[Samba] Issues post AD migration

Praveen Ghimire PGhimire at sundata.com.au
Thu Apr 12 06:47:45 UTC 2018

Hi,

We ran the classic upgrade and migrated the domain. We were then able to add a Windows Server 2008R2 and dcpromo it.

Here are some of the issues we are seeing post migration:

- Before the migration, the password backend was LDAP. We had some groups that we had migrated into LDAP from TBD. These groups don't seem to have come up in AD.

- Any groups that were created in LDAP did show up in AD.

- We have a member server which we joined to the AD using the following:

net ads join -U administrator
Enter administrator's password:
Using short domain name -- TESTDOM
Joined 'fs01' to dns domain 'testdom.group'
net_update_dns_internal: Failed to connect to our DC!
DNS update failed!

Ran samba_dnsupdate --verbose --all-names on the Samba 4 AD DC box and got the following:
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 27 entries

- Using a Windows 7 machine, we tried to access the shares on the member server and it fails with the following in the logs:

user 'TESTDOM\pghimire' (from session setup) not permitted to access this share (downloads)

The user is a member of a group that has permissions for the folder (in smb.conf). This was one of the groups that didn't migrate to AD, so we set up the group in AD and added the user as a member.

Using smbclient, the user account is able to enumerate all the shares on the Samba 4 DC and the member server.

- getent passwd does find the user:

getent passwd "testdom\pghimire"


- Even if we add the permissions for the user in smb.conf the above still fails.

The following is the nsswitch.conf
#passwd:         compat
#group:          compat
shadow:          compat
passwd:         files winbind
group:          files winbind

The following is the member server's smb.conf

        netbios name = FS01
        security = ADS
        workgroup = TESTDOM
        realm = TESTDOM.GROUP
        idmap config * : backend = tdb
        idmap config * : range = 3000-7999
#       wins server =
        log level = 2 auth:5
        syslog = 0
        log file = /var/log/samba-ad-dc/log.%m
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes


Praveen Ghimire
