[Samba] Adding a new DC - ID Mappings

Rob Mason rob at acasta.co.uk
Mon Nov 26 14:00:56 UTC 2018

Hi Rowland - thank you for replying. I have now demoted and removed the temporary DC with the intention of repeating the exercise from scratch later this week. It was an Ubuntu Server 18.04.1 and the smb.conf was very vanilla:

workgroup = ACASTA
netbios name = UBUNTU
server role = active directory domain controller
dns forwarder -
idmap_ldb:use rfc2307 = yes

The join worked successfully.  DNS checked out. Kerberos checked out. I could see everything in my RSAT tools. Everything appeared to be working, except when I tried to "mkdir -p /admin-tools" on the new DC and tried to chown it to "Domain Admins" - invalid group. That's when I started testing wbinfo (works) and getent (no results).

I also updated /etc/nsswitch.conf to add winbind, and ran 'pam-auth-update' to get winbind authentication support. This latter step locked me out of the server - I had to go into recovery mode and manually unedit the pam configs to enable the clean demote and removal.

I kinda gave up at this point! My suspicion is that some package dependency hasn't been met, but I cannot find a definitive list for Ubuntu 18.

-----Original Message-----
From: Rowland Penny <rpenny at samba.org>
Sent: 26 November 2018 10:12
To: samba at lists.samba.org
Subject: Re: [Samba] Adding a new DC - ID Mappings

On Mon, 26 Nov 2018 09:47:06 +0000
Rob Mason via samba <samba at lists.samba.org> wrote:

> I’m looking to replace a DC within a small network by adding a new DC
> and transferring FSMO roles, then demoting the old DC
> (https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC).
> I am able to successfully deploy the new DC following directions in
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory.
> However, I am struggling with ID mappings – I’m not really
> understanding how this should work. Should I have to manually
> re-create the passwd/group entries on my new DC in order to gain the
> old uid/gid values?  I’ve copied the idmap.ldb as suggested in the
> text, and whilst wbinfo returns the domain users, getent doesn’t show
> the domain accounts, only the local passwd entries.
> Have I missed something obvious??

No, you shouldn't have to recreate anything in AD, it all should be replicated.

Let's start with what OS you are using and a copy of your smb.conf.


Acasta Ltd - A Crown Commercial Service Supplier. CyberEssentials Certified QGCE013.
Registered in England 6619191. 42 Pitt Street, Barnsley, S70 1BB. VAT Registered 934 6797 75.
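The two files this thread keeps coming back to are /etc/nsswitch.conf and smb.conf, and the symptom described (wbinfo works, getent shows only local accounts) is what you get when the passwd and group lines in nsswitch.conf do not list winbind. The script below is an added example, not code from the thread or from the Samba project: it checks both files offline against constructed sample contents (a default Ubuntu 18.04 nsswitch.conf before and after winbind is added, and the smb.conf fragment quoted above). The file names, the function names and the sample contents are assumptions made for the demo; point the functions at the real /etc/nsswitch.conf and /etc/samba/smb.conf on a DC.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): offline checks for
# the nsswitch.conf and smb.conf settings a Samba DC needs before getent can
# resolve domain accounts. Sample file contents below are constructed.

# nss_has_winbind FILE DB -> exit 0 if the "DB:" line in FILE lists winbind.
# Comments are stripped first, so a commented-out "winbind" does not count.
nss_has_winbind() {
    awk -v db="$2" '
        {
            line = $0
            sub(/#.*/, "", line)           # drop trailing comments
            sub(/^[ \t]+/, "", line)       # drop leading whitespace
            n = split(line, f, "[ \t:]+")  # "passwd: compat winbind" -> fields
        }
        f[1] == db {
            for (i = 2; i <= n; i++) if (f[i] == "winbind") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# smb_has_rfc2307 FILE -> exit 0 if smb.conf has "idmap_ldb:use rfc2307 = yes",
# i.e. uidNumber/gidNumber from AD are used when they are set on the object.
smb_has_rfc2307() {
    grep -Eiq '^[[:space:]]*idmap_ldb:use[[:space:]]+rfc2307[[:space:]]*=[[:space:]]*yes' "$1"
}

# check_dc_nss FILE -> returns the number of databases (passwd, group) that do
# not list winbind; 0 means getent can resolve domain users and groups.
check_dc_nss() {
    missing=0
    for db in passwd group; do
        if nss_has_winbind "$1" "$db"; then
            echo "ok:      '$db:' resolves through winbind"
        else
            echo "missing: add 'winbind' to the '$db:' line in $1"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# --- demo on constructed files ---------------------------------------------
demo_dir=$(mktemp -d)

# Constructed: the stock Ubuntu 18.04 layout, winbind not yet added
cat > "$demo_dir/nsswitch.before" <<'EOF'
passwd:         compat systemd
group:          compat systemd
shadow:         compat
hosts:          files dns
EOF

# Constructed: the same file after winbind is appended to passwd and group
cat > "$demo_dir/nsswitch.after" <<'EOF'
passwd:         compat systemd winbind
group:          compat systemd winbind
shadow:         compat
hosts:          files dns
EOF

# Constructed: the smb.conf fragment quoted in the thread
cat > "$demo_dir/smb.conf" <<'EOF'
[global]
        workgroup = ACASTA
        netbios name = UBUNTU
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
EOF

for f in nsswitch.before nsswitch.after; do
    echo "== $f"
    check_dc_nss "$demo_dir/$f" && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "   domain users and groups should appear via getent"
    else
        echo "   getent will only show local accounts ($rc line(s) to fix)"
    fi
done

if smb_has_rfc2307 "$demo_dir/smb.conf"; then
    echo "== smb.conf: uid/gid taken from AD uidNumber/gidNumber where set"
fi

rm -rf "$demo_dir"
```

Two checks worth running on the real DC once the nsswitch.conf lines are right: `getent passwd` with no argument only lists domain users when `winbind enum users = yes` is set (the default is no), so test with a name instead, e.g. `getent group 'ACASTA\Domain Admins'`; that is also the lookup chown has to resolve before `chown root:'ACASTA\Domain Admins' /admin-tools` can work. On Ubuntu the winbind NSS module comes from the libnss-winbind package, so if the nsswitch.conf lines are present but getent still fails, check that package is installed. After copying idmap.ldb from the existing DC, the wiki page linked in the thread also has you run `net cache flush` so stale mappings are not served from the cache.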
