Web lists-archives.com

Re: [Samba] Adding a new DC - ID Mappings




Hi Rowland - thank you for replying. I have now demoted and removed the temporary DC with the intention of repeating the exercise from scratch later this week. It was a Ubuntu Server 18.04.1 and the smb.conf was very vanilla:

[global]
workgroup = ACASTA
realm = ACASTA.INTRA
netbios name = UBUNTU
server role = active directory domain controller
dns forwarder - 192.168.200.3
idmap_ldb:use rfc2307 = yes

The join worked successfully.  DNS checked out. Kerberos checked out. I could see everything in my RSAT tools. Everything appeared to be working, except when I tried to "mkdir -p /admin-tools" on the new DC and tried to chown it to "Domain Admins" - invalid group. That's when I started testing wbinfo (works) and getent (no results).

I also updated /etc/nsswitch.conf to add winbind, and ran 'pam-auth-update' to get winbind authentication support. This latter step locked me out of the server - I had to go into recovery mode manually unedit the pam configs to enable the clean demote and removal.

I kinda gave up at this point! My suspicion is that some package dependency hasn't been met, but I cannot find a definitive list for Ubuntu 18.


-----Original Message-----
From: Rowland Penny <rpenny@xxxxxxxxx>
Sent: 26 November 2018 10:12
To: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] Adding a new DC - ID Mappings

On Mon, 26 Nov 2018 09:47:06 +0000
Rob Mason via samba <samba@xxxxxxxxxxxxxxx> wrote:

> I’m looking to replace a DC within a small network by adding a new DC
> and transferring FMSO roles, then demoting the old DC
> (https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC).
>
> I am able to successfully deploy the new DC following directions in
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory.
> However, I am struggling with ID mappings – I’m not really
> understanding how this should work. Should I have to manually
> re-create the passwd/group entries on my new DC in order to gain the
> old uid/gid values?  I’ve copied the idmap.ldb as suggested in the
> text, and whilst wbinfo returns the domain users, getent doesn’t show
> the domain accounts, only the local passwd entries.
>
> Have I missed something obvious??
>

No, you shouldn't have to recreate anything in AD, it all should be replicated.

Lets start with what OS you are using and a copy of your smb.conf.

Rowland


Acasta Ltd - A Crown Commercial Service Supplier. CyberEssentials Certified QGCE013.
Registered in England 6619191. 42 Pitt Street, Barnsley, S70 1BB. VAT Registered 934 6797 75.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba