Hi Rowland - thank you for replying. I have now demoted and removed the temporary DC with the intention of repeating the exercise from scratch later this week. It was a Ubuntu Server 18.04.1 and the smb.conf was very vanilla:

[global]
        workgroup = ACASTA
        realm = ACASTA.INTRA
        netbios name = UBUNTU
        server role = active directory domain controller
        dns forwarder = 192.168.200.3
        idmap_ldb:use rfc2307 = yes

The join worked successfully. DNS checked out. Kerberos checked out. I could see everything in my RSAT tools. Everything appeared to be working, except when I tried to "mkdir -p /admin-tools" on the new DC and tried to chown it to "Domain Admins" - invalid group. That's when I started testing wbinfo (works) and getent (no results).

I also updated /etc/nsswitch.conf to add winbind, and ran 'pam-auth-update' to get winbind authentication support. This latter step locked me out of the server - I had to go into recovery mode and manually unedit the pam configs to enable the clean demote and removal.

I kinda gave up at this point! My suspicion is that some package dependency hasn't been met, but I cannot find a definitive list for Ubuntu 18.

-----Original Message-----
From: Rowland Penny <rpenny at samba.org>
Sent: 26 November 2018 10:12
To: samba at lists.samba.org
Subject: Re: [Samba] Adding a new DC - ID Mappings

On Mon, 26 Nov 2018 09:47:06 +0000
Rob Mason via samba <samba at lists.samba.org> wrote:

> I’m looking to replace a DC within a small network by adding a new DC
> and transferring FSMO roles, then demoting the old DC
> (https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC).
>
> I am able to successfully deploy the new DC following directions in
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory.
> However, I am struggling with ID mappings – I’m not really
> understanding how this should work. Should I have to manually
> re-create the passwd/group entries on my new DC in order to gain the
> old uid/gid values? I’ve copied the idmap.ldb as suggested in the
> text, and whilst wbinfo returns the domain users, getent doesn’t show
> the domain accounts, only the local passwd entries.
>
> Have I missed something obvious??
>

No, you shouldn't have to recreate anything in AD, it all should be replicated.

Let's start with what OS you are using and a copy of your smb.conf.

Rowland

Acasta Ltd - A Crown Commercial Service Supplier. CyberEssentials Certified QGCE013. Registered in England 6619191. 42 Pitt Street, Barnsley, S70 1BB. VAT Registered 934 6797 75.
On Mon, 26 Nov 2018 14:00:56 +0000
Rob Mason <rob at acasta.co.uk> wrote:

> Hi Rowland - thank you for replying. I have now demoted and removed
> the temporary DC with the intention of repeating the exercise from
> scratch later this week. It was a Ubuntu Server 18.04.1 and the
> smb.conf was very vanilla:
>
> [global]
> workgroup = ACASTA
> realm = ACASTA.INTRA
> netbios name = UBUNTU
> server role = active directory domain controller
> dns forwarder = 192.168.200.3
> idmap_ldb:use rfc2307 = yes
>
> The join worked successfully. DNS checked out. Kerberos checked out.
> I could see everything in my RSAT tools. Everything appeared to be
> working, except when I tried to "mkdir -p /admin-tools" on the new DC
> and tried to chown it to "Domain Admins" - invalid group. That's when
> I started testing wbinfo (works) and getent (no results).
>
> I also updated /etc/nsswitch.conf to add winbind, and ran
> 'pam-auth-update' to get winbind authentication support. This latter
> step locked me out of the server - I had to go into recovery mode and
> manually unedit the pam configs to enable the clean demote and
> removal.
>
> I kinda gave up at this point! My suspicion is that some package
> dependency hasn't been met, but I cannot find a definitive list for
> Ubuntu 18.
>

Did you install libpam-winbind, libnss-winbind and libpam-krb5 ?

Not installing these is the major cause of getent not working.

Rowland
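Rowland's package list maps onto a small set of checks an admin can run on a freshly joined DC before touching PAM. The script below is an added example, not from this thread and not Samba's own code: it checks that the packages named in the thread are installed, that /etc/nsswitch.conf lists winbind on the passwd and group lines, and that a domain group such as "Domain Admins" resolves through getent. The package names come from the thread (libnss-winbind, libpam-winbind, krb5-user); the function names and the constructed nsswitch.conf files used by the demo function are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: NSS/winbind sanity checks
# for a freshly joined Samba AD DC on Ubuntu. Package names are the ones named in the
# thread (libnss-winbind, libpam-winbind, krb5-user); the rest is an assumption.

REQUIRED_PKGS="libnss-winbind libpam-winbind krb5-user"

# Return 0 if every package in $1 (space separated) is installed, else list the
# missing ones on stderr and return 1. Uses dpkg-query, so Debian/Ubuntu only.
check_packages() {
    missing=""
    for pkg in $1; do
        status=$(dpkg-query -W -f='${Status}' "$pkg" 2>/dev/null || true)
        case "$status" in
            *"install ok installed"*) ;;
            *) missing="$missing $pkg" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing packages:$missing" >&2
        return 1
    fi
    return 0
}

# Return 0 if the nsswitch.conf at $1 lists winbind on both the passwd and group
# lines. wbinfo talks to winbindd directly while getent goes through NSS, so a DC
# where wbinfo works but getent shows only local accounts either fails this check
# or lacks the libnss-winbind module that these entries refer to.
check_nsswitch() {
    rc=0
    for db in passwd group; do
        if ! grep -E "^[[:space:]]*${db}:" "$1" | grep -qw winbind; then
            echo "nsswitch: '${db}:' line in $1 does not list winbind" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if the group in $1 resolves through NSS; the thread's symptom was
# 'chown ... "Domain Admins"' reporting an invalid group while wbinfo listed it.
check_domain_group() {
    getent group "$1" >/dev/null
}

# Self-contained demonstration on constructed nsswitch.conf files (no DC needed):
# returns 0 when a complete file passes and a file missing winbind on group is rejected.
demo_nsswitch_check() {
    good=$(mktemp); bad=$(mktemp)
    printf 'passwd:  compat winbind\ngroup:   compat winbind\nshadow:  compat\n' > "$good"
    printf 'passwd:  compat winbind\ngroup:   compat\n' > "$bad"
    if check_nsswitch "$good"; then ok_good=0; else ok_good=1; fi
    if check_nsswitch "$bad" 2>/dev/null; then ok_bad=0; else ok_bad=1; fi
    rm -f "$good" "$bad"
    [ "$ok_good" -eq 0 ] && [ "$ok_bad" -eq 1 ]
}

# On a DC (not run by the demo):
#   check_packages "$REQUIRED_PKGS" && check_nsswitch /etc/nsswitch.conf \
#     && check_domain_group "Domain Admins" && echo "NSS/winbind checks passed"
if [ "${1:-}" = "--demo" ]; then demo_nsswitch_check && echo "demo passed"; fi
```

Running these checks before pam-auth-update, from a second login session that stays open, separates "winbind cannot be reached through NSS" (missing libnss-winbind or nsswitch entries, the case in this thread) from "PAM rejects logins", which is what locked the server here.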
Hi Rowland - just wanted to follow up and say thanks. It was a dependency issue with pam. All sorted now.

May I quickly double check that the current Samba wiki is correct - there is no automatic sysvol replication? Therefore, I must replicate my old DC sysvol to the new DC before transferring FSMO roles and demoting the old DC??

-----Original Message-----
From: Rob Mason
Sent: 26 November 2018 14:01
To: Rowland Penny <rpenny at samba.org>; samba at lists.samba.org
Subject: RE: [Samba] Adding a new DC - ID Mappings

Hi Rowland - thank you for replying. I have now demoted and removed the temporary DC with the intention of repeating the exercise from scratch later this week. It was a Ubuntu Server 18.04.1 and the smb.conf was very vanilla:

[global]
        workgroup = ACASTA
        realm = ACASTA.INTRA
        netbios name = UBUNTU
        server role = active directory domain controller
        dns forwarder = 192.168.200.3
        idmap_ldb:use rfc2307 = yes

The join worked successfully. DNS checked out. Kerberos checked out. I could see everything in my RSAT tools. Everything appeared to be working, except when I tried to "mkdir -p /admin-tools" on the new DC and tried to chown it to "Domain Admins" - invalid group. That's when I started testing wbinfo (works) and getent (no results).

I also updated /etc/nsswitch.conf to add winbind, and ran 'pam-auth-update' to get winbind authentication support. This latter step locked me out of the server - I had to go into recovery mode and manually unedit the pam configs to enable the clean demote and removal.

I kinda gave up at this point! My suspicion is that some package dependency hasn't been met, but I cannot find a definitive list for Ubuntu 18.
On Fri, 30 Nov 2018 10:02:56 +0000
Rob Mason via samba <samba at lists.samba.org> wrote:

> Hi Rowland - just wanted to follow up and say thanks. It was a
> dependency issue with pam. All sorted now.

What was missing ? The wiki may need updating.

>
> May I quickly double check that the current Samba wiki is correct -
> there is no automatic sysvol replication? Therefore, I must replicate
> my old DC sysvol to the new DC before transferring FSMO roles and
> demoting the old DC??

You still need to manually sync Sysvol between DCs and you should also sync idmap.ldb from the DC holding the 'PdcEmulation' FSMO role to all other DCs

Rowland
Hi Rowland - It was krb5-user, libpam-winbind and libnss-winbind. But this was partly due to not having the Universe repo installed from the Ubuntu 18 Live image (this has to be manually added when using the live image).

I've copied across idmap.ldb from the old (only) DC. Assuming no changes, I can just replicate Sysvol prior to migration?

thanks

--
Rob Mason

-----Original Message-----
On Fri, 30 Nov 2018 10:02:56 +0000
Rob Mason via samba <samba at lists.samba.org> wrote:

> Hi Rowland - just wanted to follow up and say thanks. It was a
> dependency issue with pam. All sorted now.

What was missing ? The wiki may need updating.

>
> May I quickly double check that the current Samba wiki is correct -
> there is no automatic sysvol replication? Therefore, I must replicate
> my old DC sysvol to the new DC before transferring FSMO roles and
> demoting the old DC??

You still need to manually sync Sysvol between DCs and you should also sync idmap.ldb from the DC holding the 'PdcEmulation' FSMO role to all other DCs

Rowland
On Fri, 30 Nov 2018 11:08:02 +0000
Rob Mason via samba <samba at lists.samba.org> wrote:

> Hi Rowland - It was krb5-user, libpam-winbind and libnss-winbind. But
> this was partly due to not having the Universe repo installed from
> the Ubuntu 18 Live image (this has to be manually added when using the
> live image).

Good, all known packages, I was just making sure something new hadn't crept in ;-)

>
> I've copied across idmap.ldb from the old (only) DC. Assuming no
> changes, I can just replicate Sysvol prior to migration?

Yes, but check everything has synced.

Rowland
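Rowland's closing advice, "check everything has synced", is worth turning into something repeatable. The script below is an added example, not from this thread and not Samba's own code: it digests a directory tree by file content so the Sysvol on two DCs can be compared as a single string, and reports which files differ when they do not match. The demo function builds a constructed two-policy Sysvol layout in temporary directories. The paths, function names and staging directory are assumptions; 'samba-tool ntacl sysvolreset' is the step the Samba wiki gives for restoring Sysvol ACLs after a manual copy.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: a content check for a
# manually synced Sysvol (or any directory copied between DCs). Paths below are
# assumptions; Samba's default Sysvol location is /var/lib/samba/sysvol.

# Print one digest covering every regular file below $1: relative path plus the
# sha256 of its contents, sorted so directory order and mtimes do not matter.
tree_digest() {
    (
        cd "$1" || exit 1
        find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            printf '%s %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)"
        done
    ) | sha256sum | cut -d' ' -f1
}

# Return 0 when the trees at $1 and $2 carry identical files; otherwise list the
# missing files and content mismatches on stderr and return 1.
verify_synced() {
    if [ "$(tree_digest "$1")" = "$(tree_digest "$2")" ]; then
        return 0
    fi
    diff -rq "$1" "$2" >&2 || true
    return 1
}

# Self-contained demonstration on a constructed two-policy Sysvol layout: returns 0
# when identical copies verify and a copy with one changed GPT.INI is rejected.
demo_sysvol_check() {
    src=$(mktemp -d); dst=$(mktemp -d)
    for gpo in GPO-constructed-1 GPO-constructed-2; do
        mkdir -p "$src/acasta.intra/Policies/$gpo" "$dst/acasta.intra/Policies/$gpo"
        printf '[General]\nVersion=1\n' > "$src/acasta.intra/Policies/$gpo/GPT.INI"
        printf '[General]\nVersion=1\n' > "$dst/acasta.intra/Policies/$gpo/GPT.INI"
    done
    if verify_synced "$src" "$dst"; then same=0; else same=1; fi
    printf '[General]\nVersion=2\n' > "$dst/acasta.intra/Policies/GPO-constructed-2/GPT.INI"
    if verify_synced "$src" "$dst" 2>/dev/null; then changed=0; else changed=1; fi
    rm -rf "$src" "$dst"
    [ "$same" -eq 0 ] && [ "$changed" -eq 1 ]
}

# On the DCs (not run by the demo): run tree_digest on each DC and compare the strings,
#   tree_digest /var/lib/samba/sysvol
# or, with the old DC's Sysvol rsync'd into a staging directory on the new DC,
#   verify_synced /srv/olddc-sysvol /var/lib/samba/sysvol
# File contents do not cover the NT ACLs kept in xattrs, so after the sync still run
# 'samba-tool ntacl sysvolreset' on the receiving DC as the Samba wiki describes.
if [ "${1:-}" = "--demo" ]; then demo_sysvol_check && echo "demo passed"; fi
```

The same comparison, or a plain sha256sum of the file on both DCs taken immediately after the copy and before samba is started on the new DC, confirms the idmap.ldb copy Rowland asks for from the PdcEmulation role holder.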