[Samba] Joining a new Samba AD DC

Rowland Penny rpenny at samba.org
Mon Jul 24 06:52:53 UTC 2023

On 24/07/2023 03:16, Mark Foley via samba wrote:
> More information ...
> Just to see what would happen, I started samba and joined this future DC to the
> domain. I do have another Linux Samba domain member on this domain, so I just
> copied its smb.conf, started samba, and joined. Interestingly, the joining
> process re-created my smb.conf, mostly with the same settings, but eliminating
> comments and spaces, removing some settings like 'domain master', 'printing',
> and some others, and added 'server role' and possibly others. Then, the whole
> smb.conf was sorted alphabetically giving:
> # Global parameters
> [global]
>          client max protocol = SMB3
>          client min protocol = SMB2
>          disable spoolss = Yes
>          max log size = 10000
>          netbios name = DC1
>          printcap name = /dev/null
>          realm = HPRS.LOCAL
>          security = ADS
>          server role = member server
>          server string = HPRS DC1
>          template shell = /bin/bash
>          usershare allow guests = Yes
>          usershare max shares = 10
>          winbind enum groups = Yes
>          winbind enum users = Yes
>          winbind nss info = rfc2307
>          winbind offline logon = Yes
>          winbind refresh tickets = Yes
>          winbind use default domain = Yes
>          workgroup = HPRS
>          idmap config *:backend = tdb
>          idmap config *:range = 2000-9999
>          idmap config hprs:backend = ad
>          idmap config hprs:schema_mode = rfc2307
>          idmap config hprs:range = 10000-10099

That is not a smb.conf for a Samba AD DC, it is the smb.conf for a Unix 
domain member
> I then joined (I did not use the --dns-backend parameter):
> # samba-tool domain join hprs.local -U Administrator

The correct version should have been:

samba-tool domain join hprs.local DC -U Administrator

The command should also have failed because you had a smb.conf file, you 
need to remove any existing smb.conf when joining a DC, the join would 
then create a new one

> Password for [HPRS\Administrator]:
> Joined domain hprs.local (S-1-5-21-1052267278-1962196458-4119365663)
> That's all I got as output. I did not get the copious output described in the
> Joining_a_Samba_DC_to_an_Existing_Active_Directory wiki.
> Also, I did not use --option='idmap_ldb' as the wiki suggested (the original DC
> was provisioned with --use-rfc2307), because I didn't read far enough in the
> wiki.  Do you think this would make a difference? I can un-join and rejoin if
> you think so.
> Unfortunately, the kerberos tests still fail:

Well it would, your new 'DC' doesn't appear to be a DC, it appears to be 
a Unix domain member.

> # kinit Administrator
> Password for Administrator at hprs.local:
> kinit: KDC reply did not match expectations while getting initial credentials
> # klist
> klist: No credentials cache found (filename: /tmp/krb5cc_0)
> On the other hand, these commands on the existing domain member (not DC) do
> work. That member is running Samba Version 4.6.16 whereas the "new" machine is Version
> 4.15.13. The DC is running Samba version 4.8.2.
> So, I think I'm a bit stuck trying to figure out how to get kerberos working on
> this new machine. I have proceeded no further with the wiki instructions. I was
> hoping starting samba would magically work.

I suggest you 'leave' the domain, remove the smb.conf and then try the 
join again, this time with the 'DC' in the command.


More information about the samba mailing list