Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2346: adjoin self-serve fails for precreated computer with hostname > 15 chars, in disjointed DNS with error:Constraint violation : 0000200B:.., Att 9026b (dNSHostName)

Authentication Service ,  

12 April,16 at 11:31 AM

Applies to: Centrify DirectControl console version 5.0.5

Problem:
The UNIX host is member of DNS 'ajax.org', but it was being joined to Active Directory domain 'us.ajax.org'.

Prior to join, in the /etc/centrifydc/centrifydc.conf file, the parameter is set as:
adjoin.samaccountname.length: 19

This parameter is set to 19 as the hostname is > 15 characters

From the Centrify DirectControl console, the computer account was pre-created with hostname > 15 characters.
adjoin with self-serve option was run as follows.
#adjoin -V -S -n <computername> <domainname>

The  adjoin self-serve failed with error in the log as:
adjoin[3498]:DIAG  base.bind.ldap update attribute dNSHostName
adjoin[3498]: DIAG  base.bind.ldap update attribute servicePrincipalName
adjoin[3498]: DEBUG base.osutil Module=LDAP : ldap_result2error ldap_modify_ext CN=us12345678901234,OU=UNIX Servers,OU=US,OU=GLOBAL,OU=Unix,DC=US,DC=AJAX,DC=ORG : Constraint violation : 0000200B: AtrErr: DSID-03153EC6, #1:  0: 0000200B: DSID-03153EC6, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9026b (dNSHostName)  (reference base/ldapbind.cpp:572 rc: 19)
adjoin[3498]: DEBUG base.join The computer failed to join the domain "us.ajax.org".  Please do one of the following:  -- If the computer's hostname exceeds 19 characters, shorten it and try again, or use --name option to specify a name that is no more than 19 characters long.  -- Configure the computer's primary DNS suffix to match the Active Directory domain DNS name or any other allowed primary DNS suffix.  For the list of the allowed DNS suffixes contact your system administrator.  -- Contact your domain adminis
adjoin[3498]: DEBUG util.except (cims::BadData) : adjoin update failed (reference base/join.cpp:2278 rc: -1)
 
Cause:
The adjoin did case sensitive comparison for dnsHostname.  The update of dnsHostname will fail on Win2k3 domain when computer samaccountname > 15 characters

Workaround:
1. Verify if the parameter in /etc/centrifydc/centrifydc.conf is set to:
adjoin.samaccountname.length: 19

Note: run the command 'adreload' when making changes to the config file

2. Clean-up the computer account:
i) From the Centrify DirectControl console, right-click on the computer object and select 'Delete'.
ii) From the Active Directory Users and Computers, right-click on the computer account and select 'Delete'.
 
3. Pre-create the computer account with DNS name suffix in lower case. In the Prepare Computer -> Specify Computer Information wizard, for the DNS name field, specify the dns suffix in lower case. 

  DNS name: <computername>.<dns suffix> 
  Example: us12345678901234.us.ajax.org
  
4. Run the adjoin to do self-serve join

#adjoin -V -S -n<computername> <domainname>
 
Resolution:  
This is resolved in Suite 2013.3 (5.1.2)

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-2962: adjoin self-serve fails for pre-created computer with hostname > 15 chars with error:get creds: Client not found in Kerberos database articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-8306: Centrify-enabled samba not accessible due to error "NT_STATUS_CANT_ACCESS_DOMAIN_INFO" articleKB-3925: How to add Centrify parameter to a group policy articleKB-1867: Self-serve join fails with "Warning: Insufficient permission to update Security Descriptor of Computer Object"