[Samba] Setup a Samba AD DC as an additional DC

Barry D. Adkins Barry at daram.com
Fri Nov 23 08:20:42 UTC 2018

Samba 4.7.6 Ubuntu

/etc/hosts:       localhost.localdomain   localhost
::1             localhost6.localdomain6 localhost6

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts


/etc/resolv.conf:
# This file is managed by man:systemd-resolved(8). Do not edit.
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
# Run "systemd-resolve --status" to see details about the uplink DNS servers
# currently in use.
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.



/etc/krb5.conf:
[libdefaults]
        default_realm = DARAM.COM
#        dns_lookup_realm = false
#        dns_lookup_kdc = true

# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#       default_tgs_enctypes = des3-hmac-sha1
#       default_tkt_enctypes = des3-hmac-sha1
#       permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
        fcc-mit-ticketflags = true

[realms]
        ATHENA.MIT.EDU = {
                kdc = kerberos.mit.edu
                kdc = kerberos-1.mit.edu
                kdc = kerberos-2.mit.edu:88
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        }
        ZONE.MIT.EDU = {
                kdc = casio.mit.edu
                kdc = seiko.mit.edu
                admin_server = casio.mit.edu
        }
        CSAIL.MIT.EDU = {
                admin_server = kerberos.csail.mit.edu
                default_domain = csail.mit.edu
        }
        IHTFP.ORG = {
                kdc = kerberos.ihtfp.org
                admin_server = kerberos.ihtfp.org
        }
        1TS.ORG = {
                kdc = kerberos.1ts.org
                admin_server = kerberos.1ts.org
        }
        ANDREW.CMU.EDU = {
                admin_server = kerberos.andrew.cmu.edu
                default_domain = andrew.cmu.edu
        }
        CS.CMU.EDU = {
                kdc = kerberos-1.srv.cs.cmu.edu
                kdc = kerberos-2.srv.cs.cmu.edu
                kdc = kerberos-3.srv.cs.cmu.edu
                admin_server = kerberos.cs.cmu.edu
        }
        DEMENTIA.ORG = {
                kdc = kerberos.dementix.org
                kdc = kerberos2.dementix.org
                admin_server = kerberos.dementix.org
        }
        stanford.edu = {
                kdc = krb5auth1.stanford.edu
                kdc = krb5auth2.stanford.edu
                kdc = krb5auth3.stanford.edu
                master_kdc = krb5auth1.stanford.edu
                admin_server = krb5-admin.stanford.edu
                default_domain = stanford.edu
        }
        UTORONTO.CA = {
                kdc = kerberos1.utoronto.ca
                kdc = kerberos2.utoronto.ca
                kdc = kerberos3.utoronto.ca
                admin_server = kerberos1.utoronto.ca
                default_domain = utoronto.ca
        }

[domain_realm]
        .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
        .media.mit.edu = MEDIA-LAB.MIT.EDU
        media.mit.edu = MEDIA-LAB.MIT.EDU
        .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU
        .whoi.edu = ATHENA.MIT.EDU
        whoi.edu = ATHENA.MIT.EDU
        .stanford.edu = stanford.edu
        .slac.stanford.edu = SLAC.STANFORD.EDU
        .toronto.edu = UTORONTO.CA
        .utoronto.ca = UTORONTO.CA

> You used:
> samba-tool domain join mydomain.com DC -U"MYDOMAIN\administrator" --dns-backend=SAMBA_INTERNAL --option="interfaces=ens2f0"
> Not wrong, but can you try:
> kinit Administrator
> samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --site=MySite --option="interfaces=ens2f0" -k
> If that does not work:
> samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --option="interfaces=ens2f0" -k
> If not:
> samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL -k
> If not:
> samba-tool domain join mydomain.com DC --dns-backend=SAMBA_INTERNAL --realm=YOUR_REALM -k

-k option requires an argument

All suggestions failed.

I modified the last suggestion. I had to add the -U option because there is no user in the DOMAIN for the UNIX user that is running the command.

:~$ samba-tool domain join daram.com DC --dns-backend=SAMBA_INTERNAL --realm=DOMAIN.COM -U"DOMAIN\administrator"
Finding a writeable DC for domain 'domain.com'
Found DC DC01.daram.com
Password for [DOMAIN\administrator]:
workgroup is DOMAIN
realm is domain.com
Adding CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
Adding CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
Adding CN=NTDS Settings,CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
Adding SPNs to CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
Setting account password for DCU1801$
Enabling account
Calling bare provision
Join failed - cleaning up
Deleted CN=DCU1801,OU=Domain Controllers,DC=domain,DC=com
Deleted CN=NTDS Settings,CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
Deleted CN=DCU1801,CN=Servers,CN=MySite,CN=Sites,CN=Configuration,DC=domain,DC=com
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: guess_names: 'server role=standalone server' in /etc/samba/smb.conf must match chosen server role 'active directory domain controller'!  Please remove the smb.conf file and let provision generate it
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 661, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1474, in join_DC
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1376, in do_join
  File "/usr/lib/python2.7/dist-packages/samba/join.py", line 840, in join_provision
    use_ntvfs=ctx.use_ntvfs, dns_backend=ctx.dns_backend)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 2028, in provision
    sitename=sitename, rootdn=rootdn, domain_names_forced=(samdb_fill == FILL_DRS))
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 614, in guess_names
    raise ProvisioningError("guess_names: 'server role=%s' in %s must match chosen server role '%s'!  Please remove the smb.conf file and let provision generate it" % (lp.get("server role"), lp.configfile, serverrole))

I am happy to install a different version of Samba; however, I would rather not have to compile Samba. Moreover, I'd have to uninstall the current Samba version. However, if easier, I'd just reinstall Ubuntu. Guidance for this would be appreciated.

Barry Adkins
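The join above aborted because an existing /etc/samba/smb.conf still declared "server role = standalone server", and the pasted /etc/resolv.conf is the systemd-resolved stub. The following pre-flight script is an added example (not from this post or the Samba project) that checks those prerequisites before running `samba-tool domain join`; the check functions take file paths, so they run against constructed sample files as well as the live system, and the hostnames and addresses used for testing are constructed.

```shell
#!/bin/sh
# Added pre-flight checks (example code, not from the post or the Samba
# project) for the failure shown above: samba-tool aborted the join because
# /etc/samba/smb.conf still carried "server role = standalone server".

# Print the "server role" value of an smb.conf, lower-cased; empty if unset.
smb_server_role() {
    grep -i '^[[:space:]]*server[[:space:]]*role[[:space:]]*=' "$1" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z'
}

# 0 if smb.conf at $1 will not block a DC join: absent (provision writes a
# fresh one) or already declaring the AD DC role. Any other value, including
# none at all (default "auto", which resolves to standalone), fails.
smb_conf_ok_for_dc_join() {
    [ -f "$1" ] || return 0
    [ "$(smb_server_role "$1")" = "active directory domain controller" ]
}

# 0 if the first nameserver in resolv.conf $1 is a non-loopback address.
# Before the join the new DC must resolve the AD zone through an existing
# DC; systemd-resolved's stub 127.0.0.53 (the file in the post) cannot.
resolv_ok_for_dc_join() {
    ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
    [ -n "$ns" ] && [ "${ns#127.}" = "$ns" ] && [ "$ns" != "::1" ]
}

# 0 if hosts file $1 maps FQDN $2 to a non-loopback address (a 127.0.1.1
# line, as Debian/Ubuntu installers write, would put loopback into AD DNS).
hosts_fqdn_ok() {
    awk -v fqdn="$2" '/^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++)
              if ($i == fqdn && $1 !~ /^127\./ && $1 != "::1") ok = 1 }
        END { if (ok) exit 0; exit 1 }' "$1"
}

# Run all three checks and report; returns 1 if any of them fails.
preflight() {
    rc=0
    smb_conf_ok_for_dc_join "$1" || { echo "FAIL smb.conf: remove it or set the AD DC role"; rc=1; }
    resolv_ok_for_dc_join "$2"   || { echo "FAIL resolv.conf: point it at an existing DC"; rc=1; }
    hosts_fqdn_ok "$3" "$4"      || { echo "FAIL hosts: map $4 to the LAN address"; rc=1; }
    return $rc
}

# Live use, before samba-tool domain join:  sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    preflight /etc/samba/smb.conf /etc/resolv.conf /etc/hosts "$(hostname -f)"
fi
```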
