[Samba] Few questions about members

Steve Campbell campbell at cnpapers.com
Thu Jun 5 12:45:39 MDT 2014

On 6/5/2014 12:15 PM, Steve Campbell wrote:
> On 6/5/2014 11:47 AM, Rowland Penny wrote:
>> On 05/06/14 16:18, Steve Campbell wrote:
>>> On 6/5/2014 10:58 AM, Rowland Penny wrote:
>>>> On 05/06/14 15:35, Steve Campbell wrote:
>>>>> On 6/4/2014 4:05 PM, steve wrote:
>>>>>> On Wed, 2014-06-04 at 15:57 -0400, Steve Campbell wrote:
>>>>>>> On 6/4/2014 3:37 PM, Steve Campbell wrote:
>>>>>>>> On 6/4/2014 3:13 PM, steve wrote:
>>>>>>>>> On Wed, 2014-06-04 at 12:22 -0400, Steve Campbell wrote:
>>>>>>>>>> Top posting now because the original was useless.
>>>>>>>>>> When we try to join a member to the domain, the following 
>>>>>>>>>> results
>>>>>>>>>> are given:
>>>>>>>>>> # /usr/local/samba/bin/net ads join -U administrator
>>>>>>>>>> Enter administrator's password:
>>>>>>>>>> Using short domain name -- TS
>>>>>>>>>> Joined 'MEMBER1' to dns domain 'ts.mystuff.com'
>>>>>>>>>> DNS Update for member1.ts.mystuff.com failed: 
>>>>>>>>>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>>>>>>>>> DNS seems to work as expected, though. The previous tests showed
>>>>>>>>>> working
>>>>>>>>>> DNS.
>>>>>>>>> That's the worrying part. Samba still issues tickets even with 
>>>>>>>>> the wrong
>>>>>>>>> (or no) dns registered in AD.
>>>>>>>>>> We have even added the A record for the server manually.
>>>>>>>>>> # host -t A member1.ts.mystuff.com
>>>>>>>>>> member1.ts.mystuff.com has address
>>>>>>>>> Hi
>>>>>>>>> It doesn't matter if you add the record or not. It is the 
>>>>>>>>> machine you
>>>>>>>>> are joining which HAS to send it's own ID. The best (only way 
>>>>>>>>> we've
>>>>>>>>> found at least) way to do this is in /etc/hosts
>>>>>>>>> member1.ts.mystuff.com member1 localhost
>>>>>>>>> If you're dhcp, you'll also need some way to update the dns on 
>>>>>>>>> the DC
>>>>>>>>> although worryingly, as we just said, you can still get 
>>>>>>>>> tickets with the
>>>>>>>>> wrong or no IP in AD.
>>>>>>>>> HTH
>>>>>>>>> Steve
>>>>>>>> Does it have to be localhost? I didn't install this machine, 
>>>>>>>> and just
>>>>>>>> discovered the person who put Centos on only used "Storage" as the
>>>>>>>> hostname (not fully qualified). I don't think it matters in 
>>>>>>>> this venue
>>>>>>>> what the real hostname is as long as the Netbios name matches 
>>>>>>>> what you
>>>>>>>> put in the host file.
>>>>>>>> So, now that I know things must be in hosts (I presume it needs 
>>>>>>>> to be
>>>>>>>> that way on the AD as well?), do I need to do anything like 
>>>>>>>> Un"join"
>>>>>>>> and then re"join" the member?
>>>>>>>> Any thing that clues us in helps, so I'm sure you've helped a bit.
>>>>>>>> steve
>>>>>>> My hosts file now has this line in it:
>>>>>>>   localhost localhost.localdomain localhost4
>>>>>>> localhost4.localdomain4 member1.ts.mystuff.com member1
>>>>>>> I seemed to recall that each line in hosts could only have 4 
>>>>>>> names, but
>>>>>>> left the default installed names on the localhost line.
>>>>>>> I stopped and restarted smbd, nmbd, and winbindd to no avail. I 
>>>>>>> then
>>>>>>> tried rejoining as a member with no benefits.
>>>>>> Please help us to help you. We have already given you the correct 
>>>>>> line
>>>>>> for /etc/hosts. Why not use that?
>>>>> So frustrating...for me and most likely all of you to have to keep 
>>>>> seeing my name pop up on the list... but
>>>>> I'm now following this page:
>>>>> https://wiki.samba.org/index.php/Setup_and_configure_file_shares
>>>>> When I get to the section SeDiskOperatorPrivilege, I'm getting the 
>>>>> following error:
>>>>> ]# /usr/local/samba/bin/net rpc rights grant 'TS/Domain Admins' 
>>>>> SeDiskOperatorPrivilege -Uadministrator
>>>>> Enter administrator's password:
>>>>> Could not connect to server
>>>>> Connection failed: NT_STATUS_IO_TIMEOUT
>>>> ER, you are running this on the AD server, aren't you ??
>>>> and the correct command would be:
>>>> /usr/local/samba/bin/net rpc rights grant TS\\"Domain Admins" 
>>>> SeDiskOperatorPrivilege -UAdministrator
>>>> Rowland
>>> No, I'm running this on the member server. The wiki page is a little 
>>> unclear there, just stating to run the command on "your server".
>> Yes, this is a bit misleading, it really should say, 'your samba 4 AD 
>> server', what you could try is:
>> /usr/local/samba/bin/net rpc rights grant -I <ipaddress of your samba 
>> server> TS\\"Domain Admins" SeDiskOperatorPrivilege -UAdministrator
>> Rowland
> And this worked.
> Thanks
> steve
>>> We've run that command successfully on the AD previously.
>>> When continuing on with the wiki page, and using the Windows admin 
>>> tools, we can see the server but when we try to "manage" the 
>>> permissions, we get a messagebox that indicates we don't have 
>>> permissions to change anything.
>>> Thanks
>>>>> I thought maybe I had the "Domain Admins" wrong, but after trying 
>>>>> a few other commands, I get basically the same thing. Googling 
>>>>> only tells me this is a common error for about 487 different 
>>>>> things, and none ever seem to provide solutions.
>>>>> System restarts and restarting smbd, nmbd, and winbindd doesn't 
>>>>> change the error.
>>>>> Does this sound familiar to anyone else?
>>>>> steve campbell
Unfortunately, we still have no access to the shares on the member 
server, either from a network neighborhood or the administrative tools 
on a windows machine. We get "permission denied" from any method we try 
to use or update the share.

For now, I've got 777 permissions on the folder.

I'm just so hopelessly lost on this.


More information about the samba mailing list