[Samba] Winbind help - with domain migration.

Daniel Lopes de Carvalho daniel at cepetro.unicamp.br
Mon Jun 22 20:00:14 UTC 2020


Hello guys
I need some lights to migrate a Winbind/Samba share to a new AD.
My scenario is:
I have an old AD running on Debian 9 and Samba 4.5.16 with many
replication issues.
Then I decided to create a new one from scratch using Debian 10 and
Samba 4.12.2 (and everything is working perfectly). I have migrated all the
accounts/machines/etc. from the old to the new domain without any problem.
Both ADs have the same domain name and realm.

The problem is:
I have another machine running Debian 9 and Samba 4.5.16 (I can't update
this server). Here I use nslcd and use AD as an LDAP server to get users and
groups. And I have a Samba share on it.
I already updated /etc/resolv.conf and pointed it to the new AD/DNS, and
restarted the samba and winbind services, but winbind is still working with
the old AD. If I stop the Samba service on the old AD, the Samba share stops
working.

I don't know if I missed something...

Find below my smb.conf, nsswitch.conf and nslcd.conf.

Thanks

####################################

SMB.CONF
security = ads
  workgroup = EXAMPLE
  realm = EXAMPLE.COM
  netbios name = hn01

  #ntlm auth = no

  idmap config * : backend = tdb
  idmap config * : range = 10000-99999

  idmap config UNISIM : default = yes
  idmap config UNISIM : backend = ad
  idmap config UNISIM : schema_mode = rfc2307
  idmap config UNISIM : range = 0-9999
  idmap config UNISIM : unix_nss_info = yes

  template homedir = /home/%U
  template shell = /bin/bash

  winbind use default domain = true
  winbind offline logon = false
  winbind nss info = rfc2307
  winbind enum users = yes
  winbind enum groups = yes

  vfs objects = acl_xattr
  map acl inherit = Yes
  store dos attributes = Yes

  log level = 4
  log file = /var/log/samba/log.%m
  syslog = 0
  syslog only = No

[area_comum]
  comment = Area comum
  browseable = yes
  writeable = yes
  path = /area_comum
  create mode = 0755
  public = yes
  read only = no
  oplocks = no
  level2 oplocks = no
#   veto oplock files = /*.LSImex/*.LSResolve/*.LSGem/*.LDImex/*.LDResolve/*.LDGem/

####################################

NSSWITCH.CONF
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

####################################

NSLCD.CONF
filter passwd (&(objectClass=user)(!(objectClass=computer)))
map passwd gecos            displayName
map passwd homeDirectory    "/home/$sAMAccountName"
map passwd loginShell       "/bin/bash"
map passwd uid              sAMAccountName

filter shadow (&(objectClass=user)(!(objectClass=computer)))
map shadow uid              sAMAccountName
map shadow shadowLastChange pwdLastSet

filter group (&(objectClass=group)(!(objectClass=computer)))

