[Samba] Adding a new DC - ID Mappings
Rowland Penny
rpenny at samba.org
Mon Nov 26 14:51:22 UTC 2018
On Mon, 26 Nov 2018 14:00:56 +0000
Rob Mason <rob at acasta.co.uk> wrote:
> Hi Rowland - thank you for replying. I have now demoted and removed
> the temporary DC with the intention of repeating the exercise from
> scratch later this week. It was a Ubuntu Server 18.04.1 and the
> smb.conf was very vanilla:
>
> [global]
> workgroup = ACASTA
> realm = ACASTA.INTRA
> netbios name = UBUNTU
> server role = active directory domain controller
> dns forwarder - 192.168.200.3
> idmap_ldb:use rfc2307 = yes
>
> The join worked successfully. DNS checked out. Kerberos checked out.
> I could see everything in my RSAT tools. Everything appeared to be
> working, except when I tried to "mkdir -p /admin-tools" on the new DC
> and tried to chown it to "Domain Admins" - invalid group. That's when
> I started testing wbinfo (works) and getent (no results).
>
> I also updated /etc/nsswitch.conf to add winbind, and ran
> 'pam-auth-update' to get winbind authentication support. This latter
> step locked me out of the server - I had to go into recovery mode
> manually unedit the pam configs to enable the clean demote and
> removal.
>
> I kinda gave up at this point! My suspicion is that some package
> dependency hasn't been met, but I cannot find a definitive list for
> Ubuntu 18.
>
Did you install libpam-winbind, libnss-winbind and libpam-krb5 ?
Not installing these is the major cause of getent not working.
Rowland
More information about the samba
mailing list