[Samba] Windows client still tries to connect to old AD after replacement
Piers Kittel
piers at centrefordeaf.org.uk
Fri Feb 8 00:21:47 UTC 2019
Thanks again Rowland for getting back to me. Here are my comments below:
>> /etc/hosts:
>> 127.0.0.1 localhost
>> 192.168.0.17 ad.domain.intranet ad
>> 192.168.0.21 domain-ad.domain.intranet domain-ad
>
> Remove the line above, this is the old AD domain and shouldn't have
> anything pointing to the new one.
Have deleted this line. This is a hangover from when I tried to connect
both the old and new ADs. No device exists with the IP address
192.168.0.21, luckily.
>> /etc/resolv.conf:
>> domain Hitronhub.home
>> search Hitronhub.home
>> nameserver 192.168.0.1
>
> This is a DC, it should be pointing to itself as a nameserver.
Done.
>> realm = DOMAIN.INTRANET
>> workgroup = DOMAIN
>
> What did you say about workgroups ?
> I do hope that 'DOMAIN' in the above line isn't the same as on the new
> AD DC.
Hah. Fair enough. Unfortunately yes, your fear has been realised, the
domain & workgroup for both are the same. I've now put in a new domain
& workgroup, hereinafter referred to as NEWDOMAIN and NEWWORKGROUP
respectively, and the old names would be OLDDOMAIN and OLDWORKGROUP.
I've updated the following files to reflect the new domain & workgroup
names - let me know if I've missed something:
- /etc/hosts
- /etc/resolv.conf
- Provisioned new domain using samba-tool (note, couldn't find how to
delete an old domain, so I'm dangerously assuming provisioning the new
domain will overwrite the old one), although...
root@olddomain-ad:/home/kit# samba-tool domain info 192.168.0.11
Forest           : newdomain.intranet
Domain           : newdomain.intranet
Netbios domain   : NEWDOMAIN
DC name          : olddomain-ad.newdomain.intranet
DC netbios name  : olddomain
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name
root@domain-ad:/home/kit#
I'm concerned about the DC netbios name though, that'd match the old DC
netbios name.
root@olddomain-ad:/home/kit# klist
Ticket cache: FILE:/tmp/krb5cc_1000_LUxuAq
Default principal: Administrator@NEWDOMAIN.INTRANET

Valid starting       Expires              Service principal
07/02/19 19:20:01    08/02/19 05:20:01    krbtgt/NEWDOMAIN.INTRANET@NEWDOMAIN.INTRANET
	renew until 08/02/19 19:19:50
root@olddomain-ad:/home/kit#
Only issue I can see is the last line of the below output:
root@olddomain-ad:/home/kit# smbclient -L localhost -U%
Domain=[NEWDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]

	Sharename       Type      Comment
	---------       ----      -------
	netlogon        Disk
	sysvol          Disk
	Profiles        Disk
	users           Disk
	IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
Domain=[NEWDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            OLDWORKGROUP
root@olddomain-ad:/home/kit#
Whew. So I went to the test client, got it to leave the olddomain, it
asked to restart, and when it came back up, I found it was impossible to
log into *any* account on the computer, whether local, olddomain or
newdomain! After fruitless hours trying to enable the local admin
account and reset its password, I gave up and reinstalled Windows so the
test client is now fresh and blank. So now I've done the following:
- Added in a local account for myself only
- Enabled local admin account and set password (in case something like
the previous happens again!)
- Changed DNS to point to 192.168.0.11
- Joined domain newdomain
- Rebooted and logged in as NEWDOMAIN\Administrator
All worked fine, was able to go to 192.168.0.11 in Explorer and see all
the shares. OK, can see the 4 shares listed. So I then used RSAT to
add in a new user (kit) and tried to assign the Profiles and user home
folder shares to the new user and was unable to. Looked at the shares,
found the domain admin had no access to any of the shared folders, and all
the users listed as having permissions had SIDs from the old domain
profile, so followed the instructions found here
https://wiki.samba.org/index.php/User_Home_Folders
to reset the permissions etc. I got up to the "Advanced Security
Settings for users (\\olddomain-ad.newdomain.intranet)" bit in the
HOWTO, made the changes suggested by the table (set access levels for
Domain Admins, Domain Users, and CREATOR OWNER) and clicked "Apply" and
got a permission denied error:
"An error occurred while applying security information to:
\\192.168.0.11\users. Failed to enumerate objects in the container.
Access is denied".
Now, I'm not sure how to reset this; I'm hoping you can point me in the
right direction, please? (Sorry, I'm now 7 hours past my clocking-out time!)
Many thanks!
With kind regards - Piers
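Since the share ACLs turned out to still carry SIDs from the old domain, a quick way to find every such entry before touching permissions from a Windows client is to dump the NT ACL as SDDL on the DC and check each trustee SID against the new domain's SID. The script below is an added example and is not part of this thread or of Samba itself; the two domain SIDs and the sample ACL are constructed, and the pipe in the usage comment assumes `samba-tool ntacl get --as-sddl` run against the share directory on the DC.

```python
"""Flag ACL entries on a Samba share that still carry SIDs from a replaced domain."""
import re
import sys

# Hypothetical domain SIDs for the constructed sample below (not taken from the thread).
OLD_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
NEW_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"

# Constructed sample in the shape `samba-tool ntacl get --as-sddl <path>` prints:
# owner, group and two ACEs still point at the old domain; BA/SY/CO are aliases.
SAMPLE_SDDL = (
    f"O:{OLD_DOMAIN_SID}-512G:{OLD_DOMAIN_SID}-513D:P"
    "(A;OICI;0x001f01ff;;;BA)"
    "(A;OICI;0x001f01ff;;;SY)"
    f"(A;OICI;0x001f01ff;;;{OLD_DOMAIN_SID}-512)"
    f"(A;OICI;0x001200a9;;;{OLD_DOMAIN_SID}-513)"
    "(A;OICIIO;0x001f01ff;;;CO)"
    f"(A;OICI;0x001f01ff;;;{NEW_DOMAIN_SID}-1104)"
)

_SECTION_RE = re.compile(r"([OGDS]):")   # O:owner G:group D:dacl S:sacl; ACEs contain no ':'
_ACE_RE = re.compile(r"\(([^)]*)\)")     # one parenthesised ACE


def split_sections(sddl: str) -> dict:
    """Split an SDDL string into its O:, G:, D: and S: components."""
    sddl = sddl.strip()
    hits = list(_SECTION_RE.finditer(sddl))
    out = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(sddl)
        out[m.group(1)] = sddl[m.end():end]
    return out


def ace_sids(acl: str):
    """Yield (ace_type, trustee_sid) for every ACE in a D: or S: section.
    The P/AI/AR flags before the first '(' carry no SID and are skipped."""
    for ace in _ACE_RE.finditer(acl):
        fields = ace.group(1).split(";")
        if len(fields) < 6:
            continue  # malformed ACE, nothing to check
        yield fields[0], fields[5]


def classify_sid(sid: str, domain_sid: str) -> str:
    """Say whether a trustee belongs to the domain the DC now serves."""
    if not sid.startswith("S-"):
        return "alias"           # BA, SY, CO, DA, DU...: resolved against the current domain
    if sid.startswith(domain_sid + "-"):
        return "current-domain"
    if sid.startswith("S-1-5-21-"):
        return "foreign-domain"  # a domain SID this DC does not own: orphaned by the re-provision
    return "builtin"             # S-1-1-0, S-1-5-32-544 and friends


def audit_sddl(sddl: str, domain_sid: str) -> list:
    """Return (where, sid, classification) for owner, group and every ACE trustee."""
    sections = split_sections(sddl)
    rows = []
    if "O" in sections:
        rows.append(("owner", sections["O"], classify_sid(sections["O"], domain_sid)))
    if "G" in sections:
        rows.append(("group", sections["G"], classify_sid(sections["G"], domain_sid)))
    for label in ("D", "S"):
        for ace_type, sid in ace_sids(sections.get(label, "")):
            rows.append((f"{label}:{ace_type}", sid, classify_sid(sid, domain_sid)))
    return rows


def orphaned_sids(sddl: str, domain_sid: str) -> list:
    """Sorted, de-duplicated list of trustees that belong to some other domain."""
    return sorted({sid for _, sid, cls in audit_sddl(sddl, domain_sid) if cls == "foreign-domain"})


if __name__ == "__main__":
    # Usage on the DC (assumed path):
    #   samba-tool ntacl get --as-sddl /srv/samba/users | python3 audit_sddl.py S-1-5-21-...
    if len(sys.argv) == 2:
        domain_sid, sddl = sys.argv[1], sys.stdin.read()
    else:
        domain_sid, sddl = NEW_DOMAIN_SID, SAMPLE_SDDL
    for where, sid, cls in audit_sddl(sddl, domain_sid):
        print(f"{where:10} {cls:15} {sid}")
    print("orphaned SIDs:", ", ".join(orphaned_sids(sddl, domain_sid)) or "none")
```

The new domain's SID is the `S-1-5-21-...` prefix of any account in it; `wbinfo -n 'NEWDOMAIN\Administrator'` prints that SID with the trailing RID `-500`, which you strip. Entries reported as `foreign-domain` are exactly the ones the Windows security dialog shows as bare, unresolvable SIDs, and an owner or Domain Admins ACE in that state is why the new domain's administrator gets "Access is denied" when trying to rewrite the ACL from a client.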