[Samba] promote existing domain member to "backup" domain controller
Łukasz Michalski
lm at zork.pl
Wed Dec 7 15:21:07 UTC 2022
Hi,
I have a domain with a single DC "site-ad" (samba 4.16) and one domain
member "backup" (samba 4.15). "backup" currently acts as a file and VM
backup server.
This is my config on "site-ad":
[global]
netbios name = SITE-AD
realm = SITE.SAMDOM.COM
server role = active directory domain controller
workgroup = SAMDOM
idmap_ldb:use rfc2307 = yes
dns forwarder = 10.21.0.1
bind interfaces only = yes
interfaces = lo ifsrv
tls keyfile = /etc/easy-rsa/pki/private/site-ad.samdom.com.key
tls certfile = /etc/easy-rsa/pki/issued/site-ad.samdom.com.crt
tls cafile = /etc/easy-rsa/pki/ca.crt
[sysvol]
path = /var/lib/samba/sysvol
read only = No
[netlogon]
path = /var/lib/samba/sysvol/site.samdom.com/scripts
read only = No
And the current config on "backup":
[global]
security = ADS
workgroup = SAMDOM
realm = SITE.SAMDOM.COM
log file = /var/log/samba/%m.log
log level = 1
winbind enum users = yes
winbind enum groups = yes
winbind refresh tickets = Yes
dedicated keytab file = /etc/krb5.keytab
kerberos method = secrets and keytab
username map = /etc/samba/user.map
# Default ID mapping configuration for local BUILTIN accounts
# and groups on a domain member. The default (*) domain:
# - must not overlap with any domain ID mapping configuration!
# - must use a read-write-enabled back end, such as tdb.
idmap config * : backend = tdb
idmap config * : range = 3000-7999
# - You must set a DOMAIN backend configuration
# idmap config for the SAMDOM domain
idmap config SAMDOM:backend = ad
idmap config SAMDOM:schema_mode = rfc2307
idmap config SAMDOM:range = 10000-999999
idmap config SAMDOM:unix_nss_info = yes
vfs objects = acl_xattr
map acl inherit = yes
store dos attributes = yes
# Template settings for login shell and home directory
template shell = /bin/bash
template homedir = /home/%U
Currently on "backup" the smbd and winbind services are running.
I would like to promote the domain member "backup" to a domain controller.
I am using the internal DNS server on "site-ad" and I want to use the
internal one on "backup" too.
I do not want AD users to log in to "backup"; it should act only as a
backup DC.
Just to be sure, I have to do the following steps on "backup":
- Stop and disable the smb and winbind services
- Follow
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory,
but instead of:
samba-tool domain join samdom.example.com DC -U"SAMDOM\administrator"
the first step should be:
samba-tool domain dcpromo DC --option='idmap_ldb:use rfc2307 = yes'
- Remove all lines below "realm" from the smb.conf configuration, and
disable the smb and winbind services
- Enable and start the samba service and check replication and DNS.
I did not find a similar tutorial, so I would be very grateful for any
hints about steps that are wrong or missing.
Thanks,
Łukasz
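The sequence outlined in the post, written out as shell functions so the order of operations and the post-promotion checks are explicit. This is an added example, not the poster's script and not a reply from the list; it only encodes the steps as the poster describes them plus the documented `samba-tool` usage (`samba-tool domain dcpromo <dnsdomain> DC [options]` takes the same positional arguments as `domain join`). Assumptions not stated on the page: systemd unit names smb, winbind and samba (as on RHEL-family systems), the DNS domain site.samdom.com, and SAMDOM\administrator as the join account. The `showrepl_healthy` check parses `samba-tool drs showrepl` output for non-zero consecutive-failure counters and failed last attempts; the two sample outputs are constructed to exercise it offline.

```shell
#!/bin/sh
# Added example, not from the original post. Promotion steps as the poster
# describes them, plus a parser for `samba-tool drs showrepl` output.

REALM_DNS="site.samdom.com"      # assumption: DNS name of the poster's realm
ADMIN='SAMDOM\administrator'     # assumption: account used for dcpromo

# Step 1: a DC runs the single 'samba' daemon, so the member-server daemons
# must be stopped and disabled before promotion (unit names are an assumption).
stop_member_services() {
    systemctl disable --now smb winbind
}

# Step 2: promote in place. Like 'domain join', dcpromo needs the DNS domain
# and the role; --dns-backend selects the internal DNS server the poster wants,
# and --option carries the rfc2307 ID-mapping setting the existing DC uses.
promote_to_dc() {
    samba-tool domain dcpromo "$REALM_DNS" DC -U"$ADMIN" \
        --dns-backend=SAMBA_INTERNAL \
        --option='idmap_ldb:use rfc2307 = yes'
}

# Step 3 (review /etc/samba/smb.conf by hand: the member-server idmap/winbind
# settings do not belong on a DC). Step 4: start the DC service.
start_dc() {
    systemctl enable --now samba
}

# Post-promotion DNS check: the new DC must answer for the domain's SRV records.
check_dns() {
    host -t SRV "_ldap._tcp.${REALM_DNS}." 127.0.0.1
}

# Return 0 when every neighbour in `samba-tool drs showrepl` output reports
# zero consecutive failures and a successful last attempt, 1 otherwise.
# $1 = captured showrepl output.
showrepl_healthy() {
    printf '%s\n' "$1" | awk '
        /consecutive failure\(s\)\./ { if ($1 + 0 > 0) bad++ }
        /Last attempt @/ && !/was successful/ { bad++ }
        END { exit (bad > 0) }'
}

# Constructed sample: healthy inbound neighbour.
SAMPLE_OK='==== INBOUND NEIGHBORS ====

DC=site,DC=samdom,DC=com
	Default-First-Site-Name\SITE-AD via RPC
		DSA object GUID: 11111111-2222-3333-4444-555555555555
		Last attempt @ Wed Dec  7 15:00:00 2022 UTC was successful
		0 consecutive failure(s).
		Last success @ Wed Dec  7 15:00:00 2022 UTC'

# Constructed sample: neighbour with repeated failures.
SAMPLE_FAIL='==== INBOUND NEIGHBORS ====

DC=site,DC=samdom,DC=com
	Default-First-Site-Name\SITE-AD via RPC
		DSA object GUID: 11111111-2222-3333-4444-555555555555
		Last attempt @ Wed Dec  7 15:00:00 2022 UTC failed, result 58 (WERR_BAD_NET_RESP)
		3 consecutive failure(s).
		Last success @ NTTIME(0)'

if showrepl_healthy "$SAMPLE_OK"; then
    echo "constructed sample 1: replication healthy"
fi
if ! showrepl_healthy "$SAMPLE_FAIL"; then
    echo "constructed sample 2: replication failures detected"
fi
# On the real DC, after start_dc: showrepl_healthy "$(samba-tool drs showrepl)"
```

Run `stop_member_services`, `promote_to_dc`, `start_dc` in that order on the member; then feed the live `samba-tool drs showrepl` output to `showrepl_healthy` and run `check_dns` to confirm both directions the poster lists (replication and DNS).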