSHostName attr: null
zone: "The zone will be determined at a later stage"
server: null
zoneserver: null
gc: null
upn: null
noconf: no
set time: yes
force: no
trust: no
des: no
self-serve: yes
alias names:    cptrwdbv14.company.net
 
Setting time
Joining cptrwdbv14.company.com to domain cptrwdbv14.company.com@company.com as cptrwdbv14.company.com
Retrieving site information...
Warning: Couldn't retrieve site info, using empty site
Attempting bind to company.com(site:) as cptrwdbv14$@company.com on any server
Using writable domain controller: company-dc-tor03.company.com
Using domain controller: company-dc-tor03.company.com
Searching for computer account: filter = (samAccountName=cptrwdbv14$), root = DC=company,DC=com
Machine account already exists: CN=cptrwdbv14,OU=UNIX Servers,OU=Unix,DC=company,DC=com
Checking for any duplicate SPNs in the forest
Checking if zone data for computer exists in domain ...
Saving zone settings
Zone schema: CDC_RFC_2307:7
Zone GUID: 1dc496c4-2d3f-d34d-8bfd-5ad5110618d5
Zone version : $CimsZoneVersion7
Zone name : CN=dev-rar,CN=DEV,CN=UNIX,CN=Zones,OU=Unix,DC=company,DC=com
Will update pre-existing zone object for cptrwdbv14.company.com
Update Computer's Security Descriptor to allow computer object to read/write
operating system and operating system version properties as well as reset password.
Binding to domain again to include Security Descriptor LDAP Control.
Looking for ntSecurityDescriptor for object CN=cptrwdbv14,OU=UNIX Servers,OU=Unix,DC=company,DC=com ....
Checking if the required permissions exist.
Not all of the required permissions exist, will add them.
Add Allowed ACE to Read and Write operatingSystemVersion for S-1-5-21-3088935761-3292726799-943891260-384539.
Add Allowed ACE to Read and Write operatingSystem for S-1-5-21-3088935761-3292726799-943891260-384539.
Add Allowed ACE to Read and Write operatingSystemServicePack for S-1-5-21-3088935761-3292726799-943891260-384539.
Add Allowed ACE to Reset Password for S-1-5-21-3088935761-3292726799-943891260-384539.
Add Allowed ACE to Read userAccountControl for S-1-5-21-3088935761-3292726799-943891260-384539.
Add Allowed ACE to Validate write to servicePrincipalName for S-1-5-21-3088935761-3292726799-943891260-384539.
Add Allowed ACE to Validate write to dNSHostName for S-1-5-21-3088935761-3292726799-943891260-384539.
Warning: Insufficient permission to update Security Descriptor of Computer Object.
         Machine might fail to update operating system and operating system version properties after adjoin.
 
Attempting to update computer service principal names...
Update Computer servicePrincipalName failed.
User does not have update privileges on the servicePrincipalName attribute.
 
Error: Either user cptrwdbv14$ does not have sufficient permissions to update
 the   zone computer information.
 Or there was a replication problem.  Please try again or use the zone delegation wizard to grant sufficient privileges.
 
Join to domain 'company.com', zone '' failed.
[cptrwdbv14] :
====
 
Cause:
The precreate done by adimport did not fully prepare the computer object. precreate_computer is a function in ade_lib; adimport still needs to do more work when precreating the computer account so that a self-serve join works.
 
This means:
1) Centrify needs to fix the missing security descriptor
2) Automatically add the alias SPN when the DNS domain differs from the AD domain, so that it does not have to be added manually through the adjoin options.
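As an added triage aid (not part of this KB or of Centrify's code), the following Python parses a verbose adjoin transcript like the one above and reports which ACEs adjoin tried to add to the computer object's security descriptor and whether that update failed, which is the signature of an incomplete precreate. The sample input is an excerpt constructed from the transcript above.

```python
"""Triage a verbose `adjoin --selfserve` transcript for the KB-1867 failure pattern.

Added example: it pulls out the ACEs adjoin attempted to add to the computer
object's security descriptor, so an admin can see which rights the precreate
step should already have granted to the computer account's SID.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One line per ACE adjoin attempts to add, e.g.
# "Add Allowed ACE to Reset Password for S-1-5-21-...-384539."
ACE_RE = re.compile(r"^Add Allowed ACE to (?P<right>.+?) for (?P<sid>S-1-5-21-[\d-]+)\.$")
SD_WARNING = "Insufficient permission to update Security Descriptor"
SPN_FAILURE = "Update Computer servicePrincipalName failed"


@dataclass
class JoinTriage:
    sid: Optional[str] = None          # SID adjoin wanted to grant rights to
    missing_rights: List[str] = field(default_factory=list)
    sd_update_failed: bool = False     # the warning quoted in the KB
    spn_update_failed: bool = False

    def matches_kb1867(self) -> bool:
        """True when the precreated object lacked the ACEs and adjoin could not add them."""
        return self.sd_update_failed and bool(self.missing_rights)


def triage_adjoin_output(text: str) -> JoinTriage:
    result = JoinTriage()
    for raw in text.splitlines():
        line = raw.strip()  # the warning's second line is indented
        m = ACE_RE.match(line)
        if m:
            result.sid = result.sid or m.group("sid")
            result.missing_rights.append(m.group("right"))
        elif SD_WARNING in line:
            result.sd_update_failed = True
        elif SPN_FAILURE in line:
            result.spn_update_failed = True
    return result


# Constructed sample: an excerpt of the transcript in this KB, trimmed to the relevant lines.
SAMPLE_OUTPUT = """\
Checking if the required permissions exist.
Not all of the required permissions exist, will add them.
Add Allowed ACE to Read and Write operatingSystemVersion for S-1-5-21-3088935761-3292726799-943891260-384539.
Add Allowed ACE to Reset Password for S-1-5-21-3088935761-3292726799-943891260-384539.
Add Allowed ACE to Validate write to servicePrincipalName for S-1-5-21-3088935761-3292726799-943891260-384539.
Warning: Insufficient permission to update Security Descriptor of Computer Object.
         Machine might fail to update operating system and operating system version properties after adjoin.
Attempting to update computer service principal names...
Update Computer servicePrincipalName failed.
"""

if __name__ == "__main__":
    t = triage_adjoin_output(SAMPLE_OUTPUT)
    print(t.sid, t.missing_rights, t.matches_kb1867())
```

Run it over the full output of `adjoin --verbose` to get the list of rights the precreate should have granted before trying the join again.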
 
Workaround:
Attached to the KB is the patched ade_lib.tcl for 5.0.2-413.
 
1) Back up /usr/share/centrifydc/lib/ade_lib/ade_lib.tcl
2) cd /usr/share/centrifydc
3) tar -xvf patched.5.0.2-413.ade_lib.tar
 
Step 3 replaces the original ade_lib.tcl with the patched version; after that, the self-serve join should succeed.
 
Resolution:
This has been fixed in Centrify DirectControl 5.1.
