[Samba] Windows client still tries to connect to old AD after replacement
Rowland Penny
rpenny at samba.org
Fri Feb 8 09:55:11 UTC 2019
On Fri, 8 Feb 2019 00:21:47 +0000
Piers Kittel via samba <samba at lists.samba.org> wrote:
> Thanks again Rowland for getting back to me. Here are my comments
> below:
>
> >> /etc/hosts:
> >> 127.0.0.1 localhost
> >> 192.168.0.17 ad.domain.intranet ad
> >> 192.168.0.21 domain-ad.domain.intranet domain-ad
> >
> > Remove the line above, this is the old AD domain and shouldn't have
> > anything pointing to the new one.
>
> Have deleted this line. This is a hangover from when I tried to
> connect both the old and new ADs. No device exists with the IP
> address 192.168.0.21, luckily.
>
> >> /etc/resolv.conf:
> >> domain Hitronhub.home
> >> search Hitronhub.home
> >> nameserver 192.168.0.1
> >
> > This is a DC, it should be pointing to itself as a nameserver.
>
> Done.
>
> >> realm = DOMAIN.INTRANET
> >> workgroup = DOMAIN
> >
> > What did you say about workgroups ?
> > I do hope that 'DOMAIN' in the above line isn't the same as on the
> > new AD DC.
>
> Hah. Fair enough. Unfortunately yes, your fear has been realised,
> the domain & workgroup for both are the same. I've now put in a new
> domain & workgroup, hereinafter referred to as NEWDOMAIN and
> NEWWORKGROUP respectively, and the old names would be OLDDOMAIN and
> OLDWORKGROUP.
>
> I've updated the following files to reflect the new domain &
> workgroup names - let me know if I've missed something:
>
> - /etc/hosts
> - /etc/resolv.conf
> - Provisioned new domain using samba-tool (note, couldn't find how to
> delete an old domain, so I'm dangerously assuming provisioning the
> new domain will overwrite the old one), although...
>
> root at olddomain-ad:/home/kit# samba-tool domain info 192.168.0.11
> Forest : newdomain.intranet
> Domain : newdomain.intranet
> Netbios domain : NEWDOMAIN
> DC name : olddomain-ad.newdomain.intranet
> DC netbios name : olddomain
> Server site : Default-First-Site-Name
> Client site : Default-First-Site-Name
> root at domain-ad:/home/kit#
>
> I'm concerned about the DC netbios name though, that'd match the old
> DC netbios name.
>
> root at olddomain-ad:/home/kit# klist
> Ticket cache: FILE:/tmp/krb5cc_1000_LUxuAq
> Default principal: Administrator at NEWDOMAIN.INTRANET
> Valid starting       Expires              Service principal
> 07/02/19 19:20:01    08/02/19 05:20:01    krbtgt/NEWDOMAIN.INTRANET at NEWDOMAIN.INTRANET
>         renew until 08/02/19 19:19:50
> root at olddomain-ad:/home/kit#
>
> Only issue I can see is the last line of the below output:
>
> root at olddomain-ad:/home/kit# smbclient -L localhost -U%
> Domain=[NEWDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk
>         sysvol          Disk
>         Profiles        Disk
>         users           Disk
>         IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
> Domain=[NEWDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>
>         Server               Comment
>         ---------            -------
>
>         Workgroup            Master
>         ---------            -------
>         WORKGROUP            OLDWORKGROUP
>
> root at olddomain-ad:/home/kit#
>
> Whew. So I went to the test client, got it to leave the olddomain,
> it asked to restart, and when it came back up, I found it was
> impossible to log into *any* account on the computer, whether local,
> olddomain or newdomain! After fruitless hours trying to enable the
> local admin account and reset its password, I gave up and reinstalled
> Windows so the test client is now fresh and blank. So now I've done
> the following:
>
> - Added in a local account for myself only
> - Enabled local admin account and set password (in case something
> like the previous happens again!)
> - Changed DNS to point to 192.168.0.11
> - Joined domain newdomain
> - Rebooted and logged in as NEWDOMAIN\Administrator
>
> All worked fine, was able to go to 192.168.0.11 in Explorer and see
> all the shares. OK, can see the 4 shares listed. So I then used
> RSAT to add in a new user (kit) and tried to assign the Profiles and
> user home folder shares to the new user and was unable to. Looked at
> the shares, found the domain admin has no access to all the shared
> folders and all the users listed that had permissions to access had
> SIDs from the old domain profile, so followed the instructions found
> here
>
> https://wiki.samba.org/index.php/User_Home_Folders
>
> to reset the permissions etc. I got up to the "Advanced Security
> Settings for users (\\olddomain-ad.newdomain.intranet)" bit in the
> HOWTO, made the changes suggested by the table (set access levels for
> Domain Admins, Domain Users, and CREATOR OWNER) and clicked "Apply"
> and got a permission denied error:
>
> "An error occurred while applying security information to:
> \\192.168.0.11\users. Failed to enumerate objects in the container.
> Access is denied".
Did you click on the hyperlink that would have taken you here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
>
> Now, I'm not sure how to reset this, am hoping you can point me the
> right way please? (Sorry, I'm now 7 hours past my clocking-out time!)
Been there, done that.
Rowland
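Two of the points raised in the reply above can be checked mechanically before a DC is put back into service: the DC's /etc/resolv.conf must name the DC itself as its first nameserver, and /etc/hosts must not keep entries for a retired DC or old domain. The POSIX shell script below is an added example and is not from this thread or from the Samba project; the DC address 192.168.0.11, the realm NEWDOMAIN.INTRANET and the hostnames are assumed values, and the before/after sample files it writes are constructed to mirror the configuration described in the thread rather than copied from it.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): sanity checks for a Samba
# AD DC's name resolution.
#   1. /etc/resolv.conf on a DC should list the DC itself as nameserver
#   2. /etc/hosts must not carry entries for a retired DC or old domain
# Paths are passed as arguments so the checks run against constructed
# sample files; every IP and name below is hypothetical.

# check_resolv_self RESOLV_FILE DC_IP
# Returns 0 when the first "nameserver" line is the DC's own address.
check_resolv_self() {
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ "$first_ns" = "$2" ]
}

# stale_hosts_entries HOSTS_FILE REALM
# Prints every IPv4, non-loopback /etc/hosts line whose FQDN is not under
# REALM, i.e. leftovers such as an old domain's DC that should be removed.
stale_hosts_entries() {
    realm=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v realm="$realm" '
        /^[[:space:]]*#/ || NF < 2 { next }   # comments and blank lines
        $1 ~ /^127\./ || $1 ~ /:/  { next }   # loopback and IPv6 lines
        {
            fqdn = tolower($2)
            suffix = substr(fqdn, length(fqdn) - length(realm))
            if (suffix != "." realm) print $0
        }' "$1"
}

# report RESOLV_FILE HOSTS_FILE DC_IP REALM
# Prints findings; returns 1 if either check fails.
report() {
    rc=0
    if check_resolv_self "$1" "$3"; then
        echo "OK   resolv.conf: first nameserver is the DC itself ($3)"
    else
        echo "FAIL resolv.conf: DC must list itself ($3) as first nameserver"
        rc=1
    fi
    stale=$(stale_hosts_entries "$2" "$4")
    if [ -z "$stale" ]; then
        echo "OK   hosts: no entries outside $4"
    else
        echo "FAIL hosts: remove entries outside $4:"
        echo "$stale" | sed 's/^/     /'
        rc=1
    fi
    return $rc
}

# --- constructed sample inputs, written to a temporary directory ---------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Before: the DC forwards to the home router and still lists the old DC.
cat > "$SAMPLE_DIR/resolv.before" <<'EOF'
domain Hitronhub.home
search Hitronhub.home
nameserver 192.168.0.1
EOF
cat > "$SAMPLE_DIR/hosts.before" <<'EOF'
127.0.0.1 localhost
::1 localhost ip6-localhost
192.168.0.11 ad.newdomain.intranet ad
192.168.0.21 domain-ad.olddomain.intranet domain-ad
EOF

# After: the DC resolves through itself and only knows its own realm.
cat > "$SAMPLE_DIR/resolv.after" <<'EOF'
search newdomain.intranet
nameserver 192.168.0.11
EOF
cat > "$SAMPLE_DIR/hosts.after" <<'EOF'
127.0.0.1 localhost
::1 localhost ip6-localhost
192.168.0.11 ad.newdomain.intranet ad
EOF

echo "== before =="
report "$SAMPLE_DIR/resolv.before" "$SAMPLE_DIR/hosts.before" 192.168.0.11 NEWDOMAIN.INTRANET || true
echo "== after =="
report "$SAMPLE_DIR/resolv.after" "$SAMPLE_DIR/hosts.after" 192.168.0.11 NEWDOMAIN.INTRANET
```

Run against a real DC with `report /etc/resolv.conf /etc/hosts <dc-ip> <realm>`; the first nameserver check is deliberately strict, since a DC that asks the router first will answer its own clients from the wrong zone even when it lists itself second.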