Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-7399: What administrative permission is needed to run adjoin if hostname is more than 15 characters?

Authentication Service ,  

24 August,16 at 08:27 AM

Applies to: All versions of Centrify DirectControl

Question:
The adjoin man page says the following about --name:

If you specify more than 15 characters, adclient uses LDAP methods to fetch the user's group membership and create the computer account. Because LDAP methods are subject to the permissions on the Active Directory container for the computer account, you may need administrative permissions to execute this command when specifying a computer name longer than 15 characters.

What administrative permission is needed to run adjoin if hostname is more than 15 characters?

Answer:
The permission is no different from what is needed to join the computer normally, i.e., what is delegated as zone admin.
User needs to be added permission to create computer in target container, and basically, full control of the computer object itself (so to modify attribute), create SCP in zone container, and basically, full control of the SCP object itself.

What is more important is the need to set in /etc/centrifydc/centrifydc.conf 
adjoin.samaccountname.length: 19
BEFORE doing adjoin.

Note that 19 is the ABSOLUTE limit and this cannot be made bigger as this is limitation of AD.
Hostname length >15 means that NTLM authentication will NOT work (as machine will not be able to establish Secure Channel with DC. this is AD limitation.) and only Kerberos authentication is possible.

Related Articles

 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6044: How to configure users for automatic Kerberos Credentials for infinite renewal even after users have logged out? articleKB-6050: How to configure a group for automatic Kerberos Credentials for infinite renewal? articleKB-3925: How to add Centrify parameter to a group policy