[Samba] Setup a Samba AD DC as an additional DC
L.P.H. van Belle
belle at bazuin.nl
Thu Nov 29 12:42:13 UTC 2018
Hai Barry,
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Barry D. Adkins via samba
> Sent: Thursday 29 November 2018 11:57
> To: samba at lists.samba.org
> Subject: [Samba] Setup a Samba AD DC as an additional DC
>
> Thanks Rowland/Louis for your assistance,
>
> > >What is the running AD DC's OS version/build? Is it an
> MS server?
> > 2 AD DCs Windows 2012, 1 is 2008, but the DC for the join is a 2012
> > windows DC
>
> >Yes, but Win 2012, which one? 2012 or 2012 R2? Can you open a
> DOS box (cmd) and type: ver. The build number is?
>
> It is just 2012, not R2. Here is the ver output: Microsoft Windows [Version 6.2.9200]
>
> The 2008 DC is also NOT R2: Microsoft Windows [Version 6.0.6002]
>
> The Windows Certificate Server is running on the 2008 DC.
>
> >and add it on you samba servers
>
> I assume it will need to be added to the Intermediate &
> Trusted Authorities. I will have to search for doing this on
> Ubuntu/Linux. I assume it is simple.
Yes, that's not so hard.
But before you start with the things to do:
Your network is expanding as we are asking questions... ;-)
So you have a:
Win2012 as AD DC
Win2008 as ? Member or also AD DC?
Any other Windows servers? MSSQL, Exchange, things like that, because some of these are blocking replication.
And before you waste a lot more time, let's make the info more complete first.
And a bit ahead, the cert instructions, but the above info first please.
The root CA instructions. Use this:
https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/
>
> >create the samba client certificates
>
> Not sure what you mean here. Do you mean to request a client
> certificate for the samba DC from the Windows Certificate Authority?
Yes.
Create the client certs and let Samba use them.
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
Do note, use the created cert+key from the DC and check if it's done correctly.
How is in the wiki link.
>
> >I don't think he ever joined, but cleaning out anything to
> do with the
> >new DC from the Windows DC shouldn't harm anything and cleaning
> >out /var/lib/samba will also help.
>
> Never successfully joined. From ADSI Edit samba-tool seems
> to clean up after itself when the join fails. I see entries
> added for the Samba DC and then they have later been removed.
>
> >> - setup/join samba with bind9_dlz.
>
> >You do not actually have to set up Bind9 before a provision/join, it
> >just needs to be installed, then add '--dns-backend=BIND9_DLZ' to the
> >join command, he can worry about setting up Bind9 once the
> DC actually
> >joins ;-)
>
> I have not explicitly installed BIND9, perhaps Ubuntu 18.04
> loads it already. I can certainly install it.
>
> At this point I have not implemented anything from your most
> recent post so-as to only do what you want me to do.
>
> I will research the Linux Certificate store so I can do that
> when you request it.
>
> -Barry Adkins
> --
Greetz,
Louis
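As an added example (not from this thread or the linked wiki page), the two steps Louis points at, trusting the Windows CA root on the Ubuntu DC and checking that the cert+key pair Samba will use actually belong together, as shell functions. Assumptions: the Debian/Ubuntu trust-store location /usr/local/share/ca-certificates scanned by update-ca-certificates, Samba's default TLS directory /var/lib/samba/private/tls, and hypothetical helper names; the smb.conf parameter names in the comments are Samba's real ones.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed paths:
#   /usr/local/share/ca-certificates  (where update-ca-certificates picks up local .crt files)
#   /var/lib/samba/private/tls        (Samba's default TLS directory, relative to 'private dir')
set -eu

# Windows CAs usually export the root as DER (.cer); update-ca-certificates only
# accepts PEM files with a .crt extension. Converts if needed, then rebuilds
# /etc/ssl/certs/ca-certificates.crt. Hypothetical helper.
install_root_ca() {
    src="$1"; name="$2"
    dst="/usr/local/share/ca-certificates/$name.crt"
    if openssl x509 -inform DER -in "$src" -noout 2>/dev/null; then
        openssl x509 -inform DER -in "$src" -out "$dst"     # DER -> PEM
    else
        cp "$src" "$dst"                                     # already PEM
    fi
    update-ca-certificates
}

# Returns 0 when the certificate's public key is the one belonging to the
# private key. Hashing the SubjectPublicKeyInfo works for RSA and EC keys alike
# (comparing RSA moduli only covers RSA). Hypothetical helper.
cert_matches_key() {
    cert="$1"; key="$2"
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Returns 0 when the certificate chains to a CA in the given PEM bundle
# (e.g. the issuing Windows CA's certificate). Hypothetical helper.
cert_chains_to_ca() {
    cafile="$1"; cert="$2"
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
}

# Once the files check out, put them where Samba expects them and keep the key
# private; these are the smb.conf [global] parameters Samba reads for LDAPS:
#   tls enabled  = yes
#   tls keyfile  = tls/key.pem
#   tls certfile = tls/cert.pem
#   tls cafile   = tls/ca.pem
# e.g.  install -m 600 key.pem /var/lib/samba/private/tls/key.pem
#
# Live check after restarting Samba (needs the DC reachable, so not run here):
#   openssl s_client -connect dc1.example.com:636 \
#       -CAfile /etc/ssl/certs/ca-certificates.crt </dev/null
```

Run the two check functions against the files the Windows CA issued before restarting Samba; a mismatched pair or a chain that does not end at the root you installed is what Louis means by "check if it's done correctly", and Samba will otherwise refuse or serve an untrusted LDAPS endpoint.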