[Samba] Change Netbios name during classicupgrade?

Sami Chibani sami.chibani at educagri.fr
Tue Oct 17 12:56:27 UTC 2017


Well, let's try to be more precise about my issue and give some updates:

I am trying to do a classicupgrade and, meanwhile, change the domain name 
during the process, which includes the realm and the NetBIOS domain name. I 
specifically have difficulties with changing the NetBIOS domain name.

What I've tried so far:

1)

Change the NetBIOS domain name "workgroup" attribute on the old Samba 3 
server before migration. Each time, this operation will also change the 
domain SID and I lose all my members. I tried to put back the old domain 
SID with

#net setdomainsid [original SID]

But this never worked.

2)
As all my attempts to reset the domain SID to its initial value after the 
workgroup change failed on the old Samba 3 server before classicupgrade, 
I just tried to do it after.

I ran classicupgrade, and left the workgroup attribute at its old value.
Just after migration, here's what the domain looks like:

#samba-tool domain info 192.168.1.60
Forest           : newdomain.lan
Domain           : newdomain.lan.
Netbios domain   : OLDDOMAIN.LAN  ## The old name
DC name          : srv-ad.newdomain.lan
DC netbios name  : SRV-AD
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name

Everything works fine, I got all my users, and machines find the DC 
again. And winbindd maps all users under this name:

#wbinfo -u

OLDDOMAIN.LAN\user

My logs show no error, and here's what my smb.conf looks like:

[global]
         netbios name = SRV-AD
         realm = NEWDOMAIN.LAN
         workgroup = OLDDOMAIN.LAN
         server role = active directory domain controller
         idmap_ldb:use rfc2307 = yes
         tls enabled  = yes
         tls keyfile  = tls/myKey.pem
         tls certfile = tls/myCert.pem
         tls cafile   =
         # external DNS
         dns forwarder = 192.168.200.3

Then when I change the value "workgroup" of smb.conf in order to change 
the NetBIOS domain name and reload, this time I notice that my domain 
SID remains the same before and after the change.

This time also the command pdbedit -L catches all users like before 
the change.

However, there seems to be an issue with winbindd.

Any wbinfo -u fails, and wbinfo -p doesn't ping anymore:

#wbinfo -p
Ping to winbindd failed
could not ping winbindd!


Here are the logs:

oct. 17 14:08:37 srv-ad.newdomain.lan systemd[1]: Started Samba AD Daemon.
oct. 17 14:08:37 srv-ad.newdomain.lan samba[489]: [2017/10/17 
14:08:37.274937,  0] ../lib/util/become_daemon.c:124(daemon_ready)
oct. 17 14:08:37 srv-ad.newdomain.lan samba[489]:   STATUS=daemon 
'samba' finished starting up and ready to serve connections
oct. 17 14:08:37 srv-ad.newdomain.lan samba[509]: [2017/10/17 
14:08:37.317594,  0] ../source4/lib/tls/tlscert.c:57(tls_cert_generate)
oct. 17 14:08:37 srv-ad.newdomain.lan samba[509]:   TLS autogeneration 
skipped - some TLS files already exist
oct. 17 14:08:38 srv-ad.newdomain.lan samba[519]: [2017/10/17 
14:08:38.671074,  0] 
../source4/smbd/service_task.c:35(task_server_terminate)
oct. 17 14:08:38 srv-ad.newdomain.lan samba[519]: task_server_terminate: 
[Failed to obtain server credentials, perhaps a standalone server?: 
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
oct. 17 14:08:38 srv-ad.newdomain.lan samba[519]:   ]
oct. 17 14:08:39 srv-ad.newdomain.lan samba[519]: [2017/10/17 
14:08:39.371865,  0] ../source4/smbd/server.c:211(samba_terminate)
oct. 17 14:08:39 srv-ad.newdomain.lan samba[519]: samba_terminate of 
519: Failed to obtain server credentials, perhaps a standalone server?: 
NT_STATUS_CANT_ACCESS_DOMAIN_INFO
oct. 17 14:08:39 srv-ad.newdomain.lan samba[519]:
oct. 17 14:08:40 srv-ad.newdomain.lan winbindd[517]: [2017/10/17 
14:08:40.117399,  0] 
../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
oct. 17 14:08:40 srv-ad.newdomain.lan winbindd[517]: 
initialize_winbindd_cache: clearing cache and re-creating with version 
number 2
oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]: [2017/10/17 
14:08:42.421031,  0] 
../source3/winbindd/winbindd_util.c:772(migrate_secrets_tdb_to_ldb)
oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]:   Failed to fetch 
our own, local AD domain join password for winbindd's internal use, both 
from secrets.tdb and secrets.ldb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]: [2017/10/17 
14:08:42.423250,  0] 
../source3/winbindd/winbindd_util.c:872(init_domain_list)
oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]:   Failed to migrate 
our own, local AD domain join password for winbindd's internal use into 
secrets.tdb
oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]: [2017/10/17 
14:08:42.423828,  0] 
../source3/winbindd/winbindd.c:1401(winbindd_register_handlers)
oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]:   unable to 
initialize domain list
oct. 17 14:08:42 srv-ad.newdomain.lan samba[514]: [2017/10/17 
14:08:42.473613,  0] ../source4/winbind/winbindd.c:47(winbindd_done)
oct. 17 14:08:42 srv-ad.newdomain.lan samba[514]:   winbindd daemon died 
with exit status 1
oct. 17 14:08:42 srv-ad.newdomain.lan samba[514]: [2017/10/17 
14:08:42.473754,  0] 
../source4/smbd/service_task.c:35(task_server_terminate)
oct. 17 14:08:42 srvads.ensfea.fr samba[514]: task_server_terminate: 
[winbindd child process exited]
oct. 17 14:08:44 srvads.ensfea.fr smbd[512]: [2017/10/17 
14:08:44.734297,  0] ../lib/util/become_daemon.c:124(daemon_ready)
oct. 17 14:08:44 srvads.ensfea.fr smbd[512]:   STATUS=daemon 'smbd' 
finished starting up and ready to serve connections
oct. 17 14:08:58 srvads.ensfea.fr samba[518]: [2017/10/17 
14:08:58.529754,  0] 
../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
oct. 17 14:08:58 srvads.ensfea.fr samba[518]: 
../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error 
code 110


I feel I'm quite close to the goal but definitely stuck at some 
obvious point...

Anyway, I definitely don't want to give up, otherwise it would mean 
rebuilding a domain of 300 machines and 3000 accounts...

Your help is greatly appreciated... Thanks in advance


Sam


On 17/10/2017 10:00, Sami Chibani wrote:
>
>
> Here's what the smb.conf looks like before I do anything (more 
> complete this time):
>
> [global]
>
>     netbios name = AD
>
>     workgroup = DOMAIN.LAN
>
>     server string = Samba server domain.lan
>
>     security = user
>
>     passdb backend = ldapsam:"ldap://192.168.1.20/ ldap://192.168.1.21/"
>
>     domain master = yes
>     domain logons = yes
>     admin users = "@Admin"
>     ldap suffix = dc=domain.lan, dc=local
>     ldap machine suffix = ou=hosts
>     ldap user suffix = ou=users
>     ldap group suffix = ou=groups
>     ldap admin dn = "uid=sysadmin,ou=sysuers,dc=domain.lan,dc=local"
>     obey pam restrictions = yes
>     encrypt passwords = yes
>     ldap password sync = yes
>
>     logon path =
>
>     ldapsam:trusted = yes
>
>     wins support = yes
>     dns proxy = no
>
> Also I was pointing out that it was certainly SID related because each 
> time I change workgroup, it just renews the domain SID;
>
> Before I change anything:
> # net getdomainsid
> SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216
> SID for domain DOMAIN.LAN is: S-1-5-21-1905493267-1041818301-753029000
>
> After I change the workgroup:
> # net getdomainsid
> SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216
> SID for domain NEWDOMAIN is: S-1-5-21-574297740-925364648-4230334621
>
>
>
>
>
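
The domain SID change shown in the two `net getdomainsid` outputs above can be checked mechanically before and after editing "workgroup". The following is an added example, not part of the original post or of Samba: the function names sid_of, name_of and check_drift are hypothetical, and the sample text is the output quoted in the message.

```shell
#!/bin/sh
# Added example: compare two saved `net getdomainsid` outputs and flag a
# changed domain SID. Function names are hypothetical, not Samba tooling.

# Sample outputs copied from the message above (before / after the change).
BEFORE='SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216
SID for domain DOMAIN.LAN is: S-1-5-21-1905493267-1041818301-753029000'
AFTER='SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216
SID for domain NEWDOMAIN is: S-1-5-21-574297740-925364648-4230334621'

# sid_of KIND TEXT: print the SID from the "SID for KIND <name> is:" line.
# KIND is "domain" or "local machine". Prints nothing if no line matches.
sid_of() {
    printf '%s\n' "$2" |
        sed -n "s/^SID for $1 .* is: \(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\)\$/\1/p" |
        head -n 1
}

# name_of KIND TEXT: print the machine or domain name from the same line.
name_of() {
    printf '%s\n' "$2" | sed -n "s/^SID for $1 \(.*\) is: S-.*\$/\1/p" | head -n 1
}

# check_drift BEFORE AFTER: print a verdict.
# Returns 0 if the domain SID is unchanged, 1 if it changed, 2 if unparsable.
check_drift() {
    old=$(sid_of domain "$1")
    new=$(sid_of domain "$2")
    if [ -z "$old" ] || [ -z "$new" ]; then
        echo "PARSE-ERROR: no domain SID line found"
        return 2
    fi
    if [ "$old" = "$new" ]; then
        echo "OK: domain SID unchanged ($old)"
        return 0
    fi
    echo "DRIFT: $(name_of domain "$1") -> $(name_of domain "$2"): $old -> $new"
    return 1
}

# On a live server the two arguments would be captured with
#   before=$(net getdomainsid)   ...edit smb.conf...   after=$(net getdomainsid)
check_drift "$BEFORE" "$AFTER" || echo "check_drift exit status: $?"
```
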


