[Samba] unique index violation on objectSid on samba ad

Rowland Penny rowlandpenny241155 at gmail.com
Tue Oct 20 07:26:19 UTC 2015


On 20/10/15 05:44, Krutskikh Ivan wrote:
> We actually sell whole systems with isolated lan and centralized
> authentication and password management. Typically about 7 servers and 5
> workstations.
>
> 2015-10-19 18:58 GMT+03:00 Rowland Penny <rowlandpenny241155 at gmail.com>:
>
>> On 19/10/15 16:23, Krutskikh Ivan wrote:
>>
>>> And if you really want to work with cloning, then provision the first,
>>>> join the second, do all your changes, take a snapshot of both. Then you
>>>> have the same setup again for the next customer. As long as the
>>>> customers will never meet and two of your systems come into the same
>>>> network, it is no problem, because the domain would have the same name,
>>>> SID, etc.
>>>>
>>> I did more or less so and it resulted in the subject problem. I guess some
>>> experiments are needed.
>>>
>>>
>>> 2015-10-19 18:13 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
>>>
>>> Am 19.10.2015 um 16:02 schrieb Krutskikh Ivan:
>>>>> Let me explain myself here. We ship video surveillance systems with
>>>>> built-in AD domain controllers on 2 servers. Right now we have 4 active
>>>>> projects and 3 more this year. Provisioning DCs by hand each time is a
>>>>> pain I would like to avoid.
>>>>>
>>>>> There's not much I want from a domain: groups 'video' and 'video admins'
>>>>> to exist, GPOs to auto redirect user profiles to a network share and to
>>>>> prevent users from the video and video admins groups from Windows login,
>>>>> and some specific password age settings.
>>>>>
>>>> What is the reason to ship that system with a DC? I don't know your
>>>> system, but usually this kind of equipment is something I want to
>>>> _integrate_ into my network and not run it as a part that manages my
>>>> network.
>>>>
>>>> Why not make it a domain member or standalone system with local users?
>>>>
>>>>
>>>>
>>>> But if I would have to do this manually for every new system...
>>>> You can script very easily around samba-tool: the provisioning, the join of
>>>> the second DC, user/group creation, etc.
>>>>
>>>>
>>>> And if you really want to work with cloning, then provision the first,
>>>> join the second, do all your changes, take a snapshot of both. Then you
>>>> have the same setup again for the next customer. As long as the
>>>> customers will never meet and two of your systems come into the same
>>>> network, it is no problem, because the domain would have the same name,
>>>> SID, etc.
>>>>
>>>>
>>>>
>>>> Regards,
>>>> Marc
>>>>
>>>>
>> Will your appliance need to connect to other machines? Or is it a
>> standalone thing?
>> What I am trying to get at is, will it run as a domain controller for
>> other machines? If not, then it sounds like overkill to me, and it also
>> sounds a bit like the machine I have for our CCTV cameras: it outputs to a
>> monitor (in our case, a TV) and stores everything on a hard drive, a bit
>> like a NAS with eyes :-D
>>
>> Rowland
>>
>>
>>
>>

OK, in this case, I think you need to script the install somehow; each
DC needs to be unique no matter where it is.
The short hostname and IP address of each machine in the domain need to
be different, and all must use the same domain name. You also need to ensure
that each machine uses a different MAC address. You can start with a
basic cloned base, make the required changes and then set it up in its
required role.

The one thing that I am struggling to understand is why you typically 
supply more servers than workstations.

Rowland
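An added example, not code from anyone in this thread: a small POSIX sh driver for the scripted approach suggested above. It checks that every appliance DC in a constructed inventory has a unique short hostname, IP and MAC (the uniqueness rules Rowland lists) before emitting the samba-tool provision/join commands; the realm, workgroup and inventory values are placeholders, and commands are only printed unless RUN=1.

```shell
#!/bin/sh
# Constructed inventory, one DC per line: "role hostname ip mac".
# Role dc1 is provisioned, every other role joins the existing domain.
INVENTORY='dc1 videodc1 10.10.0.1 52:54:00:aa:bb:01
dc2 videodc2 10.10.0.2 52:54:00:aa:bb:02'

REALM="${REALM:-video.example.com}"   # placeholder realm, set per deployment
WORKGROUP="${WORKGROUP:-VIDEO}"       # placeholder NetBIOS domain name

# check_unique INVENTORY: return 0 when no hostname, IP or MAC repeats,
# 1 (with a message on stderr) when a column contains a duplicate.
check_unique() {
    inv="$1"
    for col in 2 3 4; do
        dups=$(printf '%s\n' "$inv" | awk -v c="$col" '{ print tolower($c) }' \
               | sort | uniq -d)
        if [ -n "$dups" ]; then
            echo "duplicate value in column $col: $dups" >&2
            return 1
        fi
    done
    return 0
}

# emit_cmd ROLE HOSTNAME: print the samba-tool command for that DC; run it
# only when RUN=1 (ADMINPASS must then be set in the environment).
emit_cmd() {
    role="$1"; host="$2"
    case "$role" in
        dc1) cmd="samba-tool domain provision --realm=$REALM --domain=$WORKGROUP \
--server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=\"\$ADMINPASS\"" ;;
        *)   cmd="samba-tool domain join $REALM DC -U Administrator \
--dns-backend=SAMBA_INTERNAL" ;;
    esac
    echo "# on $host: $cmd"
    if [ "${RUN:-0}" = 1 ]; then
        eval "$cmd"
    fi
    return 0
}

# Refuse to emit anything when the inventory would produce non-unique DCs.
if check_unique "$INVENTORY"; then
    printf '%s\n' "$INVENTORY" | while read -r role host ip mac; do
        emit_cmd "$role" "$host"
    done
fi
```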



