Gavrilov Aleksey
2016-Oct-10 12:42 UTC
[Samba] Replacement pdc samba3 to samba4 nt classic
The migration was carried out because the old server broke down. After setting up the new server, adding Windows PCs to the domain stopped working.

root at pdc:/var/log/samba# cat /etc/samba/smb.conf

[global]
# Default options
allow nt4 crypto = yes
client ntlmv2 auth = no
disable spoolss = yes
dns proxy = no
dont descend = ./lost+found
guest account = nobody
hide files = /.*/lost+found/
hide unreadable = yes
idmap gid = 10000-30000
idmap uid = 10000-30000
invalid users = root bin daemon adm sync shutdown halt mail news uucp proxy www-data backup sshd
ldap admin dn = "cn=admin,dc=rugion,dc=ru"
ldap delete dn = no
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap passwd sync = yes
ldap ssl = off
ldap suffix = ou=arkhangelsk,dc=rugion,dc=ru
ldap user suffix = ou=users
load printers = no
locking = yes
log file = /var/log/samba/log.%m
# log level = 4
logon home =
logon path =
logon script = \\PDC\netlogon\logon.bat
map to guest = Bad User
max log size = 1000
obey pam restrictions = yes
pam password change = yes
panic action = /usr/share/samba/panic-action %d
passdb backend = ldapsam:ldap://127.0.0.1/
ldapsam:trusted=yes
ldapsam:editposix=yes
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
passwd program = /usr/bin/passwd %u
printcap name = /dev/null
printing = bsd
require strong key = no
server role = classic primary domain controller
server string = %h file server
show add printer wizard = no
smb2 leases = yes
syslog = 0
template shell = /bin/bash
unix charset = UTF8
unix password sync = yes
use sendfile = yes
usershare allow guests = yes
# wins server = 192.168.29.17
wins support = yes
workgroup = corp.29.ru
netbios name = pdc
local master = yes
os level = 255
domain master = yes
domain logons = yes
preferred master = auto
#local master = yes
add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
delete user script = /usr/sbin/smbldap-userdel '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1

# add machine script = /usr/local/sbin/ldapaddmachine '%u' nt_computers
# add user script = /usr/local/sbin/ldapadduser '%u' nt_users
# add group script = /usr/local/sbin/ldapaddgroup '%g'
# add user to group script = /usr/local/sbin/ldapaddusertogroup '%u' '%g'
# delete user script = /usr/local/sbin/ldapdeleteuser '%u'
# delete group script = /usr/local/sbin/ldapdeletegroup '%g'
# delete user from group script = /usr/local/sbin/ldapdeleteuserfromgroup '%u' '%g'
# set primary group script = /usr/local/sbin/ldapsetprimarygroup '%u' '%g'
# rename user script = /usr/local/sbin/ldaprenameuser '%uold' '%unew'

[netlogon]
comment = netlogon share
create mask = 0660
directory mask = 0770
guest ok = no
inherit acls = yes
inherit owner = yes
inherit permissions = yes
locking = no
map acl inherit = yes
path = /srv/samba/netlogon
read list = @nt_users
read only = No
write list = @nt_admin

root at pdc:/var/log/samba# cat /etc/smbldap-tools/smbldap.conf
SID="S-1-5-21-1997676671-1552059010-3109710481"
sambaDomain="CORP.29.RU"
ldapTLS="0"
masterLDAP="127.0.0.1"
masterPort="389"
suffix="ou=arkhangelsk,dc=rugion,dc=ru"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
userSmbHome=
userProfile=
userHomeDrive=
userScript=//pdc/netlogon/logon.bat
mailDomain="corp.29.ru"
defaultComputerGid="515"
defaultUserGid="513"

root at pdc:/var/log/samba# smbldap-populate
Populating LDAP directory for domain CORP.29.RU (S-1-5-21-1997676671-1552059010-3109710481)
(using builtin directory structure)

Use of uninitialized value $prefix in substitution (s///) at /usr/local/sbin/smbldap-populate line 175.
Use of uninitialized value $prefix in split at /usr/local/sbin/smbldap-populate line 178.
entry ou=arkhangelsk,dc=rugion,dc=ru already exist.
entry ou=users,ou=arkhangelsk,dc=rugion,dc=ru already exist.
entry ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already exist.
entry ou=computers,ou=arkhangelsk,dc=rugion,dc=ru already exist.
entry sambaDomainName=CORP.29.RU,ou=arkhangelsk,dc=rugion,dc=ru already exist. Updating it...
entry uid=root,ou=users,ou=arkhangelsk,dc=rugion,dc=ru already exist.
entry uid=nobody,ou=users,ou=arkhangelsk,dc=rugion,dc=ru already exist.
entry cn=Domain Admins,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already exist.
entry cn=Domain Users,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already exist.
entry cn=Domain Guests,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already exist.
entry cn=Domain Computers,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already exist.
entry cn=Administrators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already exist.
entry cn=Account Operators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already exist.
entry cn=Print Operators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already exist.
entry cn=Backup Operators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already exist.
entry cn=Replicators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already exist.

Please provide a password for the domain root:
/usr/local/sbin/smbldap-passwd: user root doesn't exist

root at pdc:/var/log/samba# smbldap-config
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
       smbldap-tools script configuration
       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Before starting, check
 . if your samba controller is up and running.
 . if the domain SID is defined (you can get it with the 'net getlocalsid')

 . you can leave the configuration using the Ctrl-c key combination
 . empty value can be set with the "." character
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

root at pdc:/var/log/samba# net getlocalsid
smbldap_search_domain_info: Got too many (3) domain info entries for domain CORP.29.RU
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
pdb backend ldapsam:ldap://127.0.0.1/ did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
WARNING: Could not open passdb

root at pdc:/var/log/samba# net rpc join -S pdc -U admin%secret
Failed to join domain: failed to lookup DC info for domain 'CORP.29.RU' over rpc: The connection was refused
You have new mail in /var/mail/root
root at pdc:/var/log/samba#

How do I introduce a new PDC in a domain?

--
Sincerely,
Gavrilov Aleksey
System Administrator
Ltd. "Hearst Shkulev Digital Rugion"
tel.: 8 (351) 729-94-90, ext. 345
mob. +7 999 581 7934
gavrilov at info74.ru
Chelyabinsk, st. Lesoparkovaya, 6, office 308
On Mon, 10 Oct 2016 17:42:54 +0500 Gavrilov Aleksey via samba <samba at lists.samba.org> wrote:

> [...]
>
> How do I introduce a new PDC in a domain?

A couple of things spring to mind here, the first is, you seem to be using a REALM name for a workgroup name i.e. you have 'corp.29.ru' and it should be something like 'corp'.

Secondly, you have these lines:

ldapsam:trusted=yes
ldapsam:editposix=yes

You also have lines that refer to smbldap-tools, you don't need smbldap-tools if you use the above two lines, see 'man smb.conf' for more info.

Rowland
On 10:43:49 wrote Gavrilov Aleksey via samba:

> [...]
>
> root at pdc:/var/log/samba# net getlocalsid
> smbldap_search_domain_info: Got too many (3) domain info entries for domain CORP.29.RU
> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
> pdb backend ldapsam:ldap://127.0.0.1/ did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
> WARNING: Could not open passdb
>
> root at pdc:/var/log/samba# net rpc join -S pdc -U admin%secret
> Failed to join domain: failed to lookup DC info for domain 'CORP.29.RU' over rpc: The connection was refused
> You have new mail in /var/mail/root
> root at pdc:/var/log/samba#

Until now, you have destroyed your domain.
Is the ldap directory on localhost in production or is this pc in a test lab?

> How do I introduce a new PDC in a domain?

Only *one* PDC per domain is allowed! But one may have dozens of BDCs and member servers. So, do you have a working PDC?
Or should the new machine replace an old PDC?
What ldap server is in use? Which version?

--
Regards
Harry Jede
On Tuesday, 11 October 2016, you wrote:
> On 11.10.2016 13:52, Harry Jede via samba wrote:
> > On 10:43:49 wrote Gavrilov Aleksey via samba:
> > Until now, you have destroyed your domain.
> > Is the ldap directory on localhost in production or is this pc in a
> > test lab?
>
> a copy of the old server ldap
>
> >> How do I introduce a new PDC in a domain?
> >
> > Only *one* PDC per domain is allowed! But one may have dozens of
> > BDCs and member servers. So, do you have a working PDC?
>
> I do not have a working pdc now
>
> > Or should the new machine replace an old PDC?
>
> yes, it's a replacement
>
> > What ldap server is in use? Which version?
>
> slapd/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed]
>
> file system is damaged on the old server
> I was able to restore some files
> have backups for the old server
>
> I'm trying to make a change of PDC

OK, let us try to restore.

You may post the following in a private mail.
Post the output of those commands to give us some info:

# the structure of your DIT
# ldapsearch -xLLL -H ldapi:/// -b dc=rugion,dc=ru hasSubordinates=TRUE dn

# the registered domains
# ldapsearch -xLLL -H ldapi:/// '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName sambaSID

# the machines and or trust accounts
# ldapsearch -xLLL -H ldapi:/// '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID

# ls -l /var/lib/samba/
# cat /etc/nsswitch.conf
# cat /etc/pam_ldap.conf |egrep -v '^#|^$'
# ls -l /etc/pam_ldap.secret
# cat /etc/pam.d/common-account|egrep -v '^#|^$'
# cat /etc/pam.d/common-auth|egrep -v '^#|^$'
# cat /etc/pam.d/common-password|egrep -v '^#|^$'
# cat /etc/pam.d/common-session|egrep -v '^#|^$'

--
Regards
Harry Jede
Gavrilov Aleksey
2016-Oct-12 04:58 UTC
[Samba] Replacement pdc samba3 to samba4 nt classic
On 11.10.2016 17:22, Harry Jede via samba wrote:
> [...]
>
> OK, let us try to restore.
>
> You may post the following in a private mail.
> Post the output of those commands to give us some info:
>
> # the structure of your DIT
> # ldapsearch -xLLL -H ldapi:/// -b dc=rugion,dc=ru hasSubordinates=TRUE dn

root at pdc:~# ldapsearch -xLLL -H ldapi:/// -b ou=arkhangelsk,dc=rugion,dc=ru hasSubordinates=TRUE dn
dn: ou=arkhangelsk,dc=rugion,dc=ru
dn: ou=users,ou=arkhangelsk,dc=rugion,dc=ru
dn: ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
dn: ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
dn: ou=users.deleted,ou=arkhangelsk,dc=rugion,dc=ru

> # the registered domains
> # ldapsearch -xLLL -H ldapi:/// '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName sambaSID

root at pdc:~# ldapsearch -xLLL -H ldapi:/// '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName sambaSID
No such object (32)
root at pdc:~# ldapsearch -xLLL -H ldapi:/// '(objectclass=sambasamaccount)' -b ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID
dn: uid=root,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-500

dn: uid=admin,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1001
sambaAcctFlags: [U ]

dn: uid=udina,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1110
sambaAcctFlags: [U ]

dn: uid=bakova,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1007
sambaAcctFlags: [U ]

dn: uid=nobody,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaAcctFlags: [NUD ]
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-501

dn: uid=semakov,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1020
sambaAcctFlags: [U ]

dn: uid=voronin,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1129
sambaAcctFlags: [U ]

dn: uid=chirkova,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1062
sambaAcctFlags: [U ]
...

> # the machines and or trust accounts
> # ldapsearch -xLLL -H ldapi:/// '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID

root at pdc:~# ldapsearch -xLLL -H ldapi:/// '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID
No such object (32)
root at pdc:~# ldapsearch -xLLL -H ldapi:/// '(&(cn=*$)(objectclass=sambasamaccount))' -b ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID
dn: uid=pdc$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1015
sambaAcctFlags: [S ]

dn: uid=wolf$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1025
sambaAcctFlags: [W ]

dn: uid=29get$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1086
sambaAcctFlags: [W ]
...

> # ls -l /var/lib/samba/

root at pdc:~# ls -l /var/lib/samba/
total 1832
-rw------- 1 root root 421888 Oct 7 16:02 account_policy.tdb
-rw------- 1 root root 696 Oct 6 11:24 group_mapping.tdb
drwxr-xr-x 10 root root 4096 Oct 6 11:24 printers
drwxr-xr-x 3 root root 4096 Oct 7 11:10 private
-rw------- 1 root root 528384 Oct 6 11:24 registry.tdb
-rw------- 1 root root 421888 Oct 6 11:24 share_info.tdb
drwxrwx--T 2 root sambashare 4096 Oct 6 11:24 usershares
-rw------- 1 root root 32768 Oct 11 11:19 winbindd_cache.tdb
-rw-r--r-- 1 root root 421888 Oct 10 11:48 winbindd_idmap.tdb
drwxr-x--- 2 root root 4096 Oct 11 11:19 winbindd_privileged
-rw-r--r-- 1 root root 2496 Oct 12 07:45 wins.dat
-rw------- 1 root root 24576 Oct 12 07:39 wins.tdb

> # cat /etc/nsswitch.conf

root at pdc:~# cat /etc/nsswitch.conf
ethers: db files
group: compat ldap winbind
hosts: files dns
netgroup: nis
networks: files
passwd: compat ldap winbind
protocols: db files
rpc: db files
services: db files
shadow: compat

> # cat /etc/pam_ldap.conf |egrep -v '^#|^$'

root at pdc:~# cat /etc/pam_ldap.conf |egrep -v '^#|^$'
cat: /etc/pam_ldap.conf: No such file or directory
root at pdc:~# cat /etc/ldap.conf |egrep -v '^#|^$'
host 127.0.0.1
base ou=arkhangelsk,dc=rugion,dc=ru
ldap_version 3
port 389
scope one
timelimit 30
bind_policy soft
idle_timelimit 3600
pam_password md5
nss_base_passwd ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one
nss_base_group ou=groups,ou=arkhangelsk,dc=rugion,dc=ru?one
nss_base_passwd ou=computers,ou=arkhangelsk,dc=rugion,dc=ru?one
nss_base_shadow ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one
nss_connect_policy persist
nss_paged_results yes
pagesize 1000

> # ls -l /etc/pam_ldap.secret

root at pdc:~# ls -l /etc/pam_ldap.secret
ls: cannot access '/etc/pam_ldap.secret': No such file or directory

> # cat /etc/pam.d/common-account|egrep -v '^#|^$'

root at pdc:~# cat /etc/pam.d/common-account|egrep -v '^#|^$'
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so

> # cat /etc/pam.d/common-auth|egrep -v '^#|^$'

root at pdc:~# cat /etc/pam.d/common-auth|egrep -v '^#|^$'
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

> # cat /etc/pam.d/common-password|egrep -v '^#|^$'

root at pdc:~# cat /etc/pam.d/common-password|egrep -v '^#|^$'
password requisite pam_cracklib.so reject_username retry=3 minlen=18 difok=3 maxrepeat=2 minclass=4 lcredit=0 ucredit=2 dcredit=1 ocredit=1
password required pam_pwhistory.so use_authtok enforce_for_root remember=5
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so

> # cat /etc/pam.d/common-session|egrep -v '^#|^$'

root at pdc:~# cat /etc/pam.d/common-session|egrep -v '^#|^$'
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_systemd.so

--
Sincerely,
Gavrilov Aleksey
System Administrator
Ltd. "Hearst Shkulev Digital Rugion"
tel.: 8 (351) 729-94-90, ext. 345
mob. +7 999 581 7934
gavrilov at info74.ru
Chelyabinsk, st. Lesoparkovaya, 6, office 308
Gavrilov Aleksey
2016-Oct-12 05:47 UTC
[Samba] Replacement pdc samba3 to samba4 nt classic
On 10.10.2016 19:20, Rowland Penny via samba wrote:
> A couple of things spring to mind here, the first is, you seem to be
> using a REALM name for a workgroup name i.e. you have 'corp.29.ru' and
> it should be something like 'corp'.

dn: sambaDomainName=CORP.29.RU,ou=arkhangelsk,dc=rugion,dc=ru
objectClass: sambaDomain
objectClass: sambaUnixIdPool
gidNumber: 1000
sambaDomainName: CORP.29.RU
sambaSID: S-1-5-21-1997676671-1552059010-3109710481
uidNumber: 1001
sambaAlgorithmicRidBase: 1000
sambaForceLogoff: -1
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaMinPwdLength: 5
sambaNextRid: 1000
sambaNextUserRid: 1000
sambaPwdHistoryLength: 0
sambaRefuseMachinePwdChange: 0

dn: uid=pdc$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: pdc$
gidNumber: 10005
homeDirectory: /dev/null
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1015
uid: pdc$
uidNumber: 20013
description: Machine account
displayName: pdc$
gecos: pdc$
loginShell: /bin/false
sambaAcctFlags: [S ]
sambaNTPassword: ***
sambaPwdLastSet: 1292410092

dn: uid=admin,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: admin
gidNumber: 10002
homeDirectory: /var/local/samba/profiles/admin
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1001
sn: admin
uid: admin
uidNumber: 10001
description: User account
displayName:: 0JDQtNC80LjQvdC40YHRgtGA0LDRgtC+0YA
gecos: admin
loginShell: /sbin/nologin
sambaAcctFlags: [U ]
sambaNTPassword: ***
sambaPasswordHistory: 000000000000000000000000000000000000000000000000000000
 0000000000
sambaPwdLastSet: 1289383186
sambaPwdMustChange: 0
userPassword:: ***

> Secondly, you have these lines:
>
> ldapsam:trusted=yes
> ldapsam:editposix=yes

I commented them out.

> You also have lines that refer to smbldap-tools, you don't need
> smbldap-tools if you use the above two lines, see 'man smb.conf' for
> more info.
>
> Rowland
>

The ldap scripts used on the old server (/usr/local/sbin/ldapaddmachine and the others) I copied from the old server to the new server, but with them the domain join is not working.

cat /var/log/samba/log.smbd
...
[2016/10/11 11:19:04.878485, 5, pid=7397, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_interface.c:91(smb_register_passdb)
  Successfully added passdb backend 'IPA_ldapsam'
[2016/10/11 11:19:04.878496, 5, pid=7397, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_interface.c:154(make_pdb_method_name)
  Attempting to find a passdb backend to match ldapsam:ldap://127.0.0.1/ (ldapsam)
[2016/10/11 11:19:04.878507, 5, pid=7397, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_interface.c:175(make_pdb_method_name)
  Found pdb backend ldapsam
[2016/10/11 11:19:04.894016, 2, pid=7397, effective(0, 0), real(0, 0)] ../source3/passdb/pdb_ldap_util.c:280(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CORP.29.RU))]
[2016/10/11 11:19:04.894048, 5, pid=7397, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:1249(smbldap_search_ext)
  smbldap_search_ext: base => [ou=arkhangelsk,dc=rugion,dc=ru], filter => [(&(objectClass=sambaDomain)(sambaDomainName=CORP.29.RU))], scope => [2]
[2016/10/11 11:19:04.894086, 5, pid=7397, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:1114(smbldap_close)
  The connection to the LDAP server was closed
[2016/10/11 11:19:04.894100, 10, pid=7397, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:595(smb_ldap_setup_conn)
  smb_ldap_setup_connection: ldap://127.0.0.1/
[2016/10/11 11:19:04.894888, 2, pid=7397, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:794(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2016/10/11 11:19:04.894906, 10, pid=7397, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:954(smbldap_connect_system)
  ldap_connect_system: Binding to ldap server ldap://127.0.0.1/ as "cn=admin,dc=rugion,dc=ru"
[2016/10/11 11:19:04.905959, 3, pid=7397, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
  ldap_connect_system: LDAP server does support paged results
[2016/10/11 11:19:04.906016, 4, pid=7397, effective(0, 0), real(0, 0)] ../source3/lib/smbldap.c:1092(smbldap_open)
  The LDAP server is successfully connected
[2016/10/11 11:19:04.910225, 0, pid=7397, effective(0, 0), real(0, 0)] ../source3/passdb/pdb_ldap_util.c:331(smbldap_search_domain_info)
  smbldap_search_domain_info: Got too many (3) domain info entries for domain CORP.29.RU
[2016/10/11 11:19:04.910260, 0, pid=7397, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_ldap.c:6534(pdb_ldapsam_init_common)
  pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain. We cannot work reliably without it.
[2016/10/11 11:19:04.910274, 0, pid=7397, effective(0, 0), real(0, 0), class=passdb] ../source3/passdb/pdb_interface.c:179(make_pdb_method_name)
  pdb backend ldapsam:ldap://127.0.0.1/ did not correctly init (error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)

--
Sincerely,
Gavrilov Aleksey
System Administrator
Ltd. "Hearst Shkulev Digital Rugion"
tel.: 8 (351) 729-94-90, ext. 345
mob. +7 999 581 7934
gavrilov at info74.ru
Chelyabinsk, st. Lesoparkovaya, 6, office 308
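The decisive line in the log above is "Got too many (3) domain info entries for domain CORP.29.RU": the ldapsam backend searches the whole subtree under 'ldap suffix' for (&(objectClass=sambaDomain)(sambaDomainName=CORP.29.RU)) and refuses to initialise unless exactly one entry comes back. As an added example (not Samba code and not part of the thread), the script below repeats that lookup offline over an LDIF export, so a restored directory can be checked for stray sambaDomain entries before smbd is started. The LDIF in it is constructed for the demonstration: the ou=restore and ou=old containers and their entries are invented to reproduce the three-match condition from the log.

```python
"""Offline re-run of the sambaDomain lookup that smbd's ldapsam backend does at
start-up: base = 'ldap suffix', scope = subtree (2), filter =
(&(objectClass=sambaDomain)(sambaDomainName=<workgroup>)).

Added example, not Samba code. The LDIF below is constructed: it deliberately
contains three sambaDomain entries for CORP.29.RU (one live, one stale copy
from a restore, one differing only in case) so the check reports the same
"too many domain info entries" condition the log shows. The ou=restore and
ou=old containers are invented.
"""
import base64
from typing import Dict, List, Tuple

LdifEntry = Dict[str, List[str]]

LDAP_SUFFIX = "ou=arkhangelsk,dc=rugion,dc=ru"  # 'ldap suffix' from smb.conf

SAMPLE_LDIF = """\
# constructed sample, not a real directory export
dn: sambaDomainName=CORP.29.RU,ou=arkhangelsk,dc=rugion,dc=ru
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: CORP.29.RU
sambaSID: S-1-5-21-1997676671-1552059010-3109710481

dn: uid=pdc$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
objectClass: account
objectClass: sambaSamAccount
uid: pdc$
description:: TWFjaGluZSBhY2NvdW50
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000
 0000000000

dn: sambaDomainName=CORP.29.RU,ou=restore,ou=arkhangelsk,dc=rugion,dc=ru
objectClass: sambaDomain
sambaDomainName: CORP.29.RU

dn: sambaDomainName=corp.29.ru,ou=old,ou=arkhangelsk,dc=rugion,dc=ru
objectClass: sambaDomain
sambaDomainName: corp.29.ru
"""


def parse_ldif(text: str) -> List[LdifEntry]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, skips comments and splits entries on blank lines."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:      # RFC 2849 line folding
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[LdifEntry] = []
    current: LdifEntry = {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                  # attr:: <base64 value>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def _norm_dn(dn: str) -> str:
    return ",".join(p.strip() for p in dn.split(",")).lower()


def in_subtree(dn: str, base: str) -> bool:
    """LDAP scope 2 (subtree): the base entry itself or anything beneath it."""
    d, b = _norm_dn(dn), _norm_dn(base)
    return d == b or d.endswith("," + b)


def find_domain_entries(entries: List[LdifEntry], base: str, domain: str) -> List[str]:
    """DNs that match smbd's domain-info search. sambaDomainName is compared
    case-insensitively by the Samba LDAP schema, so CORP.29.RU and corp.29.ru
    count as the same value, exactly as the server would see them."""
    hits = []
    for e in entries:
        dn = e.get("dn", [""])[0]
        if not in_subtree(dn, base):
            continue
        classes = {c.lower() for c in e.get("objectClass", [])}
        names = {n.lower() for n in e.get("sambaDomainName", [])}
        if "sambadomain" in classes and domain.lower() in names:
            hits.append(dn)
    return hits


def check_domain_info(entries: List[LdifEntry], base: str, domain: str) -> Tuple[str, List[str]]:
    """'ok' for exactly one entry; 'missing' (smbd would try to create one) or
    'duplicate' (the condition in the log: too many domain info entries)."""
    hits = find_domain_entries(entries, base, domain)
    if not hits:
        return "missing", hits
    if len(hits) > 1:
        return "duplicate", hits
    return "ok", hits


if __name__ == "__main__":
    state, dns = check_domain_info(parse_ldif(SAMPLE_LDIF), LDAP_SUFFIX, "CORP.29.RU")
    print(state, len(dns))
    for dn in dns:
        print("  ", dn)
```

Run against a real export (for example the output of slapcat or ldapsearch on the new server) by reading the file into parse_ldif instead of SAMPLE_LDIF and passing the 'ldap suffix' and 'workgroup' values from smb.conf. Anything other than "ok" is what smbd will also stumble over; the duplicate DNs are listed so it is clear which copies came in with the restore.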
Gavrilov Aleksey
2016-Oct-12 05:47 UTC
[Samba] Replacement pdc samba3 to samba4 nt classic
On 11.10.2016 13:52, Harry Jede via samba wrote:
> On 10:43:49 wrote Gavrilov Aleksey via samba:
> Until now, you have destroyed your domain.
> Is the ldap directory on localhost in production or is this pc in a test
> lab?

A copy of the old server's ldap.

>> How do I introduce a new PDC in a domain?
> Only *one* PDC per domain is allowed! But one may have dozens of BDCs
> and member servers. So, do you have a working PDC?

I do not have a working pdc now.

> Or should the new machine replace an old PDC?

Yes, it's a replacement.

> What ldap server are in use? Which version?

slapd/xenial-updates, now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed]

The file system is damaged on the old server. I was able to restore some files; I have backups for the old server. I'm trying to make a change of PDC.