[Samba] unique index violation on objectSid on samba ad

mathias dufresne infractory at gmail.com
Mon Oct 19 14:50:21 UTC 2015


Do you know scripts?
Do you read a little bit about Samba? Kerberos? Keytab?

Yes, samba-tool domain provision takes time. On my VMs (almost the same concept
as your containers, I feel like that had to be mentioned) it takes something
like 12 seconds. Almost the same for joining a DC to the domain.

I install my Samba domains using scripts. These scripts provision the first
DC then join the others.

Of course I wrote these scripts myself and that is time, or work, or both.

So to achieve that you will have to work too. But be reassured: it is
possible :)

2015-10-19 16:02 GMT+02:00 Krutskikh Ivan <stein.hak at gmail.com>:

> Let me explain myself here. We ship video surveillance systems with
> built-in ad domain controllers on 2 servers. Right now we have 4 active
> projects and 3 more this year. Provisioning dc's by hand each time is a
> pain I would like to avoid.
>
> There's not much I want from a domain: groups 'video' and 'video admins' to
> exist, gpo's to auto redirect user profiles to network share and to prevent
> users from video and video admins group from windows login and some
> specific password age settings.
>
> But if I would have to do this manually for every new system...
>
> So please advise me how to make a template domain for this setup.
>
> 2015-10-19 16:33 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
> > On 19/10/15 14:07, Krutskikh Ivan wrote:
> >
> >> ok =( Guess I should repeat all the work from scratch. So just to check if
> >> I got it right:
> >>
> >> 1) Create a new container. Provision an AD DC on it. Can I join some
> >> machine to apply some gpo's and to create users at this point? I'll delete it
> >> afterwards
> >>
> >
> > Well NO , there is no point.
> >
> >
> >> 2) Power down the container from 1) and use it as a template for every
> >> other dc I need just by changing ip/dns
> >>
> >
> > NO, clone the container BEFORE you provision Samba, at this point you can
> > use it as a template.
> >
> >
> >> 3) Create another template for the second domain. Clone it and attach for
> >> each new dc from 2)
> >>
> >
> > Why do you need different DCs ? if they are all going to be in the same
> > realm, you can use 'sites', if they aren't, then they need to be totally
> > different DNS domains and realms. Speaking of which, all machines in a
> > realm need to be using the same DNS domain, you seem to using different
> > domains on your original DCs (dc.office.mtt & bdc.tsnr.mtt)
> >
> >> Will this work? The dc's would work in different lan's.
> >>
> >
> > Don't recommend it.
> >
> > Rowland
> >
> >
> >
> >> 2015-10-19 15:39 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
> >>
> >>> Hello Ivan,
> >>>
> >>> Am 19.10.2015 um 12:42 schrieb Krutskikh Ivan:
> >>>
> >>>> I think, I've done something stupid here. At first I've created 2 lxc
> >>>> containers and provisioned one as dc.office.mtt and joined second one to
> >>>> the first as bdc.tsnr.mtt.
> >>>>
> >>> You should not name your DC something like "backup" (bdc). If the first
> >>> one (dc) gets lost, you only have one. There's no primary, secondary,
> >>> etc. in an AD.
> >>>
> >>> But this isn't your problem :-)
> >>>
> >>>
> >>>
> >>>> Then I've cloned those containers several times
> >>>> and changed ip addresses and dns names of new containers to different
> >>>> subnets.
> >>>>
> >>> This was the mistake you made. Don't join and then clone! DCs have GUIDs
> >>> inside the AD. If you change the name/IP after the join, you have two
> >>> hosts with the same GUID in AD and you will of course get replication
> >>> problems.
> >>>
> >>> Is this already in production or just with a large number of
> >>> user/computers? If not, start from scratch. I think it's much less work
> >>> and risk to prevent upcoming trouble in future.
> >>>
> >>> 1. Install first DC
> >>> 2. Provision a domain on it
> >>> 3. Install second DC as template (just install OS + Samba, but don't
> >>> join!)
> >>> 4. Clone your machine
> >>> 5. Give the clone a new hostname and IP
> >>> 6. Join the cloned machine to the domain
> >>> 7. Repeat 4-6 for all DCs you want to create.
> >>>
> >>>
> >>>
> >>> Regards,
> >>> Marc
> >>>
> >>>
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

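Marc's seven steps and Mathias's "I install my Samba domains using scripts", written out as one script. This is an added example, not code from the thread or from the Samba project; it assumes Samba's default private directory /var/lib/samba/private, a systemd host (hostnamectl) and the built-in Administrator account. The guard refuses to provision or join a clone that already carries sam.ldb, which is exactly the clone-after-join mistake that duplicated GUIDs and objectSids in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): first DC is provisioned,
# every further DC is a clone taken BEFORE Samba was provisioned/joined,
# renamed, then joined. Flags used are real samba-tool options (Samba 4.x).
set -eu

# Samba's default private directory is assumed; override via environment.
SAMBA_PRIVATE="${SAMBA_PRIVATE:-/var/lib/samba/private}"

# Safe to provision/join only if no AD database exists under $1.
# Returns 1 when sam.ldb is present: this clone was taken after a join.
ensure_unjoined() {
    if [ -e "$1/sam.ldb" ]; then
        echo "refusing: $1/sam.ldb exists, clone was made after provision/join" >&2
        return 1
    fi
}

# NetBIOS domain name from the realm: first DNS label, upper-cased,
# cut to the 15-character NetBIOS limit (e.g. office.mtt -> OFFICE).
netbios_from_realm() {
    printf '%s' "${1%%.*}" | tr '[:lower:]' '[:upper:]' | cut -c1-15
}

# usage: provision_dc first|extra REALM NEW_HOSTNAME
provision_dc() {
    role="$1" realm="$2" host="$3"
    ensure_unjoined "$SAMBA_PRIVATE"          # catch a too-late clone
    hostnamectl set-hostname "$host"          # step 5: new name (systemd assumed)
    case "$role" in
      first)                                  # step 2: provision the domain
        samba-tool domain provision --use-rfc2307 --realm="$realm" \
          --domain="$(netbios_from_realm "$realm")" --server-role=dc \
          --dns-backend=SAMBA_INTERNAL --host-name="$host" ;;
      extra)                                  # step 6: join the clone as a DC
        samba-tool domain join "$realm" DC -U Administrator \
          --dns-backend=SAMBA_INTERNAL ;;
      *) echo "usage: $0 first|extra REALM HOSTNAME" >&2; return 1 ;;
    esac
    samba-tool dbcheck                        # sanity check the new database
}

if [ "$#" -gt 0 ]; then provision_dc "$@"; fi
```

Run it once with `first` on the provisioned DC, then with `extra` on each clone; steps 4 to 7 become "clone the unjoined template, run the script".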
