[Samba] Joining a new Samba AD DC

Rowland Penny rpenny at samba.org
Mon Jul 24 06:40:35 UTC 2023

On 23/07/2023 23:12, Mark Foley via samba wrote:
> Hopefully you've noticed that I'm working on two Samba AD issues at the same
> time and have two threads, one for joining a Linux Samba server as a domain
> member to a Windows AD domain, and the other (this one) setting up a new Samba
> DC on an existing Linux Samba domain with the goal of promoting the new DC and
> demoting/removing the old/current one. I am not the admin for the Windows AD
> server, but I am the admin for the Samba AD server.

Yes, I had noticed :-)

>> It is supposed to be another AD DC (there is no such thing as a
>> 'primary' DC, they are all equal). I have added a note to the wiki page.
> Until this one gets promoted, there is only one AD DC, Samba version 4.8.2.
> Hence the need to create a more up-to-date server.

That is a very good reason to update, 4.8.2 is ancient in the Samba 
world and there have been a great many improvements.

>>> Question 2: After setting krb5.conf per the wiki, the kerberos test commands do not work:
>>> # kinit Administrator
>>> Password for Administrator at hprs.local:
>>> kinit: KDC reply did not match expectations while getting initial credentials
>> I really hope that '.local' is placeholder for the real TLD, '.local' is
>> reserved for Bonjour and Avahi and, as such, shouldn't be used.
> Unfortunately, .local is the name. This whole domain started as a Windows Small
> Business Server back in 2010 and I replaced the SBS AD/DC with Samba.
> I did not change the original domain name (hprs.local) as I was very new at this and
> wasn't sure how that would affect the other Windows workstation in the domain.
> The other Windows AD domain I'm working on also has .local, so maybe that's a
> thing with Windows? Anyway, I've disabled/removed Bonjour and Avahi from Windows
> and Linux workstations when present.

Microsoft used to recommend '.local', they now do not, because if you 
use it, you have to do what you have done, turn off Bonjour and Avahi.

>> Provided that kerberos and dns are setup correctly, that should work.
> I think they are. I followed the wiki instructions for krb5.conf, and I can see the
> DC and all domain members via 'host'.
>>> # klist
>>> klist: No credentials cache found (filename: /tmp/krb5cc_0)
>>> Does something have to be running first? Note that samba is installed, but not
>>> running.
>> Your DC needs to be able to contact a DC, preferably itself, but if the
>> computer is pointing at another DC and the required packages are
>> installed, then kinit should work.
>> Rowland
> "itself" is not yet a DC.
> I can contact the DC and DNS seems to be working. If I run these command
> on the DC I get:
>> kinit
> Password for Administrator at HPRS.LOCAL:
> (nothing returned, 0 return status)
>> klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator at HPRS.LOCAL
> Valid starting       Expires              Service principal
> 07/23/2023 17:56:29  07/24/2023 03:56:29  krbtgt/HPRS.LOCAL at HPRS.LOCAL
>          renew until 07/24/2023 17:56:23
> So, what do you suggest I do to get kerberos working on this wannabe-DC?

It is working, you have got a ticket for Administrator from your 
existing DC.

> It is
> not yet joined to the domain, but I don't think I can do the join until kerberos
> is working. Samba is not running.

If everything else is set up, it looks like you now need to run the 
samba-tool command to join your computer as another DC.

> Perhaps there is an issue with which Kerberos is running on the DC versus what's
> on this new machine?

Until you join the computer as a DC and start Samba, there isn't a KDC 
running on the computer.

> On the DC I have kerberos version Kerberos 5 version 1.11.6

Is it possible that you are using the OS's MIT kdc rather than the 
Heimdal built into Samba?

> On this new machine I have kerberos version Kerberos 5 version 1.19.2
> The version numbers seem to indicate the same kerberos package, but it doesn't
> say whether it's Heimdal or MIT.

It sounds to me that you are using MIT and if so, that is yet another 
reason to update. Using a Samba AD DC with a MIT KDC was very 
experimental at 4.8.x (a lot of things just didn't work, or if they did 
work, they had missing components), now, whilst there are still minor 
problems, using MIT doesn't seem to be regarded as experimental.
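As an added example (not from the thread and not the Samba project's own tooling), a pre-join readiness script for a machine that is about to become a second DC: it checks the SRV records the join depends on, obtains a TGT from the existing DC as in the exchange above, verifies the TGT realm, and reports whether the client libraries are MIT or Heimdal. REALM/DOMAIN use the thread's hprs.local; the Heimdal banner format and the `klist --version` invocation are assumptions.

```shell
#!/bin/sh
# Pre-join readiness check for a would-be Samba AD DC (added example).
# Assumes the thread's realm and an existing DC reachable via DNS.
REALM="HPRS.LOCAL"
DOMAIN="hprs.local"

# Print the realm of the krbtgt ticket found in klist output, or nothing
# when there is no TGT. Pure function, so it can be run on saved output.
tgt_realm_from_klist() {
    printf '%s\n' "$1" | sed -n 's#.*krbtgt/\([^@ ]*\)@.*#\1#p' | head -n 1
}

# Classify the Kerberos client library from its version banner.
# MIT prints "Kerberos 5 version X.Y.Z" (the format quoted in the thread);
# Heimdal's banner contains "Heimdal" (assumption about Heimdal's output).
kdc_flavor() {
    case "$1" in
        *Heimdal*)             echo heimdal ;;
        "Kerberos 5 version"*) echo mit ;;
        *)                     echo unknown ;;
    esac
}

# Both SRV records must resolve via the DNS the new machine points at.
srv_records_ok() {
    host -t SRV "_kerberos._tcp.$DOMAIN" >/dev/null 2>&1 &&
    host -t SRV "_ldap._tcp.dc._msdcs.$DOMAIN" >/dev/null 2>&1
}

# Live check: DNS, then a TGT from the existing DC (Samba need not be
# running locally; until the join there is no local KDC anyway).
readiness_check() {
    srv_records_ok || { echo "DNS: SRV records for $DOMAIN not found"; return 1; }
    kinit Administrator || { echo "kinit failed; check krb5.conf and DNS"; return 1; }
    realm=$(tgt_realm_from_klist "$(klist)")
    [ "$realm" = "$REALM" ] || { echo "TGT realm '$realm' is not $REALM"; return 1; }
    # Heimdal klist understands --version; MIT klist prints its banner with -V.
    banner=$(klist --version 2>/dev/null || klist -V 2>/dev/null)
    echo "Kerberos client library: $(kdc_flavor "$banner")"
    echo "Ready; next step: samba-tool domain join $DOMAIN DC -U Administrator"
}

if [ "${1:-}" = "--run" ]; then
    readiness_check
fi
```

Run it as `sh readiness.sh --run` on the future DC; the join command is only printed, so the wiki's remaining preparation steps can still be done first.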
