[Samba] Few questions about members
Rowland Penny
rowlandpenny at googlemail.com
Thu Jun 5 09:47:53 MDT 2014
On 05/06/14 16:18, Steve Campbell wrote:
>
> On 6/5/2014 10:58 AM, Rowland Penny wrote:
>> On 05/06/14 15:35, Steve Campbell wrote:
>>>
>>> On 6/4/2014 4:05 PM, steve wrote:
>>>> On Wed, 2014-06-04 at 15:57 -0400, Steve Campbell wrote:
>>>>> On 6/4/2014 3:37 PM, Steve Campbell wrote:
>>>>>> On 6/4/2014 3:13 PM, steve wrote:
>>>>>>> On Wed, 2014-06-04 at 12:22 -0400, Steve Campbell wrote:
>>>>>>>> Top posting now because the original was useless.
>>>>>>>>
>>>>>>>> When we try to join a member to the domain, the following results
>>>>>>>> are given:
>>>>>>>>
>>>>>>>> # /usr/local/samba/bin/net ads join -U administrator
>>>>>>>> Enter administrator's password:
>>>>>>>> Using short domain name -- TS
>>>>>>>> Joined 'MEMBER1' to dns domain 'ts.mystuff.com'
>>>>>>>> DNS Update for member1.ts.mystuff.com failed:
>>>>>>>> ERROR_DNS_UPDATE_FAILED
>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>
>>>>>>>> DNS seems to work as expected, though. The previous tests showed
>>>>>>>> working DNS.
>>>>>>> That's the worrying part. Samba still issues tickets even with the
>>>>>>> wrong (or no) dns registered in AD.
>>>>>>>> We have even added the A record for the server manually.
>>>>>>>>
>>>>>>>> # host -t A member1.ts.mystuff.com
>>>>>>>> member1.ts.mystuff.com has address 192.9.200.84
>>>>>>> Hi
>>>>>>> It doesn't matter if you add the record or not. It is the machine
>>>>>>> you are joining which HAS to send its own ID. The best (only way
>>>>>>> we've found at least) way to do this is in /etc/hosts
>>>>>>> 127.0.0.1 member1.ts.mystuff.com member1 localhost
>>>>>>>
>>>>>>> If you're dhcp, you'll also need some way to update the dns on the
>>>>>>> DC although worryingly, as we just said, you can still get tickets
>>>>>>> with the wrong or no IP in AD.
>>>>>>> HTH
>>>>>>> Steve
>>>>>>>
>>>>>>>
>>>>>> Does it have to be localhost? I didn't install this machine, and just
>>>>>> discovered the person who put CentOS on only used "Storage" as the
>>>>>> hostname (not fully qualified). I don't think it matters in this venue
>>>>>> what the real hostname is as long as the Netbios name matches what you
>>>>>> put in the host file.
>>>>>>
>>>>>> So, now that I know things must be in hosts (I presume it needs to be
>>>>>> that way on the AD as well?), do I need to do anything like Un"join"
>>>>>> and then re"join" the member?
>>>>>>
>>>>>> Anything that clues us in helps, so I'm sure you've helped a bit.
>>>>>>
>>>>>> steve
>>>>> My hosts file now has this line in it:
>>>>>
>>>>> 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 member1.ts.mystuff.com member1
>>>>>
>>>>> I seemed to recall that each line in hosts could only have 4 names,
>>>>> but left the default installed names on the localhost line.
>>>>>
>>>>> I stopped and restarted smbd, nmbd, and winbindd to no avail. I then
>>>>> tried rejoining as a member with no benefits.
>>>> Please help us to help you. We have already given you the correct line
>>>> for /etc/hosts. Why not use that?
>>>>
>>>>
>>> So frustrating...for me and most likely all of you to have to keep
>>> seeing my name pop up on the list... but
>>>
>>> I'm now following this page:
>>>
>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>>>
>>> When I get to the section SeDiskOperatorPrivilege, I'm getting the
>>> following error:
>>>
>>> ]# /usr/local/samba/bin/net rpc rights grant 'TS/Domain Admins' SeDiskOperatorPrivilege -Uadministrator
>>> Enter administrator's password:
>>> Could not connect to server 127.0.0.1
>>> Connection failed: NT_STATUS_IO_TIMEOUT
>>
>> ER, you are running this on the AD server, aren't you ??
>>
>> and the correct command would be:
>>
>> /usr/local/samba/bin/net rpc rights grant TS\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>>
>> Rowland
>
> No, I'm running this on the member server. The wiki page is a little
> unclear there, just stating to run the command on "your server".

Yes, this is a bit misleading; it really should say 'your samba 4 AD
server'. What you could try is:

/usr/local/samba/bin/net rpc rights grant -I <ipaddress of your samba server> TS\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator

Rowland

>
> We've run that command successfully on the AD previously.
>
> When continuing on with the wiki page, and using the Windows admin
> tools, we can see the server but when we try to "manage" the
> permissions, we get a messagebox that indicates we don't have
> permissions to change anything.
>
> Thanks
>>
>>>
>>> I thought maybe I had the "Domain Admins" wrong, but after trying a
>>> few other commands, I get basically the same thing. Googling only
>>> tells me this is a common error for about 487 different things, and
>>> none ever seem to provide solutions.
>>>
>>> System restarts and restarting smbd, nmbd, and winbindd doesn't
>>> change the error.
>>>
>>> Does this sound familiar to anyone else?
>>>
>>> steve campbell
>>
>