[Samba] Change Netbios name during classicupgrade?

Sami Chibani sami.chibani at educagri.fr
Fri Oct 20 11:11:07 UTC 2017


Hi Rowland, Denis

Thank you very much for your answers, they really helped a lot.

And sorry for the delayed answer, I was busy with other stuff.

Your advice doesn't lead me straight to the solution, but I get 
improvements thanks to it.


For now, whatever I do to change the workgroup, it changes the 
Domain SID.

Actually it's more subtle:

Before change workgroup:

#net getdomainsid

SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216

SID for domain OLDDOMAIN.LAN is: S-1-5-21-1905493267-1041818301-753029000


After change workgroup:

#net getdomainsid
SID for local machine AD is: S-1-5-21-673913221-4242741474-1014044216
SID for domain NEWDOMAIN is: S-1-5-21-673913221-4242741474-1014044216
It sets domainsid to the same as localsid (and again it doesn't 
retrieve domain accounts)


I also tried to first change the localsid (net setlocalsid) to the same as 
the domain, then change the domain SID, but it switches me again to 
another [new] SID...

And net setdomainsid never worked to reset to the original SID.
I tried to manually edit secrets.tdb with tdbtools (to make it reflect 
the changes) and even erase it, but without success.

I even tried a kind of general change (new OpenLDAP with a totally modified 
ldif with new values, modified secrets.tdb). No success.

Actually I found the workaround of changing all user account SIDs with a 
pdbedit script (which has the advantage of automatically writing the 
changes to the LDAP), to make them correspond to the new domain SID.
Example account:
Before:
S-1-5-21-1905493267-1041818301-753029000-17036
After:
S-1-5-21-673913221-4242741474-1014044216-17036

This way, the PDC finds all accounts in the domain again. Then I run the 
classicupgrade.

For now it seems a kind of mitigation compared to the "hard" solution of 
starting again from scratch and rebuilding the domain.

I will certainly have to rejoin all machines to the domain (haven't had time 
yet to test it), but if I can at least get back all user profiles, I'd 
be up for this path...

I'll give you more details Monday after further tests and troubleshooting.

Still open to any advice! (about the NetBIOS domain name, or tips for 
rejoining machines to the domain)

Thanks again, your help is invaluable

Cheers

Sam




On 18/10/2017 18:57, Rowland Penny wrote:
> On Tue, 17 Oct 2017 14:56:27 +0200
> Sami Chibani via samba <samba at lists.samba.org> wrote:
>
> > Well, let's try to be more precise about my issue and give some
> > updates:
> > 
> > I am trying to do a classicupgrade and, meanwhile, change the domain name
> > during the process, which includes the realm and the NetBIOS domain name.
> > Specifically, I have difficulties with changing the NetBIOS domain name.
> > 
> > What i've tried so far:
> > 
> > 1)
> > 
> > Change the NetBIOS domain name "workgroup" attribute on the old Samba
> > 3 server before migration; Each time this operation will also change
> > the domain SID and I lose all my members. I tried to put back the old
> > domain sid with
> > 
> > #net setdomainsid [original SID]
> > 
> > But this never worked
> > 
> > 2)
> > As all my attempts to reset the domain SID to its initial value after
> > the workgroup change failed on the old Samba 3 server before
> > classicupgrade, I just tried to do it after.
> > 
> > I ran classicupgrade and left the workgroup attribute at the old value.
> > Just after migration, here's what the domain looks like:
> > 
> > #samba-tool domain info 192.168.1.60
> > Forest           : newdomain.lan
> > Domain           : newdomain.lan.
> > Netbios domain   : OLDDOMAIN.LAN  ## The old name
> > DC name          : srv-ad.newdomain.lan
> > DC netbios name  : SRV-AD
> > Server site      : Default-First-Site-Name
> > Client site      : Default-First-Site-Name
> > 
> > Everything works fine, I got all my users, and machines find
> > the DC again. And winbindd maps all users under this name:
> > 
> > #wbinfo -u
> > 
> > OLDDOMAIN.LAN\user
> > 
> > My logs show no error, and here's what my smb.conf looks like:
> > 
> > [global]
> >         netbios name = SRV-AD
> >         realm = NEWDOMAIN.LAN
> >         workgroup = OLDDOMAIN.LAN
> >         server role = active directory domain controller
> >         idmap_ldb:use rfc2307 = yes
> >         tls enabled  = yes
> >         tls keyfile  = tls/myKey.pem
> >         tls certfile = tls/myCert.pem
> >         tls cafile   =
> >         dns forwarder = 192.168.200.3 #external DNS
> > 
> > Then when I change the value "workgroup" of smb.conf in order to
> > change the NetBIOS domain name and reload, this time I notice that my
> > domain SID remains the same before and after the change.
> > 
> > This time also the command pdbedit -L catches all users like before
> > the change.
> > 
> > However, there seems to be an issue with winbindd.
> > 
> > Any wbinfo -u fails, and wbinfo -p doesn't ping anymore:
> > 
> > #wbinfo -p
> > Ping to winbindd failed
> > could not ping winbindd!
> > 
> > 
> > Here are the logs:
> > 
> > oct. 17 14:08:37 srv-ad.newdomain.lan systemd[1]: Started Samba AD Daemon.
> > oct. 17 14:08:37 srv-ad.newdomain.lan samba[489]: [2017/10/17 14:08:37.274937,  0] ../lib/util/become_daemon.c:124(daemon_ready)
> > oct. 17 14:08:37 srv-ad.newdomain.lan samba[489]:   STATUS=daemon 'samba' finished starting up and ready to serve connections
> > oct. 17 14:08:37 srv-ad.newdomain.lan samba[509]: [2017/10/17
>
> OK, I can confirm that you can change the workgroup name, but you need
> to do it before the classicupgrade.
>
> Stop smbd, nmbd and winbind, change the workgroup in smb.conf, restart
> smbd, nmbd and winbind.
> You should now find that the SIDs haven't changed, but if you search in
> ldap for 'sambaDomainName', you will probably find two, one for the old
> workgroup and one for the new one. You will also probably find that the
> object for the new domain doesn't have a 'sambaNextRid' attribute, so
> you will need to add it with the value obtained from the old workgroup
> object. Now delete the old workgroup object.
> At this point, I stopped smbd, nmbd and winbind, left the ldap server
> and copied the required files to what would become the new DC.
> After trying to carry out the classicupgrade, I found that if you have
> 'passdb backend = ldapsam' in the old smb.conf the upgrade uses, you
> need to change this to: passdb backend = ldapsam:"ldap://192.168.0.235"
>
> Where '192.168.0.235' is the IP address of the old PDC
>
> After doing all this, running 'samba-tool domain classicupgrade
> --dbdir=/var/lib/samba/dbdir/
> --realm=test.tld /var/lib/samba/dbdir/smb.PDC.conf'
>
> Led to an AD DC, with the REALM 'TEST.TLD' and the workgroup 'EXAMPLE'.
>
> Rowland
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
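
The SID rewrite described in the message above (old domain SID prefix swapped for the new one, RID kept), as an added example that is not part of the original post and not Sami's script: a dry-run planner that only prints `pdbedit` commands for review. The account listing and usernames are constructed, and the field labels are assumed to match `pdbedit -L -v` output; `-r`, `-u` and `-U` are pdbedit's modify, user and user-SID options.

```shell
#!/bin/sh
# Added example, not Sami's script: prints the pdbedit calls that would move
# user SIDs from the old domain SID to the new one. It changes nothing itself.
OLD_SID="S-1-5-21-1905493267-1041818301-753029000"   # old domain SID (from the post)
NEW_SID="S-1-5-21-673913221-4242741474-1014044216"   # new domain SID (from the post)

# Constructed sample; labels assumed to match `pdbedit -L -v` output.
sample_pdbedit_output() {
cat <<'EOF'
Unix username:        alice
User SID:             S-1-5-21-1905493267-1041818301-753029000-17036
Primary Group SID:    S-1-5-21-1905493267-1041818301-753029000-513
Unix username:        bob
User SID:             S-1-5-21-1905493267-1041818301-7530290001-17040
Unix username:        carol
User SID:             S-1-5-21-673913221-4242741474-1014044216-17041
Unix username:        dave
User SID:             S-1-5-21-1905493267-1041818301-753029000-17052
EOF
}

# Print the new SID for $1 if it is exactly OLD_SID plus one numeric RID; else fail.
remap_sid() {
  case "$1" in
    "$OLD_SID"-*) rid=${1#"$OLD_SID"-} ;;
    *) return 1 ;;                      # other domain, or a look-alike prefix (bob)
  esac
  case "$rid" in ''|*[!0-9]*) return 1 ;; esac
  printf '%s-%s\n' "$NEW_SID" "$rid"
}

# Read a pdbedit listing on stdin; print one reviewable command per account to fix.
plan_commands() {
  user=
  while IFS= read -r line; do
    value=$(printf '%s' "${line#*:}" | tr -d '[:space:]')
    case "$line" in
      "Unix username:"*) user=$value ;;
      "User SID:"*)
        case "$user" in ''|*[!A-Za-z0-9._-]*) continue ;; esac   # skip unsafe names
        if new=$(remap_sid "$value"); then
          printf 'pdbedit -r -u %s -U %s\n' "$user" "$new"
        fi ;;
    esac
  done
}

sample_pdbedit_output | plan_commands
```

Only the `User SID:` field is planned; accounts already under the new SID, look-alike prefixes, and usernames outside the conservative character set (including machine accounts ending in `$`) are skipped.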


