[Samba] Windows client still tries to connect to old AD after replacement

Piers Kittel piers at centrefordeaf.org.uk
Fri Feb 8 00:21:47 UTC 2019

Thanks again Rowland for getting back to me.  Here's my comments below:

 >> /etc/hosts:
 >>       localhost
 >>    ad.domain.intranet ad
 >>    domain-ad.domain.intranet     domain-ad
 > Remove the line above, this is the old AD domain and shouldn't have
 > anything pointing to the new one.

Have deleted this line.  This is a hangover from when I tried to connect 
both the old and new ADs.  No device exists with the IP address, luckily.

 >> /etc/resolv.conf:
 >> domain Hitronhub.home
 >> search Hitronhub.home
 >> nameserver
 > This is a DC, it should be pointing to itself as a nameserver.


 >>          realm = DOMAIN.INTRANET
 >>          workgroup = DOMAIN
 > What did you say about workgroups ?
 > I do hope that 'DOMAIN' in the above line isn't the same as on the new
 > AD DC.

Hah.  Fair enough.  Unfortunately yes, your fear has been realised, the 
domain & workgroup for both are the same.  I've now put in a new domain 
& workgroup, hereinafter referred to as NEWDOMAIN and NEWWORKGROUP 
respectively, and the old names would be OLDDOMAIN and OLDWORKGROUP.

  I've updated the following files to reflect the new domain & workgroup 
names - let me know if I've missed something:

- /etc/hosts
- /etc/resolv.conf
- Provisioned new domain using samba-tool (note, couldn't find how to 
delete an old domain, so I'm dangerously assuming provisioning the new 
domain will overwrite the old one), although...

root at olddomain-ad:/home/kit# samba-tool domain info
Forest           : newdomain.intranet
Domain           : newdomain.intranet
Netbios domain   : NEWDOMAIN
DC name          : olddomain-ad.newdomain.intranet
DC netbios name  : olddomain
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name
root at domain-ad:/home/kit#

I'm concerned about the DC netbios name though, that'd match the old DC 
netbios name.

root at olddomain-ad:/home/kit# klist
Ticket cache: FILE:/tmp/krb5cc_1000_LUxuAq
Default principal: Administrator at NEWDOMAIN.INTRANET
Valid starting     Expires            Service principal
07/02/19 19:20:01  08/02/19 05:20:01 
         renew until 08/02/19 19:19:50
root at olddomain-ad:/home/kit#

Only issue I can see is the last line of the below output:

root at olddomain-ad:/home/kit# smbclient -L localhost -U%
Domain=[NEWDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
         Sharename       Type      Comment
         ---------       ----      -------
         netlogon        Disk
         sysvol          Disk
         Profiles        Disk
         users           Disk
         IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
Domain=[NEWDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
         Server               Comment
         ---------            -------
         Workgroup            Master
         ---------            -------
         WORKGROUP            OLDWORKGROUP

root at olddomain-ad:/home/kit#

Whew.  So I went to the test client, got it to leave the olddomain, it 
asked to restart, and when it came back up, I found it was impossible to 
log into *any* account on the computer, whether local, olddomain or 
newdomain!  After fruitless hours trying to enable the local admin 
account and reset its password, I gave up and reinstalled Windows so the 
test client is now fresh and blank.  So now I've done the following:

- Added in a local account for myself only
- Enabled local admin account and set password (in case something like 
the previous happens again!)
- Changed DNS to point to
- Joined domain newdomain
- Rebooted and logged in as NEWDOMAIN\Administrator

All worked fine, was able to go to in Explorer and see all 
the shares.  OK, can see the 4 shares listed.  So I then used RSAT to 
add in a new user (kit) and tried to assign the Profiles and user home 
folder shares to the new user and was unable to.  Looked at the shares, 
found the domain admin has no access to all the shared folders and all 
the users listed that had permissions to access had SIDs from the old 
domain profile, so followed the instructions found here


to reset the permissions etc.  I got up to the "Advanced Security 
Settings for users (\\olddomain-ad.newdomain.intranet)" bit in the 
HOWTO, made the changes suggested by the table (set access levels for 
Domain Admins, Domain Users, and CREATOR OWNER) and clicked "Apply" and 
got a permission denied error:

"An error occurred while applying security information to: 
\\\users. Failed to enumerate objects in the container.  
Access is denied".

Now, I'm not sure how to reset this, am hoping you can point me the 
right way please?  (Sorry, I'm now 7 hours past my clocking-out time!)

Many thanks!

With kind regards - Piers

More information about the samba mailing list