царство `! Невозможно установить пароль компьютера: доступ запрещен`

Я пытаюсь подключить свой debian-компьютер к серверу Windows, но не могу заставить его работать.

Как root, kinit -V myUserName@MYDOMAIN.COM возвращает

Using default cache: /tmp/krb5cc_0
Using principal: myUserName@MYDOMAIN.COM
Password for myUserName@MYDOMAIN.COM: 
Authenticated to Kerberos v5

обнаружение области MYDOMAIN.COM дает

mydomain.com
  type: kerberos
  realm-name: MYDOMAIN.COM
  domain-name: mydomain.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

Я считаю, что у меня установлены все необходимые пакеты, поскольку dpkg-query -l 'sssd-tools' 'sssd' 'adcli' ' samba-common-bin '' libnss-sss '' libpam-sss ' возвращает

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                Version                Architecture           Description
+++-===================================-======================-======================-===========================================================================
ii  adcli                               0.8.2-1+b1             amd64                  Tool for performing actions on an Active Directory domain
ii  libnss-sss:amd64                    1.15.0-3               amd64                  Nss library for the System Security Services Daemon
ii  libpam-sss:amd64                    1.15.0-3               amd64                  Pam module for the System Security Services Daemon
ii  samba-common-bin                    2:4.5.8+dfsg-2+deb9u1+ amd64                  Samba common files used by both the server and the client
ii  sssd                                1.15.0-3               amd64                  System Security Services Daemon -- metapackage
ii  sssd-tools                          1.15.0-3               amd64                  System Security Services Daemon -- tools

Так что вроде все нормально, но я не могу подключиться к сети. присоединение к области --membership-software = adcli MYDOMAIN.COM -U myUserName@MYDOMAIN.COM--verbose дает

 * Resolving: _ldap._tcp.mydomain.com
 * Performing LDAP DSE lookup on: XXX.XX.XXX.XXX
 * Performing LDAP DSE lookup on: XXX.XX.XXX.XXX
 * Performing LDAP DSE lookup on: XXX.XX.XXX.XXX
 * Successfully discovered: mydomain.com
Password for myUserName@MYDOMAIN.COM: 
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/adcli join --verbose --domain mydomain.com --domain-realm MYDOMAIN.COM --domain-controller XXX.XX.XXX.XXX --login-type user --login-user myUserName@MYDOMAIN.COM --stdin-password
 * Using domain name: mydomain.com
 * Calculated computer account name from fqdn: myLocalhost
 * Using domain realm: mydomain.com
 * Sending netlogon pings to domain controller: ldap://XXX.XX.XXX.XXX
 * Received NetLogon info from: HI-ROOT03.mydomain.com
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-X6zN48/krb5.d/adcli-krb5-conf-6SRoUP
 * Authenticated as user: myUserName@MYDOMAIN.COM
 * Looked up short domain name: MYSHORTDOMAIN
 * Using fully qualified name: myLocalhost.mydomain.com
 * Using domain name: mydomain.com
 * Using computer account name: myLocalhost
 * Using domain realm: mydomain.com
 * Calculated computer account name from fqdn: myLocalhost
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Found computer account for myLocalhost$ at: CN=myLocalhost,OU=Employee Computers,OU=Place1,OU=UserDevices,OU=Workstations,OU=ENTERPRISE,DC=mydomain,DC=com
 ! Cannot set computer password: Access denied
adcli: joining domain mydomain.com failed: Cannot set computer password: Access denied
 ! Insufficient permissions to join the domain
realm: Couldn't join realm: Insufficient permissions to join the domain