Piers Kittel
2019-Feb-08 00:21 UTC
[Samba] Windows client still tries to connect to old AD after replacement
Thanks again Rowland for getting back to me. Here are my comments below:

>> /etc/hosts:
>> 127.0.0.1 localhost
>> 192.168.0.17 ad.domain.intranet ad
>> 192.168.0.21 domain-ad.domain.intranet domain-ad
>
> Remove the line above, this is the old AD domain and shouldn't have
> anything pointing to the new one.

Have deleted this line. This is a hangover from when I tried to connect both the old and new ADs. No device exists with the IP address 192.168.0.21, luckily.

>> /etc/resolv.conf:
>> domain Hitronhub.home
>> search Hitronhub.home
>> nameserver 192.168.0.1
>
> This is a DC, it should be pointing to itself as a nameserver.

Done.

>> realm = DOMAIN.INTRANET
>> workgroup = DOMAIN
>
> What did you say about workgroups ?
> I do hope that 'DOMAIN' in the above line isn't the same as on the new
> AD DC.

Hah. Fair enough. Unfortunately yes, your fear has been realised: the domain & workgroup for both are the same. I've now put in a new domain & workgroup, hereinafter referred to as NEWDOMAIN and NEWWORKGROUP respectively, and the old names would be OLDDOMAIN and OLDWORKGROUP.

I've updated the following files to reflect the new domain & workgroup names - let me know if I've missed something:

- /etc/hosts
- /etc/resolv.conf
- Provisioned new domain using samba-tool (note, couldn't find how to delete an old domain, so I'm dangerously assuming provisioning the new domain will overwrite the old one), although...

root@olddomain-ad:/home/kit# samba-tool domain info 192.168.0.11
Forest           : newdomain.intranet
Domain           : newdomain.intranet
Netbios domain   : NEWDOMAIN
DC name          : olddomain-ad.newdomain.intranet
DC netbios name  : olddomain
Server site      : Default-First-Site-Name
Client site      : Default-First-Site-Name
root@domain-ad:/home/kit#

I'm concerned about the DC netbios name though, that'd match the old DC netbios name.

root@olddomain-ad:/home/kit# klist
Ticket cache: FILE:/tmp/krb5cc_1000_LUxuAq
Default principal: Administrator@NEWDOMAIN.INTRANET

Valid starting     Expires            Service principal
07/02/19 19:20:01  08/02/19 05:20:01  krbtgt/NEWDOMAIN.INTRANET@NEWDOMAIN.INTRANET
        renew until 08/02/19 19:19:50
root@olddomain-ad:/home/kit#

Only issue I can see is the last line of the below output:

root@olddomain-ad:/home/kit# smbclient -L localhost -U%
Domain=[NEWDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        Profiles        Disk
        users           Disk
        IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
Domain=[NEWDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            OLDWORKGROUP
root@olddomain-ad:/home/kit#

Whew. So I went to the test client, got it to leave the olddomain, it asked to restart, and when it came back up, I found it was impossible to log into *any* account on the computer, whether local, olddomain or newdomain! After fruitless hours trying to enable the local admin account and reset its password, I gave up and reinstalled Windows so the test client is now fresh and blank. So now I've done the following:

- Added in a local account for myself only
- Enabled local admin account and set password (in case something like the previous happens again!)
- Changed DNS to point to 192.168.0.11
- Joined domain newdomain
- Rebooted and logged in as NEWDOMAIN\Administrator

All worked fine, was able to go to 192.168.0.11 in Explorer and see all the shares. OK, can see the 4 shares listed. So I then used RSAT to add in a new user (kit) and tried to assign the Profiles and user home folder shares to the new user and was unable to.

Looked at the shares, found the domain admin has no access to all the shared folders and all the users listed that had permissions to access had SIDs from the old domain profile, so followed the instructions found here

https://wiki.samba.org/index.php/User_Home_Folders

to reset the permissions etc. I got up to the "Advanced Security Settings for users (\\olddomain-ad.newdomain.intranet)" bit in the HOWTO, made the changes suggested by the table (set access levels for Domain Admins, Domain Users, and CREATOR OWNER) and clicked "Apply" and got a permission denied error:

"An error occurred while applying security information to: \\192.168.0.11\users. Failed to enumerate objects in the container. Access is denied".

Now, I'm not sure how to reset this, am hoping you can point me the right way please? (Sorry, I'm now 7 hours past my clocking-out time!)

Many thanks!

With kind regards - Piers
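The stale-trustee condition Piers describes above (share ACLs still naming SIDs from the old domain after a re-provision) can be spotted mechanically. The following is an added example, not code from this thread or from Samba: it walks an SDDL security descriptor of the form that `samba-tool ntacl get` prints (assumed) and flags every owner, group or ACE whose domain SID is not the new domain's; the descriptor and the domain SIDs are constructed sample values.

```python
import re

# Constructed sample: owner, group and four of the ACEs belong to the old domain
# (S-1-5-21-111-222-333); one ACE belongs to the new domain; CO and SY are well-known.
SAMPLE_SDDL = (
    "O:S-1-5-21-111-222-333-500"
    "G:S-1-5-21-111-222-333-513"
    "D:PAI(A;OICI;0x001f01ff;;;S-1-5-21-111-222-333-512)"
    "(A;OICI;0x001f01ff;;;S-1-5-21-111-222-333-1104)"
    "(A;OICI;0x001200a9;;;S-1-5-21-444-555-666-513)"
    "(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICI;0x001f01ff;;;SY)"
)
NEW_DOMAIN_SID = "S-1-5-21-444-555-666"  # constructed; read yours from samba-tool

# Domain SIDs are S-1-5-21-<a>-<b>-<c>; the trailing RID identifies the account.
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def parse_sddl(sddl):
    """Return (owner, group, aces); each ACE is the ';'-separated tuple inside its parens."""
    owner = re.search(r"O:(S-[\d-]+|[A-Z]{2})", sddl)
    group = re.search(r"G:(S-[\d-]+|[A-Z]{2})", sddl)
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", sddl)]
    return (owner.group(1) if owner else None,
            group.group(1) if group else None, aces)


def is_foreign(sid, expected_domain):
    """True only for domain SIDs whose domain part differs from expected_domain.
    Two-letter aliases (CO, SY, DA, ...) and non-domain SIDs are never foreign."""
    m = DOMAIN_SID_RE.match(sid)
    return bool(m) and m.group(1) != expected_domain


def stale_trustees(sddl, expected_domain):
    """List (where, sid) for every trustee that still points at another domain."""
    owner, group, aces = parse_sddl(sddl)
    found = []
    if owner and is_foreign(owner, expected_domain):
        found.append(("owner", owner))
    if group and is_foreign(group, expected_domain):
        found.append(("group", group))
    for ace in aces:
        if is_foreign(ace[-1], expected_domain):
            found.append(("ace:%s:%s" % (ace[0], ace[2]), ace[-1]))
    return found


if __name__ == "__main__":
    for where, sid in stale_trustees(SAMPLE_SDDL, NEW_DOMAIN_SID):
        print("stale trustee at %-24s %s" % (where, sid))
```

Any hit means the Windows ACL editor will show an unresolvable SID there, and "Domain Admins" of the new domain will have no rights until the descriptor is reset.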
Rowland Penny
2019-Feb-08 09:55 UTC
[Samba] Windows client still tries to connect to old AD after replacement
On Fri, 8 Feb 2019 00:21:47 +0000
Piers Kittel via samba <samba@lists.samba.org> wrote:

> Thanks again Rowland for getting back to me. Here are my comments
> below:
>
> >> /etc/hosts:
> >> 127.0.0.1 localhost
> >> 192.168.0.17 ad.domain.intranet ad
> >> 192.168.0.21 domain-ad.domain.intranet domain-ad
> >
> > Remove the line above, this is the old AD domain and shouldn't have
> > anything pointing to the new one.
>
> Have deleted this line. This is a hangover from when I tried to
> connect both the old and new ADs. No device exists with the IP
> address 192.168.0.21, luckily.
>
> >> /etc/resolv.conf:
> >> domain Hitronhub.home
> >> search Hitronhub.home
> >> nameserver 192.168.0.1
> >
> > This is a DC, it should be pointing to itself as a nameserver.
>
> Done.
>
> >> realm = DOMAIN.INTRANET
> >> workgroup = DOMAIN
> >
> > What did you say about workgroups ?
> > I do hope that 'DOMAIN' in the above line isn't the same as on the
> > new AD DC.
>
> Hah. Fair enough. Unfortunately yes, your fear has been realised:
> the domain & workgroup for both are the same. I've now put in a new
> domain & workgroup, hereinafter referred to as NEWDOMAIN and
> NEWWORKGROUP respectively, and the old names would be OLDDOMAIN and
> OLDWORKGROUP.
>
> I've updated the following files to reflect the new domain &
> workgroup names - let me know if I've missed something:
>
> - /etc/hosts
> - /etc/resolv.conf
> - Provisioned new domain using samba-tool (note, couldn't find how to
>   delete an old domain, so I'm dangerously assuming provisioning the
>   new domain will overwrite the old one), although...
>
> root@olddomain-ad:/home/kit# samba-tool domain info 192.168.0.11
> Forest           : newdomain.intranet
> Domain           : newdomain.intranet
> Netbios domain   : NEWDOMAIN
> DC name          : olddomain-ad.newdomain.intranet
> DC netbios name  : olddomain
> Server site      : Default-First-Site-Name
> Client site      : Default-First-Site-Name
> root@domain-ad:/home/kit#
>
> I'm concerned about the DC netbios name though, that'd match the old
> DC netbios name.
>
> root@olddomain-ad:/home/kit# klist
> Ticket cache: FILE:/tmp/krb5cc_1000_LUxuAq
> Default principal: Administrator@NEWDOMAIN.INTRANET
>
> Valid starting     Expires            Service principal
> 07/02/19 19:20:01  08/02/19 05:20:01  krbtgt/NEWDOMAIN.INTRANET@NEWDOMAIN.INTRANET
>         renew until 08/02/19 19:19:50
> root@olddomain-ad:/home/kit#
>
> Only issue I can see is the last line of the below output:
>
> root@olddomain-ad:/home/kit# smbclient -L localhost -U%
> Domain=[NEWDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk
>         sysvol          Disk
>         Profiles        Disk
>         users           Disk
>         IPC$            IPC       IPC Service (Samba 4.5.12-Debian)
> Domain=[NEWDOMAIN] OS=[Windows 6.1] Server=[Samba 4.5.12-Debian]
>
>         Server               Comment
>         ---------            -------
>
>         Workgroup            Master
>         ---------            -------
>         WORKGROUP            OLDWORKGROUP
> root@olddomain-ad:/home/kit#
>
> Whew. So I went to the test client, got it to leave the olddomain,
> it asked to restart, and when it came back up, I found it was
> impossible to log into *any* account on the computer, whether local,
> olddomain or newdomain! After fruitless hours trying to enable the
> local admin account and reset its password, I gave up and reinstalled
> Windows so the test client is now fresh and blank. So now I've done
> the following:
>
> - Added in a local account for myself only
> - Enabled local admin account and set password (in case something
>   like the previous happens again!)
> - Changed DNS to point to 192.168.0.11
> - Joined domain newdomain
> - Rebooted and logged in as NEWDOMAIN\Administrator
>
> All worked fine, was able to go to 192.168.0.11 in Explorer and see
> all the shares. OK, can see the 4 shares listed. So I then used
> RSAT to add in a new user (kit) and tried to assign the Profiles and
> user home folder shares to the new user and was unable to. Looked at
> the shares, found the domain admin has no access to all the shared
> folders and all the users listed that had permissions to access had
> SIDs from the old domain profile, so followed the instructions found
> here
>
> https://wiki.samba.org/index.php/User_Home_Folders
>
> to reset the permissions etc. I got up to the "Advanced Security
> Settings for users (\\olddomain-ad.newdomain.intranet)" bit in the
> HOWTO, made the changes suggested by the table (set access levels for
> Domain Admins, Domain Users, and CREATOR OWNER) and clicked "Apply"
> and got a permission denied error:
>
> "An error occurred while applying security information to:
> \\192.168.0.11\users. Failed to enumerate objects in the container.
> Access is denied".

Did you click on the hyperlink that would have taken you here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

> Now, I'm not sure how to reset this, am hoping you can point me the
> right way please? (Sorry, I'm now 7 hours past my clocking-out time!)

Been there, done that.

Rowland