[Samba] Cannot access PDC shares via alias name

Antonio Trogu a.trogu at gruppoconcorde.it
Fri Jul 7 09:39:53 UTC 2023


Hello, and sorry Rowland and everybody for the confusion. My fault: I 
wrote PDC but I was meaning AD DC.

It was the only DC for the AD, and what I was trying to achieve is to 
replace it with a new one as the only DC for the domain, and to connect to 
the new one with both the new and the old server name.

Thanks for the suggestion. I've used the CNAME method, but I can't connect 
to the old server name from Windows clients, with the errors shown in my 
previous message - essentially: "Failed to find 
DC2$@SAMDOM.EXAMPLE.COM(kvno 1) in keytab FILE..." (DC2 is the new name, 
while DC1 is the old one).

I think that the issue could be due to a wrong/missing addition of the 
servicePrincipalName, since the cname is working correctly, but the next 
time I'll try with the method you suggested.

Antonio

On Thu, 6 Jul 2023, Rowland Penny via samba wrote:

>
>
> On 06/07/2023 16:16, Antonio Trogu via samba wrote:
>> Hello,
>> 
>> I needed to replace an old Samba AD PDC with a new one, so I've installed 
>> the new one (Ubuntu 20.04 + Samba 4.15.13 from Ubuntu repository), joined 
>> it to the AD domain, demoted the primary, then removed it.
>
> I got totally confused the first time that I read the above, I had to read it 
> a few times before I fully understood it. The reason being, on first scan I 
> thought that Antonio was trying to join an NT4-style PDC to an AD domain, 
> which isn't the case. What he is trying to do is replace an AD DC that 
> currently holds the PDC_Emulator FSMO role.
> There are no such terms as 'PDC' and 'primary' associated with AD, all DC's 
> are equal (apart from the FSMO roles and they can be on any DC)
>
> Sorry if that sounds like preaching, but it is just the way (along with a lot 
> of others) that I see it.
>
>> All steps have been done following the Samba official howtos:
>> 
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>> 
>> and
>> 
>> https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
>> 
>> and every one after having tested the previous one's success.
>> 
>> Afterwards, to avoid needing to change all DNS and printers settings on the 
>> clients, I've added the old PDC's IP and name to the new PDC. Samba's DNS 
>> is now correctly answering on both IPs, while share access from Windows 
>> clients always fails for wrong credentials. From a linux client with 
>> smbclient instead the shares are accessible.
>
> I hope that you are running more than one DC, if you are, I would have 
> transferred all the FSMO roles to another DC, demoted the original DC, 
> cleaned up its meta data in AD and then used the same name and ipaddress for 
> the new DC, joined it to the domain and then transferred the FSMO roles back 
> again.
>
> If you don't want to do that, you should use a CNAME.
>
> Rowland
>
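Antonio's suspicion above is that the servicePrincipalName for the old name is missing on the new DC's computer account. As an added example (not part of this thread or of Samba itself), the script below takes a constructed copy of what `samba-tool spn list DC2$` prints, works out which SPNs for the alias dc1 are absent, and prints the `samba-tool spn add` invocations that would register them; the host names and realm are the thread's, the SPN list is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: compare the SPNs registered on the new DC's
# computer account (DC2$) against those a client will request for the alias name
# (dc1) and emit the samba-tool commands that would add the missing ones.
# Names follow the thread: DC2 is the new DC, DC1 the old name, SAMDOM.EXAMPLE.COM the realm.

ALIAS_FQDN="dc1.samdom.example.com"
ALIAS_SHORT="dc1"
ACCOUNT="DC2\$"

# Constructed sample of `samba-tool spn list DC2$` output: only the canonical
# name dc2 is registered, nothing for the alias dc1.
CURRENT_SPNS='HOST/dc2.samdom.example.com
HOST/DC2
ldap/dc2.samdom.example.com
cifs/dc2.samdom.example.com'

# required_spns FQDN SHORT -> the SPNs an SMB client may ask a ticket for when
# it connects to the alias by either its FQDN or its short name.
required_spns() {
    printf '%s\n' "HOST/$1" "HOST/$2" "cifs/$1" "cifs/$2"
}

# missing_spns FQDN SHORT "<existing list>" -> required SPNs absent from the
# list; comparison is case-insensitive because SPNs are matched that way.
missing_spns() {
    existing=$(printf '%s\n' "$3" | tr '[:upper:]' '[:lower:]')
    required_spns "$1" "$2" | while IFS= read -r spn; do
        lc=$(printf '%s' "$spn" | tr '[:upper:]' '[:lower:]')
        printf '%s\n' "$existing" | grep -Fxq -- "$lc" || printf '%s\n' "$spn"
    done
}

# spn_add_commands FQDN SHORT "<existing list>" ACCOUNT -> one
# `samba-tool spn add <spn> <account>` line per missing SPN, for review
# before running them on the DC.
spn_add_commands() {
    missing_spns "$1" "$2" "$3" | while IFS= read -r spn; do
        printf 'samba-tool spn add %s %s\n' "$spn" "$4"
    done
}

spn_add_commands "$ALIAS_FQDN" "$ALIAS_SHORT" "$CURRENT_SPNS" "$ACCOUNT"
```

Run the generated lines on the DC, then re-run `samba-tool spn list DC2$` to confirm the alias entries appear before testing from a Windows client again.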




