Web lists-archives.com

[Samba] Windows client still tries to connect to old AD after replacement




Thanks again Rowland for getting back to me.  Here's my comments below:

>> /etc/hosts:
>> 127.0.0.1       localhost
>> 192.168.0.17    ad.domain.intranet ad
>> 192.168.0.21    domain-ad.domain.intranet     domain-ad
>
> Remove the line above, this is the old AD domain and shouldn't have
> anything pointing to the new one.

Have deleted this line.  This is a hangover from when I tried to connect both the old and new ADs.  No device exists with the IP address 192.168.0.21, luckily.

>> /etc/resolv.conf:
>> domain Hitronhub.home
>> search Hitronhub.home
>> nameserver 192.168.0.1
>
> This is a DC, it should be pointing to itself as a nameserver.

Done.

>>          realm = DOMAIN.INTRANET
>>          workgroup = DOMAIN
>
> What did you say about workgroups ?
> I do hope that 'DOMAIN' in the above line isn't the same as on the new
> AD DC.

Hah.  Fair enough.  Unfortunately yes, your fear has been realised, the domain & workgroup for both are the same.  I've now put in a new domain & workgroup, hereinafter referred to as NEWDOMAIN and NEWWORKGROUP respectively, and the old names would be OLDDOMAIN and OLDWORKGROUP.

 I've updated the following files to reflect the new domain & workgroup names - let me know if I've missed something:

- /etc/hosts
- /etc/resolv.conf
- Provisioned new domain using samba-tool (note, couldn't find how to delete an old domain, so I'm dangerously assuming provisioning the new domain will overwrite the old one), although...

root@olddomain-ad:/home/kit# samba-tool domain info 192.168.0.11
Forest           : newdomain.intranet
Domain           : newdomain.intranet
Netbios domain   : NEWDOMAIN
DC name          : olddomain-ad.newdomain.intranet
DC netbios name  : olddomain
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name
root@domain-ad:/home/kit#

I'm concerned about the DC netbios name though, that'd match the old DC netbios name.

root@olddomain-ad:/home/kit# klist
Ticket cache: FILE:/tmp/krb5cc_1000_LUxuAq
Default principal: Administrator@NEWDOMAIN.INTRANET
Valid starting     Expires            Service principal
07/02/19 19:20:01  08/02/19 05:20:01 krbtgt/NEWDOMAIN.INTRANET@NEWDOMAIN.INTRANET
        renew until 08/02/19 19:19:50
root@olddomain-ad:/home/kit#

Only issue I can see is the last line of the below output:

root@olddomain-ad:/home/kit# smbclient -L localhost -U%
Domain=[NEWDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        Profiles        Disk
        users           Disk
        IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
Domain=[NEWDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
        Server               Comment
        ---------            -------
        Workgroup            Master
        ---------            -------
        WORKGROUP            OLDWORKGROUP

root@olddomain-ad:/home/kit#

Whew.  So I went to the test client, got it to leave the olddomain, it asked to restart, and when it came back up, I found it was impossible to log into *any* account on the computer, whether local, olddomain or newdomain!  After fruitless hours trying to enable the local admin account and reset its password, I gave up and reinstalled Windows so the test client is now fresh and blank.  So now I've done the following:

- Added in a local account for myself only
- Enabled local admin account and set password (in case something like the previous happens again!)
- Changed DNS to point to 192.168.0.11
- Joined domain newdomain
- Rebooted and logged in as NEWDOMAIN\Administrator

All worked fine, was able to go to 192.168.0.11 in Explorer and see all the shares.  OK, can see the 4 shares listed.  So I then used RSAT to add in a new user (kit) and tried to assign the Profiles and user home folder shares to the new user and was unable to.  Looked at the shares, found the domain admin has no access to all the shared folders and all the users listed that had permissions to access had SIDs from the old domain profile, so followed the instructions found here

https://wiki.samba.org/index.php/User_Home_Folders

to reset the permissions etc.  I got up to the "Advanced Security Settings for users (\\olddomain-ad.newdomain.intranet)" bit in the HOWTO, made the changes suggested by the table (set access levels for Domain Admins, Domain Users, and CREATOR OWNER) and clicked "Apply" and got a permission denied error:

"An error occurred while applying security information to: \\192.168.0.11\users. Failed to enumerate objects in the container.  Access is denied".

Now, I'm not sure how to reset this, am hoping you can point me the right way please?  (Sorry, I'm now 7 hours past my clocking-out time!)

Many thanks!

With kind regards - Piers

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba