[Samba] Few questions about members

Steve Campbell campbell at cnpapers.com
Thu Jun 5 10:15:41 MDT 2014


On 6/5/2014 11:47 AM, Rowland Penny wrote:
> On 05/06/14 16:18, Steve Campbell wrote:
>>
>> On 6/5/2014 10:58 AM, Rowland Penny wrote:
>>> On 05/06/14 15:35, Steve Campbell wrote:
>>>>
>>>> On 6/4/2014 4:05 PM, steve wrote:
>>>>> On Wed, 2014-06-04 at 15:57 -0400, Steve Campbell wrote:
>>>>>> On 6/4/2014 3:37 PM, Steve Campbell wrote:
>>>>>>> On 6/4/2014 3:13 PM, steve wrote:
>>>>>>>> On Wed, 2014-06-04 at 12:22 -0400, Steve Campbell wrote:
>>>>>>>>> Top posting now because the original was useless.
>>>>>>>>>
>>>>>>>>> When we try to join a member to the domain, the following results
>>>>>>>>> are given:
>>>>>>>>>
>>>>>>>>> # /usr/local/samba/bin/net ads join -U administrator
>>>>>>>>> Enter administrator's password:
>>>>>>>>> Using short domain name -- TS
>>>>>>>>> Joined 'MEMBER1' to dns domain 'ts.mystuff.com'
>>>>>>>>> DNS Update for member1.ts.mystuff.com failed: ERROR_DNS_UPDATE_FAILED
>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>
>>>>>>>>> DNS seems to work as expected, though. The previous tests showed
>>>>>>>>> working DNS.
>>>>>>>> That's the worrying part. Samba still issues tickets even with the
>>>>>>>> wrong (or no) dns registered in AD.
>>>>>>>>> We have even added the A record for the server manually.
>>>>>>>>>
>>>>>>>>> # host -t A member1.ts.mystuff.com
>>>>>>>>> member1.ts.mystuff.com has address 192.9.200.84
>>>>>>>> Hi
>>>>>>>> It doesn't matter if you add the record or not. It is the machine
>>>>>>>> you are joining which HAS to send its own ID. The best (only way
>>>>>>>> we've found at least) way to do this is in /etc/hosts
>>>>>>>> 127.0.0.1 member1.ts.mystuff.com member1 localhost
>>>>>>>>
>>>>>>>> If you're dhcp, you'll also need some way to update the dns on the
>>>>>>>> DC although worryingly, as we just said, you can still get tickets
>>>>>>>> with the wrong or no IP in AD.
>>>>>>>> HTH
>>>>>>>> Steve
>>>>>>>>
>>>>>>>>
>>>>>>> Does it have to be localhost? I didn't install this machine, and just
>>>>>>> discovered the person who put CentOS on only used "Storage" as the
>>>>>>> hostname (not fully qualified). I don't think it matters in this venue
>>>>>>> what the real hostname is as long as the Netbios name matches what you
>>>>>>> put in the host file.
>>>>>>>
>>>>>>> So, now that I know things must be in hosts (I presume it needs to be
>>>>>>> that way on the AD as well?), do I need to do anything like Un"join"
>>>>>>> and then re"join" the member?
>>>>>>>
>>>>>>> Anything that clues us in helps, so I'm sure you've helped a bit.
>>>>>>>
>>>>>>> steve
>>>>>> My hosts file now has this line in it:
>>>>>>
>>>>>> 127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 member1.ts.mystuff.com member1
>>>>>>
>>>>>> I seemed to recall that each line in hosts could only have 4 names, but
>>>>>> left the default installed names on the localhost line.
>>>>>>
>>>>>> I stopped and restarted smbd, nmbd, and winbindd to no avail. I then
>>>>>> tried rejoining as a member with no benefits.
>>>>> Please help us to help you. We have already given you the correct line
>>>>> for /etc/hosts. Why not use that?
>>>>>
>>>>>
>>>> So frustrating...for me and most likely all of you to have to keep seeing
>>>> my name pop up on the list... but
>>>>
>>>> I'm now following this page:
>>>>
>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>>>>
>>>> When I get to the section SeDiskOperatorPrivilege, I'm getting the
>>>> following error:
>>>>
>>>> ]# /usr/local/samba/bin/net rpc rights grant 'TS/Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>>> Enter administrator's password:
>>>> Could not connect to server 127.0.0.1
>>>> Connection failed: NT_STATUS_IO_TIMEOUT
>>>
>>> ER, you are running this on the AD server, aren't you ??
>>>
>>> and the correct command would be:
>>>
>>> /usr/local/samba/bin/net rpc rights grant TS\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>>>
>>> Rowland
>>
>> No, I'm running this on the member server. The wiki page is a little
>> unclear there, just stating to run the command on "your server".
>
> Yes, this is a bit misleading, it really should say, 'your samba 4 AD
> server', what you could try is:
>
> /usr/local/samba/bin/net rpc rights grant -I <ipaddress of your samba server> TS\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>
> Rowland

And this worked.
Thanks
steve
>
>>
>> We've run that command successfully on the AD previously.
>>
>> When continuing on with the wiki page, and using the Windows admin tools,
>> we can see the server but when we try to "manage" the permissions, we get
>> a messagebox that indicates we don't have permissions to change anything.
>>
>> Thanks
>>>
>>>>
>>>> I thought maybe I had the "Domain Admins" wrong, but after trying a few
>>>> other commands, I get basically the same thing. Googling only tells me
>>>> this is a common error for about 487 different things, and none ever
>>>> seem to provide solutions.
>>>>
>>>> System restarts and restarting smbd, nmbd, and winbindd doesn't change
>>>> the error.
>>>>
>>>> Does this sound familiar to anyone else?
>>>>
>>>> steve campbell
>>>
>>
>


