[Samba] Adding a new DC - ID Mappings
rob at acasta.co.uk
Mon Nov 26 14:00:56 UTC 2018
Hi Rowland - thank you for replying. I have now demoted and removed the temporary DC with the intention of repeating the exercise from scratch later this week. It was a Ubuntu Server 18.04.1 and the smb.conf was very vanilla:
workgroup = ACASTA
realm = ACASTA.INTRA
netbios name = UBUNTU
server role = active directory domain controller
dns forwarder = 192.168.200.3
idmap_ldb:use rfc2307 = yes
The join worked successfully. DNS checked out. Kerberos checked out. I could see everything in my RSAT tools. Everything appeared to be working, except when I tried to "mkdir -p /admin-tools" on the new DC and tried to chown it to "Domain Admins" - invalid group. That's when I started testing wbinfo (works) and getent (no results).
I also updated /etc/nsswitch.conf to add winbind, and ran 'pam-auth-update' to get winbind authentication support. This latter step locked me out of the server - I had to go into recovery mode and manually undo the PAM config edits to allow a clean demote and removal.
I kinda gave up at this point! My suspicion is that some package dependency hasn't been met, but I cannot find a definitive list for Ubuntu 18.
From: Rowland Penny <rpenny at samba.org>
Sent: 26 November 2018 10:12
To: samba at lists.samba.org
Subject: Re: [Samba] Adding a new DC - ID Mappings
On Mon, 26 Nov 2018 09:47:06 +0000
Rob Mason via samba <samba at lists.samba.org> wrote:
> I’m looking to replace a DC within a small network by adding a new DC
> and transferring FSMO roles, then demoting the old DC
> I am able to successfully deploy the new DC following directions in
> However, I am struggling with ID mappings – I’m not really
> understanding how this should work. Should I have to manually
> re-create the passwd/group entries on my new DC in order to gain the
> old uid/gid values? I’ve copied the idmap.ldb as suggested in the
> text, and whilst wbinfo returns the domain users, getent doesn’t show
> the domain accounts, only the local passwd entries.
> Have I missed something obvious??
No, you shouldn't have to recreate anything in AD, it all should be replicated.
Let's start with what OS you are using and a copy of your smb.conf.
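A check for the symptom described in the message above (wbinfo works, getent returns nothing): wbinfo talks to winbindd directly, while getent goes through the NSS module, so the two disagree when libnss_winbind is not installed or /etc/nsswitch.conf does not list winbind for the passwd and group databases. The script below is an added example, not something posted in the thread; it assumes a Debian/Ubuntu layout (glibc ldconfig, libnss_winbind.so.2, package libnss-winbind), the ACASTA domain from the smb.conf above, and the default winbind separator (backslash). It only reads configuration and never touches PAM, so it cannot repeat the lockout described above.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): checks the pieces that let
# "getent" see domain accounts on a Samba AD DC once "wbinfo" already works.
# Assumptions: Debian/Ubuntu layout (ldconfig, /etc/nsswitch.conf,
# libnss_winbind.so.2) and the ACASTA domain from the posted smb.conf.

# nss_db_has_winbind FILE DB
# Exit 0 if the last "DB:" line in FILE names winbind as a source.
nss_db_has_winbind() {
    nss_file=$1
    nss_db=$2
    # keep only the source list: strip the "db:" prefix and any comment,
    # and take the last definition if the database is listed more than once
    nss_sources=$(sed -n "s/^[[:space:]]*${nss_db}:[[:space:]]*//p" "$nss_file" \
                  | sed 's/#.*//' | tail -n 1)
    for nss_src in $nss_sources; do
        [ "$nss_src" = "winbind" ] && return 0
    done
    return 1
}

# nss_winbind_module_present
# Exit 0 if the dynamic loader knows a libnss_winbind library
# (on Ubuntu this comes from the libnss-winbind package).
nss_winbind_module_present() {
    ldconfig -p 2>/dev/null | grep -q 'libnss_winbind\.so'
}

# diagnose_live DOMAIN
# Runs the real checks on this host and reports; reads config only,
# never edits nsswitch.conf or PAM.
diagnose_live() {
    dom=${1:-ACASTA}
    status=0
    if nss_winbind_module_present; then
        echo "ok:   libnss_winbind is installed"
    else
        echo "FAIL: libnss_winbind not found (apt install libnss-winbind)"; status=1
    fi
    for db in passwd group; do
        if nss_db_has_winbind /etc/nsswitch.conf "$db"; then
            echo "ok:   nsswitch.conf $db: includes winbind"
        else
            echo "FAIL: nsswitch.conf $db: line lacks winbind"; status=1
        fi
    done
    # Compare winbindd's own view (wbinfo) with the NSS view (getent)
    # for the first domain user winbindd reports.
    first_user=$(wbinfo -u 2>/dev/null | head -n 1)
    if [ -n "$first_user" ] && getent passwd "$first_user" >/dev/null; then
        echo "ok:   getent resolves $first_user"
    else
        echo "FAIL: wbinfo lists users but getent cannot resolve '$first_user'"; status=1
    fi
    # chown needs the group to resolve through NSS; try with and without
    # the domain prefix (the latter only works with "winbind use default domain").
    if getent group "${dom}\\Domain Admins" >/dev/null \
       || getent group "Domain Admins" >/dev/null; then
        echo "ok:   getent resolves Domain Admins (chown will accept it)"
    else
        echo "FAIL: getent cannot resolve Domain Admins"; status=1
    fi
    return $status
}

# Run the host checks only when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--live" ]; then
    diagnose_live "${2:-ACASTA}"
fi
```

Run it on the new DC as, for example, `sh check-nss.sh --live ACASTA` (the file name is illustrative). The first two checks usually explain a wbinfo/getent mismatch on their own; the last two confirm the fix from the same angle the chown failure came from.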