I am trying to join an existing samba server but I get an error message that the DNS update failed. I have read that this doesn't matter and the join is still successful. But the problem comes when I try to grant privileges to the unix admins.

root@dna:/home/pi# net ads join -U administrator
Enter administrator's password:
Using short domain name -- DOMAIN
Joined 'DNA' to dns domain 'domain.local'
No DNS domain configured for dna. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
root@dna:/home/pi# net rpc rights grant "domain\Unix Admins" SeDiskOperatorPrivilege -U "domain\administrator"
Enter domain\administrator's password:
Could not connect to server 127.0.0.1
Connection failed: NT_STATUS_CONNECTION_REFUSED

CONFIG FILE DOMAIN MEMBER:
[global]

netbios name = DNA
workgroup = DOMAIN
security = ADS
realm = DOMAIN.LOCAL

winbind refresh tickets = Yes
vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab

winbind use default domain = yes

winbind enum users = yes
winbind enum groups = yes

username map = /etc/samba/user.map

[nas]
path = /nas
read only = no

CONFIG FILE DC:
[global]
dns forwarder = 8.8.8.8
netbios name = GAIA
realm = DOMAIN.LOCAL
server role = active directory domain controller
workgroup = DOMAIN
idmap_ldb:use rfc2307 = yes
wins support = yes

[netlogon]
path = /var/lib/samba/sysvol/rompen.local/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

/etc/hosts DOMAIN MEMBER:
192.168.88.3 dna dna.domain.local
192.168.88.2 gaia gaia.domain.local
127.0.0.1 gaia.rompen.nl gaia
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/hosts DC:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

127.0.1.1 gaia

/etc/resolv.conf DOMAIN MEMBER:
# Generated by resolvconf
domain domain.local
nameserver 192.168.88.2

/etc/resolv.conf DC:
# Generated by resolvconf
domain domain.local
nameserver 192.168.88.2

IP DOMAIN MEMBER: 192.168.88.3
IP AD: 192.168.88.2

I think it is a network problem. But I can't find out what I am doing wrong.
On 31/08/2020 16:07, Philip Offermans via samba wrote:
> I am trying to join an existing samba server but I get an error message that the DNS update failed. I have read that this doesn't matter and the join is still successful. But the problem comes when I try to grant privileges to the unix admins.

It doesn't really matter if the join fails in this way. If the Unix domain member gets its IP via dhcp, then it should get added later and if it has a fixed IP, you can add the data with 'samba-tool dns add'

> root@dna:/home/pi# net ads join -U administrator

Definitely works on an Rpi.

> Enter administrator's password:
> Using short domain name -- DOMAIN
> Joined 'DNA' to dns domain 'domain.local'
> No DNS domain configured for dna. Unable to perform DNS Update.
> DNS update failed: NT_STATUS_INVALID_PARAMETER
> root@dna:/home/pi# net rpc rights grant "domain\Unix Admins" SeDiskOperatorPrivilege -U "domain\administrator"
> Enter domain\administrator's password:
> Could not connect to server 127.0.0.1
> Connection failed: NT_STATUS_CONNECTION_REFUSED

This should work.

>
> CONFIG FILE DOMAIN MEMBER:
> [global]
>
> netbios name = DNA
> workgroup = DOMAIN
> security = ADS
> realm = DOMAIN.LOCAL
>
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind use default domain = yes
>
> winbind enum users = yes
> winbind enum groups = yes
>
> username map = /etc/samba/user.map
>
> [nas]
> path = /nas
> read only = no

Aha, you have totally missed adding the 'idmap config' block of your choice, or you are using sssd, either is a no-no.

>
>
> CONFIG FILE DC:
> [global]
> dns forwarder = 8.8.8.8
> netbios name = GAIA
> realm = DOMAIN.LOCAL
> server role = active directory domain controller
> workgroup = DOMAIN
> idmap_ldb:use rfc2307 = yes
> wins support = yes
>
> [netlogon]
> path = /var/lib/samba/sysvol/rompen.local/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No

I do hope that '.local' is a placeholder.

> /etc/hosts DOMAIN MEMBER:
> 192.168.88.3 dna dna.domain.local
> 192.168.88.2 gaia gaia.domain.local
> 127.0.0.1 gaia.rompen.nl gaia
> 127.0.0.1 localhost

That is messed up, it shouldn't have the line for the DC, it shouldn't have '127.0.0.1' pointing to 'gaia' (which also points to a different dns domain) and if your computer gets its ip info via dhcp, you don't need the 'dna' line (which incidentally is the wrong way around, it is 'IP FQDN short hostname')

> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> /etc/hosts DC:
> 127.0.0.1 localhost
> ::1 localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
> 127.0.1.1 gaia

I would prefer the '127.0.1.1' line to be 'DC_IP FQDN short hostname'

>
> /etc/resolv.conf DOMAIN MEMBER:
> # Generated by resolvconf
> domain domain.local
> nameserver 192.168.88.2
>
> /etc/resolv.conf DC:
> # Generated by resolvconf
> domain domain.local
> nameserver 192.168.88.2

The 'domain' should be 'search'

>
> IP DOMAIN MEMBER: 192.168.88.3
> IP AD: 192.168.88.2
>
> I think it is a network problem. But I can't find out what I am doing wrong.

Rowland
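
Added example, not part of the original thread: the points raised in the reply above (hosts layout 'IP FQDN short hostname', no loopback or DC entries on the member, 'search' instead of 'domain', an 'idmap config' block when security = ADS) written as a small checker. The function names are hypothetical, and the sample inputs are the member's files as posted in the thread, with smb.conf shortened.

```python
import re

LOCAL = ("localhost", "ip6-")  # names that belong on loopback/multicast lines

def lint_hosts(text, fqdn):
    """Check a member's /etc/hosts against the 'IP FQDN short-hostname' layout."""
    short, findings = fqdn.split(".")[0], []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].lower().split()
        if len(fields) < 2 or all(n.startswith(LOCAL) for n in fields[1:]):
            continue  # blank, comment, or a plain localhost/ip6-* line
        ip, names = fields[0], fields[1:]
        if ip.startswith("127.") or ip == "::1":
            findings.append(f"{ip}: loopback address maps real hostname {names[0]}")
        elif fqdn not in names and short not in names:
            findings.append(f"{ip}: entry for another host ({names[0]}), leave it to DNS")
        elif names[0] != fqdn:
            findings.append(f"{ip}: wrong order, expected '{ip} {fqdn} {short}'")
    return findings

def lint_resolv(text):
    """Flag the 'domain' keyword, which the reply says should be 'search'."""
    return [f"resolv.conf: use 'search {l.split()[1]}'"
            for l in text.splitlines() if re.match(r"\s*domain\s+\S", l)]

def lint_smb(text):
    """A member with 'security = ADS' needs 'idmap config' lines."""
    lines = [l.strip().lower() for l in text.splitlines()]
    is_ads = any(re.fullmatch(r"security\s*=\s*ads", l) for l in lines)
    has_idmap = any(re.match(r"idmap\s+config\s", l) for l in lines)
    if is_ads and not has_idmap:
        return ["smb.conf: security = ADS but no 'idmap config' lines"]
    return []

# Inputs copied from the files posted in the thread (smb.conf shortened).
MEMBER_HOSTS = """\
192.168.88.3 dna dna.domain.local
192.168.88.2 gaia gaia.domain.local
127.0.0.1 gaia.rompen.nl gaia
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""
MEMBER_RESOLV = "# Generated by resolvconf\ndomain domain.local\nnameserver 192.168.88.2\n"
MEMBER_SMB = "[global]\nnetbios name = DNA\nworkgroup = DOMAIN\nsecurity = ADS\nrealm = DOMAIN.LOCAL\n"

if __name__ == "__main__":
    for finding in (lint_hosts(MEMBER_HOSTS, "dna.domain.local")
                    + lint_resolv(MEMBER_RESOLV) + lint_smb(MEMBER_SMB)):
        print(finding)
```
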
I fixed everything. It works. But I have got a new error. I think it is because Raspbian doesn't have this group

root@dna:/home/pi# net rpc rights grant "DOMAIN\Unix Admins" SeDiskOperatorPrivilege -U "DOMAIN\administrator"
Enter DOMAIN\administrator's password:
Failed to grant privileges for DOMAIN\Unix Admins (NT_STATUS_NO_SUCH_USER)

What is the problem with .local?? DOMAIN is a placeholder to hide the company name

> On 31 Aug 2020, at 17:07, Philip Offermans via samba <samba at lists.samba.org> wrote:
>
> winbind refresh tickets = Yes
> vfs objects = acl_xattr
> map acl inherit = Yes
> store dos attributes = Yes
>
> dedicated keytab file = /etc/krb5.keytab
> kerberos method = secrets and keytab
>
> winbind use default domain = yes
>
> winbind enum users = yes
> winbind enum groups = yes
>
> username map = /etc/samba/user.map
On 31/08/2020 17:53, Philip Offermans via samba wrote:
> I fixed everything. It works. But I have got a new error. I think it is because Raspbian doesn't have this group
>
> root@dna:/home/pi# net rpc rights grant "DOMAIN\Unix Admins" SeDiskOperatorPrivilege -U "DOMAIN\administrator"
> Enter DOMAIN\administrator's password:
> Failed to grant privileges for DOMAIN\Unix Admins (NT_STATUS_NO_SUCH_USER)

If you look on the wikipage where you found that command, there is a blue box above the command, in that box it tells you that you will need to create the group 'Unix Admins' and why.

>
> What is the problem with .local?? DOMAIN is a placeholder to hide the company name
>
>

The '.local' TLD is reserved for Avahi/Bonjour, so if your dns domain TLD is '.local', then I suggest you turn off Avahi.

Rowland
I got it. Thanks. The share is working. Only problem, I need some files to be only readable for the end user (templates). The problem is Windows doesn't for some reason allow me to change the rights. I am using Dutch Windows so the error is in Dutch, but translated it says: Can't connect/find active directory to verify or open claimtypes.

Philip

"Rowland penny via samba" <samba at lists.samba.org> wrote on 31 August 2020 19:12:
> On 31/08/2020 17:53, Philip Offermans via samba wrote:
>
>> I fixed everything. It works. But I have got a new error. I think it is because Raspbian doesn't have this group
>>
>> root@dna:/home/pi# net rpc rights grant "DOMAIN\Unix Admins" SeDiskOperatorPrivilege -U "DOMAIN\administrator"
>> Enter DOMAIN\administrator's password:
>> Failed to grant privileges for DOMAIN\Unix Admins (NT_STATUS_NO_SUCH_USER)
>
> If you look on the wikipage where you found that command, there is a blue box above the command, in that box it tells you that you will need to create the group 'Unix Admins' and why.
>
>> What is the problem with .local?? DOMAIN is a placeholder to hide the company name
>
> The '.local' TLD is reserved for Avahi/Bonjour, so if your dns domain TLD is '.local', then I suggest you turn off Avahi.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba