Hi all, I appear to have solved this issue for myself by setting up an entirely new AD DC today based on 16.04 LTS, and joining it to the existing domain. I took no action at all on the affected system, and yet today after setting that new system up, the affected system seems to be connecting properly as before, so I suspect that this might very well be the solution. As I said before, I was not able to upgrade any of my 4.1.6 DCs to 4.3.8 as something would get horribly corrupted, but setting up a new one seems to have worked with only minor complications and confusion.
I more or less followed the instructions at the Samba AD Wiki for joining a new DC to an existing domain, except that they seem to specify a few strange things, such as that you MUST set up bind DLZ first before provisioning, which I actually think is impossible, and switching to bind after joining worked fine. The whole process was not too hard, though it was confusing at times, especially since it seemed to not be working until after I rebooted after the join was done.
I had a few problems with it at first giving me lots of errors about NT_STATUS_INVALID_SID and such, especially with commands like "smbclient -L localhost -U%", but output of the "samba-tool drs showrepl" command and all the DNS commands looked like they were connecting to the other DC properly, so at one point I rebooted and it seemed to work after that. I suspect that leaving "idmap_ldb:use rfc2307 = yes" out of my smb.conf might have contributed to fixing stuff, but I suspect it was mostly just the reboot that took care of things, possibly because of the network settings changes involved during the samba config process. I can't confirm for sure what it was, as I did a lot of stuff between reboots and samba restarts; all I can confirm for sure is that my previously affected server is no longer throwing a fit now that it can contact my new DC, even though it cannot contact any of the others.
Also, apparently you can have winbind running on an AD DC now since 4.3.X, so I did that, and I can do id username queries from the command line of the DC and they all work. This seems to be a new feature, I think because they replaced the special winbind they were using with AD DCs before with the original winbind daemon.
https://bugs.launchpad.net/bugs/1572824
Title: Samba Domain Member cannot check passwords against Samba AD DC after "Badlock" update
