[Samba] Few questions about members

Rowland Penny rowlandpenny at googlemail.com
Thu Jun 5 09:47:53 MDT 2014

On 05/06/14 16:18, Steve Campbell wrote:
> On 6/5/2014 10:58 AM, Rowland Penny wrote:
>> On 05/06/14 15:35, Steve Campbell wrote:
>>> On 6/4/2014 4:05 PM, steve wrote:
>>>> On Wed, 2014-06-04 at 15:57 -0400, Steve Campbell wrote:
>>>>> On 6/4/2014 3:37 PM, Steve Campbell wrote:
>>>>>> On 6/4/2014 3:13 PM, steve wrote:
>>>>>>> On Wed, 2014-06-04 at 12:22 -0400, Steve Campbell wrote:
>>>>>>>> Top posting now because the original was useless.
>>>>>>>> When we try to join a member to the domain, the following results
>>>>>>>> are given:
>>>>>>>> # /usr/local/samba/bin/net ads join -U administrator
>>>>>>>> Enter administrator's password:
>>>>>>>> Using short domain name -- TS
>>>>>>>> Joined 'MEMBER1' to dns domain 'ts.mystuff.com'
>>>>>>>> DNS Update for member1.ts.mystuff.com failed: 
>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>> DNS seems to work as expected, though. The previous tests showed
>>>>>>>> working
>>>>>>>> DNS.
>>>>>>> That's the worrying part. Samba still issues tickets even with 
>>>>>>> the wrong
>>>>>>> (or no) dns registered in AD.
>>>>>>>> We have even added the A record for the server manually.
>>>>>>>> # host -t A member1.ts.mystuff.com
>>>>>>>> member1.ts.mystuff.com has address
>>>>>>> Hi
>>>>>>> It doesn't matter if you add the record or not. It is the 
>>>>>>> machine you
>>>>>>> are joining which HAS to send it's own ID. The best (only way we've
>>>>>>> found at least) way to do this is in /etc/hosts
>>>>>>> member1.ts.mystuff.com member1 localhost
>>>>>>> If you're dhcp, you'll also need some way to update the dns on 
>>>>>>> the DC
>>>>>>> although worryingly, as we just said, you can still get tickets 
>>>>>>> with the
>>>>>>> wrong or no IP in AD.
>>>>>>> HTH
>>>>>>> Steve
>>>>>> Does it have to be localhost? I didn't install this machine, and 
>>>>>> just
>>>>>> discovered the person who put Centos on only used "Storage" as the
>>>>>> hostname (not fully qualified). I don't think it matters in this 
>>>>>> venue
>>>>>> what the real hostname is as long as the Netbios name matches 
>>>>>> what you
>>>>>> put in the host file.
>>>>>> So, now that I know things must be in hosts (I presume it needs 
>>>>>> to be
>>>>>> that way on the AD as well?), do I need to do anything like Un"join"
>>>>>> and then re"join" the member?
>>>>>> Any thing that clues us in helps, so I'm sure you've helped a bit.
>>>>>> steve
>>>>> My hosts file now has this line in it:
>>>>>   localhost localhost.localdomain localhost4
>>>>> localhost4.localdomain4 member1.ts.mystuff.com member1
>>>>> I seemed to recall that each line in hosts could only have 4 
>>>>> names, but
>>>>> left the default installed names on the localhost line.
>>>>> I stopped and restarted smbd, nmbd, and winbindd to no avail. I then
>>>>> tried rejoining as a member with no benefits.
>>>> Please help us to help you. We have already given you the correct line
>>>> for /etc/hosts. Why not use that?
>>> So frustrating...for me and most likely all of you to have to keep 
>>> seeing my name pop up on the list... but
>>> I'm now following this page:
>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>>> When I get to the section SeDiskOperatorPrivilege, I'm getting the 
>>> following error:
>>> ]# /usr/local/samba/bin/net rpc rights grant 'TS/Domain Admins' 
>>> SeDiskOperatorPrivilege -Uadministrator
>>> Enter administrator's password:
>>> Could not connect to server
>>> Connection failed: NT_STATUS_IO_TIMEOUT
>> ER, you are running this on the AD server, aren't you ??
>> and the correct command would be:
>> /usr/local/samba/bin/net rpc rights grant TS\\"Domain Admins" 
>> SeDiskOperatorPrivilege -UAdministrator
>> Rowland
> No, I'm running this on the member server. The wiki page is a little 
> unclear there, just stating to run the command on "your server".

Yes, this is a bit misleading, it really should say, 'your samba 4 AD 
server', what you could try is:

/usr/local/samba/bin/net rpc rights grant -I <ipaddress of your samba 
server> TS\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator


> We've run that command successfully on the AD previously.
> When continuing on with the wiki page, and using the Windows admin 
> tools, we can see the server but when we try to "manage" the 
> permissions, we get a messagebox that indicates we don't have 
> permissions to change anything.
> Thanks
>>> I thought maybe I had the "Domain Admins" wrong, but after trying a 
>>> few other commands, I get basically the same thing. Googling only 
>>> tells me this is a common error for about 487 different things, and 
>>> none ever seem to provide solutions.
>>> System restarts and restarting smbd, nmbd, and winbindd doesn't 
>>> change the error.
>>> Does this sound familiar to anyone else?
>>> steve campbell

More information about the samba mailing list