[Samba] Problem joining domain [SEC=CLASSIFIED]

[Rowland penny]

On 31/05/2019 08:23, Andrew Bartlett wrote:
> On Fri, 2019-05-31 at 06:21 +0000, Thamm, Russell via samba wrote:
>> UNCLASSIFIED
>>
>> Hi Andrew and Roland,
>>
>> I originally installed samba-4.1.7 on CentOS 6.5. I successfully joined the domain. I intended to take over from the 2003 server but because the domain was being heavily used, I delayed seizing the roles.
>>
>> Now I really, really want to replace the 2003 server. The network is currently not in use and I want to complete the job while I have an opportunity. If I have no other option, I will create a new domain, but I'd prefer to avoid having to create new user accounts.
> How about trying this:
>
> https://wiki.samba.org/index.php/Create_a_samba_lab-domain
Isn't the OP going to run into a chicken & egg situation here, will it 
work against a Windows DC ?
>
> If that works, then you may be able to try this:
>
> https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC
>
> an online backup might work against windows, but I suspect you will
> hit:
>
> https://bugzilla.samba.org/show_bug.cgi?id=13917
>
> If you can apply patches (difficult air-gapped I know), try the
> backported one attached to the bug.
>
> Restoring the backup won't allow the windows server to still operate
> (they will fight), but might get you a way out.
>
> Anyway, I hope this is of some help.  Otherwise we need to try and work
> out a bit more about why the windows DC is unhappy with our list of
> NCs.
>
> Andrew Bartlett

If a Centos 6 Samba AD DC was able to join, then I would try going down 
that path again, but to save time and not compile Samba, I would use 
Debian 8 instead. If you get a Samba DC to join, you could then walk up 
the Samba versions (probably needed unless the bug is fixed) by using 
Louis's repo. Once you get past 4.8.x, you could then seize all the FSMO 
roles and turn off the windows DC and remove it from the domain.

Rowland