Hi Rowland - thank you for replying. I have now demoted and removed the
temporary DC with the intention of repeating the exercise from scratch later
this week. It was an Ubuntu Server 18.04.1 and the smb.conf was very vanilla:
[global]
workgroup = ACASTA
realm = ACASTA.INTRA
netbios name = UBUNTU
server role = active directory domain controller
dns forwarder = 192.168.200.3
idmap_ldb:use rfc2307 = yes
The join worked successfully. DNS checked out. Kerberos checked out. I could
see everything in my RSAT tools. Everything appeared to be working, except when
I tried to "mkdir -p /admin-tools" on the new DC and tried to chown it
to "Domain Admins" - invalid group. That's when I started testing
wbinfo (works) and getent (no results).
I also updated /etc/nsswitch.conf to add winbind, and ran
'pam-auth-update' to get winbind authentication support. This latter
step locked me out of the server - I had to go into recovery mode and manually
unedit the pam configs to enable the clean demote and removal.
I kinda gave up at this point! My suspicion is that some package dependency
hasn't been met, but I cannot find a definitive list for Ubuntu 18.
-----Original Message-----
From: Rowland Penny <rpenny at samba.org>
Sent: 26 November 2018 10:12
To: samba at lists.samba.org
Subject: Re: [Samba] Adding a new DC - ID Mappings
On Mon, 26 Nov 2018 09:47:06 +0000
Rob Mason via samba <samba at lists.samba.org> wrote:
> I’m looking to replace a DC within a small network by adding a new DC
> and transferring FSMO roles, then demoting the old DC
> (https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC).
>
> I am able to successfully deploy the new DC following directions in
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory.
> However, I am struggling with ID mappings – I’m not really
> understanding how this should work. Should I have to manually
> re-create the passwd/group entries on my new DC in order to gain the
> old uid/gid values? I’ve copied the idmap.ldb as suggested in the
> text, and whilst wbinfo returns the domain users, getent doesn’t show
> the domain accounts, only the local passwd entries.
>
> Have I missed something obvious??
>
No, you shouldn't have to recreate anything in AD, it all should be
replicated.
Let's start with what OS you are using and a copy of your smb.conf.
Rowland
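The symptom in this thread (wbinfo resolves domain accounts, getent does not, chown to "Domain Admins" fails) is an NSS problem, not a PAM one: chown and getent go through libnss_winbind and nsswitch.conf, while pam-auth-update only touches login. The script below is an added diagnostic, not from the thread or from Samba; it checks the two NSS prerequisites without touching PAM and then compares what wbinfo and getent return for a group. The nsswitch.conf path, the multiarch lib dir and the libnss-winbind package name are Ubuntu defaults and are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not part of the original thread): checks the NSS side of
# winbind on a Samba AD DC, which is what getent and "chown <domain group>"
# rely on. PAM is deliberately left alone.
# Assumed Ubuntu defaults: /etc/nsswitch.conf, multiarch lib dir, libnss-winbind.

# 0 when both the passwd: and group: lines of the given nsswitch.conf list winbind.
nsswitch_has_winbind() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# 0 when the NSS module installed by the libnss-winbind package is in the lib dir.
nss_module_present() {
    [ -e "$1/libnss_winbind.so.2" ]
}

# 0 when winbind knows the name (wbinfo) AND NSS can resolve it (getent);
# 1 reproduces the thread's symptom of wbinfo working while getent is empty.
domain_group_resolves() {
    wbinfo --name-to-sid "$1" >/dev/null 2>&1 || return 1
    getent group "$1" >/dev/null 2>&1
}

# $1: nsswitch.conf path, $2: lib dir. Prints findings; 0 only if both checks pass.
check_nss() {
    rc=0
    if nsswitch_has_winbind "$1"; then
        echo "ok: winbind listed on passwd: and group: in $1"
    else
        echo "MISSING: add 'winbind' to the passwd: and group: lines in $1"; rc=1
    fi
    if nss_module_present "$2"; then
        echo "ok: libnss_winbind.so.2 found in $2"
    else
        echo "MISSING: $2/libnss_winbind.so.2 (install the libnss-winbind package)"; rc=1
    fi
    return $rc
}

# Only run the live checks when executed as a script named check_winbind_nss.sh,
# so the functions can be sourced and unit-tested offline.
case "$0" in
*check_winbind_nss.sh)
    check_nss /etc/nsswitch.conf /lib/x86_64-linux-gnu &&
    domain_group_resolves "Domain Admins" &&
    echo "ok: 'Domain Admins' resolves through getent, chown by group name will work"
    ;;
esac
```

Fix whatever the script reports as MISSING, rerun getent, and only then consider pam-auth-update; a missing NSS module is the usual reason getent stays empty while wbinfo works.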