
Re: [Samba] Adding a new DC - ID Mappings

Hi Rowland - thank you for replying. I have now demoted and removed the temporary DC with the intention of repeating the exercise from scratch later this week. It was an Ubuntu Server 18.04.1 and the smb.conf was very vanilla:

workgroup = ACASTA
netbios name = UBUNTU
server role = active directory domain controller
dns forwarder -
idmap_ldb:use rfc2307 = yes

The join worked successfully.  DNS checked out. Kerberos checked out. I could see everything in my RSAT tools. Everything appeared to be working, except when I tried to "mkdir -p /admin-tools" on the new DC and tried to chown it to "Domain Admins" - invalid group. That's when I started testing wbinfo (works) and getent (no results).

I also updated /etc/nsswitch.conf to add winbind, and ran 'pam-auth-update' to get winbind authentication support. This latter step locked me out of the server - I had to go into recovery mode and manually unedit the pam configs to enable the clean demote and removal.

I kinda gave up at this point! My suspicion is that some package dependency hasn't been met, but I cannot find a definitive list for Ubuntu 18.

-----Original Message-----
From: Rowland Penny <rpenny@xxxxxxxxx>
Sent: 26 November 2018 10:12
To: samba@xxxxxxxxxxxxxxx
Subject: Re: [Samba] Adding a new DC - ID Mappings

On Mon, 26 Nov 2018 09:47:06 +0000
Rob Mason via samba <samba@xxxxxxxxxxxxxxx> wrote:

> I’m looking to replace a DC within a small network by adding a new DC
> and transferring FSMO roles, then demoting the old DC
> (https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC).
> I am able to successfully deploy the new DC following directions in
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory.
> However, I am struggling with ID mappings – I’m not really
> understanding how this should work. Should I have to manually
> re-create the passwd/group entries on my new DC in order to gain the
> old uid/gid values?  I’ve copied the idmap.ldb as suggested in the
> text, and whilst wbinfo returns the domain users, getent doesn’t show
> the domain accounts, only the local passwd entries.
> Have I missed something obvious??

No, you shouldn't have to recreate anything in AD, it all should be replicated.

Let's start with what OS you are using and a copy of your smb.conf.


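wbinfo talks to winbindd directly, while getent goes through the sources listed in /etc/nsswitch.conf. The following added example (not part of the thread; the function names, state labels and sample file are constructed for illustration) reports whether a lookup for a given database can reach the winbind module.

```shell
#!/bin/sh
# Added example (not from the thread): report whether nsswitch.conf lets a
# lookup for DB reach the winbind NSS module, which is the path getent uses.

# nss_winbind_state FILE DB  ->  prints ok | missing | blocked | no-entry
nss_winbind_state() {
    awk -v db="$2" '
    { sub(/#.*/, "") }                                  # drop comments
    {
        i = index($0, ":"); if (i == 0) next
        key = substr($0, 1, i - 1); gsub(/[ \t]/, "", key)
        if (key != db) next
        rest = tolower(substr($0, i + 1)); state = "missing"
        # Walk the sources left to right; [..] groups are NSS actions.
        while (match(rest, /\[[^]]*\]|[^ \t[]+/)) {
            tok = substr(rest, RSTART, RLENGTH)
            rest = substr(rest, RSTART + RLENGTH)
            if (tok == "winbind") { state = "ok"; break }
            # Only the plain NOTFOUND=return form is flagged here: a source
            # that does not know the name stops the search before winbind.
            if (tok ~ /(\[| )notfound=return/) { state = "blocked"; break }
        }
        print state; seen = 1; exit
    }
    END { if (!seen) print "no-entry" }' "$1"
}

# Constructed sample: passwd is wired to winbind, group is not, shadow is cut
# off by an action placed before winbind.
write_sample() {
    cat > "$1" <<'EOF'
# /etc/nsswitch.conf (constructed sample)
passwd:   files systemd winbind
group:    files systemd      # winbind missing
shadow:   files [NOTFOUND=return] winbind
EOF
}

# compare_lookups NAME: winbindd's direct answer beside the NSS answer.
compare_lookups() {
    command -v wbinfo >/dev/null 2>&1 || { echo "wbinfo not found"; return 0; }
    echo "winbindd: $(wbinfo --group-info="$1" 2>&1)"
    echo "NSS:      $(getent group "$1" || echo '<no result>')"
}

# Run against the live file when called with one: sh nss_check.sh /etc/nsswitch.conf
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    for db in passwd group; do echo "$db: $(nss_winbind_state "$1" "$db")"; done
fi
```

A state of `ok` only shows that the lookup order reaches winbind; the NSS winbind library must also be installed for getent to return domain entries.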