[Samba] Setup a Samba AD DC as an additional DC
Barry D. Adkins
Barry at daram.com
Fri Nov 23 08:20:42 UTC 2018
Samba 4.7.6 Ubuntu
/etc/hosts:
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
/etc/resolv.conf:
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 127.0.0.53
/etc/krb5.conf:
[libdefaults]
    default_realm = DARAM.COM
    # dns_lookup_realm = false
    # dns_lookup_kdc = true
    # The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    # The following encryption type specification will be used by MIT Kerberos
    # if uncommented. In general, the defaults in the MIT Kerberos code are
    # correct and overriding these specifications only serves to disable new
    # encryption types as they are added, creating interoperability problems.
    #
    # The only time when you might need to uncomment these lines and change
    # the enctypes is if you have local software that will break on ticket
    # caches containing ticket encryption types it doesn't know about (such as
    # old versions of Sun Java).
    # default_tgs_enctypes = des3-hmac-sha1
    # default_tkt_enctypes = des3-hmac-sha1
    # permitted_enctypes = des3-hmac-sha1
    # The following libdefaults parameters are only for Heimdal Kerberos.
    fcc-mit-ticketflags = true
[realms]
    ATHENA.MIT.EDU = {
        kdc = kerberos.mit.edu
        kdc = kerberos-1.mit.edu
        kdc = kerberos-2.mit.edu:88
        admin_server = kerberos.mit.edu
        default_domain = mit.edu
    }
    ZONE.MIT.EDU = {
        kdc = casio.mit.edu
        kdc = seiko.mit.edu
        admin_server = casio.mit.edu
    }
    CSAIL.MIT.EDU = {
        admin_server = kerberos.csail.mit.edu
        default_domain = csail.mit.edu
    }
    IHTFP.ORG = {
        kdc = kerberos.ihtfp.org
        admin_server = kerberos.ihtfp.org
    }
    1TS.ORG = {
        kdc = kerberos.1ts.org
        admin_server = kerberos.1ts.org
    }
    ANDREW.CMU.EDU = {
        admin_server = kerberos.andrew.cmu.edu
        default_domain = andrew.cmu.edu
    }
    CS.CMU.EDU = {
        kdc = kerberos-1.srv.cs.cmu.edu
        kdc = kerberos-2.srv.cs.cmu.edu
        kdc = kerberos-3.srv.cs.cmu.edu
        admin_server = kerberos.cs.cmu.edu
    }
    DEMENTIA.ORG = {
        kdc = kerberos.dementix.org
        kdc = kerberos2.dementix.org
        admin_server = kerberos.dementix.org
    }
    stanford.edu = {
        kdc = krb5auth1.stanford.edu
        kdc = krb5auth2.stanford.edu
        kdc = krb5auth3.stanford.edu
        master_kdc = krb5auth1.stanford.edu
        admin_server = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }
    UTORONTO.CA = {
        kdc = kerberos1.utoronto.ca
        kdc = kerberos2.utoronto.ca
        kdc = kerberos3.utoronto.ca
        admin_server = kerberos1.utoronto.ca
        default_domain = utoronto.ca
    }
[domain_realm]
    .mit.edu = ATHENA.MIT.EDU
    mit.edu = ATHENA.MIT.EDU
    .media.mit.edu = MEDIA-LAB.MIT.EDU
    media.mit.edu = MEDIA-LAB.MIT.EDU
    .csail.mit.edu = CSAIL.MIT.EDU
    csail.mit.edu = CSAIL.MIT.EDU
    .whoi.edu = ATHENA.MIT.EDU
    whoi.edu = ATHENA.MIT.EDU
    .stanford.edu = stanford.edu
    .slac.stanford.edu = SLAC.STANFORD.EDU
    .toronto.edu = UTORONTO.CA
    .utoronto.ca = UTORONTO.CA
>You used :
>samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator" --dns-backend=SAMBA_INTERNAL --option="interfaces=ens2f0"
>not wrong, but can you try.
>
>kinit Administrator
>samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --site=MySite --option="interfaces=ens2f0" -k
>
>If that does not work.
>
>samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --option="interfaces=ens2f0" -k
>
>If not,...
>
>samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL -k
>
>If not,
>
>samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --realm=YOUR_REALM -k
-k option requires an argument
All suggestions failed.
I modified the last suggestion. I had to add the -U option because there is no user in the DOMAIN for the UNIX user that is running the command.
:~$ samba-tool domain join daram.com DC --dns-backend=SAMBA_INTERNAL --realm=DOMAIN.COM -U"DOMAIN\administrator"
Finding a writeable DC for domain 'domain.com'
Found DC DC01.daram.com
Password for [DOMAIN\administrator]:
workgroup is DOMAIN
realm is domain.com
Adding CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
Adding CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
Adding CN=NTDS Settings,CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
Adding SPNs to CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
Setting account password for DCU1801$
Enabling account
Calling bare provision
Join failed - cleaning up
Deleted CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
Deleted CN=NTDS Settings,CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
Deleted CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: guess_names: 'server role=standalone server' in /etc/samba/smb.conf must match chosen server role 'active directory domain controller'! Please remove the smb.conf file and let provision generate it
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1376, in do_join
    ctx.join_provision()
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 840, in join_provision
    use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 2028, in provision
    sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill == FILL_DRS))
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 614, in guess_names
    raise ProvisioningError("guess_names: 'server role=%s' in %s must match chosen server role '%s'! Please remove the smb.conf file and let provision generate it" % (lp.get("server role"), lp.configfile, serverrole))
I am happy to install a different version of Samba, however, I would rather not have to compile Samba. Moreover, I'd have to uninstall the current Samba version. However, if easier, I'd just reinstall Ubuntu. Guidance for this would be appreciated.
Barry Adkins
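The ProvisioningError above is the join's guess_names check refusing an existing smb.conf whose "server role" is not the AD DC role. The following pre-flight script, an added example that is not part of the post or of Samba's own code, parses the [global] section of an smb.conf the way that check sees it and tells you whether to move the file aside before running samba-tool domain join; the "dc" and "domain controller" aliases are assumed from Samba's parameter table, and "include =" directives are not followed.

```shell
#!/bin/sh
# Pre-flight check before "samba-tool domain join <domain> DC": the join's
# provision step (guess_names) refuses to run when the existing smb.conf sets
# a "server role" other than the AD DC role, which is the ProvisioningError
# in the post. Added example, not code from the Samba project or the post.
# Limitation: "include =" directives in smb.conf are not followed.

# Print the [global] "server role" value of an smb.conf, lower-cased with
# whitespace collapsed; the last assignment wins, as in Samba. Comment lines
# (# or ;) and other sections are ignored. Absent parameter => "auto".
smbconf_server_role() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_global = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        in_global && tolower($0) ~ /^[ \t]*server[ \t]*role[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            val = tolower($0); gsub(/[ \t]+/, " ", val)
        }
        END { print (val == "" ? "auto" : val) }
    ' "$1"
}

# Exit 0 when the join can proceed with this smb.conf, 1 when it would trip
# the server-role check. A missing file is fine: provision generates one.
# "auto" is resolved by Samba from "security"/"domain logons" and never to the
# AD DC role, so it counts as a conflict too. The aliases "dc" and
# "domain controller" are assumed from Samba's parameter table.
dc_join_preflight() {
    conf=${1:-/etc/samba/smb.conf}
    if [ ! -f "$conf" ]; then
        echo "OK: $conf absent, provision will generate it"
        return 0
    fi
    role=$(smbconf_server_role "$conf")
    case $role in
        dc|"domain controller"|"active directory domain controller")
            echo "OK: $conf already sets 'server role = $role'"
            return 0 ;;
        *)
            echo "CONFLICT: $conf resolves to 'server role = $role'" >&2
            echo "Move it aside (mv $conf $conf.pre-join) and rerun the join" >&2
            return 1 ;;
    esac
}

# Demonstration on a constructed file reproducing the conflicting setting
# from the post (an Ubuntu-style smb.conf with the standalone role).
sample=$(mktemp)
printf '[global]\n   workgroup = DOMAIN\n   server role = standalone server\n' > "$sample"
if dc_join_preflight "$sample"; then echo "safe to join"; else echo "fix smb.conf first"; fi
rm -f "$sample"
```

Moving the file aside rather than deleting it keeps the packaged defaults for comparison with the smb.conf that provision writes.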