tune_sssd.sh: fix net ads join/leave options

- Remove --use-kerberos=required from leave (doesn't work with broken machine account) - Replace --use-kerberos=required with -U $ADMIN for join (more reliable) - Add comment explaining why --use-kerberos=required doesn't work Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

tune_sssd.sh: fix net ads join/leave options
8afd6846 · Vitaly Lipatov · 691c51d9 · 8afd6846
Commit 8afd6846 authored Jan 16, 2026 by Vitaly Lipatov
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 3 deletions

tune_sssd.sh dc-client/tune_sssd.sh +4 -3

No files found.
--- a/dc-client/tune_sssd.sh
+++ b/dc-client/tune_sssd.sh
@@ -200,14 +200,15 @@ if net ads testjoin 2>/dev/null; then
    fi
 else
    echo "Machine account is broken or not joined, (re)joining..."
-    # Leave domain first if there's a stale join
+    # Leave domain first if there's a stale join (use admin ticket from kinit)
-    net ads leave --use-kerberos=required 2>/dev/null || true
+    net ads leave 2>/dev/null || true
    [ -f /etc/krb5.keytab ] && echo "Removing old keytab /etc/krb5.keytab ..." && rm -fv /etc/krb5.keytab
    echo "Join to domain... "
    # Use dnshostname= to register full FQDN (e.g. host.office.etersoft.ru instead of host.etersoft.ru)
    # This requires msDS-AllowedDNSSuffixes to include the DNS subdomain on the DC
-    net ads join dnshostname=$(hostname -f) --use-kerberos=required --no-dns-updates || fatal "Failed to join to the domain '$REALM'"
+    # Note: --use-kerberos=required doesn't work here, need explicit -U for credentials
+    net ads join dnshostname=$(hostname -f) -U $ADMIN --no-dns-updates || fatal "Failed to join to the domain '$REALM'"
 fi
 kdestroy