[Samba] Joining a new Samba AD DC

Rowland Penny rpenny at samba.org
Sun Jul 23 20:07:06 UTC 2023

On 23/07/2023 20:40, Mark Foley via samba wrote:
> On Sun Jul 16 04:21:55 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
>> On 16/07/2023 07:10, Mark Foley via samba wrote:
>>> I am planning on upgrading my AD/DC from Samba version 4.8.2 to the most recent
>>> version in my Slackware distro which is currently 4.15.13.
>>> In previous threads in this maillist I was advised that the best route to
>>> achieve this was to add a 2nd domain controller, then promote that one and
>>> demote the original. I'm in the process of setting up a 2nd DC to that end.
>>> 2) The next thing the wiki doc says to do is to provision the DC. Will doing so
>>> on this 2nd DC interfere with the current/primary DC?
>> I think you may be following the wrong instructions, the page you linked
>> to is for provisioning the first DC in a new domain.
>> Have you read this wiki page:
>> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
>> It is only possible to provision one DC in a domain (you actually create
>> the domain and then automatically join the first DC during the process),
>> after that you join extra DCs to the domain.
> Thanks, I'm now referencing your suggested wiki.
> Question 1: That wiki says:
>    Configuring the /etc/resolv.conf
>    Set the DNS server IP and AD DNS domain in your /etc/resolv.conf. For example:
>    nameserver
>    search samdom.example.com
> Is the nameserver as shown supposed to be the primary/current AD/DC?

It is supposed to be another AD DC (there is no such thing as a 
'primary' DC, they are all equal). I have added a note to the wiki page.

> Currently,
> the AD/DC is and in that host's resolv.conf the nameserver IP is set
> to itself. In this joined DC, should the nameserver be the primary/current AD/DC
> or itself (

Initially the nameserver needs to be another AD DC; once the join 
succeeds you change it to the new DC's IP address (aka its own IP address).

> Question 2: After setting krb5.conf per the wiki, the test command do not work:
> # kinit Administrator
> Password for Administrator@hprs.local:

I really hope that '.local' is a placeholder for the real TLD. '.local' is 
reserved for Bonjour and Avahi and, as such, shouldn't be used.

> kinit: KDC reply did not match expectations while getting initial credentials

Provided that kerberos and dns are setup correctly, that should work.

> # klist
> klist: No credentials cache found (filename: /tmp/krb5cc_0)
> Does something have to be running first? Note that samba is installed, but not
> running.

Your DC needs to be able to contact a DC, preferably itself, but if the 
computer is pointing at another DC and the required packages are 
installed, then kinit should work.
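
Added example, not from this thread or from the Samba project: a small pre-flight checker for the two files the wiki page has the new DC edit, /etc/resolv.conf and /etc/krb5.conf, covering the two phases described above (nameserver = an existing DC before the join, nameserver = the new DC itself afterwards), the AD DNS domain in the search list, and the wiki's [libdefaults] settings. The IP addresses, domain name and file contents are constructed placeholders. One caveat the checker also encodes, as a general Kerberos fact rather than anything the thread establishes: realm names are case-sensitive and conventionally upper case, and a lower-case default_realm (the kinit prompt above shows a lower-case realm) is a common trigger for "KDC reply did not match expectations".

```python
# Pre-flight check for a Samba DC about to run, or having just run,
# `samba-tool domain join <domain> DC`. Added example; all addresses,
# names and file contents below are constructed for illustration.
import re

PRE_JOIN = "pre-join"    # before the join: DNS must point at an existing DC
POST_JOIN = "post-join"  # after the join succeeded: DNS points at this DC itself


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) from resolv.conf text."""
    nameservers, search = [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        values = rest.split()
        if key == "nameserver" and values:
            nameservers.append(values[0])
        elif key in ("search", "domain"):
            search.extend(v.lower() for v in values)
    return nameservers, search


def parse_krb5_libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section of a krb5.conf."""
    section, out = None, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[key.lower()] = value
    return out


def check_dc_join_config(resolv_text, krb5_text, own_ip, existing_dc_ips, ad_domain, phase):
    """Return a list of problems; an empty list means the files fit the given phase."""
    problems = []
    ad_domain = ad_domain.lower()
    nameservers, search = parse_resolv_conf(resolv_text)
    libdefaults = parse_krb5_libdefaults(krb5_text)

    if ad_domain.endswith(".local"):
        problems.append("AD DNS domain ends in .local, which is reserved for mDNS (Bonjour/Avahi)")

    if not nameservers:
        problems.append("resolv.conf has no nameserver line")
    elif phase == PRE_JOIN:
        if nameservers[0] == own_ip:
            problems.append("pre-join: first nameserver is this host; it must be an existing DC")
        elif nameservers[0] not in existing_dc_ips:
            problems.append("pre-join: first nameserver %s is not a known DC" % nameservers[0])
    elif phase == POST_JOIN:
        if nameservers[0] != own_ip:
            problems.append("post-join: first nameserver should be this DC (%s)" % own_ip)
    else:
        raise ValueError("unknown phase %r" % phase)

    if ad_domain not in search:
        problems.append("resolv.conf search list does not contain %s" % ad_domain)

    realm = libdefaults.get("default_realm")
    if realm is None:
        problems.append("krb5.conf has no default_realm")
    elif realm != ad_domain.upper():
        # Kerberos realm names are case-sensitive; the AD realm is the DNS domain in upper case.
        problems.append("default_realm %r should be the AD domain in upper case (%s)"
                        % (realm, ad_domain.upper()))
    if libdefaults.get("dns_lookup_kdc", "").lower() != "true":
        problems.append("krb5.conf should set dns_lookup_kdc = true so kinit finds the KDC via SRV records")
    return problems


# Constructed sample inputs (placeholder addresses from the RFC 5737 test range).
EXISTING_DC_IP = "192.0.2.10"   # the DC already in the domain
NEW_DC_IP = "192.0.2.11"        # the DC being joined
AD_DOMAIN = "samdom.example.com"

RESOLV_SELF = "nameserver 192.0.2.11\nsearch samdom.example.com\n"
RESOLV_PEER = "nameserver 192.0.2.10\nsearch samdom.example.com\n"
KRB5_LOWERCASE = ("[libdefaults]\n    default_realm = samdom.example.com\n"
                  "    dns_lookup_realm = false\n    dns_lookup_kdc = true\n")
KRB5_OK = ("[libdefaults]\n    default_realm = SAMDOM.EXAMPLE.COM\n"
           "    dns_lookup_realm = false\n    dns_lookup_kdc = true\n")

if __name__ == "__main__":
    cases = [
        ("pre-join, pointing at itself, lower-case realm", RESOLV_SELF, KRB5_LOWERCASE, PRE_JOIN),
        ("pre-join, pointing at existing DC", RESOLV_PEER, KRB5_OK, PRE_JOIN),
        ("post-join, pointing at itself", RESOLV_SELF, KRB5_OK, POST_JOIN),
    ]
    for label, resolv, krb5, phase in cases:
        found = check_dc_join_config(resolv, krb5, NEW_DC_IP, [EXISTING_DC_IP], AD_DOMAIN, phase)
        print("%s: %s" % (label, found or "OK"))
```

Run it with the files of the new DC pasted into the two strings (or read from /etc) before `kinit Administrator`; the first constructed case reproduces the two mistakes the checker is designed to catch, a host that resolves against itself before it is a DC and a realm in the wrong case.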
