Ronald West II

Reputation: 33

OEL8 Realm Join error: Insufficient permissions to join domain

I am a Windows admin helping one of our Linux admins with a domain join of her OEL 8 box. She's getting the error "! Insufficient permissions to join the domain" during the realm join operation. The full error is:

! Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database) adcli: couldn't connect to [redacted] domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database) ... ! Insufficient permissions to join the domain realm: Couldn't join realm: Insufficient permissions to join the domain ...

She is using her domain admin account. In our environment, only domain admins and the delegated Service Desk group can join/leave the domain. We tried several things, including a hosts file entry pointing to a specific domain controller we knew it could see. We have verified all necessary ports are open. We have validated that DNS for the domain is correct. She was able to run a command to log in to the domain with her domain admin account. We have validated her account in the domain in other ways (including a domain controller login with the same credentials). She has also joined many, many servers to our domain over the years, and no permissions have changed.

Anyone have any ideas? We're losing our minds lol.

Added rdns=false to krb5.conf as suggested by another Stack question result

Hosts file entry pointing to a specific domain controller we knew it could see

Verified all necessary ports are open in local firewall

Validated DNS

Successful command to log in to the domain with the same domain admin account from the OEL 8 server

Validated the account in the domain in other ways, including a domain controller login with the same credentials

Other servers joined to our domain over the years using the same account

Upvotes: 1

Views: 2135

Answers (1)

Ronald West II

Reputation: 33

So we were able to figure it out. It turns out one of the two Domain Controllers in that target environment was not healthy, so the account used, which is a domain admin, could not be authenticated properly. We had the specific DCs in the config, but in a specific order. Because the DC could still be reached, regardless of its health, the troubled server did not fail over to the next one in the list. Once the first DC was taken out of the list, it went to the second one and the realm join worked flawlessly.

So, the moral of the story here: even if you can contact the target DC from the server, validate the DC's health if you get this error. Now I get to go figure out why my DC is not healthy! Good times!

Upvotes: 2
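The answer's lesson is that TCP reachability (hosts file entry, open ports) says nothing about whether a DC can actually issue tickets, and the Kerberos client will not skip a reachable-but-broken KDC that sits first in the list. The following script is an added example, not code from the original question or answer, that probes each KDC listed in krb5.conf individually: it pins a throwaway krb5.conf to that one DC, obtains a TGT with the join account, then requests a service ticket for that DC's own ldap/ SPN, which is the ticket a SASL GSSAPI bind by adcli needs and where a "Server not found in Kerberos database" failure typically surfaces. It assumes MIT Kerberos client tools (kinit, kvno) on the Linux host; the realm, user principal, DC names and the sample krb5.conf fragment are placeholders constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): probe each KDC/DC on its own
# instead of trusting the ordered list in krb5.conf. Assumes MIT Kerberos
# client tools (kinit, kvno). Realm, principal and hostnames are placeholders.

# Constructed krb5.conf fragment listing two DCs in order, as in the answer.
SAMPLE_KRB5_CONF='[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        kdc = dc2.example.com:88
        admin_server = dc1.example.com
    }'

# Print the "kdc = host[:port]" values from krb5.conf text on stdin, in file
# order, with any :port suffix stripped.
kdcs_from_conf() {
    sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' |
        sed 's/:[0-9]*$//'
}

# TCP reachability only. This is all that a hosts entry plus open firewall
# ports prove, and it is the check that passed while the DC was unhealthy.
tcp_open() {   # tcp_open host port
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Full Kerberos probe pinned to a single DC. Writes a temporary krb5.conf that
# names only this DC (dns_lookup_kdc off so nothing else is consulted), gets a
# TGT for the join account, then asks that KDC for a ticket to its own ldap/
# SPN. Password is taken from JOIN_PW (set once by main, never on argv).
probe_kdc() {  # probe_kdc dc_fqdn REALM user@REALM
    local dc=$1 realm=$2 upn=$3 tmpdir rc=1
    tmpdir=$(mktemp -d) || return 1
    cat >"$tmpdir/krb5.conf" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    rdns = false
[realms]
    $realm = {
        kdc = $dc
        admin_server = $dc
    }
EOF
    if tcp_open "$dc" 88 && tcp_open "$dc" 389; then
        if printf '%s\n' "$JOIN_PW" |
               KRB5_CONFIG="$tmpdir/krb5.conf" KRB5CCNAME="FILE:$tmpdir/cc" \
               kinit "$upn" >/dev/null 2>&1 &&
           KRB5_CONFIG="$tmpdir/krb5.conf" KRB5CCNAME="FILE:$tmpdir/cc" \
               kvno "ldap/$dc" >/dev/null 2>&1; then
            rc=0
        fi
    fi
    rm -rf "$tmpdir"
    return $rc
}

# Return the first DC that passes the probe: the "take the sick DC out of the
# list" step from the answer, decided by measurement rather than list order.
# $1 is the probe command so the selection logic can run without a network.
first_healthy() {  # first_healthy probe_cmd dc...
    local probe=$1 dc
    shift
    for dc in "$@"; do
        if "$probe" "$dc"; then
            printf '%s\n' "$dc"
            return 0
        fi
        echo "skipping $dc: reachable or not, it failed the Kerberos probe" >&2
    done
    return 1
}

main() {  # main REALM user@REALM /etc/krb5.conf
    local realm=$1 upn=$2 conf=$3 dcs chosen
    read -rsp "Password for $upn: " JOIN_PW; echo
    mapfile -t dcs < <(kdcs_from_conf <"$conf")
    probe() { probe_kdc "$1" "$realm" "$upn"; }
    chosen=$(first_healthy probe "${dcs[@]}") ||
        { echo "no DC in $conf issued a usable ldap/ ticket" >&2; return 1; }
    echo "Pin 'kdc = $chosen' in $conf before running: realm join --verbose $realm"
}

if [ "$#" -eq 3 ] && [ -t 0 ]; then
    main "$@"
else
    echo "usage: $0 REALM user@REALM /etc/krb5.conf" >&2
fi
```

Run it as the Linux admin before retrying `realm join`; a DC that answers on ports 88 and 389 but fails the kinit or kvno step is exactly the reachable-but-unhealthy case from the answer, and the script leaves it out of the recommendation instead of letting it block the join.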
