[Samba] Joining a new Samba AD DC

Mark Foley mfoley at novatec-inc.com
Mon Jul 24 16:46:07 UTC 2023


I'll resume this topic in this thread -- keep the noise down ...

> On 24/07/2023 07:52, Rowland Penny via samba wrote:
>
> > The correct version should have been:
> > 
> > samba-tool domain join hprs.local DC -U Administrator
> > 
> > The command should also have failed because you had a smb.conf file, you 
> > need to remove any existing smb.conf when joining a DC, the join would 
> > then create a new one
> > 
>
> Hi Mark, the only thing you did incorrectly was to not specify that you 
> were joining as a DC. After reading the code, it seems that if you do 
> not specify the type of join, MEMBER, DC or RODC, it defaults to MEMBER, 
> which, in my opinion, it shouldn't, it should error out.
>
> Rowland

I removed the new computer from the domain and deleted the smb.conf file. I then
did:

samba-tool domain join hprs.local DC --option='idmap_ldb:use rfc2307 = yes' -U Administrator
INFO 2023-07-24 09:29:41,946 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #105: Finding a writeable DC for domain 'hprs.local'
INFO 2023-07-24 09:29:41,983 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #107: Found DC mail.hprs.local
Password for [WORKGROUP\Administrator]:
INFO 2023-07-24 09:29:48,623 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #1527: workgroup is HPRS
INFO 2023-07-24 09:29:48,623 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #1530: realm is hprs.local
Adding CN=DC1,OU=Domain Controllers,DC=hprs,DC=local
Adding CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
Adding CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
Adding SPNs to CN=DC1,OU=Domain Controllers,DC=hprs,DC=local
Setting account password for DC1$
Enabling account
:
:
INFO 2023-07-24 09:30:05,249 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #1544: Joined domain HPRS (SID S-1-5-21-1052267278-1962196458-4119365663) as a DC

plus I got a whole bunch more output not included here, but including messages on
setting up the idmap db, Kerberos, replication, schema objects and the SAM database.

Note that I did not specify any --dns-backend.  I hope that's OK as I
provisioned with --dns-backend=BIND9_FLATFILE on the original/current DC.  I do
have LAN members not part of the domain that need to have DNS service, so I may
have to redo this later.

Under "Verifying the DNS Entries" I did change the 1st IP in resolv.conf to be this new host's
IP, but that didn't work -- couldn't see any other host, so I reverted back to
the original DC's IP. However, that's not working either, even after a reboot. I
switched back to the new DC's IP and rebooted. Again, not working. So, something
is wrong with the DNS setup.

$ host webserver
;; connection timed out; no servers could be reached

Note that I ran the following not realizing DNS wasn't working. That could make
a difference.

Next I followed the instructions on syncing idmap.ldb. On my original server the
idmap.ldb is in /var/lib/samba/private, not /usr/local/samba/private; same with
this new DC, so I copied the idmap.ldb.bak from OLD:/var/lib/samba/private to
NEW:/var/lib/samba/idmap.ldb. Seems odd to just remove the .bak. The .bak file is
4% of the size of the idmap.ldb, so it appears some serious compressing is going
on. But whatever, that's what the wiki says!

Next I ran 'net cache flush' on the new DC; seemed to work (no error).

Next 'samba-tool ntacl sysvolreset', but I had a problem with that:

# samba-tool ntacl sysvolreset
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/ntacl.py", line 412, in run
    provision.setsysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1630, in set_gpos_acl
    setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid), session_info,
  File "/usr/lib64/python3.9/site-packages/samba/ntacls.py", line 228, in setntacl
    smbd.set_nt_acl(

What did I do wrong? Note that samba is not yet running.

Also, you noted in your previous message:

> I feel that I should point out that, if you were to use Debian instead, 
> you would find this all a lot easier and you would get a much more 
> recent version of Samba, 4.17.8 at present, which would become 4.18.x 
> when Bookworm backports is created (or so I am reliably informed).

In fact, way back in 2010 when I embarked on this venture, I did start with
Debian, but it wasn't going well; lots of extra packages to download, configs
not working ...  I switched to Slackware and it installed, provisioned and
worked right out of the box.  So I've stuck with Slackware.  Now, I have several
other servers (webserver, NAS, VM hosts ...) all running Slackware, so I'd rather
not switch horses and add a new distro into the mix.  Most of my problems on
this latest effort have been due to my misunderstandings or screw-ups, so I think
I can probably get this working with Slackware -- inch by inch.

Thanks --Mark
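The join-and-verify sequence this message walks through, collected as an added shell example. It is not code from the thread, from the Samba wiki or from the Samba project. It keeps the poster's realm (hprs.local) and existing DC (mail.hprs.local); the existing DC's IP address, the DNS backend, the smb.conf/resolv.conf/sysvol paths and the private directory are assumptions, set as environment-overridable defaults. Every samba-tool, net and host invocation is a real command; only the wrapper functions around them are new.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Samba project.
# Pre-flight checks, the join command and the post-join steps from the
# message above, as functions.  Assumed values (override via env):
#   REALM / EXISTING_DC  - the poster's hprs.local and mail.hprs.local
#   EXISTING_DC_IP       - placeholder; the thread does not give the address
#   DNS_BACKEND          - assumed to match the existing DC (BIND9_FLATFILE)
#   PRIVATE_DIR          - /var/lib/samba/private, as on the poster's build
set -u

REALM="${REALM:-hprs.local}"
EXISTING_DC="${EXISTING_DC:-mail.hprs.local}"
EXISTING_DC_IP="${EXISTING_DC_IP:-192.0.2.10}"
DNS_BACKEND="${DNS_BACKEND:-BIND9_FLATFILE}"
PRIVATE_DIR="${PRIVATE_DIR:-/var/lib/samba/private}"
SMB_CONF="${SMB_CONF:-/etc/samba/smb.conf}"
RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
SYSVOL_DIR="${SYSVOL_DIR:-/var/lib/samba/sysvol}"

# first_nameserver FILE: print the first 'nameserver' address in a
# resolv.conf-style file.  During the join the new host has to resolve
# _ldap._tcp.<realm> through the existing DC, so this must be its IP.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# looks_like_tdb FILE: true if FILE starts with the TDB header magic.
# idmap.ldb and the copy written by tdbbackup both begin with "TDB file",
# so this catches copying the wrong file over the new DC's idmap.ldb.
looks_like_tdb() {
    [ "$(dd if="$1" bs=8 count=1 2>/dev/null)" = "TDB file" ]
}

# join_cmdline: the join as it should be typed.  The role keyword DC is
# mandatory; left out, samba-tool performs a MEMBER join instead.
join_cmdline() {
    printf "samba-tool domain join %s DC -U Administrator --dns-backend=%s --option='idmap_ldb:use rfc2307 = yes'\n" \
        "$REALM" "$DNS_BACKEND"
}

# preflight: fail, with a reason, on the two mistakes discussed above:
# a stale smb.conf, and a resolver that does not point at the existing DC.
preflight() {
    if [ -e "$SMB_CONF" ]; then
        echo "preflight: $SMB_CONF exists; remove it, the join writes a new one" >&2
        return 1
    fi
    ns=$(first_nameserver "$RESOLV_CONF")
    if [ "$ns" != "$EXISTING_DC_IP" ]; then
        echo "preflight: first nameserver is '$ns', expected $EXISTING_DC ($EXISTING_DC_IP)" >&2
        return 1
    fi
}

# sync_idmap BAKFILE: install the copy made on the existing DC with
#   tdbbackup -s .bak $PRIVATE_DIR/idmap.ldb
# as this DC's idmap.ldb, then drop the cached SID/ID mappings.
sync_idmap() {
    looks_like_tdb "$1" || { echo "sync_idmap: $1 is not a TDB/LDB file" >&2; return 1; }
    cp "$1" "$PRIVATE_DIR/idmap.ldb" && net cache flush
}

# post_join: checks that need samba running on the new DC.  Samba does not
# replicate sysvol, so it is copied from the existing DC (rsync) before the
# ACLs are reset.
post_join() {
    host -t SRV "_ldap._tcp.$REALM"          # both DCs should be listed
    samba-tool drs showrepl                   # inbound/outbound links, last success
    samba-tool dbcheck --cross-ncs
    if [ -d "$SYSVOL_DIR/$REALM/Policies" ]; then
        samba-tool ntacl sysvolreset
    else
        echo "post_join: $SYSVOL_DIR/$REALM/Policies missing; copy sysvol from $EXISTING_DC first" >&2
        return 1
    fi
}

case "${1:-}" in
    preflight) preflight ;;
    join)      preflight && eval "$(join_cmdline)" ;;
    idmap)     sync_idmap "$2" ;;
    post)      post_join ;;
esac
```

Usage: `sh join-dc.sh preflight` on the new host before anything else, `join` to perform the join, `idmap /path/to/idmap.ldb.bak` after copying the backup over, and `post` once samba is started. Two details the message touches on: tdbbackup writes a fresh database containing only the live records, which is why the .bak can be far smaller than the idmap.ldb it came from while still being a valid TDB (that is what `looks_like_tdb` checks); and `host` reporting "connection timed out; no servers could be reached" means no nameserver in resolv.conf answered at all, whereas a missing record would print "not found", so the resolver itself, not the zone data, is the first thing `preflight` verifies.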
