[Samba] Adding a new DC - ID Mappings

Rowland Penny rpenny at samba.org
Mon Nov 26 14:51:22 UTC 2018

On Mon, 26 Nov 2018 14:00:56 +0000
Rob Mason <rob at acasta.co.uk> wrote:

> Hi Rowland - thank you for replying. I have now demoted and removed
> the temporary DC with the intention of repeating the exercise from
> scratch later this week. It was an Ubuntu Server 18.04.1 and the
> smb.conf was very vanilla:
> [global]
> workgroup = ACASTA
> realm = ACASTA.INTRA
> netbios name = UBUNTU
> server role = active directory domain controller
> dns forwarder -
> idmap_ldb:use rfc2307 = yes
> The join worked successfully.  DNS checked out. Kerberos checked out.
> I could see everything in my RSAT tools. Everything appeared to be
> working, except when I tried to "mkdir -p /admin-tools" on the new DC
> and tried to chown it to "Domain Admins" - invalid group. That's when
> I started testing wbinfo (works) and getent (no results).
> I also updated /etc/nsswitch.conf to add winbind, and ran
> 'pam-auth-update' to get winbind authentication support. This latter
> step locked me out of the server - I had to go into recovery mode and
> manually unedit the pam configs to enable the clean demote and
> removal.
> I kinda gave up at this point! My suspicion is that some package
> dependency hasn't been met, but I cannot find a definitive list for
> Ubuntu 18.

Did you install libpam-winbind, libnss-winbind and libpam-krb5?
Not installing these is the major cause of getent not working.
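
A quick way to check the points raised in this thread on a Debian/Ubuntu DC, as an added example that is not part of the original messages: it reports which of the three packages named above are missing, whether the `passwd` and `group` lines of `/etc/nsswitch.conf` list winbind, and whether getent resolves "Domain Admins". The function names and the `--check` argument are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Succeeds if database $2 (passwd, group) in nsswitch file $1 lists the
# winbind source. Text after '#' is ignored, so a commented-out
# "winbind" does not count.
nss_has_winbind() {
    awk -v db="$2" '
        { sub(/#.*/, "") }                  # drop comments, fields re-split
        $1 == (db ":") {
            for (i = 2; i <= NF; i++) if ($i == "winbind") found = 1
        }
        END { exit !found }
    ' "$1"
}

# Prints each named package that dpkg does not report as fully installed.
missing_packages() {
    for pkg in "$@"; do
        status=$(dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null) || status=""
        [ "$status" = "install ok installed" ] || echo "$pkg"
    done
}

# Runs all three checks against the live system; returns 1 if any fails.
report() {
    rc=0
    for pkg in $(missing_packages libpam-winbind libnss-winbind libpam-krb5); do
        echo "package not installed: $pkg"; rc=1
    done
    for db in passwd group; do
        if ! nss_has_winbind /etc/nsswitch.conf "$db"; then
            echo "nsswitch.conf: '$db' line does not list winbind"; rc=1
        fi
    done
    if ! getent group "Domain Admins" >/dev/null 2>&1; then
        echo "getent cannot resolve group 'Domain Admins'"; rc=1
    fi
    return $rc
}

# Only touch the live system when asked to: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    report
fi
```

Run it before 'pam-auth-update' rather than after, so a missing package shows up while you can still log in normally.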

