Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1904: Why does adjoin fail with a message "invalid container specified in argument"?

Authentication Service ,   Mac & PC Management Service ,  

12 April,16 at 11:46 AM

Applies to: DirectControl 4.4.0 and above on all platforms

Question:
Why does adjoin fail with an error "invalid container" error message even though correct container name was provided for (-c) flag ?

Example:

admins-mac-mini:~ admin$ sudo adjoin -z dztest -c services ajax.org -u jdoe
jdoe's Active Directory password: 
Using writable domain controller: dc01.ajax.org
Error:invalid container specified in argument
Join to domain 'ajax.org', zone 'dztest' failed.

Answer:
Starting from DirectControl 4.4.0 onwards, adclient accepts full/relative Distinguished Name and full canonical name only.


<snip from man pages for adjoin >
 -c, --container container DN
The container DN specifies the distinguished  name  (DN) of  the container or Organizational Unit in which to place this computer account.
You can specify the containerDN by:

          - Canonical name (ajax.org/unix/services). 

Note: You cannot specify a partial name for the canonical name.
          - Fully distinguished name (cn=services, cn=unix,dc= ajax,dc=org)
         - Relative distinguished name without the domain suffix(cn=services,cn=unix)

In the above example, you need to specify the adjoin command as follows:

Relative DN:
admins-mac-mini:~ admin$ sudo adjoin -z dztest -c "cn=services,cn=unix" ajax.org -u jdoe

Or Full DN:
admins-mac-mini:~ admin$ sudo adjoin -z dztest -c "cn=services,cn=unix,dc=ajax,dc=org" ajax.org -u jdoe

Or Full Canonical Name:
admins-mac-mini:~ admin$ sudo adjoin -z dztest -c "ajax.org/unix/services" ajax.org  -u jdoe

Related Articles

 articleKB-2921: adjoining with the self-serve flag fails with "Preauth" error messages in logs articleKB-2065: adjoin fails with "(kerberos) Authentication error" articleKB-3308: adjoin fails with "KRB5 error code 68 for user xyz@US.yourdomain.local (enctype: ArcFour with HMAC/md5)" articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-9542: Unable to join domain with Error: (Kerberos) : Message stream modified articleKB-1767: How to adjoin when there are conflicting / duplicate SPNs in the forest articleKB-1516: adjoin -k fails to join a domain whose domain and forest functional levels are Windows Server 2008 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD?