[Samba] Joining a new Samba AD DC
Rowland Penny
rpenny at samba.org
Sun Jul 23 20:07:06 UTC 2023
On 23/07/2023 20:40, Mark Foley via samba wrote:
> On Sun Jul 16 04:21:55 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
>> On 16/07/2023 07:10, Mark Foley via samba wrote:
>>> I am planning on upgrading my AD/DC from Samba version 4.8.2 to the most recent
>>> version in my Slackware distro which is currently 4.15.13.
>>>
>>> In previous threads in this maillist I was advised that the best route to
>>> achieve this was to add a 2nd domain controller, then promote that one and
>>> demote the original. I'm in the process of setting up a 2nd DC to that end.
>
>>>
>>> 2) The next thing the wiki doc says to do is to provision the DC. Will doing so
>>> on this 2nd DC interfere with the current/primary DC?
>>
>> I think you may be following the wrong instructions, the page you linked
>> to is for provisioning the first DC in a new domain.
>> Have you read this wiki page:
>>
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>>
>> It is only possible to provision one DC in a domain (you actually create
>> the domain and then automatically join the first DC during the process),
>> after that you join extra DCs to the domain.
>
> Thanks, I'm now referencing your suggested wiki.
>
> Question 1: That wiki says:
>
> Configuring the /etc/resolv.conf
>
> Set the DNS server IP and AD DNS domain in your /etc/resolv.conf. For example:
>
> nameserver 10.99.0.1
> search samdom.example.com
>
> Is the nameserver as shown supposed to be the primary/current AD/DC?
It is supposed to be another AD DC (there is no such thing as a
'primary' DC, they are all equal). I have added a note to the wiki page.
> Currently,
> the AD/DC is 192.168.0.2 and in that host's resolv.conf the nameserver IP is set
> to itself. In this joined DC, should the nameserver be the primary/current AD/DC
> or itself (192.168.0.7)?
Initially the nameserver needs to be another AD DC; once the join
succeeds, you change it to the new DC's IP address (aka its own IP address).
>
> Question 2: After setting krb5.conf per the wiki, the test command does not work:
>
> # kinit Administrator
> Password for Administrator at hprs.local:
I really hope that '.local' is a placeholder for the real TLD; '.local' is
reserved for Bonjour and Avahi and, as such, shouldn't be used.
> kinit: KDC reply did not match expectations while getting initial credentials
Provided that Kerberos and DNS are set up correctly, that should work.
>
> # klist
> klist: No credentials cache found (filename: /tmp/krb5cc_0)
>
> Does something have to be running first? Note that samba is installed, but not
> running.
Your DC needs to be able to contact a DC, preferably itself, but if the
computer is pointing at another DC and the required packages are
installed, then kinit should work.
Rowland
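The resolv.conf rule above (point at an existing DC for the join, then at the new DC's own address afterwards) and the '.local' caveat, as an added pre-flight check that is not part of the thread or the Samba wiki. It takes the resolv.conf content as a string so it runs offline; the addresses 192.168.0.2 (existing DC) and 192.168.0.7 (new DC) are the ones from the thread, and the realm SAMDOM.EXAMPLE.COM is the wiki's example value.

```shell
#!/bin/sh
# Constructed example: sanity-check resolv.conf for the phase of a Samba DC join.
# PHASE is "join" (nameserver must be an existing DC, never this host) or
# "post-join" (nameserver should now be this DC's own address).
#
# check_resolv CONTENT OWN_IP PHASE REALM
# Prints each problem found; returns 0 if the config fits the phase, 1 otherwise.
check_resolv() {
    content=$1; own_ip=$2; phase=$3; realm=$4
    rc=0
    ns=$(printf '%s\n' "$content" | awk '$1=="nameserver"{print $2; exit}')
    search=$(printf '%s\n' "$content" | awk '$1=="search"{print $2; exit}')
    if [ -z "$ns" ]; then
        echo "no nameserver line in resolv.conf"; rc=1
    fi
    case $phase in
        join)
            if [ "$ns" = "$own_ip" ]; then
                echo "join: nameserver must be an existing DC, not this host ($own_ip)"; rc=1
            fi ;;
        post-join)
            if [ "$ns" != "$own_ip" ]; then
                echo "post-join: nameserver should be this DC's own address ($own_ip), got '$ns'"; rc=1
            fi ;;
        *) echo "unknown phase '$phase'"; rc=1 ;;
    esac
    # The search domain is the AD DNS domain, i.e. the realm in lower case.
    realm_lc=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    if [ "$search" != "$realm_lc" ]; then
        echo "search domain '$search' does not match realm '$realm_lc'"; rc=1
    fi
    if realm_is_mdns_reserved "$realm"; then
        echo "warning: realm '$realm' ends in .local, which is reserved for mDNS (Avahi/Bonjour)"
    fi
    return $rc
}

# realm_is_mdns_reserved REALM -> 0 if the realm ends in .local, 1 otherwise
realm_is_mdns_reserved() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        *.local) return 0 ;;
        *) return 1 ;;
    esac
}

# Run with "demo" as the first argument to see a passing join-phase check.
if [ "${1-}" = "demo" ]; then
    check_resolv "$(printf 'nameserver 192.168.0.2\nsearch samdom.example.com\n')" \
        192.168.0.7 join SAMDOM.EXAMPLE.COM && echo "resolv.conf ok for join"
fi
```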