[Samba] Windows client still tries to connect to old AD after replacement

Rowland Penny rpenny at samba.org
Fri Feb 8 09:55:11 UTC 2019 

On Fri, 8 Feb 2019 00:21:47 +0000
Piers Kittel via samba <samba at lists.samba.org> wrote:

> Thanks again Rowland for getting back to me.  Here's my comments
> below:
> 
>  >> /etc/hosts:
>  >> 127.0.0.1       localhost
>  >> 192.168.0.17    ad.domain.intranet ad
>  >> 192.168.0.21    domain-ad.domain.intranet     domain-ad
>  >
>  > Remove the line above, this is the old AD domain and shouldn't have
>  > anything pointing to the new one.
> 
> Have deleted this line.  This is a hangover from when I tried to
> connect both the old and new ADs.  No device exists with the IP
> address 192.168.0.21, luckily.
> 
>  >> /etc/resolv.conf:
>  >> domain Hitronhub.home
>  >> search Hitronhub.home
>  >> nameserver 192.168.0.1
>  >
>  > This is a DC, it should be pointing to itself as a nameserver.
> 
> Done.
> 
>  >>          realm = DOMAIN.INTRANET
>  >>          workgroup = DOMAIN
>  >
>  > What did you say about workgroups ?
>  > I do hope that 'DOMAIN' in the above line isn't the same as on the
>  > new AD DC.
> 
> Hah.  Fair enough.  Unfortunately yes, your fear has been realised,
> the domain & workgroup for both are the same.  I've now put in a new
> domain & workgroup, hereinafter referred to as NEWDOMAIN and
> NEWWORKGROUP respectively, and the old names would be OLDDOMAIN and
> OLDWORKGROUP.
> 
>   I've updated the following files to reflect the new domain &
> workgroup names - let me know if I've missed something:
> 
> - /etc/hosts
> - /etc/resolv.conf
> - Provisioned new domain using samba-tool (note, couldn't find how to 
> delete an old domain, so I'm dangerously assuming provisioning the
> new domain will overwrite the old one), although...
> 
> root at olddomain-ad:/home/kit# samba-tool domain info 192.168.0.11
> Forest           : newdomain.intranet
> Domain           : newdomain.intranet
> Netbios domain   : NEWDOMAIN
> DC name          : olddomain-ad.newdomain.intranet
> DC netbios name  : olddomain
> Server site      : Default-First-Site-Name
> Client site      : Default-First-Site-Name
> root at domain-ad:/home/kit#
> 
> I'm concerned about the DC netbios name though, that'd match the old
> DC netbios name.
> 
> root at olddomain-ad:/home/kit# klist
> Ticket cache: FILE:/tmp/krb5cc_1000_LUxuAq
> Default principal: Administrator at NEWDOMAIN.INTRANET
> Valid starting     Expires            Service principal
> 07/02/19 19:20:01  08/02/19 05:20:01 
> krbtgt/NEWDOMAIN.INTRANET at NEWDOMAIN.INTRANET
>          renew until 08/02/19 19:19:50
> root at olddomain-ad:/home/kit#
> 
> Only issue I can see is the last line of the below output:
> 
> root at olddomain-ad:/home/kit# smbclient -L localhost -U%
> Domain=[NEWDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>          Sharename       Type      Comment
>          ---------       ----      -------
>          netlogon        Disk
>          sysvol          Disk
>          Profiles        Disk
>          users           Disk
>          IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
> Domain=[NEWDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>          Server               Comment
>          ---------            -------
>          Workgroup            Master
>          ---------            -------
>          WORKGROUP            OLDWORKGROUP
> 
> root at olddomain-ad:/home/kit#
> 
> Whew.  So I went to the test client, got it to leave the olddomain,
> it asked to restart, and when it came back up, I found it was
> impossible to log into *any* account on the computer, whether local,
> olddomain or newdomain!  After fruitless hours trying to enable the
> local admin account and reset its password, I gave up and reinstalled
> Windows so the test client is now fresh and blank.  So now I've done
> the following:
> 
> - Added in a local account for myself only
> - Enabled local admin account and set password (in case something
> like the previous happens again!)
> - Changed DNS to point to 192.168.0.11
> - Joined domain newdomain
> - Rebooted and logged in as NEWDOMAIN\Administrator
> 
> All worked fine, was able to go to 192.168.0.11 in Explorer and see
> all the shares.  OK, can see the 4 shares listed.  So I then used
> RSAT to add in a new user (kit) and tried to assign the Profiles and
> user home folder shares to the new user and was unable to.  Looked at
> the shares, found the domain admin has no access to all the shared
> folders and all the users listed that had permissions to access had
> SIDs from the old domain profile, so followed the instructions found
> here
> 
> https://wiki.samba.org/index.php/User_Home_Folders
> 
> to reset the permissions etc.  I got up to the "Advanced Security 
> Settings for users (\\olddomain-ad.newdomain.intranet)" bit in the 
> HOWTO, made the changes suggested by the table (set access levels for 
> Domain Admins, Domain Users, and CREATOR OWNER) and clicked "Apply"
> and got a permission denied error:
> 
> "An error occurred while applying security information to: 
> \\192.168.0.11\users. Failed to enumerate objects in the container.  
> Access is denied".

Did you click on the hyperlink that would have taken you here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

> 
> Now, I'm not sure how to reset this, am hoping you can point me the 
> right way please?  (Sorry, I'm now 7 hours past my clocking-out time!)

Been there, done that.

Rowland

More information about the samba mailing list