The permission needed to run adjoin if the hostname is more than 15 characters is no different from what is needed to join the computer normally, i.e., what is delegated to a zone admin.
Applies to: All versions of Centrify DirectControl
Question: The adjoin man page says the following about --name:
If you specify more than 15 characters, adclient uses LDAP methods to fetch the user's group membership and create the computer account. Because LDAP methods are subject to the permissions on the Active Directory container for the computer account, you may need administrative permissions to execute this command when specifying a computer name longer than 15 characters.
What administrative permission is needed to run adjoin if the hostname is more than 15 characters?
Answer: The permission is no different from what is needed to join the computer normally, i.e., what is delegated to a zone admin. The user needs permission to create computer objects in the target container and, in effect, full control of the computer object itself (so that its attributes can be modified), plus permission to create the SCP in the zone container and, in effect, full control of the SCP object itself.
More important is that adjoin.samaccountname.length: 19 must be set in /etc/centrifydc/centrifydc.conf BEFORE running adjoin.
Note that 19 is the ABSOLUTE limit and cannot be raised, as this is an AD limitation. A hostname longer than 15 characters means that NTLM authentication will NOT work (the machine will not be able to establish a Secure Channel with the DC; this is an AD limitation), so only Kerberos authentication is possible.
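A pre-flight check for the procedure above, added here as an example and not part of Centrify's own tooling: it applies the 15- and 19-character thresholds from the answer and verifies that adjoin.samaccountname.length is set to 19 in centrifydc.conf before adjoin is run. The function names and the optional second argument (config path, defaulting to /etc/centrifydc/centrifydc.conf) are assumptions.

```shell
#!/bin/sh
# Hypothetical helper script, not part of Centrify DirectControl.
KEY='adjoin.samaccountname.length'

# Returns 0 when the host can be joined (with a warning if only Kerberos will work),
# 1 when the name exceeds the absolute 19-character AD limit,
# 2 when the name is 16-19 characters but the config key is not yet set to 19.
adjoin_preflight() {
    host="$1"
    conf="${2:-/etc/centrifydc/centrifydc.conf}"
    len=${#host}
    if [ "$len" -gt 19 ]; then
        echo "ERROR: '$host' is $len characters; AD allows at most 19" >&2
        return 1
    fi
    if [ "$len" -le 15 ]; then
        return 0
    fi
    # 16..19 characters: the key must already be set (commented-out lines do not count).
    setting=$(grep -E "^[[:space:]]*$KEY[[:space:]]*:" "$conf" 2>/dev/null \
              | tail -n 1 | sed 's/.*:[[:space:]]*//' | tr -d '[:space:]')
    if [ "$setting" != "19" ]; then
        echo "ERROR: set '$KEY: 19' in $conf before running adjoin" >&2
        return 2
    fi
    echo "WARNING: '$host' is $len characters; NTLM will not work, Kerberos only" >&2
    return 0
}

# Sets the key to 19 in the given config file, replacing any existing value
# (other lines are kept; the original file is saved as <conf>.bak).
ensure_samaccountname_length() {
    conf="$1"
    tmp="$conf.tmp.$$"
    [ -f "$conf" ] || : > "$conf"
    cp "$conf" "$conf.bak"
    grep -vE "^[[:space:]]*$KEY[[:space:]]*:" "$conf" > "$tmp" || true
    printf '%s: 19\n' "$KEY" >> "$tmp"
    mv "$tmp" "$conf"
}
```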