[Samba] Joining a new Samba AD DC
rpenny at samba.org
Mon Jul 24 17:29:38 UTC 2023
On 24/07/2023 17:46, Mark Foley via samba wrote:
> I removed the new computer from the domain and deleted the smb.conf file. I then
> samba-tool domain join hprs.local DC --option='idmap_ldb:use rfc2307 = yes' -U Administrator
> INFO 2023-07-24 09:29:41,946 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #105: Finding a writeable DC for domain 'hprs.local'
> INFO 2023-07-24 09:29:41,983 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #107: Found DC mail.hprs.local
> Password for [WORKGROUP\Administrator]:
> INFO 2023-07-24 09:29:48,623 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #1527: workgroup is HPRS
> INFO 2023-07-24 09:29:48,623 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #1530: realm is hprs.local
> Adding CN=DC1,OU=Domain Controllers,DC=hprs,DC=local
> Adding CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
> Adding CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
> Adding SPNs to CN=DC1,OU=Domain Controllers,DC=hprs,DC=local
> Setting account password for DC1$
> Enabling account
> INFO 2023-07-24 09:30:05,249 pid:1261 /usr/lib64/python3.9/site-packages/samba/join.py #1544: Joined domain HPRS (SID S-1-5-21-1052267278-1962196458-4119365663) as a DC
> plus I got a whole bunch more output not included here, but including messages on
> Setting up idmap db, kerberos, replication, schema objects, SAM database,
It sounds like you now have a DC :-)
> Note that I did not specify any --dns-backend. I hope that's OK as I
> provisioned with --dns-backend=BIND9_FLATFILE on the original/current DC. I do
> have LAN members not part of the domain that need to have DNS service, so I may
> have to redo this later.
If you didn't specify a DNS backend, then the default internal DNS
server will be used.
> Under "Verifying the DNS Entries" I did change the 1st IP in resolv.conf to be this new host's
> IP, but that didn't work -- couldn't see any other host, so I reverted back to
> the original DC's IP. However, that's not working either, even after a reboot. I
> switched back to the new DC's IP and rebooted. Again, not working. So, something
> is wrong with the DNS setup.
The DNS problem is probably because there are no records in AD, you need
to either transfer the records from the flat files (you will probably
have to create the reverse zone) or let your Windows computers create
them in AD.
> $ host webserver
> ;; connection timed out; no servers could be reached
> Note that I ran the following not realizing DNS wasn't working. That could make
> a difference.
> Next I followed the instructions on syncing idmap.ldb. On my original server the
> idmap.ldb is in /var/lib/samba/private, not /usr/local/samba/private;
The wiki is written from the point of view of a self compiled Samba,
where (unless it is specified) everything ends up in /usr/local/samba
> same with
> this new DC, so I copied the idmap.ldb.bak from OLD:/var/lib/samba/private to
> NEW:/var/lib/samba/idmap.ldb. Seems odd to just remove the .bak. The .bak file is
> 4% of the size of the idmap.ldb, so it appears some serious compressing is going
> on. But whatever, that's what the wiki says!
It is correct, backing the .tdb file up also removes anything not
> Next I ran 'net cache flush' on the new DC; seemed to work (no error).
> Next 'samba-tool ntacl sysvolreset', but I had a problem with that:
> # samba-tool ntacl sysvolreset
> set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
> File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib64/python3.9/site-packages/samba/netcmd/ntacl.py", line 412, in run
> provision.setsysvolacl(samdb, netlogon, sysvol,
> File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
> set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
> File "/usr/lib64/python3.9/site-packages/samba/provision/__init__.py", line 1630, in set_gpos_acl
> setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid), session_info,
> File "/usr/lib64/python3.9/site-packages/samba/ntacls.py", line 228, in setntacl
> What did I do wrong? Note that samba is not yet running.
Did you also sync Sysvol ?
On a newly joined DC, there is very little in sysvol, it needs to be
synced from a DC that holds all the GPOs.
> Also, you noted in your previous message:
>> I feel that I should point out that, if you were to use Debian instead,
>> you would find this all a lot easier and you would get a much more
>> recent version of Samba, 4.17.8 at present, which would become 4.18.x
>> when Bookworm backports is created (or so I am reliably informed).
> In fact, way back in 2010 when I embarked on this venture, I did start with
> Debian, but it wasn't going well; lots of extra packages to download, configs
> not working ... I switched to Slackware and it installed, provisioned and
> worked right out of the box. So I've stuck with Slackware. Now, I have several
> other servers (webserver, NAS, VM hosts ...) all running Slackware, so I'd rather
> not switch horses and add a new distro into the mix. Most of my problems on
> this latest effort have been due to my misunderstandings or screw-ups, so I think
> I can probably get this working with Slackware -- inch by inch.
I can understand that, it is just that Debian (and Debian base distros,
Ubuntu for instance) has been the go-to distro for a Samba AD DC since
Samba 4.0.0 and there is a lot of knowledge out there. I run two Samba
AD DCs on Raspberry Pi OS (Debian based), so I can vouch that it works well.
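A post-join check script covering the two points raised in this message (DC locator records missing from AD DNS, and Sysvol needing a sync before ntacl sysvolreset). It is an added example, not code from the thread or from the Samba wiki; it assumes the realm hprs.local, the existing DC mail.hprs.local, the default site name, a distro Samba with its state under /var/lib/samba, and root ssh access to the old DC for rsync.

```shell
#!/bin/sh
# Added example for post-join verification of a new Samba AD DC (not from the thread).
# Assumed values (change to suit): realm, existing DC, site and Samba state directory
# (/var/lib/samba for a distro package; a self-compiled Samba uses /usr/local/samba).
REALM=${REALM:-hprs.local}
OLD_DC=${OLD_DC:-mail.hprs.local}
SITE=${SITE:-Default-First-Site-Name}
STATEDIR=${STATEDIR:-/var/lib/samba}

# SRV names AD clients use to locate a DC. With the internal DNS backend the new DC
# serves these from AD, so zones that only exist in BIND flat files on the old DC
# must be imported or recreated; the check below lists which names are missing.
expected_srv_records() {
    realm=$1; site=$2
    printf '%s\n' \
        "_ldap._tcp.$realm" \
        "_kerberos._tcp.$realm" \
        "_kerberos._udp.$realm" \
        "_ldap._tcp.dc._msdcs.$realm" \
        "_ldap._tcp.$site._sites.$realm" \
        "_kerberos._tcp.$site._sites.$realm"
}

# Ask one DNS server for every expected SRV record; exit status 1 if any is missing.
check_srv_records() {
    server=$1; realm=$2; site=$3; missing=0
    for name in $(expected_srv_records "$realm" "$site"); do
        if dig +short @"$server" SRV "$name" | grep -q .; then
            echo "ok      $name"
        else
            echo "MISSING $name"; missing=1
        fi
    done
    return $missing
}

# Sysvol on a freshly joined DC is almost empty; copy it with ACLs (-A) and xattrs (-X)
# from the DC holding the GPOs, then reset and verify the NT ACLs. Run as root.
sync_sysvol() {
    rsync -XAavz --delete-after "root@$1:$STATEDIR/sysvol/" "$STATEDIR/sysvol/" \
        && samba-tool ntacl sysvolreset \
        && samba-tool ntacl sysvolcheck
}

if [ "${1:-}" = run ]; then
    check_srv_records "$OLD_DC" "$REALM" "$SITE"
    sync_sysvol "$OLD_DC"
    samba-tool drs showrepl    # replication status with the existing DC
fi
```

Invoke it as `sh post-join-check.sh run` on the new DC; without the `run` argument it only defines the functions.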