[Samba] Setup a Samba AD DC as an additional DC

L.P.H. van Belle belle at bazuin.nl
Thu Nov 29 12:42:13 UTC 2018


Hi Barry,

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of
> Barry D. Adkins via samba
> Sent: Thursday, 29 November 2018 11:57
> To: samba at lists.samba.org
> Subject: [Samba] Setup a Samba AD DC as an additional DC
> 
> Thanks Rowland/Louis for your assistance,
> 
> > >What is the running AD DC's OS version/build? Is it an
> MS server?
> > 2 AD DCs: Windows 2012, 1 is 2008, but the DC for the join is a 2012
> > Windows DC
> 
> >Yes, but Win 2012, which one? 2012 or 2012 R2? Can you open a
> DOS box (cmd) and type: ver. The build number is?
> 
> It is just 2012, not R2.  Here is the ver output: Microsoft Windows [Version 6.2.9200]
> 
> The 2008 DC is also NOT R2: Microsoft Windows [Version 6.0.6002]
> 
> The Windows Certificate Server is running on the 2008 DC.
> 
> >and add it on your samba servers
> 
> I assume it will need to be added to the Intermediate & 
> Trusted Authorities.  I will have to search for doing this on 
> Ubuntu/Linux.  I assume it is simple.
Yes, that's not so hard. 

But before you start with the things to do: 
Your network is expanding as we are asking questions...  ;-) 
So you have:
Win2012 as AD DC
Win2008 as ? Member or also AD DC? 
Any other Windows servers? MSSQL, Exchange, things like that, because some of these are blocking replication.
And before you're wasting a lot more time, let's make the info more complete first. 


And a bit ahead, the cert instructions, but the above info first please. 
The root CA instructions: use this
https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/ 


> 
> >create the samba client certificates
> 
> Not sure what you mean here.  Do you mean to request a client 
> certificate for the samba DC from the Windows Certificate Authority?
Yes 

Create the client certs and let samba use them. 
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC 
Do note: use the created cert+key from the DC and check if it's done correctly. 
How to do that is in the wiki link. 


> 
> >I don't think he ever joined, but cleaning out anything to do with the
> >new DC from the Windows DC shouldn't harm anything and cleaning
> >out /var/lib/samba will also help.
> 
> Never successfully joined.  From ADSI Edit samba-tool seems 
> to clean up after itself when the join fails.  I see entries 
> added for the Samba DC and then they have later been removed.
> 
> >> - setup/join  samba with bind9_dlz.
> 
> >You do not actually have to set up Bind9 before a provision/join, it
> >just needs to be installed, then add '--dns-backend=BIND9_DLZ' to the
> >join command, he can worry about setting up Bind9 once the DC actually
> >joins ;-)
> 
> I have not explicitly installed BIND9, perhaps Ubuntu 18.04 
> loads it already.  I can certainly install it.
> 
> At this point I have not implemented anything from your most 
> recent post so-as to only do what you want me to do.
> 
> I will research the Linux Certificate store so I can do that 
> when you request it.
> 
> -Barry Adkins
> -- 

Greetz, 

Louis
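The cert steps Louis outlines above (install the Windows root CA on the Ubuntu DC, get a cert+key for the Samba DC, then "check if it's done correctly" before pointing smb.conf at it) as one shell script. This is an added example, not code from the thread, the brightbox post or the Samba wiki. The `tls *` option names are Samba's own smb.conf parameters; everything else (the /etc/samba/tls paths, the host name dc1.example.com, the trust-store directory argument used so the checks can run without root) is assumed for illustration.

```shell
#!/bin/sh
# Added example: checks around installing a Windows CA root on an
# Ubuntu/Debian Samba AD DC. Paths and host names are assumptions.
set -eu

# 1. Put the Windows CA root certificate into the system trust store.
#    update-ca-certificates only picks up files ending in .crt, and it
#    wants PEM; a Windows "DER encoded binary X.509 (.CER)" export is
#    converted on the way in. The optional second argument overrides the
#    Debian/Ubuntu directory so the function can be exercised unprivileged.
install_ca_cert() {
    src="$1"
    dest_dir="${2:-/usr/local/share/ca-certificates}"
    name="$(basename "${src%.*}").crt"
    mkdir -p "$dest_dir"
    if grep -q 'BEGIN CERTIFICATE' "$src"; then
        cp "$src" "$dest_dir/$name"
    else
        openssl x509 -inform DER -in "$src" -out "$dest_dir/$name"
    fi
    # Rebuild /etc/ssl/certs only when we are root and the tool exists.
    if [ "$(id -u)" -eq 0 ] && command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates >/dev/null
    fi
    echo "$dest_dir/$name"
}

# 2. Confirm the certificate issued to the DC and the private key belong
#    together: compare the public key embedded in the cert with the one
#    derived from the key. Works for RSA and EC (a modulus diff is RSA-only).
cert_key_match() {
    cert="$1"; key="$2"
    from_cert="$(openssl x509 -in "$cert" -noout -pubkey)"
    from_key="$(openssl pkey -in "$key" -pubout)"
    [ "$from_cert" = "$from_key" ]
}

# 3. Verify the DC cert chains to the installed root and carries the DC's
#    name, which is what every LDAPS client will check.
cert_chain_ok() {
    ca="$1"; cert="$2"; host="$3"
    openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null
}

# 4. Live check against the running DC (network; not exercised here).
#    -verify_return_error makes s_client fail on a bad chain instead of
#    merely printing "Verify return code: ..." and carrying on.
ldaps_check() {
    host="$1"
    openssl s_client -connect "$host:636" -servername "$host" \
        -CAfile /etc/ssl/certs/ca-certificates.crt -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# [global] lines for smb.conf once the checks pass. Option names are
# Samba's; the file locations are assumed.
smb_tls_settings() {
    cat <<'EOF'
tls enabled  = yes
tls keyfile  = /etc/samba/tls/dc1.example.com.key
tls certfile = /etc/samba/tls/dc1.example.com.crt
tls cafile   = /etc/samba/tls/windows-root-ca.crt
EOF
}
```

Run steps 1 to 3 as root on the DC with the real files, restart samba-ad-dc, then run `ldaps_check dc1.example.com`; an exit status of 0 means the chain validates against the system store, which is the "check if it's done correctly" the wiki asks for.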
