Just back from my clown college classes with David Thompson...
After a little time away from the screen, I did a review of my steps.
The obvious thing I missed was that I re-activated not the last instance
of the member-server VM, but a slightly earlier instance, one where I
had not edited the /etc/nsswitch.conf file to have winbind as the 2nd
method.
The member server works just as it did before. I will now try it with
the production AD-DC.
My apologies for lowering the signal to noise ratio.
d.
On 15-01-18 04:34 PM, BISI wrote:
> OK - I must be close, but I'm lost...
>
> I have a sernet member server that I built and joined to a test
> win2008R2 AD Domain Controller ("the AD-DC").
> (Version 4.1.14-SerNet-Debian-9.wheezy)
>
> I used Louis van Belle's setup script (manually executed, just 'cause
> I'm that kind of guy).
>
> https://secure.bazuin.nl/scripts/4-setup-sernet-samba4-MEMBER-wheezy.sh
>
> The install, configuration and testing of the member server went very
> smoothly, (also teaching me, I thought, that you need to install the
> deprecated IdMU service to the AD-DC server first, and set up the NIS
> information (GIDs and UIDs on the AD-DC). Everything worked as expected.
> One wrinkle here -- In my ignorance, I did not accept the default 10000
> starting point for NIS UIDs and GIDs. I followed the lead of one of the
> example smb.conf scripts, and started at 500.
>
> After testing was complete, I did a
> net ads leave -U administrator
> to remove the member server from the domain.
>
> I am now trying to get the same member server (it is an esxi VM) working
> with a production AD-DC, and it's no longer working. So I've built yet
> another test windows AD-DC and I can't get the member server working
> properly with that one, either.
>
> Clearly I'm missing something obvious. Any help to identify what it is
> would be greatly welcomed.
>
> A collection of maybe-relevant information:
> - I made the original test windows AD-DC with the same forest/domain
> name. The new test windows AD-DC has the same (HO.EXAMPLE.ORG)
> - The member server joins the domain with the usual statements of
> success (and creates a new krb5.keytab file).
> - The server shows up in DNS properly, and is visible in the windows
> explorer/browser but if one of the joined-up windows 7 machines attempts
> to access the server, the dialog asking for credentials comes up.
> - the wbinfo -u and -g commands work
> - id domainUser does not (no such user)
> - wbinfo -i testuser responds with information put in the NIS fields
> on the AD-DC, but is clearly assigning the user to the wrong domain
> testuser:*:50002:50003:testuser:/home/testuser:/bin/false
>
> smb.conf on the member server:
>> # /etc/samba/smb.conf
>> [global]
>> workgroup = HO
>> security = ADS
>> realm = HO.EXAMPLE.ORG
>>
>> netbios name = sernetmember
>> domain master = no
>> host msdfs = no
>>
>> dedicated keytab file = /etc/krb5.keytab
>> kerberos method = secrets and keytab
>> client signing = if_required
>>
>> ## map id's outside to domain to tdb files.
>> idmap config *:backend = tdb
>> idmap config *:range = 50001-80000
>> ## map ids from the domain
>> ## the two ranges MUST not overlap !
>> idmap config INTERNAL:backend = ad
>> idmap config INTERNAL:schema_mode = rfc2307
>> idmap config INTERNAL:range = 2000-40000
>>
>> winbind nss info = rfc2307
>> winbind trusted domains only = no
>> winbind use default domain = yes
>> winbind enum users = yes
>> winbind enum groups = yes
>> winbind refresh tickets = yes
>> winbind offline logon = yes
>>
>> wins server = 192.168.21.1
>>
>> template shell = /bin/bash
>> template homedir = /home/samba/HO/users/%USERNAME%
>>
>> # user Administrator workaround, without it you are unable to set
>> privileges
>> username map = /etc/samba/samba_usermapping
>>
>> # For ACL support on member file server
>> vfs objects = acl_xattr
>> map acl inherit = yes
>> store dos attributes = yes
>>
>> # Share Setting Globally
>> usershare allow guests = no
>> unix extensions = no
>> wide links = no
>> reset on zero vc = yes
>> veto files = /.bash_logout/.bash_profile/.bash_history/.bashrc/
>> hide unreadable = yes
>>
>> # disable printing completely
>> load printers = no
>> printing = bsd
>> printcap name = /dev/null
>> disable spoolss = yes
>>
>>
>> [home]
>> path = /mnt/smbshares/home
>> read only = no
>>
>> [profiles$]
>> path = /mnt/smbshares/profiles
>> read only = no
>> admin users = +"HO\Domain Admins"
>> profile acls = yes
>> csc policy = disable
>>
>> [public]
>> path = /mnt/smbshares/public
>> read only = no
>>
>> [install$]
>> path = /mnt/smbshares/install
>> read only = no
>>
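The two things this thread turns on are checkable offline: whether /etc/nsswitch.conf lists winbind for passwd and group (the cause the reply finally identifies, which is why `wbinfo -u` worked while `id domainUser` did not), and whether the domain label used in the `idmap config <DOMAIN>:...` lines equals `workgroup` (the quoted smb.conf labels the ad backend `INTERNAL` while the workgroup is `HO`, so a uid such as 50002 can only have come from the `*` tdb range 50001-80000). The script below is an added example, not code from the thread or from Louis van Belle's setup script; the sample nsswitch.conf and smb.conf files it writes into a temporary directory are constructed to mirror the quoted configuration and a corrected copy, and the function names are my own.

```shell
#!/bin/sh
# Added diagnostic for a Samba AD member server (not code from the thread or
# from Louis van Belle's script). It checks the two things the thread turns on:
#   1. /etc/nsswitch.conf lists winbind for passwd and group, otherwise
#      `id domainuser` fails while `wbinfo -u` still works;
#   2. the domain label in "idmap config <DOMAIN>:..." equals "workgroup",
#      otherwise domain users get ids from the default "*" tdb range.
# File paths are parameters so the checks can run against copies offline.

# nss_has_winbind FILE DB: succeed if the DB line (e.g. "passwd") lists winbind
nss_has_winbind() {
    awk -v db="$2:" '
        !/^[[:space:]]*#/ && $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# smb_param FILE NAME: print the value of the first "NAME = value" line (case-insensitive)
smb_param() {
    awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*[#;]/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            if (tolower(key) == name) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# idmap_domain_matches FILE: succeed if an idmap backend is configured for the workgroup
idmap_domain_matches() {
    wg=$(smb_param "$1" workgroup)
    [ -n "$wg" ] && [ -n "$(smb_param "$1" "idmap config $wg:backend")" ]
}

# uid_owner FILE UID: print the idmap label ("*" or a domain) whose range holds UID
uid_owner() {
    awk -v uid="$2" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*idmap config [^:]+:range[[:space:]]*=/ {
            label = $0
            sub(/^[[:space:]]*idmap config[[:space:]]+/, "", label); sub(/:.*/, "", label)
            rng = $0; sub(/.*=[[:space:]]*/, "", rng); split(rng, b, "-")
            if (uid + 0 >= b[1] + 0 && uid + 0 <= b[2] + 0) { print label; exit }
        }' "$1"
}

# check_member_server NSS SMB: 0 if both checks pass, else list the problems and return 1
check_member_server() {
    rc=0
    for db in passwd group; do
        nss_has_winbind "$1" "$db" || { echo "nsswitch: $db does not list winbind"; rc=1; }
    done
    idmap_domain_matches "$2" || {
        echo "smb.conf: no idmap config for workgroup '$(smb_param "$2" workgroup)'"; rc=1; }
    return $rc
}

# write_samples DIR: constructed files mirroring the thread's state and a corrected copy
write_samples() {
    printf 'passwd:         compat\ngroup:          compat\n' > "$1/nss.bad"
    printf 'passwd:         compat winbind\ngroup:          compat winbind\n' > "$1/nss.good"
    cat > "$1/smb.bad" <<'EOF'
[global]
   workgroup = HO
   security = ADS
   realm = HO.EXAMPLE.ORG
   idmap config *:backend = tdb
   idmap config *:range = 50001-80000
   idmap config INTERNAL:backend = ad
   idmap config INTERNAL:schema_mode = rfc2307
   idmap config INTERNAL:range = 2000-40000
EOF
    sed 's/INTERNAL/HO/' "$1/smb.bad" > "$1/smb.good"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
echo "--- configuration as quoted in the thread ---"
check_member_server "$SAMPLES/nss.bad" "$SAMPLES/smb.bad" || true
echo "uid 50002 is allocated from idmap range: $(uid_owner "$SAMPLES/smb.bad" 50002)"
echo "--- corrected configuration ---"
check_member_server "$SAMPLES/nss.good" "$SAMPLES/smb.good" && echo "all checks pass"
```

Run against a live box with `check_member_server /etc/nsswitch.conf /etc/samba/smb.conf`; `uid_owner` is the quick way to tell whether an id reported by `wbinfo -i` came from the ad backend's range or from the tdb fallback, which is the "wrong domain" symptom described above.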