Error "ERROR: Failed, errno = 1, Operation not permitted" when running the vastool join command on a client.
For example:
Attempting to join Active Directory
Checking whether computer is already joined to a domain ... no
Configuring forest root ... yourdomain.com... OK
Configuring site ... firstsite ... OK
Joining computer to the domain as host/host.yourdomain.com ... OK
Joined using computer object "CN=hosts,OU=Linux Servers,OU=DC Servers,DC=yourdomain,DC=com" ... OK
Writing vas.conf ... OK
Populating misc cache ... OK
Detecting Schema Configuration ... OK
Preparing to apply Group Policy ... OK
Applying VAS Related Group Policy Settings ... ERROR: Failed, errno = 1, Operation not permitted.
Other possible symptoms
When running a vastool info id you may receive the following error:
# vastool -u host/ info id
ERROR: VAS_ERR_NOT_FOUND: could not resolve Host: HOST$YOURDOMAIN.COM to DN
When running a vastool host attribute lookup you may receive the following error:
# vastool -u host/ attrs host
ERROR: VAS_ERR_NOT_FOUND: Not Found
Caused by:
VAS_ERR_LDAP: GSS SASL bind failed. LDAP Host:host.yourdomain.com, Client: HOST@YOURDOMAIN.COM, Service: ldap/host.yourdomain.com@YOURDOMAIN.COM
8009030c: LdapErr: DSID-0C090419, comment: AcceptSecurityContext error, data 569, vece.
CAUSE:
A firewall between the Domain Controllers and the QAS client, or security restrictions in Active Directory.
RESOLUTION 1:
Ensure that your client can communicate with your Domain Controllers using all the ports required by VAS.
Refer to the following KB for port and preflight information: KB13608
RESOLUTION 2:
Check the permissions for the QAS computer object within Active Directory Users and Computers by doing the following:
1. Load Active Directory Users and Computers.
2. Click on the View menu, and select "Advanced Features" if not ticked.
3. Locate the QAS computer object within AD.
4. Right click on the object and select Properties | Security Tab | Click Advanced | Effective Permissions Tab | Click Select | Click Object Types | Tick Computers | Click OK | Enter the name of the QAS computer object.
The effective permissions should be:
List Contents
Read all Properties
Read Permissions
Change Password
Read Account Restrictions
Every other Read access below this
RESOLUTION 3:
Check the security GPOs on the DC:
1. From the Start menu run RSOP.MSC.
2. Go into Windows Settings | Security Settings | Local Policies | User Rights Assignment.
3. Ensure that "Access this computer from the network" includes the Authenticated Users group.
4. Ensure that the QAS computer object is not included in the "Deny access to this computer from the network".
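To decide which resolution applies, the `data` value in the AcceptSecurityContext line can be decoded: it is a Win32 error number in hex, and `569` (1385, ERROR_LOGON_TYPE_NOT_GRANTED) means the account was refused the requested logon type, which is the user-rights case covered by Resolution 3. The following Python is an added example, not One Identity code; the `triage` function, its field names and the sub-code table are assumptions of this example.

```python
import re

# "data NNN" in an AcceptSecurityContext failure is a Win32 error number in hex.
SUBCODES = {
    0x525: "ERROR_NO_SUCH_USER",
    0x52E: "ERROR_LOGON_FAILURE",
    0x530: "ERROR_INVALID_LOGON_HOURS",
    0x531: "ERROR_INVALID_WORKSTATION",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x569: "ERROR_LOGON_TYPE_NOT_GRANTED",
    0x701: "ERROR_ACCOUNT_EXPIRED",
    0x773: "ERROR_PASSWORD_MUST_CHANGE",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}

BIND_RE = re.compile(r"LDAP Host:\s*(?P<host>[^,\s]+),\s*Client:\s*(?P<client>[^,\s]+),"
                     r"\s*Service:\s*(?P<service>\S+)")
ASC_RE = re.compile(r"(?P<sspi>[0-9A-Fa-f]{8}): LdapErr: (?P<dsid>DSID-[0-9A-Fa-f]+), "
                    r"comment: AcceptSecurityContext error, data (?P<data>[0-9A-Fa-f]+)")

# Error text as shown in the symptoms section of this article.
SAMPLE = """VAS_ERR_LDAP: GSS SASL bind failed. LDAP Host:host.yourdomain.com, Client: HOST@YOURDOMAIN.COM, Service: ldap/host.yourdomain.com@YOURDOMAIN.COM
8009030c: LdapErr: DSID-0C090419, comment: AcceptSecurityContext error, data 569, vece."""

def triage(text):
    """Parse a vastool GSS SASL bind failure; None if no AcceptSecurityContext line."""
    asc = ASC_RE.search(text)
    if asc is None:
        return None  # nothing to decode in this error text
    code = int(asc["data"], 16)
    result = {"sspi": asc["sspi"].lower(),        # 8009030c is SEC_E_LOGON_DENIED
              "dsid": asc["dsid"],
              "win32": code,                      # decimal Win32 error number
              "name": SUBCODES.get(code, "UNKNOWN"),
              "user_rights_issue": code == 0x569} # hypothetical flag: see Resolution 3
    bind = BIND_RE.search(text)
    if bind:
        result.update(bind.groupdict())           # host, client, service principals
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:18} {value}")
```
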