[Samba] Change Netbios name during classicupgrade?

Denis Cardon dcardon at tranquil.it
Thu Oct 19 16:31:01 UTC 2017 

Hi Sami,

> Well, let's try to be more precise about my issue and give some updates:
>
> I try to make a classicupgrade and meanwhile, change the Domain name
> during the process, which includes realm and NetBIOS domain name. I
> precisely meet difficulties with changing the NetBIOS domain name.
>
> What i've tried so far:
>
> 1)
>
> Change the NetBIOS domain name "workgroup" attribute on the old Samba 3
> server before migration; Each time this operation will also change the
> domain SID and I lose all my members. I tried to put back the old domain
> sid with

I(d say it is better to change your netbios domain name before upgrading 
to Samba-AD. It is much easier since you just have to change it in 
smb.conf and a few entries in the ldap tree (see rowland post for more 
detail, it does work). But your workstation will still be looking for 
the old domain name, so you'll have to do a netdom move to switch to the 
new domain name (it should be able to re-authenticate in the new domain 
with its own machine account).

Changing the domain name after migration in Samba-AD is possible too, 
but it involves recreating the domain and pipe in all the objects, so it 
need much more work.

> #net setdomainsid [original SID]
>
> But this never worked
>
> 2)
> As all my attempts to reset the domain SID to its initial value after
> workgroup change failed on the old Samba 3 server before classicupgrade,
> i just tried to do it after.
>
> I ran classicupgrade, and let workgroup attribute to old value.
> Just after migration, here's how looks like the domain:
>
> #samba-tool domain info 192.168.1.60
> Forest           : newdomain.lan
> Domain           : newdomain.lan.
> Netbios domain   : OLDDOMAIN.LAN  ## The old name


you should really get rid your Netbios domain name if it contains a DOT 
character. When you switch to Active Directory, you'll get into big 
trouble.

Cheers,

Denis


> DC name          : srv-ad.newdomain.lan
> DC netbios name  : SRV-AD
> Server site      : Default-First-Site-Name
> Client site      : Default-First-Site-Name
>
> Everythings works fine, i got all my users, and machines find back the
> DC. And winbindd maps all users under this name:
>
> #wbinfo -u
>
> OLDDOMAIN.LAN\user
>
> my logs show no error, and here what looks like my smb.conf:
>
> [global]
>         netbios name = SRV-AD
>         realm = NEWDOMAIN.LAN
>         workgroup = OLDDOMAIN.LAN
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         tls enabled  = yes
>         tls keyfile  = tls/myKey.pem
>         tls certfile = tls/myCert.pem
>         tls cafile   =
>         dns forwarder = 192.168.200.3 #external DNS
>
> Then when i change the value "workgroup" of smb.conf in order to change
> the NetBIOS domain name and reload, this time i notice that my domain
> SID remains the same before and after the change.
>
>  This time also the command pdbedit -L catches all users like before the
> change.
>
> However, there seems to be an issue with winbindd.
>
> Any wbinfo-u fails, and wbinfo -p doesnt ping anymore:
>
> #wbinfo -p
> Ping to winbindd failed
> could not ping winbindd!
>
>
> Here's the logs:
>
> oct. 17 14:08:37 srv-ad.newdomain.lan systemd[1]: Started Samba AD Daemon.
> oct. 17 14:08:37 srv-ad.newdomain.lan samba[489]: [2017/10/17
> 14:08:37.274937,  0] ../lib/util/become_daemon.c:124(daemon_ready)
> oct. 17 14:08:37 srv-ad.newdomain.lan samba[489]:   STATUS=daemon
> 'samba' finished starting up and ready to serve connections
> oct. 17 14:08:37 srv-ad.newdomain.lan samba[509]: [2017/10/17
> 14:08:37.317594,  0] ../source4/lib/tls/tlscert.c:57(tls_cert_generate)
> oct. 17 14:08:37 srv-ad.newdomain.lan samba[509]:   TLS autogeneration
> skipped - some TLS files already exist
> oct. 17 14:08:38 srv-ad.newdomain.lan samba[519]: [2017/10/17
> 14:08:38.671074,  0]
> ../source4/smbd/service_task.c:35(task_server_terminate)
> oct. 17 14:08:38 srv-ad.newdomain.lan samba[519]: task_server_terminate:
> [Failed to obtain server credentials, perhaps a standalone server?:
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> oct. 17 14:08:38 srv-ad.newdomain.lan samba[519]:   ]
> oct. 17 14:08:39 srv-ad.newdomain.lan samba[519]: [2017/10/17
> 14:08:39.371865,  0] ../source4/smbd/server.c:211(samba_terminate)
> oct. 17 14:08:39 srv-ad.newdomain.lan samba[519]: samba_terminate of
> 519: Failed to obtain server credentials, perhaps a standalone server?:
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> oct. 17 14:08:39 srv-ad.newdomain.lan samba[519]:
> oct. 17 14:08:40 srv-ad.newdomain.lan winbindd[517]: [2017/10/17
> 14:08:40.117399,  0]
> ../source3/winbindd/winbindd_cache.c:3244(initialize_winbindd_cache)
> oct. 17 14:08:40 srv-ad.newdomain.lan winbindd[517]:
> initialize_winbindd_cache: clearing cache and re-creating with version
> number 2
> oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]: [2017/10/17
> 14:08:42.421031,  0]
> ../source3/winbindd/winbindd_util.c:772(migrate_secrets_tdb_to_ldb)
> oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]:   Failed to fetch
> our own, local AD domain join password for winbindd's internal use, both
> from secrets.tdb and secrets.ldb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]: [2017/10/17
> 14:08:42.423250,  0]
> ../source3/winbindd/winbindd_util.c:872(init_domain_list)
> oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]:   Failed to migrate
> our own, local AD domain join password for winbindd's internal use into
> secrets.tdb
> oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]: [2017/10/17
> 14:08:42.423828,  0]
> ../source3/winbindd/winbindd.c:1401(winbindd_register_handlers)
> oct. 17 14:08:42 srv-ad.newdomain.lan winbindd[517]:   unable to
> initialize domain list
> oct. 17 14:08:42 srv-ad.newdomain.lan samba[514]: [2017/10/17
> 14:08:42.473613,  0] ../source4/winbind/winbindd.c:47(winbindd_done)
> oct. 17 14:08:42 srv-ad.newdomain.lan samba[514]:   winbindd daemon died
> with exit status 1
> oct. 17 14:08:42 srv-ad.newdomain.lan samba[514]: [2017/10/17
> 14:08:42.473754,  0]
> ../source4/smbd/service_task.c:35(task_server_terminate)
> oct. 17 14:08:42 srvads.ensfea.fr samba[514]: task_server_terminate:
> [winbindd child process exited]
> oct. 17 14:08:44 srvads.ensfea.fr smbd[512]: [2017/10/17
> 14:08:44.734297,  0] ../lib/util/become_daemon.c:124(daemon_ready)
> oct. 17 14:08:44 srvads.ensfea.fr smbd[512]:   STATUS=daemon 'smbd'
> finished starting up and ready to serve connections
> oct. 17 14:08:58 srvads.ensfea.fr samba[518]: [2017/10/17
> 14:08:58.529754,  0]
> ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> oct. 17 14:08:58 srvads.ensfea.fr samba[518]:
> ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error
> code 110
>
>
> I feel i'm quite close from the goal but definitely stuck at some
> obvious point...
>
> Any way i definitely don't want to give up otherwise would mean rebuild
> a domain of 300 machines and 3000 accounts...
>
> Your help is greatly appreciated... Thanks by advance
>
>
> Sam
>
>
> On 17/10/2017 10:00, Sami Chibani wrote:
>>
>>
>> Here's what looks like the smb.conf before I do anything (more
>> complete this time):
>>
>> [global]
>>
>>     netbios name = AD
>>
>>     workgroup = DOMAIN.LAN
>>
>>     server string = Samba server domain.lan
>>
>>     security = user
>>
>>     passdb backend = ldapsam:"ldap://192.168.1.20/ ldap://192.168.1.21/"
>>
>>     domain master = yes
>>     domain logons = yes
>>     admin users = "@Admin"
>>     ldap suffix = dc=domain.lan, dc=local
>>     ldap machine suffix = ou=hosts
>>     ldap user suffix = ou=users
>>     ldap group suffix = ou=groups
>>     ldap admin dn = "uid=sysadmin,ou=sysuers,dc=domain.lan,dc=local"
>>     obey pam restrictions = yes
>>     encrypt passwords = yes
>>     ldap password sync = yes
>>
>>     logon path =
>>
>>     ldapsam:trusted = yes
>>
>>     wins support = yes
>>     dns proxy = no
>>
>> Also I was pointing out that it was certainly SID related because each
>> time I change workgroup, it just renew the domain SID;
>>
>> Before I change anything:
>> # net getdomainsid
>> SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216
>> SID for domain DOMAIN.LAN is: S-1-5-21-1905493267-1041818301-753029000
>>
>> After I change the workgroup:
>> # net getdomainsid
>> SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216
>> SID for domain NEWDOMAIN is: S-1-5-21-574297740-925364648-4230334621
>>
>>
>>
>>
>>
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint SĂ©bastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

More information about the samba mailing list