Re: [Samba] Change Netbios name during classicupgrade?




On Tue, 17 Oct 2017 14:56:27 +0200
Sami Chibani via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Well, let's try to be more precise about my issue and give some
> updates:
> 
> I try to make a classicupgrade and meanwhile, change the Domain name 
> during the process, which includes realm and NetBIOS domain name. I 
> precisely meet difficulties with changing the NetBIOS domain name.
> 
> What I've tried so far:
> 
> 1)
> 
> Change the NetBIOS domain name "workgroup" attribute on the old Samba
> 3 server before migration; Each time this operation will also change
> the domain SID and I lose all my members. I tried to put back the old
> domain sid with
> 
> #net setdomainsid [original SID]
> 
> But this never worked
> 
> 2)
> As all my attempts to reset the domain SID to its initial value after 
> workgroup change failed on the old Samba 3 server before
> classicupgrade, I just tried to do it after.
> 
> I ran classicupgrade, and left the workgroup attribute at the old value.
> Just after migration, here's what the domain looks like:
> 
> #samba-tool domain info 192.168.1.60
> Forest           : newdomain.lan
> Domain           : newdomain.lan.
> Netbios domain   : OLDDOMAIN.LAN  ## The old name
> DC name          : srv-ad.newdomain.lan
> DC netbios name  : SRV-AD
> Server site      : Default-First-Site-Name
> Client site      : Default-First-Site-Name
> 
> Everything works fine, I got all my users, and machines find back
> the DC. And winbindd maps all users under this name:
> 
> #wbinfo -u
> 
> OLDDOMAIN.LAN\user
> 
> My logs show no error, and here is what my smb.conf looks like:
> 
> [global]
>          netbios name = SRV-AD
>          realm = NEWDOMAIN.LAN
>          workgroup = OLDDOMAIN.LAN
>          server role = active directory domain controller
>          idmap_ldb:use rfc2307 = yes
>          tls enabled  = yes
>          tls keyfile  = tls/myKey.pem
>          tls certfile = tls/myCert.pem
>          tls cafile   =
>          dns forwarder = 192.168.200.3 #external DNS
> 
> Then when I change the value "workgroup" of smb.conf in order to
> change the NetBIOS domain name and reload, this time I notice that my
> domain SID remains the same before and after the change.
> 
>   This time also the command pdbedit -L catches all users like before 
> the change.
> 
> However, there seems to be an issue with winbindd.
> 
> Any wbinfo -u fails, and wbinfo -p doesn't ping anymore:
> 
> #wbinfo -p
> Ping to winbindd failed
> could not ping winbindd!
> 
> 
> Here are the logs:
> 
> oct. 17 14:08:37 srv-ad.newdomain.lan systemd[1]: Started Samba AD
> Daemon. oct. 17 14:08:37 srv-ad.newdomain.lan samba[489]: [2017/10/17 
> 14:08:37.274937,  0] ../lib/util/become_daemon.c:124(daemon_ready)
> oct. 17 14:08:37 srv-ad.newdomain.lan samba[489]:   STATUS=daemon 
> 'samba' finished starting up and ready to serve connections
> oct. 17 14:08:37 srv-ad.newdomain.lan samba[509]: [2017/10/17 
> 14:08:37.317594,
> 0] ../source4/lib/tls/tlscert.c:57(tls_cert_generate) oct. 17
> 14:08:37 srv-ad.newdomain.lan samba[509]:   TLS autogeneration
> skipped - some TLS files already exist oct. 17 14:08:38
> srv-ad.newdomain.lan samba[519]: [2017/10/17 14:08:38.671074,  0] 
> ../source4/smbd/service_task.c:35(task_server_terminate)
> oct. 17 14:08:38 srv-ad.newdomain.lan samba[519]:
> task_server_terminate: [Failed to obtain server credentials, perhaps
> a standalone server?: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> oct. 17 14:08:38 srv-ad.newdomain.lan samba[519]:   ]
> oct. 17 14:08:39 srv-ad.newdomain.lan samba[519]: [2017/10/17 
> 14:08:39.371865,  0] ../source4/smbd/server.c:211(samba_terminate)
> oct. 17 14:08:39 srv-ad.newdomain.lan samba[519]: samba_terminate of 
> 519: Failed to obtain server credentials, perhaps a standalone
> server?: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> oct. 17 14:08:39 srv-ad.newdomain.lan samba[519]:
> oct. 17 14:08:40 srv-ad.newdomain.lan winbindd[517]: [2017/10/17 
> 14:08:40.117399,  0] 
> ../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
> oct. 17 14:08:40 srv-ad.newdomain.lan winbindd[517]: 
> initialize_winbindd_cache: clearing cache and re-creating with
> version number 2
> oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]: [2017/10/17 
> 14:08:42.421031,  0] 
> ../source3/winbindd/winbindd_util.c:772(migrate_secrets_tdb_to_ldb)
> oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]:   Failed to
> fetch our own, local AD domain join password for winbindd's internal
> use, both from secrets.tdb and secrets.ldb:
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO oct. 17 14:08:42
> srv-ad.newdomain.lan winbindd[517]: [2017/10/17 14:08:42.423250,  0] 
> ../source3/winbindd/winbindd_util.c:872(init_domain_list)
> oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]:   Failed to
> migrate our own, local AD domain join password for winbindd's
> internal use into secrets.tdb
> oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]: [2017/10/17 
> 14:08:42.423828,  0] 
> ../source3/winbindd/winbindd.c:1401(winbindd_register_handlers)
> oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]:   unable to 
> initialize domain list
> oct. 17 14:08:42 srv-ad.newdomain.lan samba[514]: [2017/10/17 
> 14:08:42.473613,  0] ../source4/winbind/winbindd.c:47(winbindd_done)
> oct. 17 14:08:42 srv-ad.newdomain.lan samba[514]:   winbindd daemon
> died with exit status 1
> oct. 17 14:08:42 srv-ad.newdomain.lan samba[514]: [2017/10/17 
> 14:08:42.473754,  0] 
> ../source4/smbd/service_task.c:35(task_server_terminate)
> oct. 17 14:08:42 srvads.ensfea.fr samba[514]: task_server_terminate: 
> [winbindd child process exited]
> oct. 17 14:08:44 srvads.ensfea.fr smbd[512]: [2017/10/17 
> 14:08:44.734297,  0] ../lib/util/become_daemon.c:124(daemon_ready)
> oct. 17 14:08:44 srvads.ensfea.fr smbd[512]:   STATUS=daemon 'smbd' 
> finished starting up and ready to serve connections
> oct. 17 14:08:58 srvads.ensfea.fr samba[518]: [2017/10/17 
> 14:08:58.529754,  0] 
> ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> oct. 17 14:08:58 srvads.ensfea.fr samba[518]: 
> ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error 
> code 110
> 
> 
> I feel I'm quite close to the goal but definitely stuck at some 
> obvious point...
> 
> Anyway, I definitely don't want to give up, otherwise it would mean
> rebuilding a domain of 300 machines and 3000 accounts...
> 
> Your help is greatly appreciated... Thanks in advance
> 
> 

OK, I can confirm that you can change the workgroup name, but you need
to do it before the classicupgrade.

Stop smbd, nmbd and winbind, change the workgroup in smb.conf, restart
smbd, nmbd and winbind.
You should now find that the SIDs haven't changed, but if you search in
ldap for 'sambaDomainName', you will probably find two, one for the old
workgroup and one for the new one. You will also probably find that the
object for the new domain doesn't have a 'sambaNextRid' attribute, so
you will need to add it with the value obtained from the old workgroup
object. Now delete the old workgroup object.
At this point, I stopped smbd, nmbd and winbind, left the ldap server
and copied the required files to what would become the new DC.
After trying to carry out the classicupgrade, I found that if you have
'passdb backend = ldapsam' in the old smb.conf the upgrade uses, you
need to change this to: passdb backend = ldapsam:"ldap://192.168.0.235";

Where '192.168.0.235' is the IP address of the old PDC.

After doing all this, running 'samba-tool domain classicupgrade
--dbdir=/var/lib/samba/dbdir/
--realm=test.tld /var/lib/samba/dbdir/smb.PDC.conf'

led to an AD DC, with the REALM 'TEST.TLD' and the workgroup 'EXAMPLE'.

Rowland
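
Added example, not part of the message above and not Samba code: a small Python helper for the LDAP step described there (two 'sambaDomainName' objects after the workgroup change, the new one missing 'sambaNextRid'). It parses ldapsearch output and produces the LDIF that copies 'sambaNextRid' to the new object and deletes the old one. The DNs, the workgroup name OLDWG, the SID and the RID are constructed sample values, and the check that both objects carry the same sambaSID is an added assumption.

```python
# Constructed `ldapsearch -LLL '(objectClass=sambaDomain)'` output; all values invented.
SAMPLE_LDIF = """\
dn: sambaDomainName=OLDWG,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: OLDWG
sambaSID: S-1-5-21-1111111111-2222222222-3333333333
sambaNextRid: 4217

dn: sambaDomainName=EXAMPLE,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-1111111111-2222222222-3333333333
"""

def parse_ldif(text):
    """Parse plain LDIF (no base64 values) into a list of {attr: [values]}."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():                      # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:       # folded continuation line
            cur[last][-1] += line[1:]
        elif not line.startswith("#"):            # skip LDIF comments
            last, _, value = line.partition(":")
            cur.setdefault(last, []).append(value.strip())
    return entries

def plan_fix(entries, old_wg, new_wg):
    """Return LDIF for ldapmodify: copy sambaNextRid to new_wg, delete old_wg."""
    by_name = {e["sambaDomainName"][0].upper(): e for e in entries if "sambaDomainName" in e}
    old, new = by_name.get(old_wg.upper()), by_name.get(new_wg.upper())
    if old is None or new is None:
        raise ValueError("need a sambaDomainName object for both workgroups")
    # Added sanity check (assumption): both objects must carry the same SID.
    if not old.get("sambaSID") or old.get("sambaSID") != new.get("sambaSID"):
        raise ValueError("domain SID differs between the objects; stop here")
    out = []
    if "sambaNextRid" not in new:                 # only add it when it is missing
        if "sambaNextRid" not in old:
            raise ValueError("old object has no sambaNextRid to copy")
        out += [f"dn: {new['dn'][0]}", "changetype: modify", "add: sambaNextRid",
                f"sambaNextRid: {old['sambaNextRid'][0]}", "-", ""]
    out += [f"dn: {old['dn'][0]}", "changetype: delete", ""]
    return "\n".join(out)

if __name__ == "__main__":
    print(plan_fix(parse_ldif(SAMPLE_LDIF), "OLDWG", "EXAMPLE"))
```

Review the generated LDIF before passing it to ldapmodify against the old PDC's directory, and keep a backup of the directory first.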
