
Re: [Samba] Change Netbios name during classicupgrade?




Well, let's try to be more precise about my issue and give some updates:

I am trying to do a classicupgrade and, in the process, change the domain name, which includes the realm and the NetBIOS domain name. I am having difficulties precisely with changing the NetBIOS domain name.

What I've tried so far:

1)

Change the NetBIOS domain name "workgroup" attribute on the old Samba 3 server before migration. Each time, this operation also changes the domain SID and I lose all my members. I tried to put back the old domain SID with

#net setdomainsid [original SID]

But this never worked.

2)
As all my attempts to reset the domain SID to its initial value after the workgroup change failed on the old Samba 3 server before classicupgrade, I just tried to do it afterwards.

I ran classicupgrade and left the workgroup attribute at its old value.
Just after migration, here's what the domain looks like:

#samba-tool domain info 192.168.1.60
Forest           : newdomain.lan
Domain           : newdomain.lan.
Netbios domain   : OLDDOMAIN.LAN  ## The old name
DC name          : srv-ad.newdomain.lan
DC netbios name  : SRV-AD
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name

Everything works fine, I have all my users, and the machines find the DC again. And winbindd maps all users under this name:

#wbinfo -u

OLDDOMAIN.LAN\user

My logs show no errors, and here's what my smb.conf looks like:

[global]
        netbios name = SRV-AD
        realm = NEWDOMAIN.LAN
        workgroup = OLDDOMAIN.LAN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        tls enabled  = yes
        tls keyfile  = tls/myKey.pem
        tls certfile = tls/myCert.pem
        tls cafile   =
        # external DNS
        dns forwarder = 192.168.200.3

Then, when I change the "workgroup" value in smb.conf in order to change the NetBIOS domain name and reload, this time I notice that my domain SID remains the same before and after the change.

This time also, the command pdbedit -L catches all users, as before the change.

However, there seems to be an issue with winbindd.

Any wbinfo -u fails, and wbinfo -p doesn't ping anymore:

#wbinfo -p
Ping to winbindd failed
could not ping winbindd!


Here are the logs:

oct. 17 14:08:37 srv-ad.newdomain.lan systemd[1]: Started Samba AD Daemon.
oct. 17 14:08:37 srv-ad.newdomain.lan samba[489]: [2017/10/17 14:08:37.274937,  0] ../lib/util/become_daemon.c:124(daemon_ready)
oct. 17 14:08:37 srv-ad.newdomain.lan samba[489]:   STATUS=daemon 'samba' finished starting up and ready to serve connections
oct. 17 14:08:37 srv-ad.newdomain.lan samba[509]: [2017/10/17 14:08:37.317594,  0] ../source4/lib/tls/tlscert.c:57(tls_cert_generate)
oct. 17 14:08:37 srv-ad.newdomain.lan samba[509]:   TLS autogeneration skipped - some TLS files already exist
oct. 17 14:08:38 srv-ad.newdomain.lan samba[519]: [2017/10/17 14:08:38.671074,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
oct. 17 14:08:38 srv-ad.newdomain.lan samba[519]: task_server_terminate: [Failed to obtain server credentials, perhaps a standalone server?: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
oct. 17 14:08:38 srv-ad.newdomain.lan samba[519]:   ]
oct. 17 14:08:39 srv-ad.newdomain.lan samba[519]: [2017/10/17 14:08:39.371865,  0] ../source4/smbd/server.c:211(samba_terminate)
oct. 17 14:08:39 srv-ad.newdomain.lan samba[519]: samba_terminate of 519: Failed to obtain server credentials, perhaps a standalone server?: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
oct. 17 14:08:39 srv-ad.newdomain.lan samba[519]:
oct. 17 14:08:40 srv-ad.newdomain.lan winbindd[517]: [2017/10/17 14:08:40.117399,  0] ../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
oct. 17 14:08:40 srv-ad.newdomain.lan winbindd[517]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]: [2017/10/17 14:08:42.421031,  0] ../source3/winbindd/winbindd_util.c:772(migrate_secrets_tdb_to_ldb)
oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]:   Failed to fetch our own, local AD domain join password for winbindd's internal use, both from secrets.tdb and secrets.ldb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]: [2017/10/17 14:08:42.423250,  0] ../source3/winbindd/winbindd_util.c:872(init_domain_list)
oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]:   Failed to migrate our own, local AD domain join password for winbindd's internal use into secrets.tdb
oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]: [2017/10/17 14:08:42.423828,  0] ../source3/winbindd/winbindd.c:1401(winbindd_register_handlers)
oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]:   unable to initialize domain list
oct. 17 14:08:42 srv-ad.newdomain.lan samba[514]: [2017/10/17 14:08:42.473613,  0] ../source4/winbind/winbindd.c:47(winbindd_done)
oct. 17 14:08:42 srv-ad.newdomain.lan samba[514]:   winbindd daemon died with exit status 1
oct. 17 14:08:42 srv-ad.newdomain.lan samba[514]: [2017/10/17 14:08:42.473754,  0] ../source4/smbd/service_task.c:35(task_server_terminate)
oct. 17 14:08:42 srvads.ensfea.fr samba[514]: task_server_terminate: [winbindd child process exited]
oct. 17 14:08:44 srvads.ensfea.fr smbd[512]: [2017/10/17 14:08:44.734297,  0] ../lib/util/become_daemon.c:124(daemon_ready)
oct. 17 14:08:44 srvads.ensfea.fr smbd[512]:   STATUS=daemon 'smbd' finished starting up and ready to serve connections
oct. 17 14:08:58 srvads.ensfea.fr samba[518]: [2017/10/17 14:08:58.529754,  0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
oct. 17 14:08:58 srvads.ensfea.fr samba[518]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110


I feel I'm quite close to the goal but definitely stuck at some obvious point...

Anyway, I definitely don't want to give up; otherwise it would mean rebuilding a domain of 300 machines and 3000 accounts...

Your help is greatly appreciated... Thanks in advance


Sam


On 17/10/2017 10:00, Sami Chibani wrote:


Here's what the smb.conf looks like before I do anything (more complete this time):

[global]
    netbios name = AD
    workgroup = DOMAIN.LAN
    server string = Samba server domain.lan
    security = user
    passdb backend = ldapsam:"ldap://192.168.1.20/ ldap://192.168.1.21/";
    domain master = yes
    domain logons = yes
    admin users = "@Admin"
    ldap suffix = dc=domain.lan, dc=local
    ldap machine suffix = ou=hosts
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap admin dn = "uid=sysadmin,ou=sysuers,dc=domain.lan,dc=local"
    obey pam restrictions = yes
    encrypt passwords = yes
    ldap password sync = yes
    logon path =
    ldapsam:trusted = yes
    wins support = yes
    dns proxy = no

Also, I was pointing out that it was certainly SID-related because each time I change the workgroup, it just renews the domain SID:

Before I change anything:
# net getdomainsid
SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216
SID for domain DOMAIN.LAN is: S-1-5-21-1905493267-1041818301-753029000

After I change the workgroup:
# net getdomainsid
SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216
SID for domain NEWDOMAIN is: S-1-5-21-574297740-925364648-4230334621
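
The before/after comparison of `net getdomainsid` output described in this thread can be scripted so that a regenerated domain SID is caught before any member machine is affected. This is an added example, not part of the original messages; the function names are hypothetical and the third sample is constructed.

```shell
#!/bin/sh
# Added example, not part of the original message. Function names are
# hypothetical; input is saved output of `net getdomainsid`.

# Print one field of the "SID for domain ..." line.
# $1 = saved output, $2 = "name" or "sid". Prints nothing if no valid line.
domain_field() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^SID for domain .* is: S-1-5-21-[0-9]+-[0-9]+-[0-9]+$/ {
            sid = $NF
            name = $0
            sub(/^SID for domain /, "", name)
            sub(/ is: S-[0-9-]+$/, "", name)
            print (want == "sid" ? sid : name)
            exit
        }'
}

# Compare two snapshots; print "<name-state> <sid-state>" or "unparseable".
compare_snapshots() {
    old_name=$(domain_field "$1" name); old_sid=$(domain_field "$1" sid)
    new_name=$(domain_field "$2" name); new_sid=$(domain_field "$2" sid)
    if [ -z "$old_sid" ] || [ -z "$new_sid" ]; then
        echo "unparseable"
        return 0
    fi
    name_state=name-kept; sid_state=sid-kept
    [ "$old_name" = "$new_name" ] || name_state=name-changed
    [ "$old_sid" = "$new_sid" ] || sid_state=sid-changed
    echo "$name_state $sid_state"
}

# The two outputs quoted in the message.
BEFORE='SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216
SID for domain DOMAIN.LAN is: S-1-5-21-1905493267-1041818301-753029000'
AFTER='SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216
SID for domain NEWDOMAIN is: S-1-5-21-574297740-925364648-4230334621'
# Constructed sample: the renamed domain with the original SID preserved.
AFTER_KEPT='SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216
SID for domain NEWDOMAIN is: S-1-5-21-1905493267-1041818301-753029000'

compare_snapshots "$BEFORE" "$AFTER"
compare_snapshots "$BEFORE" "$AFTER_KEPT"
```

A result of `name-changed sid-changed` corresponds to the situation in the message, where domain members are lost after the rename.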





