[Samba] Joining a new Samba AD DC

Rowland Penny rpenny at samba.org
Mon Jul 24 13:50:43 UTC 2023

On 24/07/2023 13:37, Mark Foley via samba wrote:
> Yes, I inherited this domain name from the pre-2010 Windows AD.  I'll pass this
> info on to the fellow admin'ing the Windows DC.  Apparently he still names the
> numerous Windows AD/DCs he admin's with .local.

Microsoft hasn't been recomending '.local' for quite sometime now.

> I suppose it's too late to change on my setup?

Samba doesn't really provide anyway of renaming a domain in production.

> No, those kerberos commands were run *on* the current/old 4.8.2 AD/DC, not on
> this new one.  As mentioned in another message, I do have another domain member
> Samba version 4.6.16, and the kerberos tests work on that one as well; just not
> on this new one.

Provided the new 'DC' has all the required packages installed and they 
are configured correctly, you should be able to run kinit and get a 
ticket. If this isn't working, I suggest you check everything again.

> I believe I tried that. I documented that in a follow-up email. I see that you
> replied to that message, so I'll look at that response.

Where you will find that, because you missed 'dc' from the command, you 
got a Unix domain member.

>>> Perhaps there is an issue with which Kerberos is running on the DC versus what's
>>> on this new machine?

The thing is, unless Samba is running, there should be no KDC running. 
If there is a KDC running and Samba isn't, then you are highly likely to 
be running a MIT KDC, which would have entailed your distro configuring 
(during the compile) Samba with the fairly obvious 
'--with-experimental-mit-ad-dc' switch.

>> Until you join the computer as a DC and start Samba, there isn't a KDC
>> running on the computer.
> Ah ha! That's what I was thinking and that's why I tried doing the join (but
> apparently did not join as a DC. The Joining_a_Samba_DC_to_an_Existing_Active_Directory
> wiki does not say to start Samba before trying the Kerberos test.
> The join instructions come after the Kerberos and Time Sync steps.
>>> On the DC have have kerberos version Kerberos 5 version 1.11.6
>> Is it possible that you are using the OS's MIT kdc rather than the
>> Heimdal built into Samba ?
> I have no idea. How would I determine that? 'klist -V' only gives the version
> number as shown below, not MIT versus Heimdal.

The problem is, that could be coming from the kerberos tools.

>>> On this new machine I have kerberos version Kerberos 5 version 1.19.2
>>> The version numbers seem to indicate the same kerberos package, but it doesn't
>>> say whether it's Heimdal or MIT.
>> It sounds to me that you are using MIT and if so, that is yet another
>> reason to update. Using a Samba AD DC with a MIT KDC was very
>> experimental at 4.8.x (a lot of things just didn't work, or if they did
>> work, they had missing components), now, whilst there are still minor
>> problems, using MIT doesn't seem to be regarded as experimental.
>> Rowland
> This "new" someday-DC is running Samba 4.15.13 - the most recent available on my
> distro.  Would this not be running Heimdal? Its Kerberos version number 1.19.2 is
> suspiciously close to the ancient DC's kerberos version 1.11.6, so maybe they're
> both running the same, and I going to guess it's Heimdal since the new machine
> is much more recent -- but if there were a way to tell which version that would
> clinch the question.
> Thanks --Mark

All Samba AD DCs normally use Heimdal, it is supplied with Samba, the 
exception would be if, during the build, Samba is configured with the 
'--with-experimental-mit-ad-dc' switch and that is fairly obvious in 
what it does.

Samba 4.15.x versions are no longer supported by Samba and Samba 
versions that use MIT do not get any security patches even if they are 
supported by Samba, you are reliant on your distro backporting any and 
all Samba patches.

If I remember correctly, you are using Slackware, so I think you may 
have to ask them just how they configure Samba.

I feel that I should point out that, if you were to use Debian instead, 
you would find this all a lot easier and you would get a much more 
recent version of Samba, 4.17.8 at present, which would become 4.18.x 
when Bookworm backports is created (or so I am reliably informed).


More information about the samba mailing list