"Failed to join domain" - when performing realm join on CentOS/RHEL 7
The Problem
The “realm join” command fails with the following error even when the joining user is a member of the “Domain Admins” group. For example:
# realm join --verbose --user=[USER_ADMIN] [YOUR-DOMAIN.COM] --computer-ou="OU=Linux Servers,OU=XXI,DC=[your-domain],DC=[com]"
The Error:
* Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
* Joining using a truncated netbios name:[NODE-NAME]
* LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.MIEUN0 -U [admin-user] ads join <your-domain> createcomputer=OCI/Linux Servers
Enter svc_ansible's password:smb_krb5_init_context_common: Krb5 context initialization failed (Included profile file could not be read)
kerberos_kinit_password_ext: kerberos init context failed (Included profile file could not be read)
kerberos_kinit_password [admin-user]@[your-domain] failed: Included profile file could not be read
smb_krb5_init_context_common: Krb5 context initialization failed (Included profile file could not be read)
ads_print_error: AD LDAP ERROR: 19 (Constraint violation): 000021C7: AtrErr: DSID-03200BD4, #1:
0: 000021C7: DSID-03200BD4, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
Failed to join domain: Failed to set machine spn: Constraint violation
Do you have sufficient permissions to create machine accounts?
! Insufficient permissions to join the domain [your-domain]
realm: Couldn't join realm: Insufficient permissions to join the domain [your-domain]
cp: cannot stat ‘/etc/krb5.conf’: No such file or directory
./adjoin1.sh: line 91: /etc/sssd/sssd.conf: No such file or directory
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
D couldn't load the configuration database [2]: No such file or...tory.
Jul 22 21:04:51 [node-name].[your-domain]
The Solution
Check whether a machine (computer) account for this system already exists in AD. If it does, delete the existing account in AD or choose a different hostname for the system, then re-attempt the realm join.
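The triage below is an added example, not part of the original post: it reads the verbose realm join output quoted above, picks out the truncated NetBIOS name that realmd actually used, flags the servicePrincipalName constraint violation as the real failure (the "Insufficient permissions" line is only realmd's summary), and builds the ldapsearch call for the existence check the solution describes. The DC host, base DN and bind DN passed to ldapsearch_argv are placeholders.

```python
import re

# Constructed sample: the relevant lines of the verbose output quoted in this post.
SAMPLE_OUTPUT = """\
 * Joining using a truncated netbios name:NODE-NAME
kerberos_kinit_password admin-user@your-domain failed: Included profile file could not be read
0: 000021C7: DSID-03200BD4, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName)
Failed to join domain: Failed to set machine spn: Constraint violation
 ! Insufficient permissions to join the domain your-domain
"""


def triage_realm_join(output):
    """Classify a failed `realm join --verbose` run and return the NetBIOS name
    realmd actually used, the likely root cause, and the LDAP filter for the
    computer account to look for in AD."""
    m = re.search(r"truncated netbios name:\s*(\S+)", output)
    netbios = m.group(1).upper() if m else None
    findings = []

    # Kerberos could not read its profile: /etc/krb5.conf missing or unreadable.
    if "Included profile file could not be read" in output:
        findings.append("krb5 profile unreadable: check /etc/krb5.conf")

    # The DC refused to write servicePrincipalName. That is the real failure;
    # the "Insufficient permissions" line afterwards is only realmd's summary.
    spn_conflict = ("(servicePrincipalName)" in output
                    and "Failed to set machine spn" in output)
    if spn_conflict:
        findings.append("SPN constraint violation: a computer account for "
                        f"{netbios} probably already exists in AD")
    elif "Insufficient permissions" in output:
        findings.append("join rejected: verify the joining user's rights on the target OU")

    return {
        "netbios": netbios,
        "root_cause": "spn_conflict" if spn_conflict else "unknown",
        "findings": findings,
        "ldap_filter": f"(sAMAccountName={netbios}$)" if netbios else None,
    }


def ldapsearch_argv(dc_host, base_dn, bind_dn, ldap_filter):
    """ldapsearch command (simple bind, password prompted) that shows whether
    the computer account exists. dc_host/base_dn/bind_dn are placeholders."""
    return ["ldapsearch", "-LLL", "-H", f"ldap://{dc_host}", "-D", bind_dn, "-W",
            "-b", base_dn, ldap_filter,
            "sAMAccountName", "dNSHostName", "servicePrincipalName"]
```

If the search returns an entry, that is the account to remove (or the hostname to change) before re-running realm join.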