[Samba] Upgrade AD DS from 4.9.5 -> 4.13.13, cannot resolve usernames on member server

[Harald Hannelius]

On Mon, 31 Oct 2022, Rowland Penny via samba wrote:
> On 31/10/2022 13:08, Harald Hannelius wrote:
>> On Fri, 28 Oct 2022, Rowland Penny via samba wrote:
>> 
>>> Normally I create a new computer running the latest Debian version and 
>>> then install the latest version of Samba possible. I would then join this 
>>> as a DC and then, once everything is definitely running okay, demote one 
>>> of my old DC's, repeat for every other DC.
>> 
>> So I installed a Debian 11 computer, and Samba 4.16.6 from 
>> bullseye-backports. I joined this to the AD and it looks like everything 
>> went OK. 'samba-tool ldapcmp' looks good, as does 'samba-tool drs 
>> showrepl'.
>> 
>> Is there a way for me to actually test this "SAD3" new AD DC by for 
>> instance forcing one of my test fileservers to use only this computer as 
>> the DS?
>
> It is not easy, AD likes to find the best DC to use, but you could try adding 
> 'password server = XXXX' where 'XXXX' the name or IP of the DC you want to 
> use.

Yes, I tried that. tcpdump didn't reveal traffic to the third DC until I 
rebooted the test fileserver. But Yes, everything looks OK now so I think I 
can (dare) proceed with the others.

>> If testing of SAD3 looks good, the the next logical step would be to demote 
>> SAD2 (as long as it's not primary)
>
> It shouldn't matter (and please stop calling it 'primary'), all DC's are

You're right, I stand corrected. It was the roles I was referring to but was 
intrained in the vocabulary.

>>> Then that needs to be a 'trusted' domain with its own 'idmap config' 
>>> block.
>> 
>> I will get back to this, I promise. Sounds interesting, and I really need 
>> to learn more. If there only was more hours per day :/
>
> I have been working on time machine for a long time now, it still doesn't 
> work :-D

:)

Thank You

-- 

Harald Hannelius | harald.hannelius/a\arcada.fi | +358 50 594 1020