Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-2546: Adjoin failed with "RPC Error(rc=0xc0000022): Access Denied"

Centrify Identity Service, Mac Edition ,  

12 April,16 at 11:13 AM 

Applies to:

Centrify DirectControl version 4.4.4 on all platforms

Problem:

On DirectControl 4.4.4, using adjoin -c specifying a specific container fails with:

RPC Error(rc=0xc0000022): Access Denied

This works on all other releases.

Example:
adjoin -V -u ian -c iltest.net/Servers/Unix -z linux iltest.net
.
.
.
Using RPC to create the computer account
Unexpected RPC Error(rc=0xc0000022): Access Denied
due to unexpected configuration or network error.
Please try the --verbose option or run 'adinfo --diag' to diagnose the problem.
Join to domain 'iltest.net', zone 'linux' failed. 

Cause:

Except for version 4.4.4, using adjoin with a specified container, will switch to ldap to create the computer object (instead of SMB). 
But in the 4.4.4 release, this was refactored to disregard this consideration. 
Instead, it creates the computer object in the default container and then move it to target destination. 
However, if the user does not have permission to create objects in the default container - adjoin will fail with "Access Denied".

Resolution:

Use adjoin -l to force creating computer objects through ldap

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-1879: Adjoin fails due to "unexpected RPC Error" articleKB-1904: Why does adjoin fail with a message "invalid container specified in argument"? articleKB-2065: adjoin fails with "(kerberos) Authentication error" articleKB-1579: adjoin failed with "(kerberos) Authentication error" after authoritative restore on windows server 2008 articleKB-3308: adjoin fails with "KRB5 error code 68 for user xyz@US.yourdomain.local (enctype: ArcFour with HMAC/md5)" articleKB-1767: How to adjoin when there are conflicting / duplicate SPNs in the forest articleKB-4694: adjoin fails in auto zone with "Computers" CN for a normal AD user articleKB-2346: adjoin self-serve fails for precreated computer with hostname > 15 chars, in disjointed DNS with error:Constraint violation : 0000200B:.., Att 9026b (dNSHostName) articleKB-1215: Error: One or more of the following SPNs already associated with other account in the forest